What to Expect from Your FedRAMP Penetration Test

If you want to sell your cloud computing services to the federal government, you need to go through a FedRAMP assessment. Part of that FedRAMP assessment is a penetration test, and a very robust one. Let's talk about what that looks like.

I'm Doug Barbin, managing principal and chief growth officer at Schellman. We've had the privilege of being a FedRAMP third party assessment organization, or 3PAO, for almost 10 years, which is the length of time the program has been in existence.

Penetration testing is an area of security testing and evaluation that has broad implications across multiple compliance requirements, whether you're handling credit card data or you're performing any sort of sensitive exchange of information for financial systems. Penetration testing has been a robust requirement for most compliance domains, as well as for risk management and security posture in general.

For FedRAMP, there are very specific requirements as to what you need to do from a penetration testing perspective. First and foremost, you do have to use a third party assessment organization, or 3PAO, like Schellman. You have to use an authorized company to perform the penetration test. It's not like some of the other standards where you can go out, get a non-accredited provider to do your penetration test, and then the auditor relies on or looks at those reports. In the case of Schellman, when we're doing our FedRAMP assessment services, we are doing the penetration testing as part of that assessment.

In addition, the FedRAMP guidance lays out six different attack vectors that need to be covered in a penetration test for a FedRAMP assessment. I'm not going to cover all of those in detail. I'll point you towards our website, where we've got very rich information that talks about the six different attack vectors. But at a high level, you're looking at:

  1. External to the web application
  2. The perspective of an external attacker
  3. The perspective of a potentially rogue internal attacker from a corporate network into the production environment
  4. Applications
  5. Mobile code
  6. Social engineering and the risk that administrative users could fall victim to a phishing attack providing their credentials and access into the environment.

All of that is laid out in guidance that's been put forth by the FedRAMP PMO as the minimum set of requirements that they want to see in a FedRAMP penetration test. And again, on our website, we've further expounded upon that and provided you with additional detail and guidance to help you out. So, as we discussed, FedRAMP penetration testing is a six-vector test that has to be performed by a 3PAO. Contact us on our website today and we'd be happy to talk through more detail about what that process looks like, the individual vectors, and how that would apply to you.

About the Author

Douglas Barbin

As Chief Growth Officer and firmwide Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.
