FedRAMP and Penetration Testing Requirements in 2023

fedramp penetration testing featured

Penetration tests sometimes seem like an extreme measure that ultra-secure companies take to fend off the most formidable threats. However, any company wanting to get serious about cybersecurity and compliance will sometimes run against the practice. This is similar to when working with the federal government. Here, we’ll discuss FedRAMP and penetration testing requirements.


Penetration Testing and FedRAMP

Penetration testing is an established and proactive form of security assessment that involves a security firm actively attempting to breach critical IT systems to demonstrate vulnerabilities and flaws.

Unlike vulnerability scans, which are passive assessments of surface-level security issues, a pen test utilizes creative attacks to determine if there are flaws within a cybersecurity system. Because penetration tests are actively executed to breach the infrastructure, they can often surface security issues as part of the complex interaction between people, technologies, and organizations. 

Under FedRAMP regulations, cloud service providers must undergo penetration tests as part of their authorization. These tests are conducted by their 3PAO, who must compile results from the test and report them to the CSPs partner agency and the Project Management Office (PMO).

A 3PAO certified to conduct FedRAMP-compliant penetration tests must have an industry-recognized credential demonstrating their proficiency in pen testing alongside their officially-designated security experience designated in R311, “Specific Requirements: Federal Risk and Authorization Management Program.”

The CSP must undergo a penetration test no earlier than six months before their authorization date and once every 12 months during the continuous monitoring phase. 


What Are the Requirements for FedRAMP Penetration Testing?

fedramp penetration testing

The best practices of penetration testing remain relatively intact, and in the larger sense, there is an understanding that, as modern threats emerge, modern penetration testing methodologies will also evolve. 

Instead, FedRAMP guidelines provide the baseline requirements for an acceptable penetration test. These requirements are broken down into a few different categories:


Threat Models

The FedRAMP program broadly defines three threat model categories to align with modern hacking techniques. These include:

  • Internet-Based: Internet-based threats include those that come from the outside but potentially connect to the CSP’s cloud infrastructure via a network connection. These can include network attacks, user-level attacks, attacks against applications, or email phishing attacks.
  • CSP Corporate: Corporate threats are those tied to the business operations of the CSP and may include corporate insider threats, breaches of CSP management, support or enclave systems, or ransomware spread from a corporate location.
  • Internal Threats: Internal threat models come from inside the system but not necessarily from the CSP. These include weak permissions on cloud resources, multi-organizational access to designated secure systems, or ransomware coming from government systems.


Attack Models

Attack models refer to the different techniques that hackers may use to compromise a system. What’s important to note is that “techniques” aren’t singular but rather a collection of approaches and attacks that merge to potentially open vulnerabilities. And generally fall under two categories:

  • Enterprise: Enterprise attack models may include a collection of strategies and approaches that engage with the organization’s IT infrastructure from the web or direct attack and have the 3PAO’s ability to perform reconnaissance, escalate privileges, infiltrate and exfiltrate, evade detection, and propagate and persist within a given system.
  • Mobile: Mobile attack models follow most of the same attacks as an enterprise model but address those specific to mobile devices like phones, tablets, remote workstations, IoT systems, etc.).


Attack Vectors

Attack vectors are hackers’ routes to attack different software or cloud infrastructure. While there are hundreds of different attack vectors (depending on the architecture in place), FedRAMP emphasizes six categories as representing the commonalities found in different service offerings.

These attack vectors include:

  • External to Corporate: This attack vector refers to using external social engineering techniques to gain access to a cloud system. To conduct a penetration test against this vector, the 3PAO will launch phishing attacks with emails, the templates of which must be recorded and approved. Additionally, the 3PAO is authorized to launch both credentialed and non-credentialed attacks to determine if they can run untrusted scripts on the CSP’s machines.
  • External to CSP Target System: This attack vector emphasizes vulnerabilities that could be leveraged by untrusted, Internet-based attacks–what we might typically think of as “hacking.” This category can also include insider or unintentional threats that could open a system to outside attack. FedRAMP expects that these systems are not only well-protected by also categorized based on risk assessments and segmented to prevent expansive attacks.
  • Tenant to CSP Management System: Since FedRAMP governs providers for the government, it requires that the 3PAO penetration tests assess the security between the CSP’s internal IT infrastructure and the tenant systems they manage. This penetration test will focus on using vulnerabilities in applications, administration consoles, or management systems to try and gain access to the CSP “management zone” and, from there, into the CSP’s overall infrastructure.
  • Tenant-to-Tenant: If a hacker can compromise a CSP system by breaking through permissions and administrative controls, they can also do so between two cloud tenants. In multi-tenant cloud systems. 3PAOs are expected to be able to test against two offering instances representing two distinct clients.
  • Mobile App to Target System: The 3PAO must be able, should it exist, to model and launch attacks from different mobile devices and operating systems to determine security against threats. 
  • Client-Side Applications or Agents to Target System: If hybrid cloud systems or local and cloud infrastructures involve the provider installing local components, then the 3PAO must test those components and the connections. 

These attack vectors should always be part of a penetration test unless they fall out of scope. For example, if an offering doesn’t include mobile or mobile app access, there is no need to conduct the test. 


Rules of Engagement

Since all penetration tests require cooperation between the provider and the 3PAO, there must be some rules in place to define the boundaries of the test, what will be tested, the approaches and constraints used, and who needs to know. 



Regardless of the outcome, the 3PAO must compile and provide a report on the test results. This report must include the scope of the tests and target systems, the attack vectors assessed, the timeline of the test, the results, and the findings of the 3PAO. This report must also be included in the provider’s authorization package. 


FedRAMP Authorization and Penetration Testing Start with Lazarus Alliance

When preparing for FedRAMP, there are no corners to cut or shortcuts. The government expects the best and serves you to work with the best. We are a FedRAMP 3PAO with the experience and skills necessary to move you through your authorization journey, including conducting these key penetration tests. It takes serious attention to detail to pull off a successful and effective penetration test, and Lazarus Alliance is here to work with you every step of the way. 


Lazarus Alliance