CMMC Practice CA.4.227
Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
Bold Coast Security Guidance
Whether you use in-house experts or hire an outside firm for red team exercises, make sure the exercise is a collaborative activity designed to test the effectiveness of controls, alerting capability, and the advanced detection systems required by SI.5.222 (EDR) and SI.5.223 (UEBA).
Your policy should state whether you prefer to use internal or external resources, and the frequency of testing. The plan should identify any test environments that will be used, the team members involved, and the specific systems being tested. Report the test results to leadership so that effectiveness can be measured year after year.
Red Teaming is a specialized type of assessment conducted against an organization’s architecture with the goal of emulating adversary actions. This practice is focused on performing red teaming for the purpose of validating the defensive capabilities in place (access controls, email protections, network segmentation, firewalls, and the defensive tools that monitor all of this activity). It is recommended that red teaming events be coordinated with the organization’s defensive cyber teams in order to validate defensive cyber capabilities. This testing helps shape where defensive resources are allocated and where funding is needed to improve the overall security posture of the organization. The activity includes some vulnerability analysis, similar to a pentesting effort, but its main purpose is to validate that defensive security mechanisms are providing the information needed to identify, disrupt, or thwart attacks on the network. Any and all findings need to be rolled into a prioritized security plan based on risk, cost, and time to implement.