CMMC Practice CA.4.164
Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
Bold Coast Security Guidance
For Level 4 compliance, the organization must have a technical testing policy and plan, and must demonstrate a program that measures the results of both automated vulnerability scanning and manual penetration testing (hands-on tactics and techniques), each designed to reveal vulnerabilities in the infrastructure and software of the IT environment.
DRAFT NIST SP 800-171B (MODIFIED)
Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify weaknesses and vulnerabilities within the solution. Adversaries that obtain a foothold in a network can take advantage of any unpatched vulnerabilities. Penetration testing goes beyond automated vulnerability scanning: it is conducted by penetration testing agents and teams with demonstrable skills and experience, including technical expertise in network, operating system, and/or application-level security. Penetration testing is used to validate vulnerabilities or to determine the degree of penetration resistance of systems to cyber-attacks. Penetration resistance is measured against an adversary operating under constraints such as time, resources, and skills. Penetration testing activities can be supported by commercially available automated vulnerability identification tools.

Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and should exercise both physical and technical controls, where possible. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system; pretest identification of potential vulnerabilities based on that analysis; and testing designed to determine the exploitability of the identified vulnerabilities. All parties agree to the rules of engagement before penetration testing scenarios commence.
Organizations correlate the rules of engagement for penetration tests with the tools, techniques, and procedures that adversaries are anticipated to employ. The penetration testing team may be organization-based or external to the organization. In either case, it is important that the team possesses the necessary skills and resources to do the job and is objective in its assessment. The findings from the penetration testing should be documented in a final report, and every finding should be rolled into a remediation plan prioritized by risk, cost, and time to implement.
NIST SP 800-53A provides guidance on conducting security assessments.