Skip to main content
U.S. flag

An official website of the United States government

Penetration test authorization

If you, or a third party acting on your behalf, plan to perform a penetration test on your customer applications, please send the following information to cloud.gov support ahead of your planned test:

* Web applications under test: (e.g. _site_.agency.gov)
* Testing organization and contact/liaison information:
* Source IPs or IP ranges (for testers and their tools):
* Expected start date, (or starting immediately):
* Expected end date:
* Acknowledgement that you are abiding by the terms at https://cloud.gov/docs/compliance/pentest/

This notification is only necessary for in-depth security testing, which is a common step in agency ATO processes for customer systems. You don’t need an approval, and cloud.gov doesn’t provide approvals. Simply sending the notification is sufficient. You can always run routine automated vulnerability scans on your own applications without special notification.

When arranging a security assessment or penetration test, the system under test is your application at application-name.app.cloud.gov, not the cloud.gov infrastructure – as cloud.gov, and third-party assessors, test those continually and make the results available through FedRAMP. Your assessment must not target other cloud.gov customers, nor perform or simulate denial of service attacks or otherwise violate the Amazon AWS testing policy.