FedRAMP and Penetration Testing Guidance Updates in 2024

Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements.

The new guidance addresses emerging attack vectors that target subsystems within cloud IT infrastructure.

Here, we’ll cover this newest draft of the guidance standards for FedRAMP penetration testing.

NIST Guidelines for FedRAMP Penetration Testing

The guidance mandates strict adherence to standards and guidelines established by the National Institute of Standards and Technology (NIST), ensuring that Cloud Service Providers and their offerings are thoroughly assessed for security vulnerabilities. Key standards include:

The document classifies cloud services into SaaS, PaaS, and IaaS systems, each with distinct characteristics and security requirements. Penetration tests must cover all relevant components, services, and access paths within the CSP’s system boundary and consider the service model’s specific vulnerabilities and threats.

FedRAMP Penetration Testing and Mandatory Attack Vectors

FedRAMP defines attack vectors as “potential avenues of compromise that might lead to a loss or degradation of system integrity, confidentiality, or availability.”

However, the section on attack vectors notes that while each service offering type (SaaS, IaaS, PaaS, or hybrid systems) has its own unique components, there are enough commonalities to define mandatory attack vectors that penetration tests must assess for all authorized systems:

Scoping a Penetration Test and Understanding Rules of Engagement

With these vectors understood, FedRAMP also defines how a 3PAO can conduct a penetration test in line with FedRAMP and NIST requirements. Scoping the process ensures that the test is comprehensive and practical without disrupting a target system or unintentionally exposing data.

The general rules for scoping the test are:

Furthermore, there are strict controls over the rules of engagement that include:

How 3PAOs Report Test Results

A detailed and structured penetration test report is crucial for documenting the vulnerabilities discovered, the testing methods used, and the potential impact of the identified vulnerabilities. The key elements that must be included in the report are:

Partner With an Experienced 3PAO: Lazarus Alliance

If you’re preparing for your FedRAMP Authorization, penetration testing will be a big part of that assessment. Work with Lazarus Alliance to ensure you get the proper tests, professionally conducted, for your needs.

If you’re looking to kickstart your assessment, contact Lazarus Alliance.
