Penetration testing requirements for NIST SP 800-53

18 Feb, 2021


Year after year, security threats grow more complex and sophisticated. An enterprise cannot wait for attackers to exploit vulnerabilities in its systems; it needs to adopt proactive security measures to stay a step ahead of them. Penetration testing is one such exercise. It tests the effectiveness of enterprise security controls, finds existing vulnerabilities, and examines the extent of the damage that would result if they were successfully exploited. In our previous articles, we have discussed that not every regulation or standard mentions “penetration testing” explicitly in its requirements. NIST’s Special Publication 800-53, however, requires federal organizations to perform penetration testing under control CA-8.

What is NIST SP 800-53 (Rev. 4)?

This publication lays down security and privacy controls for federal information systems and organizations. It contains guidelines and standards that US federal agencies and their contractors follow to comply with the Federal Information Security Management Act of 2002. Because it is widely regarded as a standard, many private and non-governmental organizations have also adopted NIST SP 800-53 to improve their security posture. It assigns security controls to three baselines based on impact level – low, moderate, and high – and groups them into 18 families of security controls.

Figure 1: Families of security controls in NIST SP 800-53

Is there a control for penetration testing?

Control CA-8 focuses on penetration testing, and NIST has designated it as a high-impact control. A plain reading of the control statement is that an organization shall conduct penetration testing at an organization-defined frequency on organization-defined systems or system components. An organization should rely on risk assessment results when deciding the frequency and coverage of its penetration tests.

The supplemental guidance further elaborates on what penetration testing is. It states that penetration testing is a specialized assessment conducted on information systems or their components to identify vulnerabilities that adversaries could exploit. A penetration testing exercise can also validate known vulnerabilities or assess the defensive capability of enterprise systems. An ideal penetration test replicates the actions adversaries take when launching cyberattacks on organizations. The results of vulnerability scans should drive the penetration testing exercise. The scope of a penetration test can include software, hardware, and firmware components, along with physical and technical security.

It specifies the following three components of a penetration test:

  1. Pretest analysis based on complete knowledge of the target system(s)
  2. Pretest identification of potential vulnerabilities
  3. Testing to determine the exploitability of identified vulnerabilities

Before starting a penetration testing exercise, all parties should agree on the rules of engagement. These rules of engagement should be correlated with the tools, techniques, and procedures (TTPs) employed by adversaries.

Are there any additional controls?

NIST SP 800-53 also prescribes two control enhancements for CA-8: CA-8(1) and CA-8(2). The former deals with independent penetration testing, and the latter covers red team exercises.

CA-8(1): Independent penetration agent or team

This control states that an organization shall employ an independent penetration testing agent or team to perform penetration tests. Here, “independent” can be interpreted to mean “external” parties who are free from any perceived or actual conflicts of interest. Such conflicts may arise during the development, operation, management, or maintenance of information systems. Internal security teams may hide vulnerabilities to make their defensive measures appear effective, whereas an external agent or team is generally free of any such bias.

CA-8(2): Red team exercises

This control pushes organizations to go beyond standard penetration testing by conducting red team exercises. The control statement gives organizations the flexibility to select the red team exercises and their rules of engagement. The supplemental guidance recommends that red team exercises reflect a simulated adversarial attempt to compromise information systems and provide a detailed assessment of an organization’s security posture. Penetration testing is analogous to lab-based testing, while red team exercises are closer to real-world conditions. Red team exercises cover not only technology-focused attacks but also social engineering attacks.

Ending notes

NIST Special Publication 800-53 Revision 4 (NIST SP 800-53r4) is a mandatory framework for federal organizations. The first version came out in 2005, and NIST published the latest version in 2013. With each revision, it has been renamed and upgraded to address the current threat environment. The fifth revision was due in September 2019, and it sought to remove the word “federal” to signal that the framework applies to all organizations. While potential disagreements between US agencies have delayed its publication, NIST SP 800-53 continues to be a framework to look up to.