Cloud service providers (CSPs) and Third Party Assessment Organizations (3PAOs) must now include social engineering and phishing attacks as part of efforts to test their systems, Federal Risk and Authorization Management Program (FedRAMP) officials said last week.
The FedRAMP Program Management Office detailed the changes in the new Penetration Test Guidance issued July 6.
“The new guidance is to give better information to 3PAOs as to what they need to include within their penetration tests and for CSPs to have a clear expectation of the level of testing they will need to complete before entering the FedRAMP process,” said Matt Goodrich, FedRAMP director. “Penetration testing requirements are worked on a case by case basis by each authorizing official, but this will create a common baseline of what is required in these penetration tests.”
Social engineering testing will include a spear phishing exercise aimed directly at CSP administrators, the guidelines state. Testers are instructed to “conduct an unannounced spear phishing exercise targeted at the CSP system administrators.”
Abel Sussman, director, technology advisory and assessment services at Coalfire, a FedRAMP third-party assessment organization, said the new requirement is warranted.
“Phishing attacks conducted as part of the FedRAMP assessment will test ‘the human factor’ of a cloud service provider and its environment as an attempt to gain access or compromise the environment,” Sussman said. “In light of all the press over the past years about data breaches and compromises, Coalfire thinks this is a good measure to put into practice.”
While the guidelines are new, the penetration testing requirement is not, Goodrich said.
“Penetration tests have always been a requirement in the FedRAMP security controls,” he explained. “They are required at the time of authorization and at least once annually.”
The new guidelines aim to ensure common standards for how those tests are performed and what they include. Among the requirements, the guidance identifies six specific attack vectors that CSPs must test:
- External to Corporate – External Untrusted to Internal Untrusted
- External to Target System – External Untrusted to External Trusted
- Target System to CSP Management System – External Trusted to Internal Trusted
- Tenant to Tenant – External Trusted to External Trusted
- Corporate to CSP Management System – Internal Untrusted to Internal Trusted
- Mobile Application – External Untrusted to External Trusted
FedRAMP also provided clear testing guidelines and steps for:
- Web Application/APIs
- Mobile Applications
- Social Engineering
- Simulated Internal Attacks
That testing must include attempts to exploit each system.
Read FedRAMP’s new guidelines on penetration testing here.