An organization must comply with a new regulation that requires the organization to determine if an external attacker is able to gain access to its systems from outside the network. Which of the following should the company do to meet the regulation's criteria?

Prepare for the EC-Council CHFI Exam with comprehensive quizzes and detailed explanations. Get exam-ready with multiple choice questions and essential insights. Boost your confidence and ace the test!

To meet the regulation's criteria of determining whether an external attacker can gain access to the organization's systems from outside the network, contracting for a black box penetration test is the most effective approach.

A black box penetration test simulates an attack from an external perspective without prior knowledge of the system, effectively mimicking how a real-world attacker would attempt to breach the organization's defenses. This type of test enables the organization to assess its vulnerabilities and understand the potential threats posed by external attackers. The results of such a test provide a clear assessment of the system's security posture and whether attackers could exploit any weaknesses.

While regular employee training and antivirus software are essential components of a comprehensive security strategy, they do not directly assess the external threat landscape or the organization's exposure to external attacks. Installing a firewall is crucial for network security, yet it is primarily a preventive measure rather than an evaluative one. Firewalls control incoming and outgoing traffic based on predetermined security rules, but they do not provide an assessment of vulnerabilities or real-world attack scenarios.

Thus, contracting for a black box penetration test directly aligns with the regulation's requirement to identify external access vulnerabilities, making it the correct choice.
