What is the difference between security control assessment and penetration testing within RMF?


Multiple Choice

What is the difference between security control assessment and penetration testing within RMF?

Explanation:
Understanding the difference between a security control assessment and penetration testing in RMF comes down to scope and purpose. A security control assessment is a broad evaluation of whether the implemented controls are adequate, correctly configured, and operating as intended, with objective evidence gathered to support an authorization decision. It looks at the overall effectiveness of the control set across the system and how those controls work together to manage risk. Penetration testing is a focused, specialized activity that simulates attacker methods to identify exploitable vulnerabilities and verify whether those vulnerabilities could be exploited in practice. It provides insight into real-world attack pathways and the potential impact, but it does not replace the broader assessment of all controls. In RMF, you use the security control assessment to establish whether controls meet requirements, and penetration testing to validate and deepen understanding of security posture within a defined scope. The other statements are inaccurate because penetration testing does not substitute for the full assessment, and assessments are not optional merely because a pen test is performed.

