Back to Control Explorer



Control Acronym



Security Assessment

CMMC Level


800-171 Control #


CMMC Description

Periodically perform red teaming against organizational assets in order to validate defensive capabilities.

CMMC Clarification

This practice focuses on red teaming an organization for the purpose of validating defensive cyber capabilities focusing on identifying or thwarting attacks. As the red team performs tests against the organization the red team is also working with the organization’s cyber defender(s) in order to help validate the defensive capabilities against the attacks used. This is a completely transparent relationship where the red team works with the organization’s cyber defenders in order to identify areas that need improvement. While large corporations may have internal teams perform this testing, a lot of small companies will lack the in-house expertise to perform red teaming properly. Third-party adversarial assessment teams can be used in this case. Rules of engagement will need to be generated prior to testing in order to define the bounds of the testing, and to make sure test teams know to what levels they may perform testing and making sure the in-bound assets are defined. The red team and cyber defense teams need to keep in mind that they are working together to find gaps, identify misconfigurations, and help improve the cyber defenses of the organization. Red teams are typically asked to test environments from outside the enterprise and work their way in. It is recommended to allow red teams to perform testing from inside the environment as well, acting as if the outer perimeter protections have been breached, even if they are considered secure. The best results will be achieved when the red team is given the architectural knowledge of the environment being tested. When completed, the organization should have a better understanding of any cyber defense shortfalls, and be able to prioritize implementing changes as needed. Example 1 You are the CISO for an organization and want to make sure your new endpoint tools are working to provide your defensive cyber operations with the information they need to identify an attack. You have an internal red team that performs several no notice attacks on a select few end user laptops. You find out that two out of three attacks are identified from capabilities already in place. You also learn that the third attack is successful and your DCO team is not provided enough information to determine it happened. You ask your security engineers to modify the configuration of the tool and have your red team rerun the tests. Your DCO now can identify the third attack, and they are based on the latest TTPs provided by your intelligence service. You are now confident in your team’s ability to see actions of this nature and trust your DCO team will identify them if they occur. Example 2 You are the CISO of a small organization and want to hire a red team to help test your security solutions in place. You find a well suited commercial company to provide you red team services. You have them perform their testing three times a year to validate your DCO team is able to identify specific attacks based on threat intelligence feeds your organization is currently receiving. The commercial red team is introduced to your defensive cyber folks and they plan the tests and start working on identifying any shortfalls in defensive cyber operations. The red team provides you a report at the end of each test phase and you use the report to plan and implement modification to your security posture for enhancement purposes.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Red Teaming is a specialized type of assessment conducted against an organization’s architecture with the goal to emulate adversary actions. This practice is focused on performing red teaming for the purpose of validating defensive capabilities in place (access controls, email protections, network segmentation, firewalls, and the defensive tools that help monitor all activities). It is recommended that red teaming events be coordinated with the defensive cyber teams of an organization in order to validate defensive cyber capabilities. This testing will help shape where defensive resources are allocated and where funding is needed to improve the overall security posture of the organization. This activity includes some vulnerability analysis, similar to a pentesting effort, but the main purpose is to validate defensive security mechanisms are providing the information needed to identify, disrupt, or thwart attacks on the network. Any and all findings need to be rolled into a prioritized security plan based on risk, cost, and time to implement.

CIS Control References

CIS Controls v7.1 20.3

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CA-8(2)

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15