Penetration Testing and CMMC: What You Actually Need
Discover the essential penetration test steps for defense contractors to enhance cybersecurity measures.
---
If you're pursuing CMMC Level 2, penetration testing is not a formal requirement. If you're pursuing Level 3, it is — annually, under CA.L3-3.12.1e. That's the short answer.
The longer answer explains why most serious Level 2 contractors do penetration testing anyway, and why some Level 2 organizations are wasting money on the wrong scope.
What CMMC Actually Requires
Level 1: No pen testing requirement. The 15 controls focus on basic cyber hygiene. Pen testing doesn't belong at this level.
Level 2: No explicit pen testing requirement. But several controls create strong reasons to do it:
- RA.L2-3.11.2 requires periodic vulnerability scanning. Scanning finds known vulnerabilities. Pen testing determines whether those vulnerabilities are actually exploitable in your specific environment — which is a fundamentally different question.
- CA.L2-3.12.1 requires periodic assessment of security controls to determine effectiveness. A penetration test is the most rigorous way to validate effectiveness. Vulnerability scanners tell you what's misconfigured. A pen tester tells you whether a misconfiguration can be turned into unauthorized access to CUI.
- CA.L2-3.12.3 requires ongoing monitoring of security control effectiveness. Pen test results feed your monitoring program by identifying attack paths that deserve closer attention and controls worth retesting more frequently.
- SI.L2-3.14.1 requires identifying and correcting system flaws in a timely manner. Pen testing surfaces flaws that automated scanning misses: logic errors, privilege escalation chains, multi-step attack sequences, and authentication weaknesses that only appear when attacked in combination.
No C3PAO assessor will mark you Not Met for lacking a pen test at Level 2. But a pen test report in your evidence package strengthens your CA and RA domain responses and demonstrates the kind of control validation that assessors find credible.
Level 3: Pen testing is explicitly required. CA.L3-3.12.1e is CMMC's rendering of NIST SP 800-172 requirement 3.12.1e, with the frequency (an organization-defined parameter in 800-172) fixed by DoD: "Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts."
Level 3 is for organizations handling CUI on DoD's highest-priority programs, with Advanced Persistent Threats explicitly in the threat model. The DoD expects you to actively probe your defenses, not just document them. The pen test must use both automated tools and qualified human testers — a pure scanner run doesn't satisfy this requirement.
What Type of Pen Testing You Actually Need
Not all pen tests serve the same purpose. For defense contractors, the relevant question is: what attack paths threaten your CUI?
External network testing attacks your perimeter from the internet. This validates boundary protection (SC.L2-3.13.1, SC.L2-3.13.5), public-facing system hardening, and remote access security. If you have internet-facing systems — VPN concentrators, web portals, email gateways — that connect to your CUI environment, external testing is directly relevant. This is the scope that almost every Level 2 contractor with an internet presence should be running.
Internal network testing simulates an attacker who already has a foothold inside your network — compromised employee account, infected workstation on the corporate network. This answers the critical question for enclave architectures: if a workstation outside the CUI enclave is compromised, can an attacker reach CUI? It validates network segmentation, lateral movement controls, and privilege escalation defenses. If you're running an enclave approach, internal testing is how you verify the enclave wall actually holds.
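The enclave-wall question above can be checked directly before the pen tester arrives. The following is an added example for this section (not code from the original article or from any testing firm): probe the enclave's hosts from a workstation on the corporate network and compare what answers against the documented allow-list. The addresses, ports and the single permitted bastion flow are hypothetical placeholders, and SAMPLE_OBSERVED is a constructed probe result so the evaluation can be shown offline.

```python
"""Enclave segmentation check: probe TCP reachability into the CUI enclave from
a host outside it and compare the result against the documented allow-list.

Added example for this section, not code from the original article.
Addresses, ports and the allow-list are hypothetical placeholders.
"""
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    dst: str
    port: int


def _key(f: Flow):
    return (f.dst, f.port)


# Hypothetical allow-list: the only flow a corporate workstation should be able
# to open into the enclave (a bastion portal on 443). Anything else that answers
# is a hole in the enclave wall.
ALLOWED: Set[Flow] = {Flow("10.50.0.10", 443)}

# Hypothetical enclave inventory and the services worth probing from outside.
ENCLAVE_HOSTS = ["10.50.0.10", "10.50.0.20", "10.50.0.30"]
PROBE_PORTS = [22, 80, 135, 139, 443, 445, 3389, 5985]


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes. A filtered port times
    out and a closed port is refused; both surface as OSError."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(hosts: Iterable[str], ports: Iterable[int]) -> Dict[Flow, bool]:
    """Probe every host/port pair. Run this from a workstation OUTSIDE the enclave."""
    return {Flow(h, p): probe(h, p) for h in hosts for p in ports}


def evaluate(observed: Dict[Flow, bool], allowed: Set[Flow]) -> Dict[str, List[Flow]]:
    """Classify probe results against the allow-list.

    violations: reachable flows the policy does not permit (lateral-movement paths)
    missing:    allowed flows that did not answer (the design on paper is not what
                is deployed, or the bastion is down; either way, investigate)
    blocked:    everything else that was unreachable, as expected
    """
    violations = [f for f, up in observed.items() if up and f not in allowed]
    missing = [f for f in allowed if not observed.get(f, False)]
    blocked = [f for f, up in observed.items() if not up]
    return {
        "violations": sorted(violations, key=_key),
        "missing": sorted(missing, key=_key),
        "blocked": sorted(blocked, key=_key),
    }


def wall_holds(report: Dict[str, List[Flow]]) -> bool:
    """The wall holds only when nothing unexpected answers AND the documented
    path is actually there."""
    return not report["violations"] and not report["missing"]


# Constructed probe result standing in for a live run: the bastion answers on
# 443 as designed, but a file server also answers SMB from the corporate VLAN.
SAMPLE_OBSERVED: Dict[Flow, bool] = {
    Flow(h, p): False for h in ENCLAVE_HOSTS for p in PROBE_PORTS
}
SAMPLE_OBSERVED[Flow("10.50.0.10", 443)] = True
SAMPLE_OBSERVED[Flow("10.50.0.20", 445)] = True


if __name__ == "__main__":
    # Swap in run_probes(ENCLAVE_HOSTS, PROBE_PORTS) for a live check.
    report = evaluate(SAMPLE_OBSERVED, ALLOWED)
    for f in report["violations"]:
        print(f"VIOLATION {f.dst}:{f.port} answers from outside the enclave")
    for f in report["missing"]:
        print(f"MISSING   {f.dst}:{f.port} is on the allow-list but did not answer")
    print("enclave wall holds" if wall_holds(report) else "enclave wall does NOT hold")
```

A flow that shows up under "violations" is exactly what an internal pen tester will pivot through, so fix it before the engagement. Run this only with written authorization and from a host whose probes your SOC expects to see; the "missing" case matters too, because an allow-list that does not match what is deployed means the SSP describes a design you are not actually running.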
Web application testing focuses on custom web applications. Relevant only if you have internal or external web apps that process or display CUI. Typically not a priority for most small-to-mid-size defense contractors unless they've built CUI-facing portals.
Social engineering testing — phishing campaigns, pretexting calls, physical access attempts — validates your awareness training (AT domain). Useful, but not the highest priority for satisfying CMMC controls directly.
Wireless testing assesses whether unauthorized access through your wireless network is possible and whether your wireless-to-CUI boundary is enforced. Relevant if CUI systems are on a network with wireless access points.
For most Level 2 organizations, the right scope is a combined external and internal network test, run annually. External covers your internet-facing attack surface; internal validates your segmentation. Together they address the most CMMC-relevant attack paths.
The Right Sequence: Don't Test Before You're Ready
Timing matters. Testing a half-built environment just documents how bad things currently are, without generating useful remediation intelligence.
- Implement your controls. Get the technical baseline in place: firewalls configured, MFA deployed, network segmented, EDR installed, systems hardened.
- Run vulnerability scans. Fix known vulnerabilities before paying a pen tester to find them. Run a credentialed (authenticated) scan with Nessus, Qualys, or Rapid7 InsightVM and remediate the findings; an unauthenticated scan only sees exposed services and misses most missing patches and host-level misconfigurations.
- Remediate scan findings. Patch, reconfigure, harden. Work through your scan results with a defined remediation timeline.
- Conduct the pen test. Now you're testing your defenses, not discovering obvious gaps.
- Remediate pen test findings. These are the deeper issues scanners can't detect: exploitation chains, privilege escalation paths, logic flaws.
- Retest critical findings. Verify your fixes work. A good pen test firm includes one retest in their engagement price.
- Schedule your C3PAO assessment. You now have a clean pen test report to reference in your CA and RA domain evidence.
Skipping the vulnerability scan and remediation phase (steps 2–3) before pen testing is the most common sequencing mistake. You'll pay $15,000 for a pen test and get a report full of findings that a vulnerability scanner would have surfaced for a fraction of that. The pen test's value is in finding what scanners miss, and that value only materializes once the scanner-level findings are already addressed.
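Steps 2 and 3 only work if "defined remediation timeline" means something concrete. The following is an added example for this section (not code from the original article or from Tenable): it parses a Nessus export (the .nessus XML format, NessusClientData_v2), assigns each finding a due date from a severity-based SLA, keeps the original clock running across rescans, and answers the gating question for step 4. The SLA table, the sample export and its plugin IDs and names are constructed placeholders, not real Nessus plugins.

```python
"""Turn a Nessus export (.nessus, NessusClientData_v2 XML) into a remediation
queue with due dates, so scanner-level findings are closed on a defined timeline
before a pen tester is paid to rediscover them.

Added example for this section, not code from the original article. The SLA
table, the sample export and its plugin IDs/names are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAME = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Hypothetical remediation SLA (days from first observation) per severity.
# Commit to the numbers your SSP actually states; these are illustrative.
SLA_DAYS = {4: 7, 3: 30, 2: 90, 1: 180}


@dataclass
class Finding:
    host: str
    port: int
    protocol: str
    severity: int
    plugin_id: str
    name: str
    due: Optional[date]  # None for informational items (nothing to remediate)

    @property
    def key(self):
        return (self.host, self.port, self.protocol, self.plugin_id)


def parse_nessus(xml_text: str, scan_date: date) -> List[Finding]:
    """One Finding per <ReportItem> under each <ReportHost>; due = scan_date + SLA."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            sla = SLA_DAYS.get(sev)
            findings.append(Finding(
                host=host.get("name", ""),
                port=int(item.get("port", "0")),
                protocol=item.get("protocol", ""),
                severity=sev,
                plugin_id=item.get("pluginID", ""),
                name=item.get("pluginName", ""),
                due=scan_date + timedelta(days=sla) if sla is not None else None,
            ))
    return findings


def carry_over_due_dates(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """A finding that survives a rescan keeps its ORIGINAL due date; otherwise
    every rescan silently resets the remediation clock."""
    earlier = {f.key: f.due for f in previous if f.due is not None}
    for f in current:
        if f.due is not None and f.key in earlier:
            f.due = min(f.due, earlier[f.key])
    return current


def remediation_queue(findings: List[Finding]) -> List[Finding]:
    """Actionable findings, most urgent first (earliest due date, then severity)."""
    actionable = [f for f in findings if f.due is not None]
    return sorted(actionable, key=lambda f: (f.due, -f.severity, f.host, f.port))


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    return [f for f in findings if f.due is not None and f.due < today]


def ready_for_pentest(findings: List[Finding], today: date) -> bool:
    """Gate for step 4: the latest rescan shows nothing High or Critical and
    nothing past its due date."""
    return not any(f.severity >= 3 for f in findings) and not overdue(findings, today)


# Constructed sample export; pluginIDs in the 9000xx range are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="CUI enclave baseline">
<ReportHost name="10.50.0.20">
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001" pluginName="SMBv1 enabled (placeholder)" pluginFamily="Windows"/>
<ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="900002" pluginName="RDP without NLA (placeholder)" pluginFamily="Windows"/>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900000" pluginName="OS identification (placeholder)" pluginFamily="General"/>
</ReportHost>
<ReportHost name="10.50.0.30">
<ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="900003" pluginName="TLS 1.0 enabled (placeholder)" pluginFamily="Service detection"/>
</ReportHost>
</Report>
</NessusClientData_v2>
"""
SAMPLE_SCAN_DATE = date(2025, 1, 6)     # constructed: baseline scan
SAMPLE_RESCAN_DATE = date(2025, 1, 20)  # constructed: rescan two weeks later

if __name__ == "__main__":
    first = parse_nessus(SAMPLE_NESSUS, SAMPLE_SCAN_DATE)
    for f in remediation_queue(first):
        print(f"{f.due}  {SEVERITY_NAME[f.severity]:8} {f.host}:{f.port}/{f.protocol}  {f.name}")
    rescan = carry_over_due_dates(first, parse_nessus(SAMPLE_NESSUS, SAMPLE_RESCAN_DATE))
    print("overdue:", [(f.host, f.port) for f in overdue(rescan, SAMPLE_RESCAN_DATE)])
    print("ready for pen test:", ready_for_pentest(rescan, SAMPLE_RESCAN_DATE))
```

The carry-over step is the part teams usually get wrong: if each scan's export is triaged on its own, a critical finding that has been open for months looks seven days old every time it reappears. Tracking first-seen dates across scans is also what lets you show an assessor a real "timely manner" record for SI.L2-3.14.1 rather than a pile of disconnected reports.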
How to Choose a Pen Test Firm
Not all firms are equipped for compliance-scoped engagements. These questions separate the right firms from generic testing shops:
"Have you tested CMMC, NIST 800-171, or FedRAMP environments?" A firm experienced with compliance environments will structure their report around your control framework. Each finding should map to CMMC domains and control IDs so you can directly translate the finding into an SSP update or POA&M entry. Generic pen test firms deliver technically excellent reports that require you to do the mapping work yourself.
"What methodology do you use?" Look for firms that reference PTES (Penetration Testing Execution Standard), OWASP for web applications, or NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment). A defined methodology means repeatable, defensible results.
"What exactly is in the report?" The report should include: executive summary, methodology, findings with severity ratings, evidence (screenshots, proof of exploited access such as partially redacted credential hashes or captured traffic), remediation recommendations, and a framework-specific mapping. A report that's just a Nessus export is not a pen test report, and it won't impress a CMMC assessor reviewing it.
"Do you offer retesting?" After you remediate findings, the firm should be willing to retest the specific vulnerabilities. Many include one retest cycle in the engagement price.
Budget: $10,000–$30,000 for a combined external and internal network test covering a small-to-mid-size organization (50–500 employees, one to three locations). Web application testing adds $5,000–$15,000. Organizations with multiple sites, complex environments, or cloud infrastructure will pay more. Annual contracts with quarterly touchpoints or retainer arrangements typically run $20,000–$50,000/year for small contractors.
Avoid firms that quote under $5,000 for a "full penetration test" — at that price point, they're running automated scanner output, not conducting manual testing.
Using Pen Test Results for Your Assessment
A pen test report strengthens multiple areas of your CMMC evidence package:
For the CA domain (Security Assessment): Reference your pen testing program in your SSP description for CA.L2-3.12.1. Your pen test demonstrates security control assessment beyond documentation review.
For the RA domain (Risk Assessment): Pen test findings feed your risk register and POA&M. When your assessor asks how you identify risks beyond your vulnerability scanner, the pen test is your answer.
For your POA&M: Findings from a pen test that haven't been remediated belong in your POA&M with remediation timelines. A POA&M entry that traces to a pen test finding shows the assessor you have a functional vulnerability identification and remediation cycle.
Keep full pen test reports for at least three years — the length of your CMMC certification cycle. Redact them appropriately before sharing; they contain detailed attack paths for your environment, which makes them sensitive documents.
What Your Assessor Expects
At Level 2: The assessor won't require a pen test but will view a report favorably as evidence of control validation maturity. If you have a report, make it available during the CA and RA domain review. Be ready to explain the scope, what was found, and what you remediated.
At Level 3: The assessor will specifically evaluate your pen testing program against CA.L3-3.12.1e. They'll want to see:
- Scope and methodology documentation
- A test conducted within the past 12 months (or after significant system changes)
- Evidence that both automated tools and human testers were used
- Findings documented with severity ratings
- Remediation tracking showing findings were addressed
- A process for triggering a test on significant changes, not just calendar dates
The Level 3 assessment expectation is a sustained program, not a one-time event. An organization that ran one test two years ago and hasn't done anything since isn't demonstrating the annual cadence the control requires.
---
If you're preparing for a CMMC Level 2 assessment and haven't run a vulnerability scan in the past 90 days, start there. Once scan findings are remediated, you're in a position to get real value from a pen test.