• External Network Testing:
  o Public-facing IP addresses, firewalls, VPNs, and web applications, without conflicting with USAC’s Vulnerability Disclosure Program
• Internal Network Testing:
  o Internal servers, workstations, domain controllers, network segmentation
  o Wi-Fi access points, encryption protocols, rogue device detection
  o Remote access infrastructure and services
  o Identity and access management
  o From 800 to 1200 USAC-issued/managed laptops
• Application Testing:
  o OWASP Top 10 vulnerabilities, authentication mechanisms, input validation
  o Mobile applications used to access USAC resources
  o Web applications, both internal and mission systems
• Social Engineering:
  o Such as phishing simulations, pretext calling, physical access attempts
• Cloud Service Provider Testing:
  o Infrastructure as a Service (IaaS) for system and general services
  o Platform as a Service (PaaS) for certain USAC systems
  o Software as a Service (SaaS) when integrated with USAC systems and general services