
FedRAMP releases framework for cloud security assessments

The Federal Risk and Authorization Management Program has released a document detailing what third-party assessment organizations will have to test before cloud service providers are approved for government use.

The Federal Risk and Authorization Management Program has released a document detailing what third-party assessment organizations will have to test before cloud service providers can be approved for government use.

Released Tuesday, the FedRAMP Penetration Test Guidance lays out how to test IT systems for security weaknesses, and how to gauge compliance with guidelines, employees’ security awareness and their response to security incidents.

The test guidance builds on various NIST security frameworks, breaking down how assessment organizations should test each type of cloud — software-as-a-service, platform-as-a-service, infrastructure-as-a-service — for vulnerabilities that could be exploited, otherwise known as “attack vectors.”


The document also goes over the methodology behind various security tests — including tests of web and mobile applications and of APIs (application programming interfaces) — along with simulated internal attack vectors.

All cloud service providers must complete the penetration test before FedRAMP gives them the authority to operate. Also, FedRAMP requires that all approved cloud service providers go through a penetration test at least once a year.

The testing is just one part of the FedRAMP approval process, which often has additional layers of security depending on the agency that’s interested in using the cloud offering.

Read the full guidance below.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.