If you want to sell cloud-based software to the U.S. Government, you need to be FedRAMP authorized. This is what they state in their Program Overview:
The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information.
If you are a Cloud Service Provider (CSP), the requirements are, understandably, quite stringent: the goal is to make sure no bad actors are able to get into government organizations through your service. Part of what a CSP must do to stay compliant is engage a Third Party Assessment Organization (3PAO) and let it perform a penetration test at least every 12 months.
Cloud Service Providers (CSPs) are the entities offering cloud services to the federal government; those services must be secure, reliable, and compliant with federal security standards. A CSP can offer any cloud service model, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). These providers must go through the FedRAMP authorization process to ensure their services meet the required security controls to handle government data and workloads.
FedRAMP has published a very interesting Penetration Test Guidance for CSPs and 3PAOs.
The purpose of this document is to provide requirements for organizations planning to conduct a FedRAMP penetration test, as well as the associated attack vectors and overall reporting requirements. It is recommended reading if you are required to do your own pentests for regulatory compliance.
When I came to page 6, I was pleased to read the following line:
A phishing test is a coordinated assessment between a 3PAO and CSP. The intent is to test user compliance, not email security. Users are the last line of defense and should be tested. (Emphasis mine)
I downloaded the PDF and asked ChatGPT 4o to summarize the section related to testing the users. This is what it came back with. I checked it against the original and it correctly captured the intent. Noteworthy is point 3, the Scope of Users: these are the people with the keys to the kingdom.
- Purpose of Phishing Tests: The aim is to assess user compliance and the effectiveness of security training, not merely to test email security.
- Coordination and Allow-Listing: Tests must be coordinated with CSP (Cloud Service Provider) security teams to ensure the email phish campaign is not flagged or altered by security systems, presenting a real challenge to users as it would occur in an actual attack.
- Scope of Users: All users with access to CSP management, authorized systems, applications, or support systems, especially system administrators with privileged access, are included in the scope of the phishing test.
- Execution of the Test:
  - The phishing attack involves sending emails that include the user's name, a link to a landing page, and a mechanism to track opens and interactions (such as hidden pixels).
  - Emails must contain a link that directs users to a landing page designed to collect usernames and passwords, as well as to inform them post-click that they have fallen for a phishing test. This page should also provide educational tips on spotting phishing attempts.
  - 3PAOs are authorized to coordinate with CSPs to utilize established user phishing programs to facilitate testing. 3PAOs will provide or approve email templates and landing pages used in testing. 3PAOs must either perform this attack vector themselves, or independently evaluate the effectiveness of a third party phishing campaign.
- Metrics and Reporting:
  - Metrics like the number of emails opened, links clicked, credentials entered, and the overall user response are tracked.
  - Results are evaluated based on their risk and impact using current standards like the Common Vulnerability Scoring System (CVSS) and reported without revealing individual identities.
  - Any data captured during the test is considered indicative of a test failure, and all passwords should be changed post-test.
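The execution and metrics items above describe the actual mechanics of a simulation: a per-recipient tracked link, a hidden open-tracking pixel, a credential-capture landing page that immediately turns into a teaching page, and a tally that is reported without identities. The following Python sketch is an added example of those mechanics; it is not FedRAMP's, KnowBe4's or any 3PAO's code. The user records, the hostnames (`csp.example`, `portal-login.example`), the `Campaign` class and the lure text are all constructed for illustration.

```python
"""Mechanics of a coordinated phishing simulation, as an added illustration:
per-recipient tokens, an open-tracking pixel, a tracked link, a credential
landing page that immediately becomes an education page, and an anonymized
report. Not FedRAMP's, KnowBe4's or any 3PAO's code; all names, hosts and
users below are constructed for the example."""
import base64
import secrets
from collections import defaultdict

# Constructed in-scope population: privileged CSP staff (hypothetical).
USERS = [
    {"id": "u1", "name": "Alice", "email": "alice@csp.example", "role": "sysadmin"},
    {"id": "u2", "name": "Bob", "email": "bob@csp.example", "role": "sysadmin"},
    {"id": "u3", "name": "Carol", "email": "carol@csp.example", "role": "support"},
]
STAGES = ("sent", "opened", "clicked", "submitted")

# 1x1 transparent GIF served as the hidden open-tracking pixel.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

LOGIN_FORM = ('<form method="post" action="{action}">'
              '<input name="username"><input name="password" type="password">'
              '<button>Sign in</button></form>')
EDUCATION_PAGE = ("<h1>This was an authorized phishing test.</h1>"
                  "<p>Check the sender address, hover links before clicking, "
                  "and never enter credentials from an e-mail link.</p>")


class Campaign:
    def __init__(self, base_url):
        self.base_url = base_url
        self.tokens = {}              # opaque token -> user id
        self.hits = defaultdict(set)  # stage -> set of user ids (unique users)
        self.to_reset = set()         # accounts whose passwords must be rotated

    def enroll(self, user):
        """Issue an unguessable per-recipient token so hits cannot be forged."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user["id"]
        self.hits["sent"].add(user["id"])
        return token

    def render_email(self, user, token):
        """Lure personalised with the recipient's name, a tracked link and a pixel."""
        return (f"To: {user['email']}\nSubject: Action required: MFA re-enrollment\n\n"
                f"Hi {user['name']},\n\nPlease confirm your account within 24 hours:\n"
                f"{self.base_url}/l/{token}\n\n"
                f'<img src="{self.base_url}/o/{token}.gif" width="1" height="1" alt="">')

    def handle(self, path, form=None):
        """Landing-page request handler. Returns (status, body)."""
        kind, _, rest = path.lstrip("/").partition("/")
        token = rest[:-4] if rest.endswith(".gif") else rest
        uid = self.tokens.get(token)
        if uid is None:
            return 404, ""                       # unknown or forged token: no event
        if kind == "o":                          # pixel fetched -> e-mail opened
            self.hits["opened"].add(uid)
            return 200, PIXEL_GIF
        if kind == "l":                          # link followed -> fake login page
            self.hits["clicked"].add(uid)
            return 200, LOGIN_FORM.format(action=f"{self.base_url}/s/{token}")
        if kind == "s":                          # credentials posted
            if form and form.get("password"):
                # Record only that a password was entered; the value itself is
                # never stored or logged. The account goes on the reset list.
                self.hits["submitted"].add(uid)
                self.to_reset.add(uid)
            return 200, EDUCATION_PAGE           # tell the user immediately
        return 404, ""

    def metrics(self):
        """Unique-user count and percentage of recipients for each stage."""
        sent = len(self.hits["sent"]) or 1
        return {s: (len(self.hits[s]), round(100 * len(self.hits[s]) / sent, 1))
                for s in STAGES}

    def report(self):
        """Summary for the assessment report: counts only, no identities."""
        lines = [f"{s:>9}: {n} ({pct}%)" for s, (n, pct) in self.metrics().items()]
        outcome = "FAIL" if self.hits["submitted"] else "PASS"
        lines.append(f"result: {outcome}; {len(self.to_reset)} account(s) need a password reset")
        return "\n".join(lines)


def run_demo():
    """Constructed behaviour: Alice opens, clicks and submits; Bob opens only;
    Carol ignores the mail; one forged token is rejected."""
    c = Campaign("https://portal-login.example")
    tokens = {u["id"]: c.enroll(u) for u in USERS}
    for u in USERS:
        c.render_email(u, tokens[u["id"]])     # would be handed to the mailer
    c.handle(f"/o/{tokens['u1']}.gif")
    c.handle(f"/l/{tokens['u1']}")
    c.handle(f"/s/{tokens['u1']}", {"username": "alice", "password": "hunter2"})
    c.handle(f"/o/{tokens['u2']}.gif")
    c.handle("/l/not-a-real-token")
    return c


if __name__ == "__main__":
    print(run_demo().report())
```

Two design points follow directly from the guidance. The tokens are random rather than derived from the e-mail address, so a hit cannot be fabricated or attributed to the wrong person, and any request with an unknown token is simply ignored. The submitted password is only tested for presence and is never persisted: the per-user `to_reset` set is operational data the CSP needs to force the post-test password changes, while `report()` carries counts only, which is what goes to the assessor. In a real engagement the sending domain and the landing host would also be placed on the CSP's mail-gateway allowlist beforehand, as the coordination item requires, so that the gateway does not strip the link or the pixel.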
KnowBe4 can send a phishing test that fully complies with these requirements. I highly recommend reading the most recent June 2022 FedRAMP Penetration Test Guidance [PDF]:
https://www.fedramp.gov/assets/resources/documents/CSP_Penetration_Test_Guidance.pdf
NOTE: The quality of the FedRAMP Phish test is highly dependent on the auditor, just like a penetration test or any audit. For the FedRAMP pentest, they only scope in a small set of 'fedramp admins', I think our latest test only tested 20 employees. And to be fully transparent, KnowBe4 is currently FedRAMP compliant with a Moderate Authority to Operate (ATO). Here are the key details regarding KnowBe4's FedRAMP compliance:
- FedRAMP Authorized: Since 11/14/2023
- Service Model: SaaS (Software as a Service)
- Deployment Model: Public Cloud
- Impact Level: Moderate
- Independent Assessor: Fortreum, LLC
For more detailed information, you can refer to the FedRAMP Marketplace listing for KnowBe4.