Security Control Assessment Report (SCAR)
A Security Control Assessment Report (SCAR), also called a Security Assessment Report (SAR), is the formal document produced by the Security Control Assessor after evaluating a system's security controls. It details which controls were tested, how they were tested, what was found, and the assessor's overall risk findings.
The SCAR is a key input to the Authorization to Operate (ATO) decision. It identifies weaknesses, recommends mitigations, and provides the Authorizing Official with the information needed to determine whether the system's residual risk is acceptable.
Why It Matters
The SCAR drives your Plan of Action and Milestones (POA&M): every finding in the report becomes a gap you must address. Understanding how to read and respond to a SCAR helps you prioritize remediation efforts and maintain your authorization.