Penetration Testing | Federal Assessments
By:
Christian Underkoffler
September 13th, 2024
The release of FedRAMP’s Revision 5 has raised many questions, including those regarding the addition of a red team exercise requirement for those seeking FedRAMP authorization. As the #1 provider of FedRAMP assessments on the Marketplace, with extensive experience in offensive security, we have insight to offer.
By:
Avani Desai
September 12th, 2024
As cyber threats continue to grow more complex and difficult to defend against, regulatory cybersecurity requirements are becoming increasingly stringent—the Digital Operational Resilience Act (DORA) is the latest, and it demands your attention. The law comes into full effect in just a few short months—January 2025—and an independent assessment could help ensure you achieve full compliance in time.
ISO Certifications | SOC Examinations | SOC 2 | ISO 27001
By:
Kristen Wilbur
September 10th, 2024
As they’re now two of the most popular compliance initiatives in the world, many organizations often choose to pursue either a SOC 2 report or ISO/IEC 27001 compliance, while others tackle both. In fact, there are strategic benefits to be gained in undergoing both a SOC 2 examination and achieving ISO 27001 certification, especially as you can do both at the same time.
Payment Card Assessments | PCI DSS
By:
Phil Dorczuk
September 9th, 2024
Historically, PCI DSS has treated most service accounts as shared administrator accounts that had to be authorized with specific privileges using strong authentication factors. But now, version 4.0 of the PCI DSS has greatly expanded the scope of authentication and authorization requirements—while you’ll still need to secure those administrator accounts, you’ll now also need to implement controls to protect any application and service accounts in your environment.
By:
Josh Tomkiel
September 5th, 2024
For as long as the concept of cybersecurity has been around, much of the focus has centered on sophisticated technical controls—firewalls, password strength, network segmentation, endpoint protection, encryption, etc. And while implementation and regular testing of all these measures does better safeguard your organization, you also need to secure your people. To that end, a social engineering campaign can help immensely.
FedRAMP | Federal Assessments | CMMC
By:
Tim Walsh
September 3rd, 2024
Looking back, 2024 was a significant year for the Department of Defense (DoD). Not only did they release the 32 CFR Part 170 – Cybersecurity Maturity Model Certification (CMMC) Final Rule, but the DoD also published a pivotal memorandum titled Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider’s (CSP) Cloud Service Offerings (CSOs).
By:
Jordan Hicks
August 29th, 2024
Whether you’ve already completed your first audit or you’re planning your compliance calendar for the new year, you know that compliance is more than a bullet point on a strategy slide deck—it’s a serious investment and a process that will recur year-over-year, so you can’t drop the ball in between assessments, especially amidst an ever-evolving cyberthreat landscape. To help your organization remain safeguarded between your audit cycles, you should seek to strengthen and streamline your compliance—the good news is, there are ways to do that.
Penetration Testing | Artificial Intelligence
By:
Josh Tomkiel
August 28th, 2024
Did you recently implement a new artificial intelligence (AI) feature within your application and now your customers are starting to ask for AI-specific penetration tests? Are you curious as to how an assessment like that would work? As with all these exercises, it starts with scoping.