FedRAMP Evaluation

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP third-party attestation is performed by accredited Third Party Assessor Organizations (3PAOs). The required penetration testing includes both discovery and exploitation steps. See the data sheet for detailed information on each attack surface (Mobile, Web, API) and the corresponding FedRAMP requirements.


Data Theorem helps your applications comply with the third-party assessments required for attestation under specific regulatory standards. Below we outline what we support and what each standard requires for penetration testing or vulnerability analysis. Data Theorem covers the recommended criteria, so your organization can be confident it is ready for any third-party review.

FedRAMP Guidelines for Penetration Testing / Selected DT Coverage in Mobile/Web/API Secure Products

Discovery (FedRAMP 5.2, 5.3)
  • Public Internet Discovery/Scanning: Find potential publicly available vulnerabilities or attack vectors
  • Application Asset Discovery: Map all content and functionality, navigate through the app to determine functionality and workflow
  • Access: Authentication and Authorization checks, including in Cloud Building Blocks
  • User flow through app (dynamic scans)
  • Web Secure Configuration and Certification checks on web apps

Exploitation (FedRAMP 5.7.2)
  • Dynamic Scans
  • Encryption checks
  • Hack & Extract, Keys to the Kingdom
  • SQLi and XSS hacking

Post-Exploitation (FedRAMP 5.7.2)
  • Authorization Checks

Securing the Mobile Work Space

Data Theorem helped Evernote identify and close 105 security issues and remove 17 harmful third-party libraries, all before release to the public app stores.