NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-8(3) Facility Penetration Testing

Employ a penetration testing process that includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to the facility.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems.

Practitioner Notes

This enhancement extends penetration testing to your physical facilities — testing whether someone could gain unauthorized physical access to your servers, network equipment, or data center.

Example 1: Hire a physical penetration testing team to attempt to bypass your badge readers, tailgate through secure doors, and access your server room without authorization.

Example 2: Test whether your security guards and reception staff follow proper visitor verification procedures by sending testers posing as delivery personnel or maintenance workers.