• Share
  • Email
  • Embed
  • Like
  • Private Content
Sap template 050312
 

Sap template 050312

on

  • 1,770 views

The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for ...

The Federal Risk Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control ensures that the process runs smoothly. This document, released originally in Template format, has been designed for CSP Third-Party Independent Assessors (3PAOs) to use for planning security testing of CSPs. Once filled out, this document constitutes a plan for testing. Actual findings from the tests are to be recorded in FedRAMP security test procedure workbooks and a Security Assessment Report (SAR).

Statistics

Views

Total Views
1,770
Views on SlideShare
1,770
Embed Views
0

Actions

Likes
0
Downloads
41
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Sap template 050312 Sap template 050312 Document Transcript

    • Security Assessment Plan<Information System Name>, <Date> Security Assessment Plan (Template) Version 1.0 May 2, 2012 Company Sensitive and Proprietary For Authorized Use Only
    • Security Assessment Plan<Information System Name>, <Date> Document Name Prepared by Identification of Third-Party Assessment Organization that Prepared this Document Organization Name Street Address <insert logo> Suite/Room/Building City, State Zip Prepared for Identification of Cloud Service Provider Organization Name Street Address <insert logo> Suite/Room/Building City, State Zip Company Sensitive and ProprietaryPage 2
    • Security Assessment Plan<Information System Name>, <Date> Executive SummaryThe Federal Risk Authorization Management Program (FedRAMP) is a government-wideprogram that provides a standardized approach to security assessment, authorization, andcontinuous monitoring for Cloud Service Providers (CSP). Testing security controls is anintegral part of the FedRAMP security authorization requirements and enables FederalAgencies to use the findings that result from the tests to make risk-based decisions.Providing a plan for security control ensures that the process runs smoothly. Thisdocument, released originally in Template format, has been designed for CSP Third-PartyIndependent Assessors (3PAOs) to use for planning security testing of CSPs. Once filledout, this document constitutes a plan for testing. Actual findings from the tests are to berecorded in FedRAMP security test procedure workbooks and a Security AssessmentReport (SAR). Company Sensitive and ProprietaryPage 3
    • Security Assessment Plan<Information System Name>, <Date> Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office 05/03/2012 Renamed Section 5.3 1.0 FedRAMP Office Company Sensitive and ProprietaryPage 4
    • Security Assessment Plan<Information System Name>, <Date> Table of ContentsAbout this document .....................................................................................................................................................7 Who should use this document? .....................................................................................................................7 How this document is organized .....................................................................................................................7 Conventions used in this document ................................................................................................................7 How to contact us............................................................................................................................................81. Overview...........................................................................................................................................................9 1.2 Applicable Laws and Regulations.......................................................................................................10 1.3 Applicable Standards and Guidance ..................................................................................................10 1.4 FedRAMP Governance .......................................................................................................................102. Scope ..............................................................................................................................................................10 2.1 System Name/Title ............................................................................................................................10 2.2 IP Addresses Slated for Testing ..........................................................................................................11 2.3 Web Applications Slated for Testing ..................................................................................................12 2.4 Databases Slated for Testing ..............................................................................................................12 2.5 Roles Slated for Testing ......................................................................................................................133. Assumptions ...................................................................................................................................................134. Methodology ..................................................................................................................................................145. Test Plan ..........................................................................................................................................................15 5.1 Security Assessment Team ................................................................................................................15 5.2 CSP Testing Points of Contact ............................................................................................................16 5.3 Testing Performed Using Automated Tools .......................................................................................16 5.4 Testing Performed Through Manual Methods...................................................................................17 5.5 Schedule ............................................................................................................................................176. Rules of Engagement ......................................................................................................................................18 6.1 Disclosures .........................................................................................................................................18 6.1.1. Security Testing May Include .........................................................................................................19 6.1.2. Security Testing Will Not Include...................................................................................................19 6.2 End of Testing ....................................................................................................................................20 6.3 Communication of Test Results ........................................................................................................20 6.4 Limitation of Liability .........................................................................................................................20 6.5 Signatures ..........................................................................................................................................21Acronyms .....................................................................................................................................................................22Appendix A – Test Case Procedures .............................................................................................................................23 Company Sensitive and Proprietary Page 5
    • Security Assessment Plan<Information System Name>, <Date> List of TablesTable 2-1. Information System Name and Title............................................................................................................11Table 2-2. Location of Components .............................................................................................................................11Table 2-3. Components Slated for Testing ...................................................................................................................11Table 2-4. Application URLs Slated for Testing ............................................................................................................12Table 2-5. Databases Slated for Testing ......................................................................................................................12Table 2-6. Role Based Testing .......................................................................................................................................13Table 5-1. Security Testing Team ..................................................................................................................................15Table 5-2. CSP Points of Contact ..................................................................................................................................16Table 5-3. Tools Used for Security Testing ....................................................................................................................16Table 5-4. Testing Performed Through Manual Methods ............................................................................................17Table 5-5. Testing Schedule ..........................................................................................................................................17Table 6-1. Individuals at CSP Receiving Test Results ....................................................................................................20 Company Sensitive and Proprietary Page 6
    • Security Assessment Plan<Information System Name>, <Date>ABOUT THIS DOCUMENTThis document has been developed to provide guidance on how to participate in and understandthe FedRAMP program.Who should use this document?This document is intended to be used by FedRAMP Third-Party Independent Assessors (3PAOs)when testing Cloud Service Provider (CSP) security controls.How this document is organizedThis document is divided into ten sections. Most sections include subsections.Section 1 describes an overview of the testing process.Section 2 describes the scope of the security testing.Section 3 describes assumptions related to the security testing.Section 4 describes the security testing methodology.Section 5 describes the test plan and schedule.Section 6 describes the Rules of Engagement and signatures for security testing.Conventions used in this documentThis document uses the following typographical conventions:Italic Italics are used for email addresses, security control assignments parameters, and formaldocument names.Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template.Bold Bold text indicates a parameter or an additional requirement.Constant width Constant width text is used for text that is representative of characters that would show up ona computer screen. Company Sensitive and Proprietary Page 7
    • Security Assessment Plan<Information System Name>, <Date><Brackets>Bold blue text in brackets indicates text that should be replaced with user-defined values. Oncethe text has been replaced, the brackets should be removed.Notes Notes are found between parallel lines and include additional information that may be helpfulto the users of this template. Note: This is a note.Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents.How to contact usIf you have questions about FedRAMP or something in this document, please write to: info@fedramp.govFor more information about the FedRAMP project, please see the website at: http://www.fedramp.gov. Company Sensitive and Proprietary Page 8
    • Security Assessment Plan<Information System Name>, <Date>1. OVERVIEWFederal Risk and Authorization Management Program (FedRAMP) is a government-wideprogram that provides a standardized approach to security assessment, authorization, andcontinuous monitoring for Cloud Service Providers (CSP). Testing security controls is an integralpart of the FedRAMP security authorization requirements. Providing a plan for security controlensures that the process runs smoothly.The <Information System Name> will be assessed by a FedRAMP accredited Third-PartyAssessment Organization (3PAO). The use of an independent assessment team reduces thepotential for conflicts of interest that could occur in verifying the implementation status andeffectiveness of the security controls. NIST SP 800-39, Managing Information Security Riskstates: Assessor independence is an important factor in: (i) preserving the impartial and unbiased nature of the assessment process; (ii) determining the credibility of the security assessment results; and (iii) ensuring that the authorizing official receives the most objective information possible in order to make an informed, risk-based, authorization decision.1.1 PurposeInstruction: A goal of the kick-off meeting is to obtain the necessary information to populate thisplan. The 3PAO should obtain the requisite information on the CSP system at the kick-offmeeting so that this plan can be completed. After this plan has been completed, the 3PAO shouldmeet again with the CSP, present the Draft Security Assessment Plan, and make any necessarychanges before finalizing the plan. Both the Draft plan and Final plan should be submitted tothe FedRAMP ISSO for review.This document consists of a test plan to test the security controls for the <Information SystemName>. It has been completed by <3PAO> for the benefit of <CSP>. NIST SP 800-39,Managing Information Security Risk states: The information system owner and common control provider rely on the security expertise and the technical judgment of the assessor to: (i) assess the security controls employed within and inherited by the information system using assessment procedures specified in the security assessment plan; and (ii) provide specific recommendations on how to correct weaknesses or deficiencies in the controls and address identified vulnerabilities. Company Sensitive and Proprietary Page 9
    • Security Assessment Plan<Information System Name>, <Date>1.2 Applicable Laws and RegulationsThe following laws and regulations are applicable to the FedRAMP program: Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030] Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347] Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7] Management of Federal Information Resources [OMB Circular A-130] Privacy Act of 1974 as amended [5 USC 552a] Protection of Sensitive Agency Information [OMB M-06-16] Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]1.3 Applicable Standards and GuidanceThe following standards and guidance are applicable to security testing and risk assessment: Guide for Assessing the Security Controls in Federal Information Systems [NIST SP 800- 53A] Risk Management Guide for Information Technology Systems [NIST SP 800-30] Technical Guide to Information Security Testing and Assessment [NIST SP 800-115] Managing Information Security Risk [NIST SP 800-39]1.4 FedRAMP GovernanceFedRAMP is governed by a Joint Authorization Board (JAB) that consists of representativesfrom the Department of Homeland Security (DHS), the General Services Administration (GSA),and the Department of Defense (DoD). The FedRAMP program is endorsed by the U.S.government CIO Council including the Information Security and Identity ManagementCommittee (ISIMC). The ISIMC collaborates on identifying high-priority security and identitymanagement initiatives and developing recommendations for policies, procedures, and standardsto address those initiatives.2. SCOPEThe scope of the security tests that will be performed for the CSP service offering is limited andwell defined. Tests on systems and interfaces that are outside the boundary of the CSP serviceoffering (for FedRAMP) are not included in this plan.2.1 System Name/TitleInstruction: Name the system that that is slated for testing and include the geographic locationof all components that will be tested. Put in a brief description of the system components that isa direct copy/paste from the description in the System Security Plan. Company Sensitive and Proprietary Page 10
    • Security Assessment Plan<Information System Name>, <Date>This <Information System Name> that is undergoing testing as described in this SecurityAssessment Plan is named in Table 2-1. Table 2-1. Information System Name and Title Unique Identifier Information System Name Information System AbbreviationThe physical locations of all the different components that will be tested are described inTable 2-2. Table 2-2. Location of Components Data Center Site Name Address Description of Components2.2 IP Addresses Slated for TestingInstruction: List the IP address of all systems that will be tested. You will need to obtain thisinformation from the System Security Plan and the CSP. Note that the IP addresses found in theSystem Security Plan should be consistent with the boundary. If additional IP addresses arediscovered that were not included in the System Security Plan, advise the CSP to update theinventory and boundary information in the SSP and obtain new approval on the SSP from theISSO before moving forward. IP addresses can be listed by network ranges and CIDR blocks. Ifyou are scanning a large network (Class B or larger), you should plan on testing a subset of theIP addresses. All scans should be fully authenticated. Add additional rows to the table asnecessary.IP addresses, and network ranges, of the system that will be tested are noted inTable 2-3. Table 2-3. Components Slated for Testing IP Address(s) or Hostname Software & Version Function Ranges Company Sensitive and Proprietary Page 11
    • Security Assessment Plan<Information System Name>, <Date>2.3 Web Applications Slated for Testing Instruction: Insert any URLs and the associated login IDs that will be used for testing. Only list the login URL. Do not list every URL that is inside the login in the below table. In the Function column, indicate the purpose that the web-facing application plays for the system (e.g. control panel to build virtual machines).Activities employed to perform role testing on web applications may include capturing POSTand GET requests for each function. The various web based applications that make up thesystem, and the logins and their associated roles that will be used for testing are noted by URL inTable 2-4. Table 2-4. Application URLs Slated for Testing Login URL IP Address of Login Host Function2.4 Databases Slated for Testing Instruction: Insert the hostnames, IP address, and any relevant additional information on the databases that will be tested. All scans should be fully authenticated. Add additional rows as necessary.Databases that are slated for testing include those listed in Table 2-5. Table 2-5. Databases Slated for Testing Database Name Hostname IP Address Additional Info Company Sensitive and Proprietary Page 12
    • Security Assessment Plan<Information System Name>, <Date>2.5 Roles Slated for TestingRole testing will be performed to test the authorizations restrictions for each role. <3PAO> willaccess the system while logged in as different user types and attempt to perform restrictedfunctions as unprivileged users. Functions and roles that will be tested are noted in Table 2-6.Roles slated for testing correspond to those roles listed in Table 9-1 of the <Information SystemName> System Security Plan. Table 2-6. Role Based Testing Role Name Test User ID Associated Functions3. ASSUMPTIONS Instruction: The assumptions listed are default assumptions. 3PAO should edit these assumptions as necessary for each unique engagement.The following assumptions were used when developing this Security Assessment Plan: <CSP> resources, including documentation and individuals with knowledge of the <CSP> systems and infrastructure and their contact information, will be available to <3PAO> staff during the time necessary to complete assessments. The <CSP> will provide login account information / credentials necessary for <3PAO> to use its testing devices to perform authenticated scans of devices and applications. The <CSP> will permit <3PAO> to connect its testing laptops to the <CSP> networks defined within the scope of this assessment. The <CSP > will permit communication from <3PAO> testing appliances to an internet hosted vulnerability management service to permit the analysis of vulnerability data. Security controls that have been identified as “Not Applicable” (e.g. AC-18 wireless access) in the System Security Plan will be verified as such and further testing will not be performed on these security controls Significant upgrades or changes to the infrastructure and components of the system undergoing testing will not be performed during the security assessment period. Company Sensitive and Proprietary Page 13
    • Security Assessment Plan<Information System Name>, <Date> For onsite control assessment, <CSP> personnel will be available should the <3PAO> staff determine that either after hours work, or weekend work, is necessary to support the security assessment.4. METHODOLOGY Instruction: FedRAMP provides a documented methodology to describe the process for testing the security controls. 3PAOs may edit this section to add additional information.<3PAO> will perform an assessment of the <Information System Name> security controlsusing the methodology described in NIST SP 800-53A. <3PAO> will use FedRAMP suppliedtest procedures to evaluate the security controls. Contained in Excel worksheets, these testprocedures contain the test objectives and associated test cases to determine if a control iseffectively implemented and operating as intended. The results of the testing shall be recorded inthe worksheets (provided in Appendix A) along with information that notes whether the control(or control enhancement) is satisfied or not.<3PAO> data gathering activities will consist of the following: Request <CSP> to provide FedRAMP required documentation Request any follow-up documentation, files, or information needed that is not provided in FedRAMP required documentation Travel to the CSP sites as necessary to inspect systems and meet with CSP staff Obtain information through the use of security testing toolsSecurity controls will be verified using one or more of the following assessment methods: Examine: the 3PAO will review, analyze, inspect, or observe one or more assessment artifacts as specified in the attached test cases; Interview: the 3PAO will conduct discussions with individuals within the organization to facilitate assessor understanding, achieve clarification, or obtain evidence; Technical Tests: the 3PAO will perform technical tests, including penetration testing, on system components using automated and manual methods.NIST SP 800-39, Managing Information Security Risk states: Prior to initiating the security control assessment, an assessor conducts an assessment of the security plan to help ensure that the plan provides a set of security controls for the information system that meet the stated security Company Sensitive and Proprietary Page 14
    • Security Assessment Plan<Information System Name>, <Date> requirements. Instruction: All documentation provided to the 3PAO by the CSP should be reviewed for accuracy and completeness. Any issues with CSP documentation should be recorded in both the security testing procedures workbooks and in the SAR. If CSP documentation makes reference to5. TEST PLAN additional documentation that has not been provided to the 3PAO, the 3PAO may request copies of that documentation from the CSP. 3PAOs should keep a list of all documentation that wasThe schedule for testing, CSP, and which documents were provided as aused are described in the provided to them by the testing roles, and the testing tools that will be subsequent additional request. The SAR template will require that all documents reviewed be listed.sections that follow.5.1 Security Assessment TeamInstruction: List the members of the risk assessment team and the role each member will play.Include team members contact information.The security assessment team consists of individuals from <3PAO Name> which are located at<Address of 3PAO>. Information about <3PAO Name> can be found at the following URL:<insert URL>.Security control assessors play a unique role in testing system security controls. NIST 800-39,Managing Information Security Risk states: The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).The members of the 3PAO security testing team are found in Table 5-1. Table 5-1. Security Testing Team Name Role Contact Information Company Sensitive and Proprietary Page 15
    • Security Assessment Plan<Information System Name>, <Date>5.2 CSP Testing Points of ContactInstruction: The 3PAO should obtain at least three points of contact from the CSP to use fortesting communications. One of the contacts should be available 24 x 7 and should include anoperations center (e.g. NOC, SOC).The CSP points of contact that the testing team will use are found in Table 5-2. Table 5-2. CSP Points of ContactName Role Contact Information5.3 Testing Performed Using Automated ToolsInstruction: Describe what tools will be used for testing security controls. Include all productnames and names of open source tools and include version numbers. If open source tools areused, name the organization (or individuals) who developed the tools. Additionally, describe thefunction and purpose of the tool (e.g. file integrity checking, web application scanning). If youare using a scanner, indicate what the scanner’s capability is, e.g. database scanning, webapplication scanning, infrastructure scanning, code scanning/analysis). For more informationon please see the Guide to Understanding FedRAMP.<3PAO Name> plans to use the following tools noted in Table 5-3 to perform testing of the<Information System Name>. Table 5-3. Tools Used for Security Testing Tool Name Vendor/Organization Name & Version Purpose of Tool Company Sensitive and Proprietary Page 16
    • Security Assessment Plan<Information System Name>, <Date>5.4 Testing Performed Through Manual MethodsInstruction: Describe what technical tests will be performed through manual methods withoutthe use of automated tools. The results of all manual tests must be recorded in the SAR.Examples are listed in the first four rows. Delete the examples, and put in the real tests. Addadditional rows as necessary. Identifiers should be in the format MT-1, MT-2 which wouldindicate “Manual Test 1” and “Manual Test 2” etc.. Table 5-4. Testing Performed Through Manual Methods Test ID Test Name Description MT-1 Forceful Browsing We will login as a customer and try to see if we can gain access to the Network Administrator and Database Administrator privileges and authorizations by navigating to different views and manually forcing the browser to various URLs. MT-2 SQL Injection We will perform some manual SQL injection attacks using fake names and 0 OR 1=1 statements. MT-3 CAPTCHA We will test the CAPTCHA function on the web form manually. MT-4 OCSP We will manually test to see if OCSP is validating certificates.5.5 ScheduleInstruction: Insert the security assessment testing schedule. This schedule should be presentedto the CSP by the 3PAO at the kick-off meeting. The ISSO should be invited to the meeting thatpresents the schedule to the CSP. After being presented to the CSP at the kick-off meeting, the3PAO should make any necessary updates to the schedule and this document and send anupdated version of the CSP (Ccing the ISSO).The security assessment testing schedule can be found in Table 5-5. Table 5-5. Testing ScheduleTask Name Start Date Finish DateKick-off Meeting Company Sensitive and Proprietary Page 17
    • Security Assessment Plan<Information System Name>, <Date>Task Name Start Date Finish DatePrepare Test PlanMeeting to Review Test PlanTest Plan UpdateReview CSP DocumentationConduct Interviews of CSP StaffPerform TestingVulnerability Analysis and Threat AssessmentRisk Exposure Table DevelopmentComplete Draft SARDraft SAR Delivered to SAPIssue Resolution MeetingComplete Final Version of SARSend Final Version of SAR to CSP and ISSO6. RULES OF ENGAGEMENTA Rules of Engagement (ROE) is a document designed to describe proper notifications anddisclosures between the owner of a tested systems and an independent assessor. In particular, aROE includes information about targets of automated scans and IP address originationinformation of automated scans (and other testing tools). Together with the information providedin preceding sections of this document, this document shall serve as a Rules of Engagement oncesigned.Instruction: FedRAMP provides and recommends the Rules of Engagement as listed in thesection that follows. 3POAs should edit this ROE as necessary. The final version of the ROEshould be signed by both the 3PAO and CSP.6.1 DisclosuresInstruction: Edit and modify the disclosures as necessary. If testing is to be conducted from aninternal location, identify at least one network port with access to all subnets/segments to betested. The purpose of identifying the IP addresses from where the security testing will beperformed is so that when 3PAOs are performing scans, the CSP will understand that the rapidand high volume network traffic is not an attack and is part of the testing. Company Sensitive and Proprietary Page 18
    • Security Assessment Plan<Information System Name>, <Date>Any testing will be performed according to terms and conditions designed to minimize riskexposure that could occur during security testing. All scans will originate from the following IPaddress(es): <IP addresses>. 6.1.1. Security Testing May Include Instruction: 3PAO should edit the bullets in this default list to make it consistent with each unique system tested.Security testing may include the following activities: Port scans and other network service interaction and queries Network sniffing, traffic monitoring, traffic analysis, and host discovery Attempted logins or other use of systems, with any account name/password Attempted SQL injection and other forms of input parameter testing Use of exploit code for leveraging discovered vulnerabilities Password cracking via capture and scanning of authentication databases Spoofing or deceiving servers regarding network traffic Altering running system configuration except where denial of service would result Adding user accounts 6.1.2. Security Testing Will Not Include Instruction: 3PAO should edit the bullets in this default list to make it consistent with each unique system tested.Security testing will not include any of the following activities: Changes to assigned user passwords Modification of user files or system files Telephone modem probes and scans (active and passive) Intentional viewing of <CSP> staff email, Internet caches, and/or personnel cookie files Denial of Service attacks (smurf, land, SYN flood, etc.) Exploits that will introduce new weaknesses to the system Intentional introduction of malicious code (viruses, Trojans, worms, etc.) Company Sensitive and Proprietary Page 19
    • Security Assessment Plan<Information System Name>, <Date>6.2 End of Testing<3PAO> will notify <Name of Person> at <CSP> when security testing has been completed.6.3 Communication of Test ResultsEmail and reports on all security testing will be encrypted according to <CSP> requirements.Security testing results will be sent and disclosed to the individuals at <CSP> noted in Table 6-1within <number> days after security testing has been completed. Table 6-1. Individuals at CSP Receiving Test Results Name Role Contact Information6.4 Limitation of LiabilityInstruction: Insert any Limitations of Liability associated with the security testing below. Editthe provided default Limitation of Liability as needed.<3PAO>, and its stated partners, shall not be held liable to <CSP> for any and all liabilities,claims, or damages arising out of or relating to the security vulnerability testing portion of thisAgreement, howsoever caused and regardless of the legal theory asserted, including breach ofcontract or warranty, tort, strict liability, statutory liability, or otherwise.<CSP> acknowledges that there are limitations inherent in the methodologies implemented, andthe assessment of security and vulnerability relating to information technology is an uncertainprocess based on past experiences, currently available information, and the anticipation ofreasonable threats at the time of the analysis. There is no assurance that an analysis of this naturewill identify all vulnerabilities or propose exhaustive and operationally viable recommendationsto mitigate all exposure. Company Sensitive and Proprietary Page 20
    • Security Assessment Plan<Information System Name>, <Date>6.5 SignaturesThe following individuals at the 3PAO and CSP have been identified as having the authority toagree to security testing of <Information System Name>. ACCEPTANCE AND SIGNATURE I have read the above Security Assessment Plan and Rules of Engagement and I acknowledge and agree to the tests and terms set forth in the plan. 3PAO Representative: _________________________________ (printed) 3PAO Representative: _________________________________ (signature) ______ (date) CSP Representative: _________________________________ (printed) CSP Representative: _________________________________ (signature) ______ (date) Company Sensitive and Proprietary Page 21
    • Security Assessment Plan<Information System Name>, <Date>ACRONYMSAcronyms used in this document can be found in the below table.Acronym DescriptionFedRAMP Federal Risk Authorization Management ProgramNIST National Institute of Standards and TechnologySAP Security Assessment PlanSAR Security Assessment Report Company Sensitive and Proprietary Page 22
    • Security Assessment Plan<Information System Name>, <Date>APPENDIX A – TEST CASE PROCEDURESResults of the attached security test case procedures shall be recorded directly in each respectiveworkbook.A_01_AC_20111102. A_02_AT_20111028. A_03_AU_20111102. A_04_CA_20111102. A.3.1.2.05_CM_2011 xlsx xlsx xlsx xlsx 1102.xlsxA_06_CP_20111108. A_07_IA_20111109. A_08_IR_20111114. A_09_MA_20111115 A_10_MP_20111116. xlsx xlsx xlsx .xlsx xlsxA_11_PE_20111118. A_12_PL_20111118. A_13_PS_20111121. A_14_RA_20111122. A_15_SA_20111125. xlsx xlsx xlsx xlsx xlsxA_16_SC_20111130. A_17_SI_20111201. xlsx xlsx Company Sensitive and Proprietary Page 23