This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization conducts penetration testing [FedRAMP Assignment: (M)(H) at least annually] on [Assignment: organization-defined information systems or system components].
CA-8 Additional FedRAMP Requirements and Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Penetration Test Guidance
https://www.FedRAMP.gov/documents/
NIST 800-53 (r4) Supplemental Guidance:
Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12.
References: None.
NIST 800-53 (r5) Discussion:
Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing.
38North Guidance:
Meets Minimum Requirement:
Select an A2LA-accredited 3PAO to perform penetration testing for the information system.
Best Practice:
See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Penetration Test Guidance (https://www.FedRAMP.gov/documents/).
Ensure that there is an agreed-upon Rules of Engagement (ROE) document that identifies the types of testing activities, techniques, and tools the penetration testing team will use. This document may also cover network access, the tests to be executed and their potential outcomes (honeypots, social engineering, etc.), and the reports that will result.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Latest penetration testing results/report outlining methodology, scope, and results.
Evidence of remediation actions (e.g., tickets, retest results, etc.).
Previous penetration testing reports, if performed by other assessors.
CSP Implementation Tips:
None.