The Federal Risk and Authorization Management Program has released a document detailing what third-party assessment organizations will have to test before cloud service providers can be approved for government use.
Released Tuesday, the FedRAMP Penetration Test Guidance lays out how to test IT systems for security weaknesses, and how to gauge compliance with guidelines, employees’ security awareness and response to security incidents.
The test guidance builds on various NIST security frameworks, breaking down how assessment organizations should test each type of cloud — software-as-a-service, platform-as-a-service, infrastructure-as-a-service — for vulnerabilities that could be exploited, otherwise known as “attack vectors.”
The document also goes over the methodology behind various security tests — including tests of Web and mobile applications and of application programming interfaces (APIs) — along with simulated internal attack vectors.
All cloud service providers must complete the penetration test before FedRAMP gives them the authority to operate. Also, FedRAMP requires that all approved cloud service providers go through a penetration test at least once a year.
The testing is just one part of the FedRAMP approval process, which often has additional layers of security depending on the agency that’s interested in using the cloud offering.