FedRAMP and Penetration Testing Requirements in 2023

Penetration tests sometimes seem like an extreme measure that only ultra-secure companies take to fend off the most formidable threats. However, any company that wants to get serious about cybersecurity and compliance will eventually run into the practice, and that is especially true when working with the federal government. Here, we’ll discuss FedRAMP and its penetration testing requirements.


Penetration Testing and FedRAMP

Penetration testing is an established and proactive form of security assessment that involves a security firm actively attempting to breach critical IT systems to demonstrate vulnerabilities and flaws.

Unlike vulnerability scans, which are passive assessments of surface-level security issues, a pen test uses creative, attacker-style techniques to determine whether a system’s security controls can actually be defeated. Because penetration tests actively attempt to breach the infrastructure, they can surface security issues that arise from the complex interaction between people, technologies, and organizations rather than from any single component.

Under FedRAMP regulations, cloud service providers (CSPs) must undergo penetration tests as part of their authorization. These tests are conducted by their 3PAO, who must compile the results of the test and report them to the CSP’s partner agency and the Project Management Office (PMO).

A 3PAO certified to conduct FedRAMP-compliant penetration tests must hold an industry-recognized credential demonstrating proficiency in pen testing, alongside the security experience specified in R311, “Specific Requirements: Federal Risk and Authorization Management Program.”

The CSP must undergo a penetration test no earlier than six months before its authorization date, and then once every 12 months during the continuous monitoring phase.


What Are the Requirements for FedRAMP Penetration Testing?

FedRAMP does not replace the established best practices of penetration testing, which remain largely intact; in the larger sense, there is an understanding that, as modern threats emerge, penetration testing methodologies will evolve along with them.

Instead, the FedRAMP guidelines provide the baseline requirements for an acceptable penetration test. These requirements are broken down into a few different categories:


Threat Models

The FedRAMP program broadly defines three threat model categories, chosen to align with modern attacker techniques. These include:


Attack Models

Attack models refer to the different techniques that attackers may use to compromise a system. It is important to note that a “technique” here is not a single action but a collection of approaches and attacks that combine to expose vulnerabilities. Attack models generally fall under two categories:


Attack Vectors

Attack vectors are the routes an attacker takes to reach a piece of software or a cloud infrastructure. While there are hundreds of possible attack vectors (depending on the architecture in place), FedRAMP emphasizes six categories that represent the commonalities found across different service offerings.

These attack vectors include:

These attack vectors should always be part of a penetration test unless they fall out of scope. For example, if an offering doesn’t include mobile or mobile app access, that vector does not need to be tested.


Rules of Engagement

Since every penetration test requires cooperation between the provider and the 3PAO, there must be rules in place that define the boundaries of the test: what will be tested, the approaches and constraints to be used, and who needs to be informed.


Reporting

Regardless of the outcome, the 3PAO must compile and deliver a report on the test results. This report must include the scope of the tests and the target systems, the attack vectors assessed, the timeline of the test, the results, and the findings of the 3PAO. The report must also be included in the provider’s authorization package.


FedRAMP Authorization and Penetration Testing Start with Lazarus Alliance

When preparing for FedRAMP, there are no corners to cut and no shortcuts. The government expects the best, and it serves you to work with the best. We are a FedRAMP 3PAO with the experience and skills necessary to move you through your authorization journey, including conducting these key penetration tests. It takes serious attention to detail to pull off a successful and effective penetration test, and Lazarus Alliance is here to work with you every step of the way.
