Navigate

CA-8(3)

CA-8(3): Facility Penetration Testing

Employ a penetration testing process that includes [frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;] [one or more of "announced"/"unannounced"] attempts to bypass or circumvent controls associated with physical access points to the facility.

Supplemental

Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems.

CIA Levels
Confidentiality	high
Integrity	high
Availability	high

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CA-8(3).

Control	Description
CA-2	a: Select the appropriate assessor or assessment team for the type of assessment to be conducted; b: Develop a control assessment plan that describes the scope of the assessment including: 1: Controls and control enhancements under assessment; 2: Assessment procedures to be used to determine control effectiveness; and 3: Assessment environment, assessment team, and assessment roles and responsibilities; c: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d: Assess the controls in the system and its environment of operation [the frequency at which to assess controls in the system and its environment of operation is defined;] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e: Produce a control assessment report that document the results of the assessment; and f: Provide the results of the control assessment to [individuals or roles to whom control assessment results are to be provided are defined;].
PE-3	a: Enforce physical access authorizations at [entry and exit points to the facility in which the system resides are defined;] by: 1: Verifying individual access authorizations before granting access to the facility; and 2: Controlling ingress and egress to the facility using [one or more of "{{ insert: param, pe-03_odp.03 }} "/"guards"]; b: Maintain physical access audit logs for [entry or exit points for which physical access logs are maintained are defined;]; c: Control access to areas within the facility designated as publicly accessible by implementing the following controls: [physical access controls to control access to areas within the facility designated as publicly accessible are defined;]; d: Escort visitors and control visitor activity [circumstances requiring visitor escorts and control of visitor activity are defined;]; e: Secure keys, combinations, and other physical access devices; f: Inventory [physical access devices to be inventoried are defined;] every [frequency at which to inventory physical access devices is defined;] ; and g: Change combinations and keys [one of ] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Control

Description

CA-2

a: Select the appropriate assessor or assessment team for the type of assessment to be conducted;

b: Develop a control assessment plan that describes the scope of the assessment including:
- 1: Controls and control enhancements under assessment;
- 2: Assessment procedures to be used to determine control effectiveness; and
- 3: Assessment environment, assessment team, and assessment roles and responsibilities;

c: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;

d: Assess the controls in the system and its environment of operation [the frequency at which to assess controls in the system and its environment of operation is defined;] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

e: Produce a control assessment report that document the results of the assessment; and

f: Provide the results of the control assessment to [individuals or roles to whom control assessment results are to be provided are defined;].

PE-3

a: Enforce physical access authorizations at [entry and exit points to the facility in which the system resides are defined;] by:
- 1: Verifying individual access authorizations before granting access to the facility; and
- 2: Controlling ingress and egress to the facility using [one or more of "{{ insert: param, pe-03_odp.03 }} "/"guards"];

b: Maintain physical access audit logs for [entry or exit points for which physical access logs are maintained are defined;];

c: Control access to areas within the facility designated as publicly accessible by implementing the following controls: [physical access controls to control access to areas within the facility designated as publicly accessible are defined;];

d: Escort visitors and control visitor activity [circumstances requiring visitor escorts and control of visitor activity are defined;];

e: Secure keys, combinations, and other physical access devices;

f: Inventory [physical access devices to be inventoried are defined;] every [frequency at which to inventory physical access devices is defined;] ; and

g: Change combinations and keys [one of ] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

Enhancements

The controls below (if any) add on to the requirements of CA-8(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CA-8(3).

CCI	Definition
CCI-003889	Employ a penetration testing process, on an organization-defined frequency, that includes announced or unannounced attempts to bypass or circumvent controls associated with physical access points to the facility.
CCI-003890	Defines the frequency the penetration testing process will be employed.