MITRE’s Response to the OMB RFI on FedRAMP Penetration Testing

MITRE’s data-driven responses to an OMB inquiry requesting review of draft FedRAMP Pen Testing Guidance.

What’s the issue? The Office of Management and Budget (OMB) requested review of draft updated guidance on FedRAMP penetration testing.

What did we do? The Center for Data-Driven Policy led a cross-MITRE analysis of the questions posed by OSTP, seeking to uncover data and evidence from our work in the public interest that would help them understand opportunities and develop plans that are evidence-based, actionable, and effective.

What did we find? MITRE thoroughly reviewed OMB’s draft FedRAMP guidance, providing multiple recommendations, such as:

Comprehensive Penetration Testing: MITRE recommends an expanded focus to include active vulnerability discovery and continuous monitoring, and adding a parallel thrust on threat hunting. This approach ensures a comprehensive and proactive stance toward system security.

Adversary Emulation and Predictive Threat Modeling: MITRE recommends the use of adversary emulation in pen testing and the continuous execution of predictive threat modeling. This approach helps to keep pace with evolving cloud service offerings and their innovations, and to anticipate potential threats.

Enhanced Use of Pen Testing Results: MITRE suggests that both FedRAMP continuous monitoring and pen testing results should be made available to the Cybersecurity and Infrastructure Security Agency (CISA). This would facilitate a broader government understanding and potential response, thereby strengthening national cybersecurity defenses.