This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
NIST 800-53 (r4) Supplemental Guidance:
Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2.
NIST 800-53 (r5) Discussion:
Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.
38North Guidance:
Meets Minimum Requirement:
Select an independent penetration testing team to perform penetration tests for the information system/application/component(s).
Best Practice:
Ensure that the independent penetration testing team is from an A2LA-accredited 3PAO.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Evidence of accredited FedRAMP 3PAO performing the penetration test (assessment).
Latest penetration testing results/report outlining methodology, scope, and results.
Evidence of remediation actions (e.g., tickets, retest results, etc.).
Previous penetration testing reports, if performed by other assessors.
CSP Implementation Tips:
None.