  • Requirement

    Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts.

  • Discussion

    Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning. It is conducted by penetration testing agents and teams with particular skills and experience that include technical expertise in network, operating system, and application-level security. Penetration testing can be used to validate vulnerabilities or determine a system’s penetration resistance to adversaries within specified constraints. Such constraints include time, resources, and skills. Organizations may also supplement penetration testing with red team exercises. Red teams attempt to duplicate the actions of adversaries in carrying out attacks against organizations and provide an in-depth analysis of security-related weaknesses or deficiencies.

    Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the specified rules of engagement before the commencement of penetration testing. Organizations correlate the rules of engagement for penetration tests and red teaming exercises (if used) with the tools, techniques, and procedures that they anticipate adversaries may employ. The penetration testing or red team exercises may be organization-based or external to the organization. In either case, it is important that the team possesses the necessary skills and resources to do the job and is objective in its assessment.

    [NIST SP 800-53A] provides guidance on conducting security assessments.

More Info

  • Title

    Penetration Testing
  • Domain

    Security Assessment
  • CMMC Level

  • Further Discussion

    It is important that the organization has a repeatable penetration testing capability, regardless of who performs the penetration testing. This requirement entails performing tests against components of the organization’s architecture to identify cyber weaknesses and vulnerabilities. It does not mean everything in the architecture requires penetration testing. This requirement provides findings and mitigation strategies that benefit the organization and help create a stronger environment against adversary efforts. It may be beneficial for the organization to define the scope of penetration testing. The organization’s approach may involve hiring an expert penetration testing team to perform testing on behalf of the organization. When an organization has penetration testing performed, either by an internal team or external firm, they should establish rules of engagement and impose limits on what can be performed by the penetration test team(s).

    Ensuring the objectivity of the test team is important as well. Potential conflicts of interest, such as having internal testers report directly or indirectly to network defenders or an external test team contracted by network defense leadership, must be carefully managed by organizational leadership.

    Reports on the findings should be used by the organization to determine where to focus funding, staffing, training, or technical improvements for future mitigation strategies.


    You are responsible for information security in your organization. Leveraging a contract managed by the CIO, you hire an external expert penetration team annually to test the security of the organization’s enclave that stores and processes CUI [a,c]. You hire the same firm annually or on an ad hoc basis when significant changes are made to the architecture or components that affect security [b,c].

    Potential Assessment Considerations

    • Does the organization have internal team members who possess the proper level of expertise to perform a valued penetration testing effort [b]?
    • If the penetration testing is performed by an internal team, are the individuals performing the testing objective [b]?
    • Is a penetration testing final report provided to the internal team responsible for organizational defense?
    • If previous penetration tests have been conducted, can the organization provide samples of penetration test plans, findings reports, and mitigation guidance based on the findings [a,b,c]?

NIST 800-172A Assessment Guidance
