Testing is carried out in three areas of assessment: internal penetration, external penetration, and network vulnerability. The tests follow a staggered, rotating eighteen-month schedule so that each is performed in any given eighteen-month period.