CMMC CA.4.164 - Conduct Penetration Testing

Requirement text: CA.4.164: Conduct penetration testing periodically, leveraging automated scanning
tools and ad hoc tests using human experts.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171B (MODIFIED)
Penetration testing is a specialized type of assessment conducted on systems or individual
system components to identify weaknesses and vulnerabilities within the solution.
Adversaries that obtain a foothold in a network can take advantage of any unpatched
vulnerabilities. Penetration testing goes beyond automated vulnerability scanning: the
testing is conducted by penetration testing agents and teams with demonstrable skills and
experience, including technical expertise in network, operating system, and/or
application-level security. Penetration testing is used to validate vulnerabilities or determine
the degree of penetration resistance of systems to cyber-attacks. Resistance to a test is
comparable to withstanding a real adversary, but the test is bounded by constraints such as
time, resources, and skills. Penetration testing activities can be supported by commercially
available automated vulnerability identification tools. Penetration testing can be conducted
internally or externally on the hardware, software, or firmware components of a system and
should exercise both physical and technical controls, where possible. A standard method for
penetration testing includes pretest analysis based on full knowledge of the system; pretest
identification of potential vulnerabilities based on that analysis; and testing designed to
determine the exploitability of those vulnerabilities. All parties agree to the rules of
engagement before penetration testing scenarios commence. Organizations correlate the
rules of engagement for penetration tests with the tools, techniques, and procedures that
adversaries are anticipated to employ. The penetration testing team may be
organization-based or external to the organization. In either case, it is important that the
team possesses the necessary skills and resources to do the job and is objective in its
assessment. The findings from the penetration testing should be placed in a final report. Any
and all findings need to be rolled into a prioritized security plan based on risk, cost, and
time to implement.

NIST SP 800-53A provides guidance on conducting security assessments.

CMMC CLARIFICATION
This practice focuses on performing penetration testing (pentesting) against organizational
solutions in order to identify vulnerabilities and weaknesses. Pentesting is a crucial
component for identifying vulnerabilities in solutions and flaws in both systems under
development and production systems. By performing penetration testing, an organization
can use the findings as feedback for development teams when planning system patching and
mitigation strategies. Pentesting teams should have full access to documentation and source
code (if developed in-house) of the solutions being tested prior to running attacks. An
adversary will attempt to gain full knowledge about a system prior to attacking it, because
this increases their likelihood of success. The adversary does this over a period of time that
includes research, reconnaissance, and gaining an understanding of the solution before
launching an attack. The organization should therefore allow a pentest team full knowledge
of the solution prior to attacking it, so that the team can perform a better vulnerability
analysis against it. The findings from the pentesting effort should be used to help build
mitigation plans for the solution, which may include modifications to source code, design
changes, and architecture changes. Overall, pentesting should help identify issues that
should be fixed in order to increase the overall security posture of the solution.

Penetration testing can be performed by an in-house team or a trusted third party.
Penetration tests emulating different adversary types should be conducted over time.

Example 1
You are the CISO of an organization that has experienced pentesters, and you use them to
identify vulnerabilities in internal systems, report the findings, and have the system owners
prioritize fixing the problems identified during the testing. You have this penetration test
team perform tests against the various organizational assets on a round-robin basis over the
course of one year. This allows the organization to pentest each solution at least annually,
and the owners are expected to take the findings and implement mitigations before the next
test period.

Example 2
You are the CISO of a small organization that lacks team members experienced in pentesting,
but you want to perform this practice. You realize that hiring full-time team members with
the required penetration testing experience is going to be expensive for what will amount to
a few weeks of testing a year. You seek out the help of an experienced pentesting organization
and have them perform testing several times a year at a fraction of the cost of hiring someone.
The information they provide is thorough, and you use it to shape your mitigation plans and
security planning. The pentesting reports are your evidence that this practice is performed.

References
• CMMC modification of Draft NIST SP 800-171B 3.12.1e
• CIS Controls v7.1 20.2
• NIST SP 800-53 Rev 4 CA-8
