Skip to main content
    NIST SP 800-53 / SP 800-115
    ·By Budget Security

    NIST Penetration Testing Requirements

    The National Institute of Standards and Technology (NIST) publishes the control catalogues and testing methodologies that underpin most US federal and regulated-industry security programmes. Penetration testing sits inside NIST SP 800-53 as control CA-8, and NIST SP 800-115 defines how the testing itself is performed.

    This guide breaks down what NIST requires for penetration testing, how control CA-8 and the SP 800-115 methodology work, and how NIST underpins FedRAMP, FISMA, and CMMC.

    What NIST Requires for Security Testing

    NIST guidance is built from control families and companion methodologies. Several of these create a direct expectation of penetration testing for systems handling sensitive or regulated data:

    CA-8 - Penetration Testing

    The SP 800-53 control that requires penetration testing on defined systems at an organization-defined frequency

    SP 800-115 - Test Methodology

    The technical guide defining the planning, discovery, attack, and reporting phases of a professional penetration test

    RA-5 and CA-2

    Vulnerability monitoring and control assessment controls that penetration testing directly supports with real exploitation evidence

    NIST CSF Alignment

    The Cybersecurity Framework's Identify and Protect functions rely on regular testing to validate that controls work in practice

    Assessors reviewing a NIST-aligned system expect documented penetration test results that follow a recognized methodology and map findings back to the relevant controls.

    Control CA-8 and the SP 800-115 Methodology

    Two NIST references do the heavy lifting for penetration testing. Understanding how they fit together helps you scope and document your engagement:

    SP 800-53 CA-8 - The Requirement

    CA-8 requires organizations to conduct penetration testing on selected systems or components at a defined frequency. Enhancements cover the use of independent testing teams and red-team exercises. This is the control FedRAMP and FISMA systems cite as the basis for their annual pentest obligation.

    SP 800-115 - The Method

    SP 800-115 defines how the test is carried out: planning, discovery, attack (gaining access, escalating privileges, and pivoting), and reporting. Following this methodology is what makes a penetration test defensible to a NIST assessor rather than an ad hoc scan.

    Mapping Findings to Controls

    A NIST-ready report links each finding to the affected control and to the system boundary defined in your System Security Plan (SSP), so assessors can trace exploitation evidence directly to your control implementation.

    Where NIST Testing Applies

    Federal and cloud systems

    Systems following NIST 800-53 (FISMA) or seeking FedRAMP authorization must run penetration testing under CA-8, at least annually.

    Defense supply chain

    Contractors handling Controlled Unclassified Information follow NIST 800-171, the basis for CMMC, where security assessment expects penetration testing.

    Voluntary CSF adopters

    Organizations using the NIST Cybersecurity Framework as a baseline use penetration testing to validate the Protect and Detect functions.

    Evidence and cadence

    Most NIST-aligned programmes test at least annually and after significant system changes, retaining results for assessor review.

    How Budget Security Helps You Meet NIST

    Budget Security delivers penetration testing that follows the NIST SP 800-115 methodology and maps cleanly to control CA-8. Our platform lets you define scope and launch engagements on your timeline, starting at EUR 849 per day.

    1

    Scope to your system boundary

    Define which applications, networks, and APIs fall inside your System Security Plan boundary, so testing covers exactly the systems CA-8 applies to.

    2

    SP 800-115 methodology

    Our testers hold recognized offensive security certifications (OSCP, OSWE) and follow the SP 800-115 phases alongside OWASP and PTES.

    3

    Control-mapped reporting

    Every report links findings to the affected NIST controls with CVSS v3.1 scores and exploitation evidence, ready for your assessor.

    4

    Remediation tracking and retesting

    Track fixes through our vulnerability dashboard, then retest to confirm remediation and document control effectiveness.

    Get Your NIST Pentest Quote

    See exactly what your NIST-aligned penetration test would cost. Reports follow SP 800-115 and map findings to control CA-8 so your assessor can trace evidence to your System Security Plan.

    NIST Penetration Testing FAQ

    Does NIST require penetration testing?
    NIST SP 800-53 includes control CA-8 (Penetration Testing), which calls for organizations to conduct penetration testing on defined systems at a specified frequency. Systems that follow NIST 800-53, the NIST Cybersecurity Framework, or NIST 800-171 are therefore expected to run penetration tests as part of their security assessment programme. NIST SP 800-115 is the technical guide that defines how those tests should be performed.
    What is NIST SP 800-115?
    NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is the reference methodology for security testing published by the National Institute of Standards and Technology. It defines the phases of a penetration test (planning, discovery, attack, and reporting) and is widely adopted as the baseline methodology for professional pentest engagements across US compliance regimes.
    What is NIST 800-53 control CA-8?
    CA-8 is the Penetration Testing control in NIST SP 800-53. It requires organizations to conduct penetration testing on selected systems or components at an organization-defined frequency, and it supports related controls such as CA-2 (control assessments) and RA-5 (vulnerability monitoring). CA-8 is the control most FedRAMP and FISMA systems point to for their pentest obligation.
    How often does NIST recommend penetration testing?
    NIST does not fix a single universal interval; CA-8 requires an organization-defined frequency based on risk. In practice, most NIST-aligned programmes run penetration tests at least annually and after significant changes to systems supporting sensitive or regulated data. FedRAMP systems, which build on NIST 800-53, require annual penetration testing.
    How does NIST relate to FedRAMP, FISMA, and CMMC?
    NIST SP 800-53 is the control catalogue that underpins FISMA and FedRAMP, and NIST SP 800-171 underpins CMMC for defense contractors handling Controlled Unclassified Information. Penetration testing that satisfies NIST CA-8 and follows the SP 800-115 methodology provides the evidence base these downstream frameworks rely on.
    How much does a NIST penetration test cost?
    A NIST-aligned penetration test with Budget Security starts at EUR 849 per day. Total cost depends on the number of applications, network segments, and APIs in the system boundary you are assessing. Use our pricing page to calculate an estimate tailored to the systems in your NIST assessment scope.