CA-8(3): Facility Penetration Testing
(Not part of any baseline)
Control is new to this version of the control set.
Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Assignment: announced, unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.
Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems.