CCI-002093
CCI-002093 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements a process to conduct penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095. The organization must maintain a record of penetration test results.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process as well as a sampling of the penetration test results to ensure the organization being inspected/assessed conducts penetration testing in accordance with the frequency defined in CA-8, CCI 2094 on information systems or system components defined in CA-8, CCI 2095.
Compelling Evidence
1.) Signed and dated SOP/TTP ensuring the organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components.
2.) Audit logs verifying penetration testing is being conducted.