[Verse 1]
When the scanners finish crawling through your network maze
STIG findings pile up like autumn leaves for days
Four documents will carry all the weight you need
To prove your system's worthy of the ATO deed

[Chorus]
SAR and POA&M, SSP and RAR
These four pillars hold your authorization star
Security Assessment tells the scanning tale
POA&M maps the fixes without fail
System Security Plan shows how controls align
Risk Assessment wraps it in a bottom line

[Verse 2]
The SAR compiles every automated sweep
Manual testing secrets that assessors keep
Vulnerability numbers paint the current scene
Both critical reds and medium yellows in between

[Chorus]
SAR and POA&M, SSP and RAR
These four pillars hold your authorization star
Security Assessment tells the scanning tale
POA&M maps the fixes without fail
System Security Plan shows how controls align
Risk Assessment wraps it in a bottom line

[Bridge]
Timeline commitments in your POA&M rows
Risk acceptance letters for the highs and lows
SSP references where each STIG applies
RAR calculations show what danger lies

[Verse 3]
Residual risk gets measured by the RAR report
STIG implementation gives your SSP support
Open findings tracked until they're closed for good
ATO package tells the compliance neighborhood

[Chorus]
SAR and POA&M, SSP and RAR
These four pillars hold your authorization star
Security Assessment tells the scanning tale
POA&M maps the fixes without fail
System Security Plan shows how controls align
Risk Assessment wraps it in a bottom line

[Outro]
From STIG scan to ATO decision day
These documents will light your compliance way