Security Assessment Report

A Security Assessment Report (SAR) is a detailed aggregation of information that includes technical specifications and other basic identifying information about the system, the system owner, and the control assessor, as well as the surrounding information environment and details about the timing and scope of the current assessment. Security Assessment Reports are considered pivotal in the Risk Management Framework, particularly in step four (Assessment, naturally) and step six (Monitoring, where prior steps can be repeated over the course of the Systems Development Life Cycle).

A Security Assessment Report differs from a Risk Assessment Report (RAR) in that, whereas an SAR contains hard factual data about the information system, a RAR covers the threats and risk factors that could inflict damage upon that system. Risk Assessment Reports are considered more valuable when created after an SAR, because the weaknesses and deficiencies identified in the SAR can then be addressed in the RAR, along with appropriate steps that can be undertaken to ameliorate those weaknesses.