The Inner Circle


FedRAMP Penetration Test Guidance

  • 1.  FedRAMP Penetration Test Guidance

    Posted Mar 16, 2024 12:03:00 PM

    Hi All,

    FedRAMP just published FedRAMP Penetration Test Guidance

    The purpose of this document is to provide requirements for organizations planning to conduct a FedRAMP penetration test, as well as the associated attack vectors and overall reporting requirements. A penetration test is a proactive and authorized exercise to break through the security of an IT system. The main objective of a penetration test is to identify exploitable security weaknesses in an information system. These vulnerabilities may include service and application flaws, insecure configurations, improper role-based privilege assignments, and risky end-user behavior. A penetration test may also evaluate an organization's security policy compliance, its employees' security awareness, and the organization's ability to identify and respond to security incidents. Threat actors work diligently to bypass initial system defenses. Penetration testing ensures that the depth of defense goes beyond initial compromise and/or takes into account things like proper coding practices being followed. Zero Trust Protection mechanisms should be defined as part of the system boundary and are better addressed and included in the SSP front matter discussions.
    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
    ------------------------------