NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING
CA-8(1) — Independent Penetration Testing Agent or Team
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing.
Practitioner Notes
This enhancement requires that penetration testers be independent: they must not be the people who developed, operate, or manage the system under test, and they must be free of any perceived or actual conflict of interest in the outcome. Independence is a property of the tester's relationship to the system, not of the test methodology, so scope, rules of engagement, and the reporting line for findings should be set by someone other than the system's owners and operators.
Example 1: Contract with an external penetration testing firm that has no other business relationship with your organization that could create a conflict of interest, such as having built or operating the system, or being the vendor that would be paid to remediate the findings.
Example 2: If using internal testers, ensure they are from a separate red team that does not report to the same management chain as the network defenders or system administrators, and that their findings are delivered to a party that does not own the system under test. Because [CA-2(1)](#ca-2.1) leaves the required level of independence to the authorizing official, document why the internal team's reporting line and lack of any development or operational role satisfy it.