You want to sell your cloud computing services to the federal government, you need to go through a FedRAMP assessment. In that FedRAMP assessment is a penetration test and a very robust one. Let's talk about what that looks like.
I'm Doug Barbin, managing principal and chief growth officer at Schellman. We've had the privilege of being a FedRAMP third party assessment organization or 3PAO for almost 10 years, the actual length of the program has been in existence.
Penetration testing is an area of security testing and evaluation that has broad implications across multiple compliance requirements. Whether you're handling credit card data or you're performing any sort of sensitive trading of information for financial systems. Penetration testing has been a robust requirement for most compliance domains, as well as just risk management and security posture in general.
For FedRAMP, there are very specific requirements as to what you need to do from a penetration testing perspective. First and foremost, you do have to use a third party assessment organization or a pow like Schellman. You have to use an authorized company to perform the penetration test. It's not something like some of the other standards where you can go out, get a non-accredited provider to do your penetration test and then the auditor relies on or looks at those reports. In the case of Schellman, when we're doing our FedRAMP assessment services, we are doing the penetration testing as part of that assessment.
In addition, the FedRamp guidance lays out six different attack vectors that need to be covered in a penetration test for a FedRAMP assessment. Not going to cover all of those in detail. I'll point you towards our website where we've got very rich information that talks about the six different attack vectors. But at a high level, you're looking at
- External to the web application
- The perspective of an external attacker
- The perspective of a potentially rogue internal attacker from a corporate network into the production environment
- Mobile code
- Social engineering and the risk that administrative users could fall victim to a phishing attack providing their credentials and access into the environment.
All of that is laid out in guidance that that's been put forth by the FedRAMP PMO and the minimum set of requirements that they want to see in a FedRAMP penetration test. And again, on our website, we've further expounded upon that and provided you with additional detail and guidance to help you out. So we talked about FedRAMP penetration testing is a 6-vector test that has to be performed by a 3PAO. Contact us on our website today and we'd be happy to talk through more detail about what that process looks like, the individual vectors, and how that would apply to you.
About the AuthorMore Content by Douglas Barbin