CA-8(3)

Requirement

Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.

Discussion

Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing penetration testing; procedures addressing red team exercises; assessment plan; results of red team exercises; penetration test report; assessment report; rules of engagement; assessment evidence; system security plan; privacy plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with assessment responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators].

Test

[SELECT FROM: Automated mechanisms supporting the employment of red team exercises].

ID	Assessment Objectives
CA-08(03)	the penetration testing process includes <CA-08(03)_ODP[01] frequency> <CA-08(03)_ODP[02] SELECTED PARAMETER VALUES> attempts to bypass or circumvent controls associated with physical access points to facility.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!