myctrl.tools
Compare

SA-11(5)Penetration Testing

>Control Description

Require the developer of the system, system component, or system service to perform penetration testing: a. At the following level of rigor: organization-defined breadth and depth of testing; and b. Under the following constraints: organization-defined constraints.

>Cross-Framework Mappings

SCF

IAO-02.2
Compare
IAO-04
Compare
TDA-09
Compare
TDA-09.5
Compare
VPM-07
Compare

>Supplemental Guidance

Penetration testing is an assessment methodology in which assessors, using all available information technology product or system documentation and working under specific constraints, attempt to circumvent the implemented security and privacy features of information technology products and systems. Useful information for assessors who conduct penetration testing includes product and system design specifications, source code, and administrator and operator manuals. Penetration testing can include white-box, gray-box, or black-box testing with analyses performed by skilled professionals who simulate adversary actions.

The objective of penetration testing is to discover vulnerabilities in systems, system components, and services that result from implementation errors, configuration faults, or other operational weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide a greater level of analysis than would ordinarily be possible. When user session information and other personally identifiable information is captured or recorded during penetration testing, such information is handled appropriately to protect privacy.

>Related Controls

CA-8
PM-14
PM-25
PT-2
SA-3
SI-2
SI-6

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What acquisition policies and procedures address the requirements of SA-11(5)?
  • How are security and privacy requirements integrated into the acquisition process?
  • Who is responsible for ensuring that acquisitions comply with SA-11(5)?

Technical Implementation:

  • How are security requirements defined and documented in acquisition contracts?
  • What mechanisms ensure that acquired systems and services meet security requirements?
  • How do you validate that vendors and service providers comply with specified security controls?
  • What secure coding practices and standards are required for developers?

Evidence & Documentation:

  • Can you provide examples of acquisition documentation that includes security requirements?
  • What evidence demonstrates that acquired systems meet security specifications?
  • Where is acquisition security documentation maintained throughout the system lifecycle?
  • Can you provide code review or static analysis results?

Ask AI

Configure your API key to use AI features.