IT Security Procedural Guide: Conducting Penetration Test Exercises

Transcription

DocuSign Envelope ID: A5A2B37A-13CC-46ED-80C2-02EB99D1CABC

IT Security Procedural Guide: Conducting Penetration Test Exercises
CIO-IT Security-11-51
Revision 5
July 27, 2020
Office of the Chief Information Security Officer
U.S. General Services Administration

VERSION HISTORY/CHANGE RECORD

Revision 1 – April 30, 2012
Change 1 (Bo Berlas): Clarified guidance relating to performance of penetration testing against development environments.
  Reason for Change: Penetration testing shall occur against production environments to ensure testing activities reflect the risks of the system under review.
  Page Number of Change: 8

Revision 2 – December 11, 2014
Change 1 (Bo Berlas): Changed requirement for penetration testing from ALL systems (i.e., FIPS PUB 199 Low, Moderate and High) to FIPS PUB 199 Low and Moderate Internet accessible systems and all FIPS PUB 199 High.
  Reason for Change: Focuses penetration testing activities at areas of greatest risk. Aligns with updated requirements in GSA IT Security Procedural Guide 06-30, "Managing Enterprise Risk".
  Page Number of Change: Pages 4 and 8
Change 2 (Bo Berlas): Changed references to Office of the Senior Agency Information Security Officer (OSAISO) and Senior Agency Information Security Officer (SAISO) to Office of the Chief Information Security Officer (OCISO) and Chief Information Security Officer (CISO).
  Reason for Change: Administrative, to reflect changes in office name and CISO title as a result of IT and IT Security consolidation.
  Page Number of Change: Numerous
Change 3 (Blanche Heard): Updated to reflect references to comply with ADM O 5440.667.
  Reason for Change: Organization titles and responsibilities.
  Page Number of Change: Numerous

Revision 3 – December 1, 2015
Change 1 (Bo Berlas): Updated Reporting Template and associated references.
  Reason for Change: Updated to reflect changes to NIST SP 800-53 Rev 4 and reflect process updates.
  Page Number of Change: Pages 9 and 20
Change 2 (William Salamon): Updated Reporting Template, Rules of Engagement Template, and updated several sections.
  Reason for Change: Reflect changes to OWASP, NIST SP 800-15 recommendations, incorporate cloud computing concepts, and other process updates.
  Page Number of Change: Throughout

Revision 4 – January 18, 2018
Change 1 (Dean/Feliksa/Klemens/Newsome): Revised to reflect current GSA processes and procedures for conducting penetration tests.
  Reason for Change: Revised to reflect how GSA conducts penetration tests based on Federal policies, NIST controls with GSA parameters, and GSA processes and procedures. Updated to current guide structure and format.
  Page Number of Change: Throughout

Revision 5 – July 27, 2020
Change 1 (Armando Quintananieves/Angela Christian/Raja Hayat/Branndon Dean): Primary changes:
  - Expanded the types of pen tests listed
  - Clarified pen test approaches
  - Added section on specific pen tests GSA conducts and their applicability
  - Added section on responsibilities for system and pen test roles
  - Added an Appendix with GSA A&A Penetration Test Minimum Requirements
  - Modified formatting and style to latest guidance, including 508 compliance
  Reason for Change: Revised to reflect current GSA processes and procedures for conducting penetration tests in different environments.
  Page Number of Change: Pages 11-12, 16-17, 21-22

Approval

IT Security Procedural Guide: Conducting Penetration Test Exercises, CIO-IT Security 11-51, Revision 5, is hereby approved for distribution.

X
Bo Berlas
GSA Chief Information Security Officer

Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division (ISP) at ispcompliance@gsa.gov.

Table of Contents

1 Introduction ..... 1
  1.1 Purpose ..... 1
  1.2 Scope ..... 1
  1.3 Policy ..... 1
  1.4 References ..... 2
2 Penetration Testing Overview ..... 2
  2.1 Penetration Testing Approaches ..... 5
  2.2 Defining the Scope and Test Boundary ..... 7
  2.3 Vulnerability Risk Rating ..... 7
  2.4 Exploiting Vulnerabilities ..... 7
3 GSA Penetration Tests Defined ..... 8
  3.1 GSA A&A Penetration Test ..... 8
    3.1.1 Web Application Penetration Tests ..... 8
    3.1.2 Network Penetration Tests ..... 8
  3.2 GSA Annual Penetration Test ..... 8
    3.2.1 FIPS Moderate and Low ..... 8
    3.2.2 FIPS High ..... 8
    3.2.3 FISMA High Value Assets (HVAs) ..... 8
    3.2.4 Ongoing Authorization (OA) ..... 9
  3.3 GSA Delta Penetration Test ..... 9
  3.4 GSA Incident Response (IR) Penetration Test ..... 9
4 GSA Penetration Testing Process ..... 9
  4.1 Responsibilities ..... 10
    4.1.1 ISSM/ISSO ..... 10
    4.1.2 Pentest Lead ..... 10
    4.1.3 System Owner ..... 10
    4.1.4 Penetration Tester/Team ..... 10
  4.2 Planning Phase ..... 10
    4.2.1 Penetration Test Scope ..... 11
  4.3 Defining the Rules of Engagement ..... 12
  4.4 Penetration Testing Authorization ..... 13
  4.5 Test Phases ..... 13
  4.6 Additional Considerations ..... 14
5 Incident Response Procedures ..... 15
6 Points of Contact ..... 15
Appendix A: Pentest Minimum Requirements Matrix ..... 16
Appendix B: Conducting Penetration Test Templates ..... 17
Appendix C: GSA A&A Penetration Test Detailed Min Requirements (Including HVA A&A and Annual Penetration Testing) ..... 18

Table A-1: Pentest Minimum Requirements Matrix ..... 16

Notes:
- Hyperlinks in running text will be provided if they link to a location within this document (i.e., a different section or an appendix).
- Hyperlinks will be provided for external sources unless the hyperlink is to a webpage or document listed in Section 1.4. For example, Google Forms, Google Docs, and websites will have links.
- It may be necessary to copy and paste hyperlinks in this document (Right-Click, Select Copy Hyperlink) directly into a web browser rather than using Ctrl-Click to access them within the document.

1 Introduction

A penetration test is an authorized simulation of a cyber-attack which is used to identify security weaknesses by way of technical flaws, misconfigurations, software vulnerabilities, and/or business logic. A penetration tester will attempt to exploit weaknesses to gain access, modify functionality, and/or corrupt the business logic of the target system without creating additional risk to the agency or organization. The penetration tester will attempt to perform the activities of a malicious actor; however, such activities will be conducted ethically and with the permission of the General Services Administration (GSA) Office of the Chief Information Security Officer (OCISO) prior to execution.

A penetration test exercise supports the overall security process by identifying security risks and demonstrating the exploitability of findings that may not be readily apparent when performing a security review. A penetration test can be performed with or without knowledge of the system, and involves the execution of a scenario and abuse cases that focus on violating technical, administrative, and management controls to gain access to the system or data.

Penetration tests can be used to verify and prove scan results that are false positives or false negatives. Penetration tests, as opposed to vulnerability scans, should not have false positive findings since they report only on found vulnerabilities. Penetration tests, while capable of verifying or proving a specific false negative finding, are not exhaustive and therefore cannot prove there are no vulnerabilities in a system. The test processes described in this document are used for measuring, evaluating, and testing the security posture of an information system, but test findings should not be used to the exclusion of other security processes (e.g., architecture analyses, configuration checks).

1.1 Purpose

This procedural guide provides guidance for performing penetration test exercises against GSA applications, infrastructure, and systems. It provides GSA associates and contractors with significant security responsibilities, as identified in the current Chief Information Officer (CIO) GSA Order CIO 2100.1, "GSA Information Technology (IT) Security Policy," and other IT personnel involved in penetration testing exercises on GSA IT resources, with an independent, repeatable framework for conducting penetration test activities.

1.2 Scope

The requirements outlined within this guide apply to any internal or external organizations who are involved in penetration testing of GSA information systems and data.

1.3 Policy

Penetration testing is addressed in CIO 2100.1 as stated in the following paragraphs:

Chapter 3, Paragraph 4:

b. All Internet accessible information systems, and all FIPS 199 High impact information systems are required to complete an independent penetration test (or 'pentest') and provide a Penetration Test Report documenting the results of the exercise as part of the A&A package. In addition, these same systems must complete penetration tests annually. The annual penetration tests can be completed internally and do not require an independent assessor.

c. Independent vulnerability testing including penetration testing and system or port scanning conducted by a third-party such as the GAO and other external organizations must be specifically authorized by the AO and supervised by the ISSM.

1.4 References

Federal Standards and Guidance:
- Federal Information Processing Standards (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems"
- National Institute of Standards and Technology (NIST) Special Publication
