Red-team scope + rules of engagement
Demonstrate that red-team activities operate under formally documented, authorized scope limitations and rules of engagement that protect business operations, comply with legal constraints, and enable controlled adversarial testing.
Description
What this control does
This control ensures that red-team exercises are conducted within explicitly defined boundaries and under documented rules of engagement (RoE) that specify in-scope systems, prohibited actions, attack vectors, timing constraints, communication protocols, and escalation procedures. The scope prevents unintended disruption to production systems, legal exposure, or testing of out-of-scope third-party environments. Rules of engagement establish authorization, notification requirements, safe words, data handling restrictions, and incident response coordination to differentiate authorized adversarial testing from actual attacks.
Control objective
What auditing this proves
Demonstrate that red-team activities operate under formally documented, authorized scope limitations and rules of engagement that protect business operations, comply with legal constraints, and enable controlled adversarial testing.
Associated risks
Risks this control addresses
- Red-team activities disrupt production services or customer-facing systems outside authorized testing windows
- Unauthorized testing of third-party or partner systems results in legal liability or breach of contract
- Security operations teams mistake legitimate red-team activity for actual intrusions, triggering unnecessary incident response and business disruption
- Red-team personnel exceed authorization and access sensitive data without proper legal protections or data handling agreements
- Lack of safe-word or emergency stop procedures prevents immediate cessation of testing when unintended impact occurs
- Inadequate scope definition allows testing of systems with unpatched critical vulnerabilities, causing system failure or data loss
- Absence of pre-approved attack vectors leads red teams to employ techniques that violate regulatory requirements or criminal statutes
Testing procedure
How an auditor verifies this control
- Obtain the most recent red-team exercise documentation including the formal scope statement and rules of engagement document
- Verify the scope document explicitly lists in-scope systems by hostname, IP range, application, or business unit and excludes out-of-scope assets
- Review rules of engagement for prohibited actions such as denial-of-service attacks, social engineering of specific personnel, or data exfiltration limits
- Confirm the RoE specifies authorized testing timeframes, blackout periods, and emergency contact procedures including safe-word protocols
- Validate that the scope and RoE were formally approved by asset owners, legal counsel, and executive management prior to exercise commencement
- Interview the red-team lead and security operations center staff to verify communication protocols were followed and that the SOC was notified per the RoE
- Examine logs or activity reports to confirm red-team actions remained within scope boundaries and did not target prohibited systems
- Review any scope deviation incidents or safe-word invocations to assess whether emergency stop procedures functioned as documented
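As an added illustration of the log-review steps above (an auditor comparing red-team activity records against the approved scope and RoE), the following Python script is not part of this page; it assumes a constructed scope definition and constructed activity records in a simple "timestamp target technique" line format.

```python
"""Check red-team activity records against a scope/RoE definition (added example)."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample scope: in-scope ranges, explicit exclusions, the authorized
# testing window, blackout periods and prohibited techniques, as an RoE might list them.
SCOPE = {
    "in_scope": ["10.20.0.0/16", "192.0.2.0/24"],
    "excluded": ["10.20.5.0/24"],  # e.g. a partner-managed subnet carved out of scope
    "window": ("2024-05-06T00:00:00", "2024-05-17T23:59:59"),
    "blackouts": [("2024-05-10T08:00:00", "2024-05-10T12:00:00")],
    "prohibited": {"dos", "data-exfil"},
}

# Constructed activity records: "<ISO timestamp> <target IP> <technique tag>"
ACTIVITY_LOG = """\
2024-05-07T10:15:00 10.20.3.14 recon
2024-05-08T22:40:00 10.20.5.9 lateral-movement
2024-05-10T09:05:00 10.20.3.14 credential-access
2024-05-12T14:00:00 198.51.100.7 recon
2024-05-13T11:30:00 192.0.2.45 dos
"""


def parse_ts(text):
    return datetime.fromisoformat(text)


def check_activity(scope, log_text):
    """Return a list of (record, reason) pairs for records that violate scope or RoE."""
    in_scope = [ip_network(n) for n in scope["in_scope"]]
    excluded = [ip_network(n) for n in scope["excluded"]]
    start, end = (parse_ts(t) for t in scope["window"])
    blackouts = [(parse_ts(a), parse_ts(b)) for a, b in scope["blackouts"]]
    findings = []
    for line in log_text.splitlines():
        ts, target, technique = line.split()
        when, ip = parse_ts(ts), ip_address(target)
        reasons = []
        if any(ip in net for net in excluded):       # exclusions win over in-scope ranges
            reasons.append("target explicitly excluded")
        elif not any(ip in net for net in in_scope):
            reasons.append("target not in scope")
        if not start <= when <= end:
            reasons.append("outside authorized window")
        if any(a <= when <= b for a, b in blackouts):
            reasons.append("during blackout period")
        if technique in scope["prohibited"]:
            reasons.append(f"prohibited technique: {technique}")
        findings.extend((line, reason) for reason in reasons)
    return findings
```

Each finding should be reconciled with the exercise's deviation reports and safe-word invocations; a finding with no corresponding report is the audit gap to raise.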
Where this control is tested