
CMMC Level 2 Penetration Testing for Defense Contractors

CMMC 2.0 requires defense contractors to implement NIST SP 800-171 controls for protecting Controlled Unclassified Information (CUI) and to have that implementation assessed. Our penetration testing identifies gaps in your control implementation before your C3PAO assessment, while you still have time to remediate.


Framework Overview

Understanding the compliance landscape.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense framework that requires defense contractors to demonstrate cybersecurity maturity as a condition of contract award. CMMC Level 2 requires implementation of all 110 security requirements in NIST SP 800-171 (Revision 2) and, for most contracts, a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO). CMMC applies to DoD contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); Level 2 applies to those handling CUI. The rule is being phased into new DoD contracts starting in 2025, with full implementation expected by 2028. Contractors that cannot demonstrate compliance will be unable to bid on or retain DoD contracts that carry a CMMC requirement.

Penetration Testing Requirements

What the framework requires and what auditors expect.

The Requirement

CMMC Level 2 requires implementation of all 110 NIST 800-171 controls, several of which relate directly to security testing. Control 3.11.2 requires scanning for vulnerabilities in organizational systems and applications periodically and whenever new vulnerabilities affecting those systems are identified. Control 3.12.1 requires periodically assessing the security controls to determine whether they are effective in their application. CMMC does not mandate penetration testing by name, but a penetration test is one of the most direct forms of evidence that controls work in practice rather than only on paper, and C3PAO assessors routinely ask for that kind of evidence when evaluating 3.12.1.

What Auditors Look For

  • Evidence that security controls are effective, not just documented (NIST 800-171 3.12.1)
  • Vulnerability scanning results and remediation evidence (3.11.2)
  • Testing of CUI boundary controls and access restrictions
  • Validation of encryption for CUI in transit and at rest
  • Assessment of multi-factor authentication implementation
  • Testing of incident detection and response capabilities

Controls We Validate

  • 3.1.1 - Limiting system access to authorized users, processes, and devices
  • 3.1.2 - Limiting access to the transactions and functions authorized users are permitted to execute
  • 3.5.3 - Multi-factor authentication for privileged accounts and for network access to non-privileged accounts
  • 3.11.2 - Vulnerability scanning
  • 3.12.1 - Security control assessment
  • 3.13.1 - Monitoring, controlling, and protecting communications at external and key internal boundaries
  • 3.13.8 - Cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
  • 3.13.11 - FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI

How Our Testing Maps to the Framework

Direct alignment between our methodology and compliance requirements.

Our CMMC penetration testing targets the NIST 800-171 control families that protect CUI. We test access control (3.1.x) by attempting to reach CUI without authorization and by attempting to escalate from one authorized role to another; we validate identification and authentication (3.5.x) by testing the MFA implementation, including enrollment, recovery, and bypass scenarios; we assess system and communications protection (3.13.x) by testing boundary controls and the encryption of CUI in transit and at rest, including whether the cryptography in use is FIPS-validated; and we evaluate audit and accountability (3.3.x) by verifying that our testing activities were logged and, where applicable, detected by your monitoring. Our reports map every finding to specific NIST 800-171 controls so your C3PAO can assess control effectiveness directly.

Pricing: CMMC penetration testing engagements start at $10,000 and scale based on the size of your CUI environment, number of systems in scope, and network complexity.

Audit Partner Ecosystem

We work with CMMC consultants and Registered Practitioner Organizations (RPOs) who provide readiness assessments, SSP development, and POA&M management. If you need help preparing your System Security Plan or closing gaps before your C3PAO assessment, we can connect you with trusted partners.

Frequently Asked Questions

Common questions about CMMC Penetration Testing.

Does CMMC require penetration testing?
CMMC does not have a requirement labeled "penetration testing," but Control 3.12.1 requires periodically assessing security controls for effectiveness, and Control 3.11.2 requires vulnerability scanning. C3PAO assessors expect evidence that controls are actually working, not just documented, and a penetration test is one of the clearest ways to produce that evidence. Without test results of some kind, demonstrating that 3.12.1 is met becomes difficult, and assessors are likely to flag the gap.
What CMMC level do we need?
If your organization handles Controlled Unclassified Information (CUI) on DoD contracts, you need CMMC Level 2, which requires all 110 NIST 800-171 controls and, in most cases, a C3PAO assessment. If you only handle Federal Contract Information (FCI), a Level 1 self-assessment may suffice. Your contracting officer and the CMMC clause in your contract (DFARS 252.204-7021) specify the required level.
How does your testing relate to NIST 800-171?
CMMC Level 2 is directly based on NIST 800-171. Our testing validates the technical implementation of 800-171 controls by testing them the way an attacker would. Every finding maps to a specific 800-171 control, and our report can be used as POA&M input for any controls found to be insufficiently implemented.
Should we pentest before or after our C3PAO assessment?
Before, ideally 3 to 6 months before your scheduled assessment. A penetration test identifies gaps in your control implementation while you still have time to remediate and to retest. Going into a C3PAO assessment with unresolved vulnerabilities risks NOT MET findings on the affected controls, which can delay your certification and affect contract eligibility.
Are you located near the Central Florida defense corridor?
Yes. Lorikeet Security is headquartered in the Orlando metro area, home to major defense contractors including Lockheed Martin, L3Harris, Raytheon, and Northrop Grumman. We understand the local defense supply chain and work with subcontractors across the region who are preparing for CMMC certification.

Ready for Your CMMC Penetration Test?

Book a consultation to discuss your compliance timeline, testing scope, and how we can coordinate with your audit team.
