CCI-002094

The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components.

Implementation Guidance

The organization being inspected/assessed defines and documents the frequency for conducting penetration testing on organization-defined information systems or system components. DoD has determined the frequency is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented frequency to ensure the organization being inspected/assessed defines the frequency for conducting penetration testing on organization-defined information systems or system components. DoD has determined the frequency is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated SOP/TTP defining the frequency for conducting penetration testing on organization-defined information systems or system components 2.) Penetration testing results

The controls below (if any) were marked by NIST as being related to CCI-002094.