Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements.

The new guidance addresses new attack vectors targeting subsystems in IT infrastructure. 

Here, we’ll cover his newest draft about new guidance standards for FedRAMP penetration testing.

 

NIST Guidelines for FedRAMP Penetration Testing

The guidance mandates strict adherence to standards and guidelines established by the National Institute of Standards and Technology (NIST), ensuring that Cloud Service Providers and their offerings are thoroughly assessed for security vulnerabilities. Key standards include:

• NIST SP 800-115: This document provides technical information security testing and assessment guidelines. It offers a baseline for testing procedures that ensure comprehensive vulnerability identification.
• NIST SP 800-145: This publication defines cloud computing and its service models (SaaS, PaaS, IaaS), helping to categorize CSP offerings and tailor penetration testing approaches accordingly.
• NIST SP 800-53 & SP 800-53A: These documents list security and privacy controls for federal information systems and organizations and guidelines for assessing those controls and ensuring CSPs meet federal security requirements.

The document classifies cloud services into SaaS, PaaS, and IaaS systems, each with distinct characteristics and security requirements. Penetration tests must cover all relevant components, services, and access paths within the CSP’s system boundary and consider the service model’s specific vulnerabilities and threats.

 

FedRAMP Penetration Testing and Mandatory Attack Vectors

FedRAMP defines attack vectors as “potential avenues of compromise that might lead to a loss or degradation of system integrity, confidentiality, or availability.” 

However, the section on attack vectors notes that while there are several unique components of different vectors based on the service offering types (SaaS, IaaS, PaaS, or hybrid systems), there are commonalities that allow for the defining of mandatory attack vectors that penetration tests must assess for all authorized systems:

• External to Corporate: Evaluates the security against social engineering and phishing attacks targeting corporate personnel, including system administrators and managing staff. Penetration tests should include email phishing attacks and “non-credentialed” phishing attacks (attempting to run untrusted scripts by users that can compromise the system).
• External to CSP Target System: Assesses the vulnerabilities that external threat actors might exploit to compromise the CSP’s target system, covering both technology-based and social engineering-based attacks. Tests should include internal threat attacks and security issues related to unintentional breaches caused by negligence or accident. Tests should also include those associated with separating Internet-facing infrastructure and internal systems.
• Tenant to CSP Management System: This test determines whether a tenant can gain unauthorized access to the CSP’s management systems through misconfigurations, system design flaws, or abuse of intended functions. Penetration tests should include using privileged accounts to uncover where and how attackers can elevate privileges to undermine system and account security.
• Tenant-to-Tenant: This investigates the isolation and separation between tenants, ensuring one tenant cannot compromise another tenant’s environment or access their data. Tests will include checks on how internal accounts and systems can spread threats (like ransomware) throughout the system.
• Mobile Application to Target System: Focuses on the security of mobile applications provided by the CSP, assessing their potential to serve as an entry point for attacks against the target system.
• Client-side Application and/or Agents to Target System: This section examines client-side components, including applications, agents, or browser extensions, for vulnerabilities that could compromise the target system or access sensitive information.

Scoping a Penetration Test and Understanding Rules of Engagement

With these vectors understood, FedRAMP also defines how a 3PAO can undertake a penetration test per FedRAMP and NIST requirements. The process’s scoping ensures that the test is comprehensive and practical without breaking a target system or unintentionally exposing data. 

The general rules for scoping the test are:

• Defining the Authorization Boundaries: The cloud service’s authorization boundaries are initially determined based on the System Security Plan (SSP) and accompanying documentation. The scope of the penetration test is then agreed upon, which includes reviewing individual system components to decide if they are “in-scope” or “out-of-scope” for the test. The cumulative “in-scope” components make up the system boundary for the penetration test.
• Legal and Permission Considerations: The scoping process also involves understanding the test’s legal implications, especially when third-party environments or services are involved. Testing must be confined within the agreed-upon boundaries to ensure compliance with all relevant laws and agreements. Permission to test any third-party assets must be explicitly obtained and documented.
• Third-Party Involvement: If the cloud service utilizes third-party services or components within its operational environment, these must also be considered during the scoping phase. Decisions on whether these third-party components are included in the test boundary should be based on their relevance to the cloud service’s security posture and potential impact on the service.

Furthermore, there are strict controls over the rules of engagement that include:

• Comprehensive Planning: The ROE document is a crucial part of the test plan that outlines the target systems, testing scope, methodologies, constraints, and notification requirements. It serves as a blueprint for the penetration test, detailing what will be tested, how it will be tested, and the boundaries the testers must not cross.
• Notification and Disclosure: The ROE must include provisions for notifying appropriate personnel (such as the CIO, CISO, and ISSO) of critical findings as soon as they are discovered. The FedRAMP Program Management Office (PMO) emphasizes the importance of immediate communication regarding high-impact vulnerabilities.
• Detailed Test Schedule: The ROE should specify the test schedule, including start and end times for each testing period and the overall duration of the penetration test. This scheduling ensures that all stakeholders know when testing activities will occur and can prepare accordingly.
  
• Technical Points of Contact (POC): Identifying POCs for each subsystem or application within the test boundary is essential. These individuals can provide technical support and guidance during the test and assist with addressing any issues.

 

How 3PAOs Report Test Results

A detailed and structured penetration test report is crucial for documenting the vulnerabilities discovered, the testing methods used, and the potential impact of the identified vulnerabilities. The key elements that must be included in the report are:

• Scope of Target System: This section describes the components, services, and access paths included in the penetration test and provides context for the findings.
• Attack Vectors Assessed During the Penetration Test: This section outlines which mandatory attack vectors were tested and any additional vectors considered relevant by the CSP or 3PAO. If any attack vector is deemed out of scope or not applicable, the 3PAO must explain why. 
• Timeline for Assessment Activity: The report documents the specific dates and duration of the penetration testing activities, offering a timeline of the testing process.
• Actual Tests Performed and Results: This section details the tests executed, including the methodologies and tools used and reports on their results. It should provide clear insight into how the tests were conducted and their outcomes.
• Findings and Evidence: For each vulnerability or issue discovered during testing, the report must include a description, the assessed impact, recommended remediation actions, and a risk rating. Evidence supporting the findings, such as screenshots, logs, or descriptions of exploitation steps, should also be included to provide context and aid in prioritization and remediation.
• Access Paths: This section describes how different vulnerabilities could be combined or exploited in sequence to achieve unauthorized access or impact, offering insight into potential attack paths an adversary could use.

 

Partner With an Experienced 3PAO: Lazarus Alliance

If you’re preparing for your FedRAMP Authorization, penetration testing will be a big part of that assessment. Work with Lazarus Alliance to ensure you get the proper tests, professionally conducted, for your needs.

If you’re looking to kickstart your assessment, contact Lazarus Alliance.

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171
• CMMC
• SOC 1 & SOC 2
• HIPAA, HITECH, & Meaningful Use
• PCI DSS RoC & SAQ
• IRS 1075 & 4812
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria – Lazarus Alliance Laboratories
• And dozens more!

[wpforms id=”137574″]