Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: CA

Level Introduced: 4

Periodically perform red teaming against organizational assets in order to validate defensive capabilities.

CMMC Clarification:
This practice focuses on red teaming an organization for the purpose of validating defensive cyber capabilities focusing on identifying or thwarting attacks. As the red team performs tests against the organization the red team is also working with the organization’s cyber defender(s) in order to help validate the defensive capabilities against the attacks used. This is a completely transparent relationship where the red team works with the organization’s cyber defenders in order to identify areas that need improvement. While large corporations may have internal teams perform this testing, a lot of small companies will lack the in-house expertise to perform red teaming properly. Third-party adversarial assessment teams can be used in this case. Rules of engagement will need to be generated prior to testing in order to define the bounds of the testing, and to make sure test teams know to what levels they may perform testing and making sure the in-bound assets are defined. The red team and cyber defense teams need to keep in mind that they are working together to find gaps, identify misconfigurations, and help improve the cyber defenses of the organization.

Red teams are typically asked to test environments from outside the enterprise and work their way in. It is recommended to allow red teams to perform testing from inside the environment as well, acting as if the outer perimeter protections have been breached, even if they are considered secure. The best results will be achieved when the red team is given the architectural knowledge of the environment being tested. When completed, the organization should have a better understanding of any cyber defense shortfalls, and be able to prioritize implementing changes as needed.

Example 1
You are the CISO for an organization and want to make sure your new endpoint tools are working to provide your defensive cyber operations with the information they need to identify an attack. You have an internal red team that performs several no notice attacks on a select few end user laptops. You find out that two out of three attacks are identified from capabilities already in place. You also learn that the third attack is successful and your DCO team is not provided enough information to determine it happened. You ask your security engineers to modify the configuration of the tool and have your red team rerun the tests. Your DCO now can identify the third attack, and they are based on the latest TTPs provided by your intelligence service. You are now confident in your team’s ability to see actions of this nature and trust your DCO team will identify them if they occur.

Example 2
You are the CISO of a small organization and want to hire a red team to help test your security solutions in place. You find a well suited commercial company to provide you red team services. You have them perform their testing three times a year to validate your DCO team is able to identify specific attacks based on threat intelligence feeds your organization is currently receiving. The commercial red team is introduced to your defensive cyber folks and they plan the tests and start working on identifying any shortfalls in defensive cyber operations. The red team provides you a report at the end of each test phase and you use the report to plan and implement modification to your security posture for enhancement purposes.

Red Teaming is a specialized type of assessment conducted against an organization’s architecture with the goal to emulate adversary actions. This practice is focused on performing red teaming for the purpose of validating defensive capabilities in place (access controls, email protections, network segmentation, firewalls, and the defensive tools that help monitor all activities). It is recommended that red teaming events be coordinated with the defensive cyber teams of an organization in order to validate defensive cyber capabilities. This testing will help shape where defensive resources are allocated and where funding is needed to improve the overall security posture of the organization. This activity includes some vulnerability analysis, similar to a pentesting effort, but the main purpose is to validate defensive security mechanisms are providing the information needed to identify, disrupt, or thwart attacks on the network. Any and all findings need to be rolled into a prioritized security plan based on risk, cost, and time to implement.

Source: CMMC v1.02

CA-8 (2)


The organization employs [Assignment: organization-defined red team exercises] to simulate attempts by adversaries to compromise organizational information systems in accordance with [Assignment: organization-defined rules of engagement].

Supplemental Guidance:
Red team exercises extend the objectives of penetration testing by examining the security posture of organizations and their ability to implement effective cyber defenses. As such, red team exercises reflect simulated adversarial attempts to compromise organizational mission/business functions and provide a comprehensive assessment of the security state of information systems and organizations. Simulated adversarial attempts to compromise organizational missions/business functions and the information systems that support those missions/functions may include technology-focused attacks (e.g., interactions with hardware, software, or firmware components and/or mission/business processes) and social engineering-based attacks (e.g., interactions via email, telephone, shoulder surfing, or personal conversations). While penetration testing may be largely laboratory-based testing, organizations use red team exercises to provide more comprehensive assessments that reflect real-world conditions. Red team exercises can be used to improve security awareness and training and to assess levels of security control effectiveness.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02