Level 5 CMMC - CMMC Practices

CA.4.164

Reference: CMMC 1.02

Family: CA

Level Introduced: 4

Practice:
Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.

CMMC Clarification:
This practice focuses on performing penetration testing (pentesting) against organizational solutions in order to identify vulnerabilities and weaknesses. Pentesting is a crucial component in identifying vulnerabilities in solutions, as well as flaws in both systems under development and production systems. The findings from penetration testing serve as feedback for development teams when planning system patching and mitigation strategies. Pentesting teams should have full access to the documentation and source code (if developed in-house) of the solutions being tested prior to running attacks. An adversary will attempt to gain full knowledge about a system prior to attacking it, which increases their likelihood of success; the adversary does this over a period of time that includes research, reconnaissance, and gaining an understanding of the solution prior to launching an attack. The organization should therefore give the pentest team full knowledge of the solution before it is attacked, so that the team can perform a better vulnerability analysis against it. The findings from the pentesting team's effort should be used to help build mitigation plans for the solution, which may include modifications to source code, design changes, and architecture changes. Overall, pentesting should help identify issues that should be fixed in order to increase the overall security posture of the solution.

Penetration testing can be performed by an in-house team or a trusted third party. Penetration tests emulating different adversary types should be conducted over time.

Example 1
You are the CISO of an organization that has experienced pentesters, and you utilize them to identify vulnerabilities in internal systems, report the findings, and have the system owners prioritize fixing the problems identified during testing. You have this penetration test team perform tests against various organizational assets on a round-robin basis over the course of one year. This allows the organization to perform pentesting on solutions at least annually, and the owners are expected to take the findings and implement mitigations before the next test period.

Example 2
You are the CISO of a small organization that lacks team members experienced in pentesting, but you want to perform this practice. You realize that hiring full-time team members with the necessary penetration testing experience is going to be expensive for what will amount to a few weeks of testing a year. You seek out the help of an experienced pentesting organization and have them perform testing several times a year at a fraction of the cost of hiring someone. The information they provide is thorough, and you utilize it to shape your mitigation plans and security planning. The pentesting reports are your evidence that this practice is performed.

3.12.1e

Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using human experts.

Discussion:
Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by penetration testing agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Organizations may also supplement penetration testing with red team exercises. Red teams attempt to duplicate the actions of adversaries in carrying out attacks against organizations and provide an in-depth analysis of security-related weaknesses or deficiencies.

Organizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the specified rules of engagement before the commencement of penetration testing. Organizations correlate the rules of engagement for penetration tests and red teaming exercises (if used) with the tools, techniques, and procedures that they anticipate adversaries may employ. The penetration testing or red team exercises may be organization-based or external to the organization. In either case, it is important that the team possesses the necessary skills and resources to do the job and is objective in its assessment.

[SP 800-53A] provides guidance on conducting security assessments.

Source: NIST Special Publication 800-172 (Draft)

CA-8

PENETRATION TESTING

Description:
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].

Supplemental Guidance:
Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02