Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements.
The new guidance addresses new attack vectors targeting subsystems in IT infrastructure.
Here, we’ll cover his newest draft about new guidance standards for FedRAMP penetration testing.
NIST Guidelines for FedRAMP Penetration Testing
The guidance mandates strict adherence to standards and guidelines established by the National Institute of Standards and Technology (NIST), ensuring that Cloud Service Providers and their offerings are thoroughly assessed for security vulnerabilities. Key standards include:
- NIST SP 800-115: This document provides technical information security testing and assessment guidelines. It offers a baseline for testing procedures that ensure comprehensive vulnerability identification.
- NIST SP 800-145: This publication defines cloud computing and its service models (SaaS, PaaS, IaaS), helping to categorize CSP offerings and tailor penetration testing approaches accordingly.
- NIST SP 800-53 & SP 800-53A: These documents list security and privacy controls for federal information systems and organizations and guidelines for assessing those controls and ensuring CSPs meet federal security requirements.
The document classifies cloud services into SaaS, PaaS, and IaaS systems, each with distinct characteristics and security requirements. Penetration tests must cover all relevant components, services, and access paths within the CSP’s system boundary and consider the service model’s specific vulnerabilities and threats.
FedRAMP Penetration Testing and Mandatory Attack Vectors
FedRAMP defines attack vectors as “potential avenues of compromise that might lead to a loss or degradation of system integrity, confidentiality, or availability.”
However, the section on attack vectors notes that while there are several unique components of different vectors based on the service offering types (SaaS, IaaS, PaaS, or hybrid systems), there are commonalities that allow for the defining of mandatory attack vectors that penetration tests must assess for all authorized systems:
- External to Corporate: Evaluates the security against social engineering and phishing attacks targeting corporate personnel, including system administrators and managing staff. Penetration tests should include email phishing attacks and “non-credentialed” phishing attacks (attempting to run untrusted scripts by users that can compromise the system).
- External to CSP Target System: Assesses the vulnerabilities that external threat actors might exploit to compromise the CSP’s target system, covering both technology-based and social engineering-based attacks. Tests should include internal threat attacks and security issues related to unintentional breaches caused by negligence or accident. Tests should also include those associated with separating Internet-facing infrastructure and internal systems.
- Tenant to CSP Management System: This test determines whether a tenant can gain unauthorized access to the CSP’s management systems through misconfigurations, system design flaws, or abuse of intended functions. Penetration tests should include using privileged accounts to uncover where and how attackers can elevate privileges to undermine system and account security.
- Tenant-to-Tenant: This investigates the isolation and separation between tenants, ensuring one tenant cannot compromise another tenant’s environment or access their data. Tests will include checks on how internal accounts and systems can spread threats (like ransomware) throughout the system.
- Mobile Application to Target System: Focuses on the security of mobile applications provided by the CSP, assessing their potential to serve as an entry point for attacks against the target system.
- Client-side Application and/or Agents to Target System: This section examines client-side components, including applications, agents, or browser extensions, for vulnerabilities that could compromise the target system or access sensitive information.
Scoping a Penetration Test and Understanding Rules of Engagement
With these vectors understood, FedRAMP also defines how a 3PAO can undertake a penetration test per FedRAMP and NIST requirements. The process’s scoping ensures that the test is comprehensive and practical without breaking a target system or unintentionally exposing data.
The general rules for scoping the test are:
- Defining the Authorization Boundaries: The cloud service’s authorization boundaries are initially determined based on the System Security Plan (SSP) and accompanying documentation. The scope of the penetration test is then agreed upon, which includes reviewing individual system components to decide if they are “in-scope” or “out-of-scope” for the test. The cumulative “in-scope” components make up the system boundary for the penetration test.
- Legal and Permission Considerations: The scoping process also involves understanding the test’s legal implications, especially when third-party environments or services are involved. Testing must be confined within the agreed-upon boundaries to ensure compliance with all relevant laws and agreements. Permission to test any third-party assets must be explicitly obtained and documented.
- Third-Party Involvement: If the cloud service utilizes third-party services or components within its operational environment, these must also be considered during the scoping phase. Decisions on whether these third-party components are included in the test boundary should be based on their relevance to the cloud service’s security posture and potential impact on the service.
Furthermore, there are strict controls over the rules of engagement that include:
- Comprehensive Planning: The ROE document is a crucial part of the test plan that outlines the target systems, testing scope, methodologies, constraints, and notification requirements. It serves as a blueprint for the penetration test, detailing what will be tested, how it will be tested, and the boundaries the testers must not cross.
- Notification and Disclosure: The ROE must include provisions for notifying appropriate personnel (such as the CIO, CISO, and ISSO) of critical findings as soon as they are discovered. The FedRAMP Program Management Office (PMO) emphasizes the importance of immediate communication regarding high-impact vulnerabilities.
- Detailed Test Schedule: The ROE should specify the test schedule, including start and end times for each testing period and the overall duration of the penetration test. This scheduling ensures that all stakeholders know when testing activities will occur and can prepare accordingly.
- Technical Points of Contact (POC): Identifying POCs for each subsystem or application within the test boundary is essential. These individuals can provide technical support and guidance during the test and assist with addressing any issues.
How 3PAOs Report Test Results
A detailed and structured penetration test report is crucial for documenting the vulnerabilities discovered, the testing methods used, and the potential impact of the identified vulnerabilities. The key elements that must be included in the report are:
- Scope of Target System: This section describes the components, services, and access paths included in the penetration test and provides context for the findings.
- Attack Vectors Assessed During the Penetration Test: This section outlines which mandatory attack vectors were tested and any additional vectors considered relevant by the CSP or 3PAO. If any attack vector is deemed out of scope or not applicable, the 3PAO must explain why.
- Timeline for Assessment Activity: The report documents the specific dates and duration of the penetration testing activities, offering a timeline of the testing process.
- Actual Tests Performed and Results: This section details the tests executed, including the methodologies and tools used and reports on their results. It should provide clear insight into how the tests were conducted and their outcomes.
- Findings and Evidence: For each vulnerability or issue discovered during testing, the report must include a description, the assessed impact, recommended remediation actions, and a risk rating. Evidence supporting the findings, such as screenshots, logs, or descriptions of exploitation steps, should also be included to provide context and aid in prioritization and remediation.
- Access Paths: This section describes how different vulnerabilities could be combined or exploited in sequence to achieve unauthorized access or impact, offering insight into potential attack paths an adversary could use.
Partner With an Experienced 3PAO: Lazarus Alliance
If you’re preparing for your FedRAMP Authorization, penetration testing will be a big part of that assessment. Work with Lazarus Alliance to ensure you get the proper tests, professionally conducted, for your needs.
If you’re looking to kickstart your assessment, contact Lazarus Alliance.
- FedRAMP
- StateRAMP
- NIST 800-53
- FARS NIST 800-171
- CMMC
- SOC 1 & SOC 2
- HIPAA, HITECH, & Meaningful Use
- PCI DSS RoC & SAQ
- IRS 1075 & 4812
- ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
- NIAP Common Criteria – Lazarus Alliance Laboratories
- And dozens more!
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts