Penetration Testing Requirements

Overview

Federal agencies conducting penetration tests or load testing on Cloud.gov applications must notify the platform team before testing begins. This notification requirement applies to comprehensive security assessments and high-volume load tests, typically those performed during authorization processes. Routine vulnerability scans and normal load testing do not require notification. The process protects platform stability while still allowing thorough security validation.

Prerequisites

  • Testing Scope: Defined list of applications and domains under test
  • Test Window: Planned start and end dates for testing
  • Source IPs: IP addresses or ranges used by testing tools
  • Contact Information: Security team and testing vendor details
  • Testing Agreement: Confirmation of compliance with Cloud.gov policies

Process / Steps

1. Determine if Notification is Required

Notification Required:

  • Third-party penetration testing
  • High-volume automated scanning
  • Load testing exceeding 1000 requests/second
  • Denial-of-service testing (limited scope)

No Notification Needed:

  • Routine vulnerability scans
  • Normal application testing
  • OWASP ZAP or similar during development

2. Prepare Notification Details

Customer Responsibility: Compile the required information, following this template:

Subject: Penetration Test Notification - [Agency Name]

Testing Details:
  * Applications under test:
    - app1.app.cloud.gov
    - app2.app.cloud.gov
    - custom-domain.agency.gov

  * Testing organization: [Company Name]
  * Contact: [Name, Email, Phone]

  * Source IP ranges:
    - 192.0.2.0/24 (Scanner Network)
    - 198.51.100.0/24 (Tester Workstations)

  * Test window:
    - Start: 2024-03-15 09:00 EDT
    - End: 2024-03-22 17:00 EDT

  * Test types:
    - Web application scanning
    - API security testing
    - Authentication testing

I acknowledge compliance with /platform/compliance/pentest/

3. Submit Notification

Send notification to support@cloud.gov at least 48 hours before testing begins.

Note: No approval is required; the notification is sufficient to proceed.
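The source IP ranges, hosts under test and test window in a notification are what let a platform or application team tell declared test traffic apart from an actual attack. The following script is an added example (not Cloud.gov's tooling) that holds the template values from this page as structured data and classifies a few constructed request records against them; the agency name, the `classify`/`triage` function names and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# The page's test window is given in EDT (UTC-4).
EDT = timezone(timedelta(hours=-4))


@dataclass(frozen=True)
class TestNotification:
    """The fields of a notification email, held as structured data."""
    agency: str
    apps: frozenset
    source_ranges: tuple
    start: datetime
    end: datetime

    @classmethod
    def from_details(cls, agency, apps, cidrs, start, end):
        return cls(agency, frozenset(apps),
                   tuple(ip_network(c) for c in cidrs), start, end)


# Built from the template values on this page; the agency name is a placeholder.
NOTIFICATION = TestNotification.from_details(
    agency="[Agency Name]",
    apps=["app1.app.cloud.gov", "app2.app.cloud.gov", "custom-domain.agency.gov"],
    cidrs=["192.0.2.0/24", "198.51.100.0/24"],
    start=datetime(2024, 3, 15, 9, 0, tzinfo=EDT),
    end=datetime(2024, 3, 22, 17, 0, tzinfo=EDT),
)


def classify(note, when, src_ip, host):
    """Return 'declared' when a request matches the notification on all three
    axes (declared source range, host under test, test window); otherwise
    name the first axis that fails, so the record is routed to normal
    incident handling instead of being waved through as 'the pentest'."""
    addr = ip_address(src_ip)
    if not any(addr in net for net in note.source_ranges):
        return "undeclared-source"
    if host not in note.apps:
        return "out-of-scope-host"
    if not (note.start <= when <= note.end):
        return "outside-window"
    return "declared"


# Constructed sample records: (timestamp, source IP, requested host).
SAMPLE_RECORDS = [
    (datetime(2024, 3, 16, 10, 30, tzinfo=EDT), "192.0.2.17", "app1.app.cloud.gov"),
    (datetime(2024, 3, 16, 10, 31, tzinfo=EDT), "203.0.113.5", "app1.app.cloud.gov"),
    (datetime(2024, 3, 16, 10, 32, tzinfo=EDT), "198.51.100.9", "other.app.cloud.gov"),
    (datetime(2024, 3, 23, 8, 0, tzinfo=EDT), "192.0.2.17", "app2.app.cloud.gov"),
]


def triage(note=NOTIFICATION, records=SAMPLE_RECORDS):
    """Classify every record; only 'declared' traffic is covered by the notification."""
    return [(src, host, classify(note, when, src, host)) for when, src, host in records]


if __name__ == "__main__":
    for src, host, verdict in triage():
        print(f"{src:<14} {host:<28} {verdict}")
```

The three checks are deliberately ordered from cheapest to most context-dependent: a source outside the declared ranges is never covered by the notification regardless of host or time, which is why precise CIDRs in the notification matter more than a vague "our scanner".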

4. Conduct Testing Within Scope

Allowed Testing:

  • Application vulnerability scanning
  • Authentication/authorization testing
  • API security validation
  • Container security via cf ssh
  • Moderate load testing

Prohibited Testing:

5. Report Findings

If testing reveals Cloud.gov platform vulnerabilities:

  1. Stop testing that vector immediately
  2. Document vulnerability details
  3. Report via security.txt process: https://cloud.gov/.well-known/security.txt
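Reporting "via the security.txt process" means reading the contacts and policy links published at the `/.well-known/security.txt` URL above, in the RFC 9116 format. The following parser is an added example, not Cloud.gov's code, and the embedded file is a constructed sample in that format, not the contents of the Cloud.gov file itself; fetch the real one before reporting. The function names are assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in RFC 9116 format. It is NOT the contents of
# https://cloud.gov/.well-known/security.txt; fetch that file yourself.
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: mailto:security@example.gov
Contact: https://example.gov/vulnerability-disclosure
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://example.gov/vdp
Canonical: https://example.gov/.well-known/security.txt
"""


def parse_security_txt(text):
    """Parse 'Field: value' lines into a dict of lists, preserving order.
    Comment lines begin with '#'; field names are case-insensitive (RFC 9116),
    so they are normalised to lower case. Order is kept because RFC 9116 makes
    the order of Contact fields the order of preference."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return the list of problems that would make the file unreliable:
    no Contact, Expires missing or repeated, or the file already expired."""
    problems = []
    if not fields.get("contact"):
        problems.append("no Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        # fromisoformat() on older Pythons does not accept a trailing 'Z'.
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
        else:
            if exp <= (now or datetime.now(timezone.utc)):
                problems.append("file has expired")
    return problems


def reporting_contacts(text, now=None):
    """Return (contacts in preference order, problems) for a security.txt body."""
    fields = parse_security_txt(text)
    return fields.get("contact", []), validate(fields, now)


if __name__ == "__main__":
    contacts, problems = reporting_contacts(SAMPLE_SECURITY_TXT)
    print("contacts:", contacts)
    print("problems:", problems or "none")
```

An expired or Contact-less file is a signal to fall back to the platform's support channel rather than to guess at an address; the `validate` step exists so a reporting script fails loudly in that case instead of silently sending a vulnerability report nowhere.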

FAQs

Q: How much notice should I provide? A: 48 hours preferred, but "starting immediately" notifications are accepted for urgent testing.

Q: Can I test during production hours? A: Yes. Choose test windows based on your application's usage patterns.

Q: What if I find a platform vulnerability? A: Stop testing that vector and report via security.txt. Do not expand testing to verify or exploit.

Q: Do I need Cloud.gov approval to proceed? A: No. Sending the notification is sufficient. We may contact you if we have concerns.

Q: Can I share my test results with Cloud.gov? A: Platform vulnerabilities must be reported. Application findings are your responsibility but may be shared for advisory purposes.

An official website of the U.S. General Services Administration