CMMC v2.11 Practices

CA.L3-3.12.1e

Reference: CMMC v2.11

Family: CA

Level Introduced: 3

Title: Penetration Testing

Practice:
Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts.

Further Discussion:
It is important that the organization has a repeatable penetration testing capability, regardless of who performs the penetration testing. This requirement entails performing tests against components of the organization’s architecture to identify cyber weaknesses and vulnerabilities. It does not mean everything in the architecture requires penetration testing. This requirement provides findings and mitigation strategies that benefit the organization and help create a stronger environment against adversary efforts. It may be beneficial for the organization to define the scope of penetration testing. The organization’s approach may involve hiring an expert penetration testing team to perform testing on behalf of the organization. When an organization has penetration testing performed, either by an internal team or external firm, they should establish rules of engagement and impose limits on what can be performed by the penetration test team(s).

Ensuring the objectivity of the test team is important as well. Potential conflicts of interest, such as having internal testers report directly or indirectly to network defenders or an external test team contracted by network defense leadership, must be carefully managed by organizational leadership.

Reports on the findings should be used by the organization to determine where to focus funding, staffing, training, or technical improvements for future mitigation strategies.

Example
You are responsible for information security in your organization. Leveraging a contract managed by the CIO, you hire an external expert penetration team annually to test the security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same firm annually or on an ad hoc basis when significant changes are made to the architecture or components that affect security [b,c].

Potential Assessment Considerations
• Does the organization have internal team members who possess the proper level of expertise to perform a valued penetration testing effort [b]?
• If the penetration testing is performed by an internal team, are the individuals performing the testing objectively [b]?
• Is a penetration testing final report provided to the internal team responsible for organizational defense?
• If previous penetration tests have been conducted, can the organization provide samples of penetration test plans, findings reports, and mitigation guidance based on the findings [a,b,c]?


Source: CMMC v2.11