PE-3(6)—Facility Penetration Testing

>Control Description

[Incorporated into CA-8]

Questions assessors commonly ask

•What documented policies and procedures address facility penetration testing?
•Who is accountable for implementing and maintaining facility penetration testing controls?
•How frequently are facility penetration testing requirements reviewed, and what triggers updates?
•What process ensures changes to systems maintain compliance with facility penetration testing requirements?
•How are exceptions to facility penetration testing requirements documented and approved?

•What technical controls enforce facility penetration testing in your environment?
•How are facility penetration testing controls configured and maintained across all systems?
•What automated mechanisms support facility penetration testing compliance?
•How do you validate that facility penetration testing implementations achieve their intended security outcome?
•What compensating controls exist if primary facility penetration testing controls cannot be fully implemented?

•What documentation proves facility penetration testing is implemented and operating effectively?
•Can you provide configuration evidence showing how facility penetration testing is technically enforced?
•What audit logs or monitoring data demonstrate ongoing facility penetration testing compliance?
•Can you show evidence of a recent review or assessment of facility penetration testing controls?
•What artifacts would you provide during an assessment to demonstrate facility penetration testing compliance?

Configure your API key to use AI features.