The chief information security officer shall ensure that penetration testing of mission-critical, sensitive, and public-facing Agency information resources is performed on a recurring basis.
Vulnerabilities will not be validated or confirmed. The organization will be unable to assess its ability to withstand an attack directed at its information resources.
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
Penetration tests are performed on a recurring basis.