Government Cloud Security Tackles Penetration Testing

Published: July 15, 2015

Tags: Cloud Computing, DOC, Cybersecurity, Digital Government, GSA

Penetration testing has been part of requirements for cloud security assessments, but, until recently, government and industry lacked detailed guidance on how these tests should be conducted.

The National Institute of Standards and Technology hosted its eighth workshop on cloud computing from July 7-10, 2015. The final day of the event focused on cloud customers, namely industry and governments. In her keynote address, Dawn Leaf, the Department of Labor’s Chief Information Officer, noted that security concerns have “been at the forefront” of issues that agencies consider when evaluating potential migrations to cloud. Thanks in part to efforts like the Federal Risk and Authorization Management Program (FedRAMP), agencies were quickly assured that cloud environments are no less secure than legacy operations; they’re just different.

As we’ve recently explored, the rising number of authorizations awarded through FedRAMP highlights that agencies are putting the security assessment process to use. With nearly 70 authorizations to operate (ATO) issued, the split between federal agency and Joint Authorization Board (JAB) reviews is fairly even: 59% of ATOs are associated with FedRAMP’s Agency Review path, while 41% of ATOs have stemmed from JAB reviews.


Each of the systems associated with these authorizations is supported by a third-party assessment organization (3PAO). To date, 42 organizations have been accredited to complete assessments for the FedRAMP process. When we look at the compliant systems, the awarding of ATOs appears concentrated across a dozen systems, with a handful standing out from the group. Since these 3PAOs are responsible for providing independent security implementation testing, their duties include staying abreast of system security vulnerabilities and the technical approaches for assessing the security of cloud solutions. Indeed, increasing reports of security incidents have directed greater attention toward the issue of ensuring the security of government systems. So, any new guidance on the subject is likely to seem quite timely for vendors and authorizing organizations.


In early July 2015, the FedRAMP PMO released guidance on penetration testing for cloud services. This first iteration of detailed advice provides assessment organizations, cloud service providers, and authorizing organizations with clearer requirements for assessing the vulnerabilities of systems that house government data. The guidance offers specific requirements based on technology solutions and deployment models. The document also outlines different types of attacks and identifies six attack vectors for 3PAOs to address during penetration testing.

These threat models offer best practices to address web application and application program interface (API) testing, mobile application testing, network testing, social engineering testing, and simulated internal attack vectors. Penetration test assessment activities and results are reported as part of the Security Assessment Report (SAR) completed for cloud services as part of the FedRAMP process. The guidance outlines specific staffing requirements for 3PAOs conducting penetration testing, requiring industry-recognized certifications for team leads. In addition to completing penetration testing as part of each initial security authorization, FedRAMP requires a complete penetration test at least every twelve months, unless approved otherwise. The addition of these requirements may place some additional scrutiny on vendors providing cloud and assessment services; overall, however, they will help to improve the technical security assessments completed for cloud solutions.