Penetration testing is written into many 2026 U.S. rules, contracts, and compliance frameworks as an explicit requirement, usually as one element of broader cybersecurity program requirements. It appears most often in regulated industries such as defense contracting, financial services, critical infrastructure, healthcare, and voting, where controls tend to be more formalized.

1. HIPAA Security Rule Update (Health Care)

Proposed changes to the HIPAA Security Rule (likely to be finalized by mid-2026, with a compliance date set in the final rule) would for the first time mandate annual penetration testing for all HIPAA-covered entities (CEs) and business associates (BAs) that handle electronic protected health information (ePHI). The NPRM requires regulated parties to perform a penetration test at least once every 12 months, in addition to vulnerability scans.

This is notable because HIPAA has long required risk analyses but has never called out or mandated any particular type of security testing. If adopted as written, the rule would make penetration testing an explicit compliance requirement for healthcare cybersecurity programs rather than an “expected” best practice.

2. New York Department of Financial Services (NYDFS) Cybersecurity Regulation

The NYDFS cybersecurity regulation (23 NYCRR Part 500), which is already in force for many covered financial institutions and is not new in 2026, explicitly requires annual penetration testing as part of its risk assessment and testing requirements. The regulation names annual penetration tests and vulnerability scans as elements of the required security program for New York State financial services firms.

NYDFS is a prime example of an enforceable state-level requirement that spells out penetration testing explicitly.

3. DHS and Federal Agency Penetration Testing Requirements

Federal guidance and legislation continue to mature and make clear that government agencies themselves are expected to perform penetration testing as part of their cybersecurity programs. FISMA and related Homeland Security rules have been amended to state explicitly that penetration testing is required for agencies, including guidance on where that testing should rely on manual expert analysis. FISMA requires agencies to perform such tests, to give advance notice of and maintain governance over them, and to use the results to improve their overall security risk management.

Similar provisions of the Cybersecurity Act of 2023, which Congress passed this year, require agencies to perform penetration testing on high-value assets, including rules of engagement for that testing and the use of penetration test results to improve cybersecurity programs.

Because federal agencies are regulated by FISMA and related cybersecurity requirements, penetration testing is becoming an expected compliance baseline for agencies.

4. Department of Defense and Defense Industrial Base (CMMC 2.0)

Cybersecurity requirements for the Department of Defense (DoD), which have been incorporated heavily into the Cybersecurity Maturity Model Certification (CMMC) program and into regulations codified in the Defense Federal Acquisition Regulation Supplement (DFARS), impose stringent security testing requirements. CMMC Level 2 does not specifically mandate penetration testing, but CMMC Level 3 effectively requires third-party-assessed testing: a more comprehensive evaluation that uses many of the techniques frequently employed in penetration tests, as part of a higher-assurance assessment.

The coming compliance deadline for full CMMC 2.0 implementation is in October 2026. DoD contracts now include clauses mandating CMMC certification pre-award.

Although it is not always labeled a “penetration test,” the more advanced CMMC assessments performed at Level 3 include control requirements that effectively call for penetration-style exercises, adversary emulation, and even deeper red-team-style assessment.

5. Critical Infrastructure Cybersecurity Assessments (U.S. Coast Guard)

Amended federal rules for owners and operators of certain critical infrastructure and maritime operations have added penetration testing alongside cybersecurity plan renewals. For U.S.-flagged vessels and offshore facilities, the amended rules now also require penetration testing, documentation that a test occurred, and a list of identified vulnerabilities, and owners and operators must include this information in their regulatory filings.

This expands mandatory penetration testing into areas where cybersecurity, safety, and infrastructure operations intersect.

6. Sector-Specific Standards That Are Widely Adopted and Drive Regulatory Expectations

Widely adopted industry standards such as the PCI Data Security Standard (PCI DSS) v4.0+ are de facto requirements that effectively expect penetration testing, even though they are not explicit mandates under U.S. federal law. PCI DSS, which governs the payment card industry, contains explicit requirements for regular penetration testing by every entity that stores, processes, or transmits payment card data.

Several U.S. states also impose PCI DSS requirements or reference the standard explicitly, which can trigger testing obligations for non-compliant businesses under those state regulations if enforcement is applied. This expectation is often folded into contractual obligations with banks, payment processors, or individual clients, so the effective penetration testing requirement may be a business-continuity requirement rather than a direct mandate of U.S. law.

7. Emerging Federal Incident Reporting Regimes That Will Increase Testing Expectations

Legislation that creates real requirements for reporting cyber incidents and ransomware payments, such as the Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA), does not directly mandate penetration tests. It does, however, require organizations to have documented security programs with testing in place in order to meet those new reporting requirements. To be prepared to meet CIRCIA incident reporting requirements within the required time windows, organizations will typically be expected to already have security testing programs, including penetration testing.

What This Means for 2026 Compliance

The reality is that by 2026, penetration testing is going to be a required element of compliance in some regulated environments and expected as a core element of demonstrable cybersecurity programs in other environments.

If you work in healthcare, financial services, federal agencies, critical infrastructure, or defense supply chains, penetration testing should be explicitly on your radar and part of your compliance planning, by name and description. Even if you do not currently fall into one of these regulated verticals, penetration testing is still a good practice to pursue on a regular cadence: it reduces risk and meets expectations in incident response, cyber insurance underwriting, and documented reasonable security. Penetration testing can also be used, if called upon, to support duty of care risk analysis (DoCRA) and to demonstrate due care in board reporting or other legal settings, even where it is not a formally prescribed requirement.

Be Our Guest at FutureCon Chicago 2026

Enjoy breakfast and lunch while connecting with colleagues and industry executives.

Session: Why AI Can’t Fix Your Cyber Risk (and Might Be Making It Worse)

Speaker: Chris Cronin, ISO 27001 Auditor | Partner, HALOCK and Reasonable Risk | Board Chair, The DoCRA Council

DATE: Thursday, January 29, 2026

WHERE: Live In Person | Virtual | Hybrid @ Chicago Marriott Oak Brook

CREDITS: Earn up to 10 CPE Credits
