CCI-003192
CCI-003192 Definition
| Field | Value |
|---|---|
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents the constraints on penetration testing performed by the developer of the information system, system component, or information system service. Penetration testing should use all available information technology product documentation (e.g., product/system design specifications, source code, and administrator/operator manuals) and can include, for example, white, gray, or black box testing to attempt circumventing security features of the information technology product or system. Penetration testing should be performed:
1. by skilled security professionals working in controlled environments to simulate and execute adversary actions; and
2. in conjunction with automated and manual code reviews to provide greater levels of analysis than would ordinarily be possible.
DoD has determined the constraints are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented constraints to ensure the organization being inspected/assessed defines the constraints on penetration testing performed by the developer of the information system, system component, or information system service. DoD has determined the constraints are not appropriate to define at the Enterprise level.
Compelling Evidence
1. System security plan (SSP).
2. System development life cycle (SDLC) documentation.
3. Continuous monitoring plan, which must define the constraints on penetration testing the developer is required to perform.