FedRAMP Pentesting Requirements

FedRAMP Pentesting Requirements

If you’re doing business in the cloud, odds are you know a thing or two about compliance maintenance. This article highlights The Federal Risk and Authorization Management Program FedRAMP Pentesting Requirements and explains how this certification stands out from the rest by not being another just another check here for compliance standard.

FedRAMP Pentesting Requirements: FedRAMP SUMMARIZED

So, what is FedRAMP?

“It’s a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”

FedRAMP is not compliance adherence. Certification is earned by an ongoing program focused solely around security. This security-centric design allows anyone who’s using it to be able to pull security events at any given time. This is otherwise known as .  With this, a company gains a faster response time to the events, as well as maintaining better historical records of occurrences. For the FedRAMP Pentesting Requirements, FedRAMP also requires offensive testing (pen-testing) to be performed on applications existing on cloud architecture.

By making that a prerequisite for certification, FedRAMP provides preventative measures toward ensuring unknowns are known, risks are reduced, and a more secure cyber presence for the user, and the internet at large. Having continuous monitoring in place, an organization gains corresponding insight into any hypothetical event over a given time, provides alerting, and greatly aids data forensics.

As with any penetration test scope is defined just as with when testing for FedRAMP certification. To define this, scope identifies the technologies being used are:

  • Web Applications
  • Application Program Interfaces
  • Mobile Applications
  • Network Testing
  • Simulated Internal
  • Social Engineering

Outlining the route that could potentially compromise one of these technologies is known as an attack vector. Understanding attack vectors give insight into the impact of an impending event. FedRAMP Pentesting Requirements has developed risk scenarios for you or third-party assessment organizations to consider while scoping a penetration test. These scenarios are focused on risk and will aid your companies decision making.

All relationships between events are trust-based:

  • External to Corporate– External Untrusted to Internal Untrusted

In this scenario, an internet attack is attempting to gain useful information or access the target cloud system through an external corporate network owned and operated by the CSP.

  • External to Target System – External Untrusted to External Trusted

An internet-based attack as an un-credentialed third party attempting to gain unauthorized access to the target system.

  • Target System to CSP  Management System – External Trusted to Internal Trusted

An external attack as a credentialed system user attempting to access the CSP management system or infrastructure.

  • Tenant to Tenant – External Trusted to  External Trusted

An external attack as a credentialed system user attempting to access the CSP management system or infrastructure.

  • Corporate to CSP Management System – Internal Untrusted to Internal Trusted

An internal attack attempting to access the target management system from a system with an identified or simulated security weakness on the CSP corporate network that mimics a  malicious device

  • Mobile Application – External Untrusted to External Trusted

An attack that emulates a mobile application user attempting to access the CSP target system or the CSP’s target system’s mobile application.

Pentest Scoping

For FedRAMP Pentesting Requirements, potential risks found through identifying attack vectors are used to define the scope of your pentest.  By playing-out different scenarios, you are able to identify risks associated with the different services. Through testing weakness, you are providing assurance to your company, through actionable results. The need to understand these attack vectors is critical because they ensure the correct scope is defined, which leads to a better test, providing comprehensive information into the current state, aids in making future more secure decisions which leads to an overall better cybersecurity investment.

Once scope has been defined the penetration test starts. The auditor will begin with discovering information regarding your application, its behaviors, and fingerprinting technologies involved. The discovery process should be the longest phase of the pentest. By taking the needed time to discover as much information as possible the tester is able to formulate a more effective and impactful result. When an auditor determines the operating system of an in-scope technology, they’re also able to see if there is already an existing exploit for your systems.

Many times old codes are tossed into a cloud environment with existing unknown exploits and this could be the trigger for a systematic compromise. The proper discovery must be performed in order to obtain this information from a black-box perspective. Forms within an application where data is passed, most commonly where users log-in, or submit an email for a password reset. These can potentially be abused to disclose error messages, or perhaps enumerate existing users.

Does an administrative user exist, and can the account be accessed? Information obtained during this critical phase of the test are well documented and stand as a base for the duration of the test. The tester must understand the boundaries within the environment they are working. Which ports remain open? While the application is communicating is information being securely transmitted?  Lastly, can the cryptography used be subverted?

An auditor studies how applications communicate, and to what exactly they communicate. The tester will check to see how the application communicates with the database and if it’s able to be accessed directly. The tester notates information which may be inadvertently disclosed by systems such as server headers or error messages. This information is useful because the penetration tester will match systems to any potential known vulnerabilities. During the discovery phase, the penetration tester will perform scans, not only to further fingerprint systems but also to aid in finding potential vulnerabilities that lurk within.

Exploitation Phase

When the penetration tester feels they’ve acquired enough information the exploitation phase of the test begins.  In the exploitation phase of the penetration test, the information obtained from the previous discovery phase is used to circumvent security controls within a given scope.  An example of this could be an error message which was provoked with a single quote pass through an input field.

This type of behavior is typical of a SQL injection, which would be validated in this phase of testing.  For instance, another would be the systems information matched for a known exploit which has a Metasploit module. In this phase, the module is run against the system in question and documenting corresponding events. While in some instances vulnerabilities can take the form of application logic, authorization, authentication, or perhaps identifying unencrypted data being stored on a device, just to name a few.

Post Exploitation Phase

The resulting information from the exploitation phase is used. This is appropriately named post-exploitation phase, where a tester then demonstrates the impact of the test’s results.  The documentation from this phase of the test is used to show actual criticality.  This phase of the test allows a creative penetration tester to demonstrate other potentially unknown vectors.  Also during this phase, the auditor will test to see if they can escalate privileges, or in any way go deeper into your applications or networks.  This action is commonly referred to as pivoting. An example would be an application compromise leads to machine compromise, then moving from that point deeper into your corporate environment.

Reporting Phase

After the post-exploitation phase of the test has been completed the audit moves into the reporting phase.  During the reporting phase, all of the data collected by the tester over the last several tests are compiled into a digestible document outlining events which took place.  The report will include scope, attack vectors, the timeline of activity, tests performed /results, findings, evidence, chained exploits, and/or access paths. From this report, your company can make informed decisions to greatly increase your overall corporate security.  These reports tell you exactly what you need to fix in order to fix vulnerabilities. Fixing vulnerabilities makes your company a more secure organization, but also provides the user with a more secure experience.


In short, FedRAMP is not compliance. The FedRAMP program is a certification enhancing your company’s ability to monitor and prevent vulnerabilities in applications today. FedRAMP focuses on understanding attack vectors, performing due diligence through penetration testing in order to validate proper controls are in place and reduces the amount of exploitable code on the internet today.   

With the added measure towards your overall security, the cost associated with FedRAMP is greater and does require an annual pentest to maintain the certification. By neglecting to understand and embrace FedRAMP your company is not moving fiscally forward. FedRAMP certification is required in order to do business with the federal government today, and the days moving forward.
Check out the new article on How you can Pentest your Vendor?.

Ignyte Assurance Platform gives you the power needed to easily manage all of your compliance needs by visually assuring you each step of the way!  We are able to ingest your security testing output from penetration testing, scan data and much more to graph your compliance progress. Contact us today to schedule a demo!
Take a look at Ignyte FedRAMP Datasheet.

Stay up to date with everything Ignyte