FedRAMP Revision 5, released in May 2023, added a new requirement: red team exercises (control CA-8(2)) in addition to the existing penetration testing requirement. As of 2024, organizations seeking a FedRAMP Authorization must meet this obligation.
This guide focuses on conducting red team exercises internally, empowering you to take charge of your FedRAMP compliance journey.
Performing a red team exercise internally for FedRAMP demands rigor, because the same organization is both running and being measured by the test. Here's what you'll need to ensure a successful exercise:
The foundation of your exercise is a formal red team test plan: a detailed document that defines the scope, goals, rules of engagement, escalation process, and dates of the exercise before any testing begins. Create this plan before the assessment and adhere to it closely throughout the process; deviations should be recorded and approved, not improvised. The more formalized it is, the better.
Your plan should encompass, at a minimum:
Remember, real-world attackers operate in stealth. Mimic this approach by limiting knowledge of the red team assessment to a select few, so that the response you observe reflects how your defenders actually perform:
If status reports are necessary, keep them deliberately vague about timing, targets, and techniques so they cannot tip off the defenders. The people who do know about the exercise must remain reachable throughout it, so that a real incident can be distinguished from red team activity and the exercise can be halted if needed.
Finally, prepare a red team report. Like the test plan, this should be a formal document that records the scope, goals, escalation process, and dates of your exercise, and it should tie back to the plan so a reviewer can see what was agreed and what was actually done.
Your red team report should detail the following information:
Red teaming itself is a mature practice, but as a compliance requirement it is relatively new, and for FedRAMP it is entirely new. While navigating this new landscape, expect some initial challenges.
The standards outlined here provide a roadmap for conducting successful internal red team exercises. By following these guidelines, you can ensure your FedRAMP compliance efforts are on the right track.
If you'd like to delve deeper into red teaming or explore best practices for internal exercises, feel free to reach out to our team for further guidance.