DRAFT
FedRAMP Penetration Test Guidance
access is gained through external breach or if the engagement is to begin with an assumed
breach approach.
● Phase II – Reconnaissance and Threat Modeling: Research and gather as much information as
possible about the target with the underlying objectives in mind. This may include identifying IP
ranges, domain names, and employee details. Identify potential threats and assess the level of
risk associated with the identified assets. Engagement can be constructed to model TTPs of
known threat actors by utilizing the MITRE ATT&CK framework.
● Phase III – Initial Access: Leverage identified data and vulnerabilities to exploit systems or
people to gain initial access. This can be achieved through various techniques such as social
engineering, physical attacks, or vulnerability exploitation on the external attack surface.
● Phase IV – Establish Persistence: Once the initial foothold has been established, actions will be
taken to maintain access, such as setting up backdoors, creating new accounts, and leveraging
Command and Control (C2) frameworks.
● Phase V – Escalation/Lateral Movement: Escalate privileges and move laterally within the
organization, using defense evasion techniques, to achieve the defined objectives. This could include
further vulnerability exploitation, password cracking, access to credential stores, and/or social
engineering.
● Phase VI – Data Exfiltration: Discover, collect, and exfiltrate target data.
● Phase VII – Reporting and Debrief: Present a detailed report of the findings, which includes an
executive summary, detailed findings, control successes and failures, and recommendations for
improvement.
The FedRAMP Penetration Test against the CSP/CSO is distinctly different from a Red Team exercise.
However, Red Team exercises can be performed by the 3PAO, a separate third party (non-3PAO), or
internally if the CSP has the capability and appropriate skill sets. It should be noted that Red Teaming is
an enterprise-focused activity: it is not solely focused on the CSO, but on the CSP as a whole and its ability
to detect, defend against, and respond to an attack. The results provide a framework that a CSP can use for
continuous improvement. The exercise shall be modeled on the MITRE ATT&CK framework (which most
continuous improvement. The exercise shall be modeled on the MITRE ATT&CK framework (which most
of the above Red Team activities are built upon), and the assessment organization shall leverage the
CSP’s threat intelligence avenues to establish agreed upon objectives of the Red Team engagement.
Deliverables
The organization performing the Red Team exercise is responsible for creating a Red Team Test Plan
(RTTP), executing the test, and documenting the results in a Red Team Test Report (RTTR).
The RTTP shall describe the scope, methodology for the test, activities slated to be performed, schedule
of testing activities, organizational resources performing the test, and appropriate authorizations from
the CSP.
The RTTR shall summarize the results of the test, annotate any findings from the test, assign a risk
rating to each finding from the test, and provide associated recommendations for remediation.