Security Assessment and Authorization Policy for 18F
External Penetration testing
External penetration testing activities are conducted by GSA OCISO on an annual basis. These activities are designed to perform the necessary vulnerability analysis against cloud.gov based on all applicable security requirements. The GSA OCISO follows the GSA CIO IT Security Procedural Guide, CIO-IT Security-11-51, Conducting Penetration Test Exercises, when performing these tests.
18F must request permission from AWS using the AWS Vulnerability / Penetration Testing Request Form to conduct penetration test activities against its own Virtual Private Cloud infrastructure, and must follow the AWS Acceptable Use Policy. Amazon requires customers to obtain authorization for penetration testing (or vulnerability assessments) whether the testing originates from or is directed at their AWS resources.
AWS Acceptable Use Policy: http://aws.amazon.com/aup/
AWS Penetration Testing: http://aws.amazon.com/security/penetration-testing/
GSA ISE performs penetration testing services for the GSA information systems hosted on the cloud.gov platform. It is also bound by the AWS penetration testing policy and procedures when conducting these penetration tests.
Internal Penetration testing
For internal penetration testing inside 18F's Virtual Private Cloud, 18F team members conduct whitebox/greybox testing of the 18F environment using approved assessment tools.
For compliance with NIST Special Publication 800-53 CA-8: Parameter 1, penetration testing of all 18F infrastructure and application components, will occur annually. Parameter 2, penetration testing of publicly accessible infrastructure, will be performed at the direction of 18F. Covered By: