FedRAMP Red Team Assessments FAQ
The release of FedRAMP’s Revision 5 has raised many questions, including those regarding the addition of a red team exercise requirement for those seeking FedRAMP authorization. As the #1 provider of FedRAMP assessments on the Marketplace, with extensive experience in offensive security, we have insight to offer.
In this blog post, we’ll address all the big questions regarding red team assessments within the stringent framework of FedRAMP Rev. 5, including the differences from traditional penetration tests, the methodology employed, and other nuances you’ll want to know as you move forward with this new, important requirement.
Our insight is divided into three overarching sections:
- Setting Up Your FedRAMP Red Team Assessment
- What Happens During a FedRAMP Red Team Assessment
- Post-FedRAMP Red Team Assessment Details
Setting Up Your FedRAMP Red Team Assessment
How Does a Red Team Assessment Differ from a Penetration Test?
We wrote extensively on the differences between these two exercises, but here’s the gist:
- A penetration test is a grey-box assessment of a specific system, application, or attack vector (e.g., internal or external network), and the organization being tested is often aware that it’s happening.
- Meanwhile, a red team assessment is often only known to a few high-priority points of contact, as it’s intended to simulate a real-world attack as well as test your organization’s detection and response capabilities.
When you have a red team assessment performed as part of your FedRAMP compliance, the primary goal of those performing that exercise will be to identify and exploit both technical and human vulnerabilities before moving throughout the environment in an attempt to compromise the FedRAMP authorization boundary. Red teamers may leverage all of the standard penetration testing attack vectors to do so.
What’s In-Scope for Your FedRAMP Red Team Assessment?
Your red team assessment scope should encompass all corporate and FedRAMP systems, which may include:
- Network infrastructure;
- Internal and external applications; and
- All user accounts.
It also extends to any third-party services you’re using, such as:
- Cloud providers;
- SaaS products; and
- External collaboration tools that are a part of your organization's operational environment.
Though any specific exclusions you choose to outline in the assessment Rules of Engagement (RoE) will be respected, remember—the goal of this assessment type is to simulate a real-world attack, so your scope should be as broad as possible to find all possible vulnerabilities.
How are Third-Party Services Handled During a FedRAMP Red Team Assessment?
Third-party services are included in the scope without prior notification unless it might cause a service interruption. Specific users and accounts will be targeted as part of the assessment strategy.
What Happens During a FedRAMP Red Team Assessment
What Does a Red Team Assessment Look Like?
The red team assessment process can be broken down as follows:
- Planning: First, you’ll need to set parameters for the exercise, and that includes working with your red team to define the scope, targets, and goals of the assessment (in the case of FedRAMP, the target is usually the authorization boundary and the systems and data within it). You’ll also establish communication protocols to ensure transparency and set a process to address escalations or disruptions.
- Reconnaissance: Your red team can then begin by using open-source intelligence (OSINT) to gather actionable data that helps in crafting their attacks—that includes information gathering from public domains, network footprinting, and e-mail harvesting.
- Vulnerability Discovery: After gathering the necessary data, red teamers will use techniques such as social engineering and exploitation of both SaaS applications and vulnerable services to achieve initial access into your environment.
- Establishing Persistence: Once inside your defenses, red teamers will attempt to maintain remote access to your environment through command-and-control (C2) channels, so that access survives system reboots or incident response actions.
- Credential Access / Discovery and Lateral Movement: Red teamers will also leverage their current position on your network to move to other systems and compromise more permissive accounts as they attempt to move closer to your FedRAMP authorization boundary.
- Exfiltration: At this point, red teams will attempt (using mock data) to simulate the extraction of critical data and test the organization’s Data Loss Prevention (DLP), monitoring, and response to data breaches.
- Reset and Reporting: After the assessment is completed, red teamers will carefully remove any introduced files, configurations, and accounts to restore the environment to its original state. If certain artifacts cannot be cleaned up, they will provide clear instructions for their removal in the red team report. That report will also document every step of the assessment, from entry to exit and from failed attacks to successful ones, making for a comprehensive account of their insights into identified vulnerabilities and recommended improvements.
What Happens if the Red Team is Unable to Gain Access?
If, during the red team assessment, the team is unable to establish an initial foothold within your corporate network, they might proceed in one of two ways, depending on the rules of engagement:
- The first option is to continue their efforts to breach the external perimeter for the entire duration of the assessment. In this scenario, the focus would remain on identifying and exploiting vulnerabilities, finding new phishing targets, and launching additional attacks.
- If unable to gain initial access after X amount of time, red teams may instead shift to an "insider threat" scenario, which involves you providing the team with low-level credentials or internal access so that they can continue the attack from the perspective of a user that wishes to harm your organization.
Are Red Teamers Allowed to Use Privileged Information?
No. A red team assessment operates under a black box approach using only publicly available information (with the exception of the assumed breach scenario where credentials or access are provided).
Is There Any Way to Minimize the Disruption to Our Operations During a Red Team Assessment?
If you work with Schellman, our team will not pursue any exploits or actions that could result in Denial of Service (DoS), Distributed Denial of Service (DDoS), system crash, or other service interruptions.
Should any other service disruption arise, we’ll be able to address it promptly, since we establish the trusted points of contact for both parties at the start of the engagement. We also prioritize transparency throughout our work by maintaining open communication channels, providing weekly status updates, and delivering detailed narratives of the actions taken.
Post-FedRAMP Red Team Assessment Details
How Should the SOC / IR team Respond if Testing Activity is Detected?
Your Security Operations Center (SOC) should treat detected testing activity as a real attack. Team members should first escalate the matter to the SOC / Incident Response (IR) team lead, who should be aware of the red team assessment and is therefore able to de-escalate the SOC / IR response.
Even while those de-escalation procedures are followed, the SOC / IR team should continue to block domains, remove phishing emails, and isolate compromised hosts, so that your red team can effectively evaluate your organization’s response capabilities; de-escalating prematurely would undermine that evaluation.
What Does a Red Team Assessment Deliverable Look Like?
After the assessment concludes, red teamers will then analyze and document the attack path, access levels, and vulnerabilities discovered during the exercise in the form of a comprehensive report that includes:
- Indicators of Compromise (IOCs),
- Detailed findings, and
- A high-level executive summary outlining the scope, activities, and results of the engagement to ensure all stakeholders have a clear understanding of the security posture and areas for improvement.
Will Any Compromises of Systems Outside the FedRAMP Boundary be Reported on the SAR?
Your red team report will detail the extent of access gained and provide a complete view of the security landscape.
That being said, while all issues identified during the exercise will be included within the red team report, only issues that directly impact your FedRAMP boundary will be carried over to the Risk Exposure Table (RET) and the Security Assessment Report (SAR).
More Questions Regarding FedRAMP Red Teaming?
While these questions are among the most commonly asked since the addition of a red team requirement for FedRAMP Authorization, we understand you may still have more specific organizational concerns.
If so, feel free to contact us, as our team of experts is ready to address any lingering questions and clear the way toward FedRAMP success for you and your organization.
About Christian Underkoffler
Christian is a Manager on the Penetration Testing team with Schellman, where he orchestrates assessments for general, PCI, FedRAMP, and other compliance frameworks. This includes project scoping, scheduling, communications, and engagement quality control from inception through the deliverable. Prior to his management role, Christian performed a variety of offensive security assessments, including internal and external network testing, social engineering, phishing, and web application assessments. He focused solely on penetration testing and red team assessments for eight (8) years, which exposed him to a variety of environments, including Fortune 500 companies, as well as an array of offensive and defensive tools.