FedRAMP PENETRATION TEST GUIDANCE


FedRAMP PENETRATION TEST GUIDANCE
Version 2.0
November 24, 2017

DOCUMENT REVISION HISTORY

DATE | VERSION | PAGE(S) | DESCRIPTION | AUTHOR
2015 | 1.0 | All | First Release | FedRAMP PMO
07/06/2015 | 1.0.1 | All | Minor corrections and edits | FedRAMP PMO
06/06/2017 | 1.0.1 | Cover | Updated FedRAMP logo | FedRAMP PMO
11/24/2017 | 2.0 | All | Updated to the new template | FedRAMP PMO

ABOUT THIS DOCUMENT

The purpose of this document is to provide guidelines for organizations regarding planning and conducting Penetration Testing and analyzing and reporting on the findings.

A Penetration Test is a proactive and authorized exercise to break through the security of an IT system. The main objective of a Penetration Test is to identify exploitable security weaknesses in an information system. These vulnerabilities may include service and application flaws, improper configurations, and risky end-user behavior. A Penetration Test also may evaluate an organization's security policy compliance, its employees' security awareness, and the organization's ability to identify and respond to security incidents.

WHO SHOULD USE THIS DOCUMENT

The following individuals should read this document:

§ Cloud Service Providers (CSP) should use this document when preparing to perform a Penetration Test on their cloud system
§ Third Party Assessor Organizations (3PAO) should use this document when planning, executing, and reporting on Penetration Testing activities
§ Authorizing Officials (AO) should use this document when developing and evaluating Penetration Test plans.

HOW THIS DOCUMENT IS ORGANIZED

This document is divided into the following primary sections and appendices:

Table 1: Document Section Table

SECTION | CONTENTS
Section 1 | Document Scope
Section 2 | Definitions and Assumptions
Section 3 | Attack Vectors
Section 4 | Scoping The Penetration Test
Section 5 | Penetration Test Methodology and Requirements
Section 6 | Reporting
Section 7 | Test Schedule Requirements
Section 8 | 3PAO Staffing Requirements
Appendix A | Table of acronyms used in this document
Appendix B | References
Appendix C | Rules of Engagement/Test Plan

HOW TO CONTACT US

Questions about FedRAMP or this document should be directed to info@fedramp.gov.

For more information about FedRAMP, visit the website at http://www.fedramp.gov.

TABLE OF CONTENTS

DOCUMENT REVISION HISTORY
1. SCOPE
2. DEFINITIONS & THREATS
   2.1. DEFINITIONS
   2.2. THREAT MODELS
   2.3. THREAT MODELING
3. ATTACK VECTORS
   3.1. EXTERNAL TO CORPORATE – EXTERNAL UNTRUSTED TO INTERNAL UNTRUSTED
   3.2. EXTERNAL TO TARGET SYSTEM – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED
   3.3. TARGET SYSTEM TO CSP MANAGEMENT SYSTEM – EXTERNAL TRUSTED TO INTERNAL TRUSTED
   3.4. TENANT TO TENANT – EXTERNAL TRUSTED TO EXTERNAL TRUSTED
   3.5. CORPORATE TO CSP MANAGEMENT SYSTEM – INTERNAL UNTRUSTED TO INTERNAL TRUSTED
   3.6. MOBILE APPLICATION – EXTERNAL UNTRUSTED TO EXTERNAL TRUSTED
4. SCOPING THE PENETRATION TEST
5. PENETRATION TEST METHODOLOGY AND REQUIREMENTS
   INFORMATION GATHERING & DISCOVERY
      WEB APPLICATION/API TESTING INFORMATION GATHERING/DISCOVERY
      MOBILE APPLICATION INFORMATION GATHERING/DISCOVERY
      NETWORK INFORMATION GATHERING/DISCOVERY
      SOCIAL ENGINEERING INFORMATION GATHERING/DISCOVERY
      SIMULATED INTERNAL ATTACK INFORMATION GATHERING/DISCOVERY
   EXPLOITATION
      WEB APPLICATION/API EXPLOITATION
      MOBILE APPLICATION EXPLOITATION
      NETWORK EXPLOITATION
      SOCIAL ENGINEERING EXPLOITATION
      SIMULATED INTERNAL ATTACK EXPLOITATION
   POST-EXPLOITATION
      WEB APPLICATION/API POST-EXPLOITATION
      MOBILE APPLICATION POST-EXPLOITATION
      NETWORK POST-EXPLOITATION
      SOCIAL ENGINEERING POST-EXPLOITATION
      SIMULATED INTERNAL ATTACK POST-EXPLOITATION
6. REPORTING
   6.1. SCOPE OF TARGET SYSTEM
   6.2. ATTACK VECTORS ADDRESSED DURING THE PENETRATION TEST
   6.3. TIMELINE FOR ASSESSMENT ACTIVITY
   6.4. ACTUAL TESTS PERFORMED AND RESULTS
   6.5. FINDINGS AND EVIDENCE
   6.6. ACCESS PATHS
7. TESTING SCHEDULE REQUIREMENTS
8. THIRD PARTY ASSESSMENT ORGANIZATION (3PAO) STAFFING REQUIREMENTS
APPENDIX A: FEDRAMP ACRONYMS
APPENDIX B: REFERENCES
APPENDIX C: ROE/TEST PLAN TEMPLATE
   RULES OF ENGAGEMENT/TEST PLAN
   SYSTEM SCOPE
   ASSUMPTIONS AND LIMITATIONS
   TESTING SCHEDULE
   TESTING METHODOLOGY
   RELEVANT PERSONNEL
   INCIDENT RESPONSE PROCEDURES
   EVIDENCE HANDLING PROCEDURES

LIST OF FIGURES

Figure 1. Sample Target System
Figure 2. External to Corporate Attack Vector
Figure 3. External to Target System Attack Vector
Figure 4. Target System to CSP Management System
Figure 5. Tenant to Tenant Attack Vector
Figure 6. Corporate to CSP Management System Attack Vector

LIST OF TABLES

Table 1 – Document Section Table
Table 2 – Cloud Service Classification
Table 3 – Types of Attacks
Table 4 – Attack Vector Summary
Table 5 – Discovery Activities
Table 6 – Mobile Application Information Gathering/Discovery
Table 7 – Network Information Gathering/Discovery
Table 8 – Social Engineering Information Gathering/Discovery
Table 9 – Simulated Internal Attack Gathering/Discovery
Table 10 – Web Application/API Exploitation
Table 11 – Mobile Application Exploitation
Table 12 – Network Exploitation
Table 13 – Social Engineering Exploitation
Table 14 – Simulated Internal Attack Exploitation
Table 15 – Post-Exploitation
Table 16 – Web Application/API Post-Exploitation
Table 17 – Network Post-Exploitation
Table 18 – 3PAO Staffing Requirements

1. SCOPE

The Federal Risk and Authorization Management Program (FedRAMP) requires that Penetration Testing be conducted in compliance with the following guidance:

§ NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, September 2008
§ NIST SP 800-145 The NIST Definition of Cloud Computing, September 2011
§ NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, April 2013, with updates as of January 2015
§ NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, Revision 4, December 2014

FedRAMP also requires that CSP products and solutions (cloud service) undergoing a FedRAMP assessment and Penetration Test must be classified as a SaaS, PaaS, or IaaS. In some scenarios, it may be appropriate to apply multiple designations to a cloud service. Table 2 below shows the definitions of these three service types.

Table 2 – Cloud Service Classification

CLOUD SERVICE MODEL | NIST DESCRIPTION
Software as a Service (SaaS) | The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin-client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS) | The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Infrastructure as a Service (IaaS) | The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

All components, associated services, and access paths (internal/external) within the defined test boundary of the CSP system must be scoped and assessed. The Rules of Engagement (ROE) must identify and define the appropriate testing method(s) and techniques associated with exploitation of the relevant devices and/or services.

Penetration Testing may require:

§ Negotiation and agreement with third parties such as Internet Service Providers (ISP), Managed Security Service Providers (MSSP), facility leaseholders, hosting services, and/or other organizations involved in, or affected by, the test. In such scenarios, the CSP is responsible for coordination and obtaining approvals from third parties prior to the commencement of testing.
§ To limit impact on business operations, complete or partial testing may be conducted in a non-production environment as long as it is identical to the production environment and has been validated by the 3PAO. For instance, if a CSP has two identical locations, a Penetration Test on one location may suffice. In this case, the environments must be exactly the same, not almost, nearly, or virtually.
§ When the cloud system has multiple tenants, the CSP must build a temporary tenant environment if another tenant environment suitable for testing does not exist.

The Penetration Test plan must include actual testing of all the attack vectors described in Section 3 below or explain why a particular vector was not applicable. The Independent Assessors (IA) may include additional attack vectors they believe are appropriate. See Appendix C: ROE/Test Plan Template for more information regarding test plans.

2. DEFINITIONS & THREATS

To establish a baseline and context for FedRAMP Penetration Testing, the following terms are used to describe proposed cloud services.

2.1. DEFINITIONS

The following is a list of definitions for this document.

§ Corporate – Internal CSP network access outside the authorization boundary.
§ Insider Threat – A threat that is posed by an employee or a third party acting on behalf of the CSP.
§ Management System – A backend application or infrastructure setup that facilitates administrative access to the cloud service. The Management System is accessible only by CSP personnel.

§ Roles – Access levels and privileges of a user.
§ System – The cloud service that is offered to government customers.
§ Target – The application or cloud service that will be evaluated during the Penetration Test.
§ Tenant – A customer instance of the cloud service.

2.2. THREAT MODELS

For FedRAMP threat models with multiple tenants, the CSP must build a temporary tenant environment if another tenant environment suitable for testing does not exist.

The Penetration Test plan must include:

§ A description of the approach, constraints, and methodologies for each planned attack
§ A detailed Test Schedule that specifies the Start and End Date/Times and content of each test period and the overall Penetration Test beginning and end dates
§ Technical Points of Contact (POC) with a backup for each subsystem and/or application that may be included in the Penetration Test

The Penetration Test Rules of Engagement (ROE) describes the target systems, scope, constraints, and proper notifications and disclosures of the Penetration Test. The IA develops the ROE based on the parameters provided by the CSP. The ROE must be developed in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-115, Appendix B, and be approved by the authorizing officials of the CSP prior to testing. See Section 6, Rules of Engagement, of the FedRAMP Security Assessment Plan Template for more information on the ROE. The IA must include a copy of the ROE in the FedRAMP Security Assessment Plan submitted to FedRAMP.

The ROE should also include:

§ Local Computer Incident Response Team or capability and their requirements for exercising the Penetration Test
§ Physical Penetration Constraints
§ Acceptable Social Engineering Pretext(s)
§ A summary and reference to any Third Party agreements, including Points of Contact (POC) for Third Parties that may be affected by the Penetration Test

2.3. THREAT MODELING

The IA must ensure the Penetration Test is appropriate for the size and complexity of the cloud system and takes into account the most critical security risks. The IA must perform the Penetration Test in accordance with industry best practices and standards. Typical goals for Penetration Testing include:

§ Gaining access to sensitive information
§ Circumventing access controls and privilege escalation
§ Exploiting vulnera
