FedRAMP and PCI – A Comparison of Scanning and Penetration Testing Requirements
Blog Article Published: 07/13/2015
By Matt Wilgus, Director of Security Assessment Services, BrightLine Overview In the last 30 days, the FedRAMP Program Management Office (PMO) has published guidance for both vulnerability scanning and penetration testing. The updated guidance comes on the heels of PCI mandating the enhanced penetration testing requirements within its requirement 11.3 as part of the 3.0, now 3.1, version of the DSS. These augmented PCI requirements, introduced in the fall of 2013, took effect on June 30. For many cloud service providers this means the requirements for vulnerability scanning and penetration testing are more thorough and will require additional resources for planning, executing and remediating findings. This article will walk through the updates and discuss the differentiation between FedRAMP and the PCI Data Security Standard (DSS). Vulnerability Scanning PCI: Requirement 11.2 of the PCI DSS obliges organizations to, “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” Many organizations will provide their ASVs a listing of Internet facing IP addresses and/or hostnames and the scans will be performed. Internally, a similar process will occur, where a list of in-scope internal IP addresses or hostnames are provide and the scans will be performed by the ASV or an in-house team. FedRAMP: The FedRAMP document titled, “FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide” was developed for CSPs undergoing the approval via the Joint Authorization Board (JAB); however, agency authorizations can also use the guide. There are several differences with FedRAMP’s guide as compared to the PCI DSS including:
- Scans must be performed with authentication (i.e. credentialed scans), which PCI doesn’t require.
- Scans include the full system boundary, which is often, but not always, larger than the in-scope PCI environment, which consists of the cardholder data environment (CDE) and associated system components.
- Scans must be conducted monthly, where PCI is quarterly.
- CSPs musts use must use operating system and network vulnerability scanners, database vulnerability scanners and web application vulnerability scanners. PCI doesn’t provide the same level of detail and alludes to network vulnerability scanners. It is notable that web application scanning is one way to address compliance aspects of PCI DSS requirement 6.6.
- PCI DSS - (Requirement 11.2 and 11.3 starting on Page 94)
- PCI ASV Program Guide
- PCI Penetration Testing Information Supplement