Penetration Testing (PenTesting)

Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection

Contact: Penetration Testing Team | cmspentestmanagement@cms.hhs.gov
CMS Slack Channel
  • #ccic_sec_eng_and_soc

What is Penetration Testing? 

Penetration Testing, also known as PenTesting, is the process of identifying and exploiting vulnerabilities in a system. It helps to identify areas where security has been compromised or could be compromised in the future. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. It often involves launching real attacks on real systems and data, using tools and techniques commonly employed by attackers. Penetration testing can help you determine:

  • How well the system tolerates real-world attack patterns
  • The likely level of sophistication an attacker needs to successfully compromise the system
  • Additional countermeasures that could mitigate threats against the system
  • How combinations of vulnerabilities can be used to exploit systems, networks, or applications
  • The defenders’ ability to detect attacks and respond appropriately
  • The overall security posture of the target system
  • Gaps in the implementation of security measures

What types of PenTesting exist? 

All teams at CMS have the ability to choose either internal or external PenTesting. 

Internal and External PenTesting – also known as Penetration Testing as a Service (PTaaS) – is managed by the Penetration Testing Team through the CMS Cybersecurity Integration Center (CCIC). This service offers an in-depth examination of security infrastructure carried out by competent security researchers. It also utilizes automated tools to simulate attacks, gain unauthorized access to systems, and elevate privileges. 

Third Party Non-CCIC PenTesting Service – also known as Penetration Testing Self Service (PTSS) – is managed by private contractors or providers outside of CMS. With this model, internal CMS Teams connect with automated testing tools to assess their systems.

While both options meet the technical requirements for FISMA systems, it’s preferred that CMS Teams use the resources provided by the CCIC to conduct their PenTesting. The internal PTaaS is offered to CMS teams at no cost, and your team will benefit from direct support from engineers from the Penetration Testing Team. 

Schedule your PenTest

Contact the CMS Penetration Testing Team to schedule your system's PenTest today, or visit SIGNAL's scheduling application at https://app.signal.internal.cms.gov/.

Who manages the PenTesting process?

Within your team, the Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), and the System/Business Owner are the primary individuals responsible for the management of the PenTesting process. The Penetration Testing Team assists in the process of uploading the required files to CFACTS once the test is complete. 

Information System Security Officer (ISSO)

The following actions are completed by ISSOs during the PenTesting process: 

  • Emails the PenTest mailbox to make the initial request for a PenTest
  • Fills out the Penetration Testing Intake Form provided by the PenTest Coordinator 
  • Participates in all meetings with the Penetration Testing Team
  • In the event that the PenTest produces findings that warrant a Plan of Action and Milestones (POA&M), the ISSO assists in the remediation process

Cyber Risk Advisor (CRA)

The CRA is responsible for the following portions of the PenTesting process:

  • Serves as an information resource for the ISSO
  • When necessary, assists the ISSO in the collection of system-specific information and materials
  • Confirms that the final PenTest results have been accurately uploaded to CFACTS 

System/Business Owner

The System/Business Owner completes the following activities in support of PenTesting: 

  • Participates in all meetings with the Penetration Testing Team 
  • Works with the Penetration Testing team to discuss test results and the discovery of all findings
  • Mitigates findings within one (1) week, focusing first on the highest risk findings
  • Manages the POA&M process in the event of findings that warrant a POA&M

Penetration Testing Team 

The Penetration Testing Team is responsible for the following actions: 

  • Responds to the initial request from the ISSO or CRA 
  • Schedules a kick-off meeting with the ISSO, CRA, System/Business Owner, and any Contractors to determine the scope of the Penetration Test
  • Works with the System Team to agree on how the system will be tested, so that testing proceeds in a controlled manner that addresses potential and realized impacts on CMS operations while allowing for the most useful test results possible
  • Coordinates test timeline, scope, and strategy and documents a test plan
  • Executes test activities based on the test plan
  • Delivers status updates during test execution
  • Categorizes, prioritizes, and reports on findings and recommendations for remediation
  • Debriefs and collaborates with the System Team on findings and recommendations
  • Assists the System Team’s ISSO and CRA in creating the CAAT file that is uploaded to CFACTS 

How do I schedule a PenTest? 

Scheduling your PenTest with the Penetration Testing Team is easy. Just follow these steps: 

  • The ISSO or CRA visits SIGNAL's scheduling application at https://app.signal.internal.cms.gov/ to fill out and submit the intake form.
  • The PenTest Coordinator works with the ISSO and project team to review the submitted intake form. 
  • The PenTest team arranges a meeting to discuss the process and inform the ISSO and System/Business Owner of what to expect.

To avoid delays, the project should contact a PenTest Coordinator to request the assessment at least 3 months before the ATO deadline.

What are the results of PenTesting?

Immediately following a PenTest, the following actions occur: 

  • The PenTest team will notify the System Team of any issues. If an issue is not sufficiently resolved/mitigated within 5 days for critical and 25 days for all others, the team is issued a Plan of Action and Milestones (POA&M) to manage it
  • When the test results are finalized, the PenTest team uploads a completed CAAT spreadsheet to CFACTS and notifies all parties
  • The CISO mailbox is also notified that the CAAT spreadsheet is complete and available on CFACTS
  • After positive identification of security assessment, all findings/weaknesses must be documented in a POA&M and remediated/mitigated within the following remediation timelines:
    • Critical within 15 calendar days
    • High within 30 days
    • Moderate within 90 days
    • Low within 365 days

Please note that, per the CMS Acceptable Risks and Safeguards (ARS), System Owners must, “Correct identified security-related information system flaws on production equipment within 5 days (5) business days for critical and all others within (25) calendar days.”