SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

The release of FedRAMP’s Revision 5 has raised many questions, including those regarding the addition of a red team exercise requirement for those seeking FedRAMP authorization. As the #1 provider of FedRAMP assessments on the Marketplace who have extensive experience in offensive security, we have insight to offer.

In this blog post, we’ll address all the big questions regarding red team assessments within the stringent framework of FedRAMP Rev. 5, including the differences from traditional penetration tests, the methodology employed, and other nuances you’ll want to know as you move forward with this new, important requirement.

Our insight is divided into three overarching sections:

 

 

Setting Up Your FedRAMP Red Team Assessment

 

How Does a Red Team Assessment Differ from a Penetration Test?

 

We wrote extensively on the differences between these two exercises, but here’s the gist:

  • A penetration test is a grey-box assessment of a specific system, application, or attack vector (e.g., internal or external network), and the organization being tested is often aware that it’s happening.
  • Meanwhile, a red team assessment is often only known to a few high-priority points of contact, as it’s intended to simulate a real-world attack as well as test your organization’s detection and response capabilities.

When you have a red team assessment performed as part of your FedRAMP compliance, the primary goal of those performing that exercise will be to identify and exploit both technical and human vulnerabilities before moving throughout the environment in an attempt to compromise the FedRAMP authorization boundary. Red teamers may leverage all of the standard penetration testing attack vectors to do so.

What’s In-Scope for Your FedRAMP Red Team Assessment?

 

Your red team assessment scope should encompass all corporate and FedRAMP systems, which may include:

  • Network infrastructure;
  • Internal and external applications; and
  • All user accounts.

It also extends to any third-party services you’re using, such as:

  • Cloud providers;
  • SaaS products; and
  • External collaboration tools that are a part of your organization's operational environment.

Though any specific exclusions you choose to outline in the assessment Rules of Engagement (RoE) will be respected, remember—the goal of this assessment type is to simulate a real-world attack, so your scope should be as broad as possible to find all possible vulnerabilities.

How are Third-Party Services Handled During a FedRAMP Red Team Assessment?

 

Third-party services are included in the scope without prior notification unless it might cause a service interruption. Specific users and accounts will be targeted as part of the assessment strategy.

 

 

What Happens During a FedRAMP Red Team Assessment

What Does a Red Team Assessment Look Like?

 

The red team assessment process can be broken down as follows:

  • Planning: First, you’ll need to set parameters for the exercise, and that includes working with your red team to define the scope, targets, and goals of the assessment (In the case of FedRAMP, the target is usually the authorization boundary and the systems/data within that boundary.) You’ll also establish communication protocols to ensure transparency and set a process to address escalations or disruptions.
  • Reconnaissance: Your red team can then begin by using open-source intelligence (OSINT) to gather actionable data that helps in crafting their attacks—that includes information gathering from public domains, network footprinting, and e-mail harvesting.
  • Vulnerability Discovery: After gathering the necessary data, red teamers will use techniques such as social engineering, and exploitation of both SaaS applications and vulnerable services to achieve initial access into your environment.
  • Establishing Persistence: Once inside your defenses, red teamers will attempt to maintain remote access into your environment pending system reboots or incident response actions through command-and-control (C2) channels.
  • Credential Access / Discovery and Lateral Movement: Red teamers will also leverage their current position on your network to move to other systems and compromise more permissive accounts as they attempt to move closer to your FedRAMP authorization boundary.
  • Exfiltration: At this point, red teams will attempt— using mock data—to simulate the extraction of critical data and test the organization’s Data Loss Prevention (DLP), monitoring, and response to data breaches.
  • Reset and Reporting: After the assessment is completed, red teamers will carefully remove any introduced files, configurations, and accounts to restore the environment to its original state. If certain artifacts cannot be cleaned up, they will provide clear instructions for their removal in the red team report, which will also document every step of the assessment—from entry to exit and failed attacks to successful ones—making for a comprehensive account of their insights into identified vulnerabilities and recommended improvements.

What Happens if the Red Team is Unable to Gain Access?

 

If, during the red team assessment, the team is unable to establish an initial foothold within your corporate network, they might proceed in one of two ways, depending on the rules of engagement:

  1. The first option is to continue their efforts to breach the external perimeter for the entire duration of the assessment. In this scenario, the focus would remain on identifying and exploiting vulnerabilities, finding new phishing targets, and launching additional attacks.
  2. If unable to gain initial access after X amount of time, red teams may instead shift to an "insider threat" scenario, which involves you providing the team with low-level credentials or internal access so that they can continue the attack from the perspective of a user that wishes to harm your organization.

Are Red Teamers Allowed to Use Privileged Information?

 

No. A red team assessment operates under a black box approach using only publicly available information (with the exception of the assumed breach scenario where credentials or access are provided).

Is There Any Way to Minimize the Disruption to Our Operations During a Red Team Assessment?

 

If you work with Schellman, our team will not pursue any exploits or actions that could result in Denial of Service (DoS), Distributed Denial of Service (DDoS), system crash, or other service interruptions.

Should any other service disruption arise, we’ll be able to address it as soon as possible as we make sure to establish who the trusted points of contact are for both parties at the start of our engagement. We also prioritize transparency throughout our work by maintaining open communication channels, weekly status updates, and providing detailed narratives of actions taken.

 

 

Post-FedRAMP Red Team Assessment Details

How Should the SOC / IR team Respond if Testing Activity is Detected?

 

Your Security Operations Center (SOC) should treat detected testing activity as a real attack—team members should first escalate the matter to the SOC / Incident Response (IR) team lead, who should be aware of the red team assessment and therefore able to de-escalate SOC / IR.

While de-escalation procedures should be followed, the SOC/IR team should continue to block domains, remove phishing emails, or isolate hosts that have been compromised so that your red team can effectively evaluate your organization’s response capabilities without premature de-escalation.

What Does a Red Team Assessment Deliverable Look Like?

 

After the assessment concludes, red teamers will then analyze and document the attack path, access levels, and vulnerabilities discovered during the exercise in the form of a comprehensive report that includes:

  • Indicators of Compromise (IOCs),
  • Detailed findings, and
  • A high-level executive summary outlining the scope, activities, and results of the engagement to ensure all stakeholders have a clear understanding of the security posture and areas for improvement.

Will Any Compromises of Systems Outside the FedRAMP Boundary be Reported on the SAR?

 

Your red team report will detail the extent of access gained and provide a complete view of the security landscape.

That being said, while all issues identified during the exercise will be included within the red team report, only issues that directly impact your FedRAMP boundary will be carried over to the Risk Exposure Table (RET) and the Security Assessment Report (SAR).

 

More Questions Regarding FedRAMP Red Teaming?

While these questions are among the most commonly being asked since the addition of a red team requirement for FedRAMP Authorization, we understand you may also still have more specific organizational concerns.

If so, feel free to contact us, as our team of experts is ready to address any lingering questions and clear the way toward FedRAMP success for you and your organization.

About Christian Underkoffler

Christian is a Manager on the Penetration Testing team with Schellman where he orchestrates assessments for general, PCI, FedRAMP, and other compliance frameworks. This includes project scoping, scheduling, communications, and engagement quality control from inception through the deliverable. Prior to his managment role, Christian performed a variety of offensive security assessments including internal and external network testing, social engineering, phishing, and web application assessments. He solely focused on penetration testing and red team assessments for eight (8) years, which has exposed him to a variety of environments including Fortune 500 companies, as well as an array of offensive and defensive tools.