Greater Orlando is not just theme parks and hospitality. It is home to one of the most concentrated defense and modeling, simulation, and training (MS&T) ecosystems in the United States. L3Harris Technologies is headquartered here. Lockheed Martin, Raytheon Technologies, and Northrop Grumman all maintain significant Central Florida operations. The University of Central Florida's Institute for Simulation and Training has made Orlando the global capital of defense simulation. And with that concentration of defense contracts comes an enormous volume of Controlled Unclassified Information (CUI)—and the federal compliance requirements that govern it.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now embedded in Department of Defense contract requirements. For Orlando's defense contractors, subcontractors, and suppliers, the pressure to demonstrate verifiable cybersecurity posture is no longer a future concern—it is a present contract condition. Penetration testing sits at the center of that verification process.
Central Florida's Defense and MS&T Ecosystem
The Orlando metropolitan area generates more than $15 billion in defense-related economic activity annually, making it one of the top defense corridors outside of the Washington D.C. beltway. The concentration of prime contractors and their supply chains creates a dense network of organizations that handle CUI—and therefore fall under CMMC obligations.
Prime Contractors with Major Orlando Presence
L3Harris Technologies, headquartered in Melbourne and with major facilities in Orlando, is one of the largest defense electronics firms in the world. Its communications systems, electronic warfare products, and ISR platforms are core to U.S. military operations globally. Suppliers and subcontractors working with L3Harris are frequently required to meet CMMC Level 2 or Level 3 requirements as a condition of participation.
Lockheed Martin's Orlando-based Missiles and Fire Control division handles some of the most sensitive programs in the DoD inventory, including the Javelin and PAC-3 missile systems. The security requirements cascading down from programs like these are some of the most demanding in the defense industrial base.
Raytheon Technologies (now RTX) operates simulation and training facilities in the Orlando area, supporting both military simulation systems and real-time training environments. Northrop Grumman similarly maintains Orlando operations tied to ISR and autonomous systems programs.
The MS&T Industry's Unique Security Surface
The modeling, simulation, and training sector presents a security profile that differs from traditional defense manufacturing. MS&T companies frequently operate distributed environments—simulation labs, range facilities, training centers—with hybrid cloud and on-premise infrastructure. They maintain large datasets of operational scenarios, adversary models, and training data that, while not always classified, represent high-value intelligence targets. Attack surface management for these organizations requires understanding both their IT infrastructure and the operational technology environments their products interact with.
Orlando by the numbers: Florida ranks among the top five states for DoD contract spending, with Central Florida receiving a disproportionate share through the simulation and training sector. UCF's research partnerships alone generate hundreds of millions in defense-funded research annually, and the surrounding ecosystem of small and mid-size businesses forms an extended supply chain that is increasingly subject to CMMC requirements.
CMMC 2.0: What Orlando Defense Contractors Actually Need to Do
CMMC 2.0 consolidated the original five-level framework into three levels. The practical reality for most Orlando defense contractors is that Level 2—full compliance with all 110 controls in NIST SP 800-171—is the operative standard. Level 3, which adds 24 controls drawn from NIST SP 800-172, applies to organizations supporting the most sensitive programs.
The Self-Attestation Trap
CMMC Level 2 permits self-attestation for some contracts—but this is a narrower option than it sounds. Self-attestation carries legal weight: a federal contractor that falsely attests to CMMC compliance can face liability under the False Claims Act. The Department of Justice's Civil Cyber-Fraud Initiative has made clear it will pursue contractors who misrepresent their cybersecurity posture in federal submissions. In that environment, the difference between genuine compliance and checkbox compliance matters—and penetration testing is one of the most reliable mechanisms for distinguishing between the two.
For contracts on the DoD's prioritized acquisition list, third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) is mandatory. Given that many of the programs run by Orlando's prime contractors fall into this category, subcontractors and suppliers need to be prepared for rigorous external scrutiny.
NIST SP 800-171 Controls That Drive Testing Requirements
Several NIST 800-171 control families create direct demand for penetration testing and related security assessments:
- Control 3.11.1 (Risk Assessment): Requires organizations to periodically assess the risk to organizational operations, assets, and individuals from the operation of organizational systems
- Control 3.11.2 (Vulnerability Scanning): Requires scanning for vulnerabilities in organizational systems and when new vulnerabilities potentially affecting those systems are identified
- Control 3.11.3 (Remediation): Requires remediating vulnerabilities in accordance with risk assessments—which means findings must be tracked and resolved, not just documented
- Control 3.12.1 (Security Assessment): Requires periodically assessing security controls in organizational systems to determine if the controls are effective—a direct mandate for technical validation
- Control 3.12.3 (System Monitoring): Requires monitoring organizational systems to detect attacks and indicators of potential attacks
Taken together, these controls describe an organization that actively tests its defenses, validates control effectiveness, and remediates identified gaps. That is the practical definition of a penetration testing program. Organizations that rely solely on automated vulnerability scanners—without manual testing to validate exploitability, chain vulnerabilities, and test detection capabilities—will struggle to satisfy assessors from a C3PAO.
Assessment reality: C3PAOs do not simply review documentation. CMMC assessments include evidence review, interviews, and technical testing. An organization that cannot produce evidence of historical security testing—vulnerability scan results, penetration test reports with remediation tracking, and documented risk acceptance decisions—is likely to receive a finding on multiple control families simultaneously.
What a CMMC-Aligned Penetration Test Covers
A penetration test scoped for CMMC compliance is not the same as a generic web application test. The scope must encompass the systems and boundaries that process, store, or transmit CUI. For most Orlando defense contractors, this means:
- External network testing: Validation of perimeter controls, identification of exposed services, and attempted exploitation of external-facing systems
- Internal network testing: Assumed-breach scenarios that simulate an attacker who has gained initial access—testing lateral movement, privilege escalation, and access to CUI stores
- Active Directory assessment: Defense contractors often rely heavily on AD for identity management. AD attack paths including Kerberoasting, pass-the-hash, and DCSync attacks are standard test cases
- Cloud environment review: For contractors using Microsoft GCC High or Azure Government environments for CUI handling, configuration review of cloud tenants is part of a complete assessment
- Segmentation validation: Verifying that CUI enclaves are actually isolated from general corporate networks—a finding that frequently appears in defense contractor assessments
The output must be a formal report with findings mapped to NIST 800-171 control numbers and remediation guidance sufficient for engineering teams to act on. Evidence of remediation—re-test results, configuration screenshots, updated procedures—must be retained for assessor review. Our penetration testing services are scoped with CMMC evidence requirements in mind from the outset.
Beyond Defense: Orlando's Broader Cybersecurity Landscape
Central Florida's security needs extend well beyond the defense corridor. The region's economic diversity—healthcare systems, hospitality technology, a growing startup ecosystem anchored by UCF—creates varied compliance and security testing requirements across industries.
Healthcare: AdventHealth, Orlando Health, and the HIPAA Imperative
AdventHealth, headquartered in Altamonte Springs, is one of the largest nonprofit health systems in the United States, operating dozens of facilities across Central Florida and beyond. Orlando Health operates a similarly large network of hospitals, cancer centers, and specialty practices. Both systems, along with their extensive networks of physician practices, vendors, and technology partners, operate under HIPAA's Security Rule—which requires regular security assessments of systems that handle protected health information.
The healthcare vendor ecosystem surrounding these systems is substantial. Electronic health record integrators, medical device companies, revenue cycle management firms, and telehealth platforms all handle PHI and need to demonstrate security posture to their health system clients. Healthcare penetration testing covers the intersection of clinical systems, patient portals, and the APIs that connect them—a technically complex environment that general-purpose testing approaches often handle poorly.
Tourism Technology and Hospitality Infrastructure
Orlando's tourism economy is the largest in the United States by visitor volume, and the technology infrastructure supporting it is enormous. Point-of-sale systems, property management platforms, loyalty program databases, and reservation systems across hotels, theme parks, and entertainment venues collectively handle hundreds of millions of payment card transactions annually. PCI DSS compliance is not optional in this sector, and PCI DSS v4.0 penetration testing requirements—which explicitly mandate both internal and external testing annually—apply to any organization that stores, processes, or transmits cardholder data.
UCF, Research Institutions, and the Startup Ecosystem
UCF's research portfolio spans defense-funded simulation work, AI research, cybersecurity programs, and biomedical engineering—creating a university environment with a diverse and complex security surface. Research data, export-controlled information, and federal grant requirements all create compliance obligations that require periodic technical validation.
The startup ecosystem surrounding UCF and the broader Orlando metro has matured significantly over the past decade. Companies coming out of UCF's incubator programs, the Tamiami Angel Fund network, and the growing venture presence in the Lake Nona Medical City corridor increasingly pursue SOC 2 certifications and face enterprise security questionnaires as they scale. For these companies, an early penetration test before product launch prevents the expensive remediation work that accumulates when security is deferred to the compliance stage.
Choosing a Penetration Testing Partner in Orlando
The Central Florida market has no shortage of IT service providers who offer some form of security assessment. The distinction between a vulnerability scan, a compliance scan, and a true penetration test matters enormously—and the difference is often obscured in vendor proposals.
| Assessment Type | What It Actually Tests | CMMC / Compliance Value |
|---|---|---|
| Automated Vulnerability Scan | Known CVEs against exposed services. No exploitation, no chaining, no logic flaws | Satisfies 3.11.2 but not 3.12.1 or assumed-breach scenarios |
| Compliance Gap Assessment | Policy review and documentation. No technical testing | Identifies control gaps on paper; no evidence of technical control effectiveness |
| Web Application Pentest | Manual exploitation of application logic, authentication, authorization, injection flaws | Required for any externally-accessible CUI-handling application |
| Network Penetration Test | External perimeter + internal assumed-breach; lateral movement, privilege escalation | Directly satisfies 3.11.2, 3.12.1; generates evidence for C3PAO review |
| CMMC-Scoped Assessment | Full technical testing of CUI enclave boundary; findings mapped to 800-171 controls | Strongest possible evidence package for self-attestation or C3PAO assessment |
What to Ask Prospective Testing Firms
When evaluating penetration testing companies for CMMC-related work, the questions that separate credible providers from checkbox vendors are specific:
- Do your reports map findings to NIST SP 800-171 control numbers, or only to generic severity ratings?
- Do you offer retesting after remediation, and is remediation evidence included in the deliverable package?
- Have your testers worked in CMMC assessment environments, or only commercial compliance frameworks?
- Can you scope testing to a defined CUI enclave boundary, rather than testing the entire corporate network?
- Do you provide a letter of attestation suitable for inclusion in a System Security Plan or C3PAO evidence package?
Lorikeet Security is headquartered in Orlando and provides CMMC-aligned penetration testing for defense contractors and their supply chains across Central Florida. Our testing methodology is built around the evidence requirements that C3PAOs look for, and our reports are structured to support both self-attestation submissions and third-party assessment preparation. Sign up for our platform to manage findings, track remediation, and generate audit-ready documentation in one place.
Timing matters: CMMC requirements are being phased into contracts on a rolling basis. Organizations that begin their assessment and remediation process now—before a contract vehicle forces an accelerated timeline—have far more flexibility to address findings methodically. A penetration test that surfaces a critical finding three weeks before a contract deadline creates a very different remediation environment than one conducted six months in advance.
Orlando's Defense Contractors Trust Lorikeet Security
We provide CMMC-aligned penetration testing, network security assessments, and compliance support for Central Florida defense contractors, healthcare organizations, and technology companies. Our reports are built for C3PAO evidence packages and enterprise security reviews.
