FedRAMP updated penetration testing guidelines

FedRAMP Penetration Testing Guidelines

The Federal Risk and Authorization Management Program (FedRAMP) has updated its guidelines on standardized penetration testing methodologies to provide more robust techniques for testing systems for security weaknesses. With these updates, not only Cloud Service Providers (CSPs), but also Third-Party Assessment Organizations (3PAOs) and authorizing officials (AOs) can reference these guidelines for evaluation purposes.

Based on input from industry experts, the changes focus on preventing evolving threats in an effort to not only further streamline the integrity and quality of the system, but also to elevate the standards of testing and associated documentation.  

The Penetration Testing updates include:  

  • Phishing campaign guidance
  • Relaxed security protections to support external testing
  • Renamed and updated threat models  
  • Elimination of staged environments; all testing is completed in a production environment
  • Internal and external attack vectors are merged
  • Added legal guidance requiring consideration of the legal ramifications of performing penetration testing as a service offering

The Penetration Test plan must now include all aspects of the system that are to be assessed in order to define the appropriate boundaries against attack vectors. This allows the appropriate testing methods to be applied and outlying attack vectors to be addressed. FedRAMP also clearly establishes the threat models used during penetration testing to ensure potential risks are properly evaluated.

The categories include:

  • Internet based (Untrusted)  
  • CSP Corporate (Untrusted and Trusted)
  • Internal Threat (Untrusted and Trusted)

If additional threat models are needed, 3PAOs must determine what is required and a CSP must approve the recommendation prior to testing.

Mandatory Attack Vectors

An attack vector is a path or means by which an attacker gains unauthorized system access to launch a cyber-attack. These types of attacks weaken the system’s integrity and security, which can then be exploited for the retrieval of data and personal information. Attack vectors include, but are not limited to, malware, pop-ups, viruses, instant messages, and email attachments. To ensure that the penetration testing requirements are met, FedRAMP updated the list of attack vectors using MITRE’s ATT&CK knowledge base as a resource, which provides more information for creating detailed operational test procedures.

When conducting a penetration test, the reliability of a system’s security capabilities is determined by the testing techniques employed to identify and evaluate the vulnerabilities caused by attack vectors. Due to shared attributes, a list of mandatory attack vectors was created that applies to all authorized systems:

Attack Vector 1: External to Corporate – requires the execution of a social engineering (phishing) attack against a CSP’s system administrators and managing personnel. Details of a test sampling must be documented in the Rules of Engagement (ROE). In addition, for email phishing, originating IPs and domains of the attackers will be permitted on the protection systems to test for user compliance. These campaigns are coordinated between the 3PAO and CSP and must be customized to define the boundaries, applications, personnel, networks, and devices to be considered in-scope. The landing pages should notify affected CSP personnel and provide information regarding the identification of phishing attacks. Metrics are based on the Common Vulnerability Scoring System (CVSS) and 3PAO justification.

Attack Vector 2: External to CSP Target System – tests for vulnerabilities from a myriad of threats, including external online-based, internal, unintentional, and intentional threats, as well as those due to a lack of proper customer access controls.

Attack Vector 3: Tenant to CSP Management System – simulates vulnerabilities from untrusted and trusted internal threats that originate from network, application, or abuse of system services. Application tests are conducted that attempt to access CSP management systems through flaws, misconfiguration, or abuse.

Attack Vector 4: Tenant-to-Tenant – simulates and tests vulnerabilities from untrusted and trusted internal threats that originate from ransomware spread from government and multi-organization access to the authorized system. A full application test is conducted using provisional access of one tenant to compromise another tenant. Environments are required to test all aspects of the service provided. Access to the cloud service offering mirrors the methods used by system customers.

Attack Vector 5: Mobile Application to Target System – consists of emulating a mobile application user attempting to access a CSP target system or CSP management system. This attack vector is tested on a mobile device and does not directly impact the CSP system or infrastructure.  

Attack Vector 6: Client-side Application and/or Agents to Target System – client-side components must be included in the CSP's authorization boundary and tested as part of a CSP's system boundary security assessment if the components are essential for their customer's use of their CSO. Client-side applications or components may include software applications, servers, appliances, browser extensions, clients, and agents.

Adequately scoping the Penetration Test

The scope of the penetration test is defined by the identified risks from the attack vectors. Components are labeled as in or out of scope and then authorized as boundaries of a CSP penetration test. The testing process is outlined in FedRAMP’s System Security Plan (SSP) baseline templates for high, moderate, and low categorizations. It consists of five phases: Scoping, Discovery, Exploitation, Post-Exploitation, and Reporting.

An important change in the FedRAMP guidelines is the suggestion to consider the legal ramifications of penetration testing activities for third-party environments. Assets are required to be included in the scope of testing and confined to the established boundaries to adhere to permissible agreements and limit legal liability.  

Rules of Engagement (ROE)

The ROE describes all elements of the penetration test plan, including the systems, scope, constraints, methodologies, detailed schedules, and notifications. An important addition is the statement from NIST SP 800-115, Section 7, which says, “appropriate personnel such as the CIO, CISO, and ISSO are informed of any critical high-impact vulnerabilities as soon as they are discovered.” FedRAMP requires that the ROE contain this clause and include all required stakeholders.


While navigating through the FedRAMP penetration guidelines can be confusing, MindPoint Group’s experienced FedRAMP 3PAO team can help guide CSPs through the updated process. Our experts possess a deep understanding of all aspects of cloud service security, compliance, and risk management. We pride ourselves on the experience gained through the success of our previous engagements and continually assist our customers to detect and reduce risks to assure they maintain their FedRAMP approved status.

If you’d like to learn more about FedRAMP’s Penetration Testing Guidelines, reach out to the experts at MindPoint Group.


  • Kory Ponting - SME
  • Chanel Bernard - Editor
  • Mack Sutton - Graphic Design
