Penetration testing occupies a dual role for defense-oriented organizations. It is both a technical activity that exposes exploitable weaknesses and an evidentiary activity that must map back to formal assessment criteria for authorization and contract compliance. To be useful in a DoD context a penetration test must be planned, executed, and documented with standards in mind so results can support Risk Management Framework decisions, NIST assessment objectives, and contractor obligations under DFARS/CMMC practice expectations.

Start with the technical baseline. NIST Special Publication 800-115 remains the definitive technical guide for planning and conducting penetration tests and related technical assessments. It lays out the common methodologies, phases, rules of engagement, and evidence practices that assessors and organizations should use when treating tests as formal assessment activities. Use SP 800-115 to shape scoping, test types, operational constraints, and reporting expectations so a penetration test becomes reproducible and defensible as an assessment artifact.

Map tests to the security requirements being assessed. For contractor systems handling Controlled Unclassified Information the assessment baseline is expressed through NIST SP 800-171 and its assessment companion SP 800-171A. Revision 3 of SP 800-171 introduced organization-defined parameters to reduce ambiguity in how some requirements are implemented and assessed. The companion assessment guidance in SP 800-171Ar3 clarifies assessment objectives and recommended evidence for each requirement. When you plan penetration tests, document which specific SP 800-171 requirement and which assessment objective the test is intended to exercise. That mapping is how penetration evidence converts into a MET, NOT MET, or other assessment finding.

Integrate tests into RMF workflows for DoD systems. DoD Instruction 8510.01 establishes the Risk Management Framework for DoD systems and explains how authorization decisions are made and sustained. Penetration testing is not an isolated technical exercise. Under RMF the penetration test is an assessment procedure that feeds the Assess step and informs authorization-level risk decisions and monitoring. Coordinate test scheduling and reporting with the Authorizing Official and the Assessment Team so test outcomes flow directly into the system security plan, assessment report, and any Plans of Action and Milestones.

Be explicit about scope and impact. In a defense context systems routinely host or interconnect with CUI and operational technology. Scoping must identify all in-scope assets, permitted test methods, excluded devices, and acceptable risk thresholds. Use SP 800-115 guidance to distinguish safe proof-of-concept exploitation from techniques that could disrupt operations. Ensure full written authorization and incident escalation paths are in place before active exploitation. Record timestamps, tool versions, proof artifacts, and the exact commands or scripts used so evidence is auditable during an assessment.

Practical mapping examples. A few concrete correspondences are useful:

  • External network web app test mapped to SP 800-171 requirement families such as System and Communications Protection and System and Information Integrity and to specific assessment objectives in SP 800-171Ar3. Use the test to demonstrate control effectiveness for authentication, session management, and input validation.
  • Internal lateral movement/red team exercises mapped to Access Control and Audit and Accountability requirements. Results that show privilege escalation paths should be accompanied by evidence of detection, logging, and remediation timelines.
  • Supply chain or third-party hosted component testing documented against Supply Chain Risk Management requirements and the relevant organization-defined parameters (ODPs) in SP 800-171r3. Where DoD has published ODP values for that environment, those values should be used in the assessment plan.

Documentation and assessment artifacts. For DoD-aligned assessments include at minimum:

  • An assessment plan that lists mapped requirements and assessment objectives from SP 800-171Ar3.
  • Rules of engagement and a signed authorization from the Authorizing Official as required by RMF.
  • Raw evidence logs, validated exploit artifacts, and a clean chain-of-custody statement suitable for auditors. Include vulnerability scanner outputs plus manual test notes to show corroboration and reduce false positives.
  • Remediation verification steps and, where applicable, POA&M entries that reference the specific assessment objective and target date. Use the RMF Assess and Monitor steps to close the loop.

Assessment rigor and independence. In contract contexts the assessor role matters. Self-tests have a place for continuous improvement, but third-party assessments or accredited assessors are a different evidentiary class when DoD or a contracting officer requires independent verification. Where SP 800-171Ar3 assessment procedures are the baseline, ensure independent assessors can reproduce testing steps and verify remediation. NIST guidance on assessing security controls identifies penetration testing as a recognized assessment technique when it is planned and executed under formal assessment plans.

Common pitfalls to avoid. First, treating a penetration test as a compliance checkbox instead of a risk-reduction activity will produce brittle artifacts. Second, failing to map test coverage to assessment objectives leads to findings that cannot be translated into authorization decisions. Third, running high-impact exploits on production CUI systems without fallback and rollback plans risks outages and reportability under incident response rules. Use controlled enclaves or production mirroring where possible and accept that some controls are better validated by configuration review and log analysis rather than destructive testing.

Forward-looking recommendations for program owners and testers. Adopt a test-driven assessment approach in which security testing and assessments are integrated into development and sustainment cycles. Keep penetration results part of continuous monitoring evidence and use automation where appropriate to annotate which NIST assessment objectives are exercised by each test case. Expect tighter specification of organization-defined parameters from sponsoring agencies and be prepared to incorporate those values into automated test plans and reporting templates. Finally, invest in assessor training on the SP 800-171Ar3 assessment language so that technical findings become crisp assessment determinations.
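The evidence fields called for above (timestamps, tool versions, exact commands, proof artifacts, a chain-of-custody statement) and the automated annotation of which assessment objectives each test case exercises can be handled by one small evidence ledger. The following is an added example, not code from the article or from any NIST or DoD publication. It hashes every proof artifact so a chain-of-custody check can be rerun by an independent assessor, records the requirement and objective each test case maps to, rolls the per-case determinations up to a worst-case determination per objective, and lists the planned objectives that no test exercised. The requirement and objective identifiers, tool names, commands, and captured outputs are constructed placeholders; in a real assessment plan they would be the SP 800-171 requirement identifiers and SP 800-171Ar3 objective identifiers, and the determination vocabulary is assumed to be MET / NOT MET / NOT APPLICABLE.

```python
"""Evidence ledger for assessment-aligned penetration test cases (added example).

Every identifier below (requirement/objective IDs, tool names, commands, outputs)
is a constructed placeholder; substitute the identifiers from the assessment plan.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Assumed determination vocabulary; align with the assessment guide in use.
DETERMINATIONS = ("MET", "NOT MET", "NOT APPLICABLE")


@dataclass(frozen=True)
class Objective:
    family: str          # requirement family named in the assessment plan
    requirement_id: str  # placeholder for the SP 800-171 requirement identifier
    objective_id: str    # placeholder for the SP 800-171Ar3 objective identifier


@dataclass
class TestCase:
    case_id: str
    objectives: tuple        # Objective instances this case exercises
    tool: str
    tool_version: str
    command: str             # exact command line as run, for reproduction
    artifact: bytes          # proof artifact (captured output, screenshot bytes, ...)
    determination: str       # one of DETERMINATIONS
    recorded_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat(timespec="seconds"))

    def __post_init__(self):
        if self.determination not in DETERMINATIONS:
            raise ValueError(f"{self.case_id}: unknown determination {self.determination!r}")
        if not self.objectives:
            raise ValueError(f"{self.case_id}: test case maps to no assessment objective")


def artifact_digest(data: bytes) -> str:
    """SHA-256 of a proof artifact; this is what the chain-of-custody statement cites."""
    return hashlib.sha256(data).hexdigest()


def ledger_entry(tc: TestCase) -> dict:
    """Auditor-facing record with everything needed to reproduce and verify one test."""
    return {
        "case_id": tc.case_id,
        "recorded_at": tc.recorded_at,
        "tool": f"{tc.tool} {tc.tool_version}",
        "command": tc.command,
        "artifact_sha256": artifact_digest(tc.artifact),
        "determination": tc.determination,
        "objectives": [asdict(o) for o in tc.objectives],
    }


def build_ledger(cases) -> str:
    """Serialise the ledger as JSON so it can be signed and handed to assessors."""
    return json.dumps([ledger_entry(tc) for tc in cases], indent=2, sort_keys=True)


def coverage_report(plan, cases) -> dict:
    """Planned objectives that were exercised (with worst-case determination) and those missed."""
    by_objective = {}
    for tc in cases:
        for obj in tc.objectives:
            by_objective.setdefault(obj.objective_id, []).append(tc)
    exercised = {}
    for obj_id, tcs in by_objective.items():
        dets = {tc.determination for tc in tcs}
        # A single NOT MET result for an objective makes the objective NOT MET.
        worst = "NOT MET" if "NOT MET" in dets else ("MET" if "MET" in dets else "NOT APPLICABLE")
        exercised[obj_id] = {"cases": sorted(tc.case_id for tc in tcs), "determination": worst}
    unexercised = sorted(o.objective_id for o in plan if o.objective_id not in by_objective)
    return {"exercised": exercised, "unexercised": unexercised}


def verify_chain_of_custody(ledger_json: str, artifacts: dict) -> list:
    """Return case_ids whose stored artifact no longer matches the digest in the ledger."""
    mismatched = []
    for entry in json.loads(ledger_json):
        data = artifacts.get(entry["case_id"])
        if data is None or artifact_digest(data) != entry["artifact_sha256"]:
            mismatched.append(entry["case_id"])
    return mismatched


# Constructed sample plan and test cases (placeholder identifiers and outputs).
PLAN = (
    Objective("Access Control", "AC-REQ-PLACEHOLDER", "AC-OBJ-PLACEHOLDER-1"),
    Objective("Audit and Accountability", "AU-REQ-PLACEHOLDER", "AU-OBJ-PLACEHOLDER-1"),
    Objective("System and Communications Protection", "SC-REQ-PLACEHOLDER", "SC-OBJ-PLACEHOLDER-1"),
)
CASES = [
    TestCase("TC-001", (PLAN[0],), "example-authz-checker", "1.4.2",
             "example-authz-checker --profile role-matrix.yaml",
             b"constructed output: 0 of 12 role boundaries bypassed\n", "MET"),
    TestCase("TC-002", (PLAN[0], PLAN[1]), "example-log-review", "0.9",
             "example-log-review --window 2h --event privilege-change",
             b"constructed output: 3 privilege changes, 2 logged, 1 missing from SIEM\n", "NOT MET"),
]

if __name__ == "__main__":
    print(build_ledger(CASES))
    print(json.dumps(coverage_report(PLAN, CASES), indent=2))
```

The `unexercised` list is the gap report the article warns about: planned objectives with no test behind them cannot be turned into an authorization decision, so they need either a test case or a note that the objective is being validated by configuration review or log analysis instead.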

Conclusion. In defense contexts compliance is achieved when technical testing is baked into the assessment framework rather than stuck on the edges of it. Use SP 800-115 for rigorous technical test practice, map every test to SP 800-171 assessment objectives and the RMF Assess step, and document with the level of detail that an Authorizing Official or contracting authority requires. That alignment is how a penetration test moves beyond tactical discovery and becomes a durable piece of compliance evidence that reduces risk in the hybrid cyber-kinetic systems DoD depends on.