CMMC Requirement CA.L3-3.12.1E – Penetration Testing: Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts.
Links to Publicly Available Resources – Coming Soon
This publication provides a methodology and set of procedures for conducting assessments of
security and privacy controls employed within systems and organizations within an effective risk
management framework. The assessment procedures, executed at various phases of the system
development life cycle, are consistent with the security and privacy controls in NIST Special
Publication 800-53, Revision 5.
Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning. It is conducted by penetration testing agents and teams with particular skills and experience that include technical expertise in network, operating system, and application-level security. Penetration testing can be used to validate vulnerabilities or determine a system’s penetration resistance to adversaries within specified constraints. Such constraints include time, resources, and skills. Organizations may also supplement penetration testing with red team exercises. Red teams attempt to duplicate the actions of adversaries in carrying out attacks against organizations and provide an in-depth analysis of security-related weaknesses or deficiencies.
Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the specified rules of engagement before the commencement of penetration testing. Organizations correlate the rules of engagement for penetration tests and red teaming exercises (if used) with the tools, techniques, and procedures that they anticipate adversaries may employ. The penetration testing or red team exercises may be organization-based or external to the organization. In either case, it is important that the team possesses the necessary skills and resources to do the job and is objective in its assessment.
[NIST SP 800-53A] provides guidance on conducting security assessments.
Further Discussion
It is important that the organization has a repeatable penetration testing capability, regardless of who performs the penetration testing. This requirement entails performing tests against components of the organization’s architecture to identify cyber weaknesses and vulnerabilities. It does not mean everything in the architecture requires penetration testing. This requirement provides findings and mitigation strategies that benefit the organization and help create a stronger environment against adversary efforts. It may be beneficial for the organization to define the scope of penetration testing. The organization’s approach may involve hiring an expert penetration testing team to perform testing on behalf of the organization. When an organization has penetration testing performed, either by an internal team or external firm, they should establish rules of engagement and impose limits on what can be performed by the penetration test team(s).
Ensuring the objectivity of the test team is important as well. Potential conflicts of interest, such as having internal testers report directly or indirectly to network defenders or an external test team contracted by network defense leadership, must be carefully managed by organizational leadership.
Reports on the findings should be used by the organization to determine where to focus funding, staffing, training, or technical improvements for future mitigation strategies.