CCI-003890

Implementation Guidance

Determine if the penetration testing process includes [CA-08(03)_ODP[01]; frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined] [CA-08(03)_ODP[02]; one or more of the following PARAMETER VALUES is/are selected: {announced; unannounced}] attempts to bypass or circumvent controls associated with physical access points to facility.

Validation Procedures

Examine: [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing penetration testing; procedures addressing red team exercises; assessment plan; results of red team exercises; penetration test report; assessment report; rules of engagement; assessment evidence; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with assessment responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. Test: [SELECT FROM: Automated mechanisms supporting the employment of red team exercises].