About This Document
The purpose of this document is to provide requirements for organizations planning to conduct a FedRAMP penetration test, as well as the associated attack vectors and overall reporting requirements.
A penetration test is a proactive and authorized exercise to break through the security of an IT system. The main objective of a penetration test is to identify exploitable security weaknesses in an information system.
These vulnerabilities may include service and application flaws, insecure configurations, improper role-based privilege assignments, and risky end-user behavior. A penetration test may also evaluate an organization’s security policy compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security incidents. Threat actors work diligently to bypass initial system defenses. Penetration testing verifies that defense in depth extends beyond the point of initial compromise and that practices such as secure coding are actually being followed.
Zero Trust protection mechanisms should be defined as part of the system boundary; they are better addressed and documented in the System Security Plan (SSP) front matter.
This document uses the term authorizing official (AO). For systems with a Joint Authorization Board (JAB) provisional authorization to operate (P-ATO), AO refers primarily to the JAB unless this document explicitly says agency AO. For systems with a FedRAMP Agency authorization to operate (ATO), AO refers to each leveraging agency’s AO.