CMMC 2.0 Level 2 vs. Level 3: Which Penetration Testing Requirements Apply to You?

Key Takeaways

  • CMMC Level 3 mandates annual penetration testing under NIST SP 800-172 control CA.L3-3.12.1e, while Level 2 requires periodic vulnerability scanning under NIST SP 800-171 but does not explicitly require penetration testing—though most compliance experts strongly recommend it for Level 2 organizations handling Controlled Unclassified Information (CUI).
  • Only 1% of defense contractors report full readiness for CMMC 2.0 assessments, with 80,000 organizations needing Level 2 certification against just 270 current certificate holders—making proactive penetration testing a critical differentiator for contract eligibility.
  • The aerospace and defense sector has experienced a 300% increase in cyberattacks since 2018, with average breach costs reaching $5.46 million in the defense sector—underscoring why penetration testing is increasingly viewed as a business necessity, not just a compliance obligation.

If you’re a defense contractor evaluating your CMMC 2.0 compliance strategy, one of the most consequential questions you’ll face is this: Does my organization need penetration testing? The answer depends almost entirely on whether your contracts require Level 2 or Level 3 certification—and the distinction between those two levels carries significant implications for your security program, your budget, and your ability to compete for DoD contracts.

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, which became mandatory in DoD solicitations as of November 2025, fundamentally changed the rules of engagement for the defense industrial base (DIB). Gone are the days of self-attestation and trust-based compliance. In their place is a verification-driven model where organizations must demonstrate—through either self-assessment or third-party audit—that their cybersecurity controls actually work as intended.

Penetration testing sits at the heart of this shift. At Level 3, it’s an explicit, non-negotiable requirement. At Level 2, its status is more nuanced but no less important in practice. Understanding exactly where your organization falls on this spectrum—and what that means for your testing obligations—is essential for avoiding costly compliance surprises and maintaining your position in the defense supply chain.

This guide breaks down the penetration testing requirements at both CMMC 2.0 levels in detail, explains the underlying NIST standards driving those requirements, and provides actionable guidance for building a testing program that satisfies assessors and genuinely strengthens your security posture. Whether you’re a manufacturer producing defense components, a software developer building military applications, or a professional services firm supporting DoD programs, this analysis will help you determine exactly what penetration testing requirements apply to your organization—and what to do about them. For a broader overview of how penetration testing fits into the CMMC framework, we recommend starting with our comprehensive primer on that topic.

A Quick Primer on the CMMC 2.0 Framework

Before diving into the specific penetration testing differences between Levels 2 and 3, it’s worth grounding the discussion in the broader CMMC 2.0 framework. Understanding how the levels are structured—and why the DoD designed them the way it did—provides critical context for interpreting the testing requirements at each tier.

Three Levels, Three Risk Profiles

CMMC 2.0 consolidated the original five-tier model into a streamlined three-level framework. Each level corresponds to the type and sensitivity of information a contractor handles, creating a right-sized approach to cybersecurity that aligns security investment with actual risk exposure.

Level 1 (Foundational) applies to organizations handling only Federal Contract Information (FCI)—contract terms, pricing, delivery schedules, and similar non-sensitive business data. These organizations implement 15 basic security practices drawn from FAR 52.204-21 and verify compliance through annual self-assessment. Penetration testing isn’t a factor at this level.

Level 2 (Advanced) covers the majority of the defense industrial base: any organization that processes, stores, or transmits Controlled Unclassified Information (CUI). Level 2 requires implementation of all 110 security controls from NIST SP 800-171, with most organizations undergoing triennial third-party assessment by a CMMC Third Party Assessment Organization (C3PAO). This is where roughly 78% of all CMMC assessments will occur, and where the penetration testing question gets interesting.

Level 3 (Expert) is reserved for contractors supporting critical national security programs or handling CUI associated with high-value assets. Level 3 builds on the full Level 2 baseline by adding 24 enhanced security requirements from NIST SP 800-172. Assessment occurs through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and fewer than 5% of contractors are expected to require this level. This is where penetration testing becomes an explicit, mandatory requirement.

The Readiness Reality

The urgency of understanding these requirements cannot be overstated. Industry data paints a sobering picture of where the defense industrial base stands. According to the 2025 State of the DIB Report, just 1% of defense contractors feel fully prepared for CMMC assessments. The median Supplier Performance Risk System (SPRS) score sits at 60—well below the 110 required for Level 2 compliance. And while 69% of contractors claim compliance through self-assessment, only 30% have completed the kind of rigorous medium or high assessments that would validate their actual security posture.

These gaps aren’t just regulatory inconveniences. They represent real business risk. Over 80% of aerospace and defense organizations have experienced a breach in the past 12 months, and the average cost of a data breach in the defense sector has reached $5.46 million. Organizations that don’t close these gaps risk more than failed audits—they risk losing access to the $849 billion DoD contract ecosystem altogether.

CMMC Level 2: Penetration Testing Requirements Explained

Level 2 is where the bulk of the defense industrial base will focus its compliance efforts. Understanding precisely what this level requires—and doesn’t require—regarding penetration testing is essential for allocating resources effectively. Essendis provides comprehensive CMMC 2.0 Level 2 compliance services designed to help contractors navigate these requirements.

What NIST SP 800-171 Actually Says About Testing

CMMC Level 2 maps directly to the 110 controls in NIST SP 800-171. When it comes to security testing and vulnerability management, the most relevant requirements include:

Requirement 3.11.2 (RA.L2-3.11.2): "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified." This is the baseline scanning requirement. It mandates regular vulnerability scanning of all systems that create, process, store, or transmit CUI—including networks, servers, workstations, databases, applications, and cloud environments. The frequency isn’t rigidly defined, but industry best practice and most C3PAO expectations point to at least quarterly scanning.

Requirement 3.11.3 (RA.L2-3.11.3): "Remediate vulnerabilities in accordance with risk assessments." Scanning without remediation is compliance theater. This requirement demands that organizations establish remediation timelines based on severity, implement compensating controls when patches aren’t immediately available, and document risk acceptance decisions for findings that cannot be resolved.

Requirement 3.12.1 (CA.L2-3.12.1): "Periodically assess the security controls in organizational systems to determine if the controls are effective in their application." This is where things get nuanced. While the word “penetration testing” doesn’t appear in this control, the requirement to assess whether security controls are “effective in their application” strongly implies the need for testing that goes beyond automated vulnerability scanning. Many compliance advisors interpret this as a soft mandate for penetration testing—particularly for organizations with complex environments or custom applications.

Requirement 3.12.3 (CA.L2-3.12.3): "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls." This establishes the expectation of continuous security validation—not just point-in-time assessments. While vulnerability scanning can partially satisfy this requirement, the most robust compliance posture combines automated scanning with periodic manual penetration testing.

The Bottom Line for Level 2: Not Mandatory, but Strongly Advisable

Here’s the direct answer: CMMC Level 2 does not explicitly mandate penetration testing. If you’re looking purely at the letter of NIST SP 800-171, vulnerability scanning is the stated requirement for identifying security weaknesses.

However, the practical reality is more complex. C3PAOs assessing Level 2 organizations will examine whether your security controls actually work—not just whether they exist on paper. Vulnerability management through automated scanning identifies known vulnerabilities, but it can’t test for business logic flaws, misconfigured access controls, lateral movement paths, or complex multi-step attack chains that a human tester would uncover.

Consider the scenario NIST itself acknowledges: organizations using custom-developed software to process CUI need testing approaches that go beyond basic scanning. NIST SP 800-171 recognizes that custom applications require static analysis, dynamic analysis, binary analysis, or hybrid methods—techniques that fall squarely within the penetration testing discipline. If your organization develops or uses custom software that touches CUI, penetration testing isn’t just advisable; it’s arguably necessary to satisfy the spirit of the vulnerability management requirements.

Five Practical Reasons Level 2 Organizations Should Conduct Penetration Testing

1. Prime Contractor Flow-Down Requirements. Major defense primes—Lockheed Martin, Boeing, Raytheon, Northrop Grumman—increasingly include penetration testing requirements in subcontract flow-down clauses, regardless of CMMC level. If your customer base includes Tier 1 defense primes, you may face contractual testing obligations that exceed the CMMC baseline.

2. Assessment Preparation and Risk Reduction. Conducting a penetration test before your C3PAO assessment lets you discover and remediate weaknesses on your own terms. Organizations that have already addressed their most critical vulnerabilities face far lower risk of assessment failure, costly remediation under time pressure, or the need to develop Plans of Action and Milestones (POA&Ms) that could limit their certification status.

3. Competitive Differentiation in Contract Bidding. In a market where only 1% of contractors feel fully prepared for CMMC, demonstrated security rigor becomes a competitive advantage. Presenting penetration testing reports alongside your CMMC certification signals to contracting officers that your organization takes security seriously—beyond the minimum requirements.

4. Validation of Segmentation and Enclave Architectures. Many Level 2 organizations implement CUI enclaves to limit their compliance scope. Penetration testing is the most effective way to verify that your enclave boundaries actually hold under adversarial pressure. Automated scanning can confirm that firewall rules exist; penetration testing proves they work when an attacker actively tries to circumvent them.

5. Financial Risk Mitigation. The math is straightforward. With average defense sector breach costs at $5.46 million and a comprehensive penetration test costing between $25,000 and $100,000, even a single prevented incident delivers a return on investment exceeding 50:1. For organizations already investing heavily in CMMC compliance, adding penetration testing is a relatively small incremental cost that substantially reduces residual risk.

CMMC Level 3: Penetration Testing as a Non-Negotiable Requirement

If Level 2 occupies a gray area regarding penetration testing, Level 3 eliminates all ambiguity. Penetration testing at this level isn’t a best practice recommendation or an implied expectation—it’s an explicit, mandatory requirement that DIBCAC assessors will verify during your certification assessment.

The NIST SP 800-172 Foundation

CMMC Level 3 adds 24 enhanced security requirements from NIST SP 800-172 on top of the complete Level 2 baseline (all 110 NIST SP 800-171 controls). These enhanced requirements are organized around a three-pillar protection strategy designed to counter Advanced Persistent Threats (APTs):

Penetration-Resistant Architecture (PRA): Using technology and procedures to limit the opportunities for an adversary to compromise organizational systems and maintain a persistent presence. This means designing systems that are inherently difficult to penetrate—not just defended at the perimeter.

Damage-Limiting Operations (DLO): Detecting, isolating, and limiting the scope of successful system compromises. This strategy acknowledges that breaches will happen and focuses on minimizing their impact through compartmentalization, rapid detection, and containment.

Cyber Resiliency and Survivability (CRS): Maintaining essential functions during and after cyberattacks. This ensures that even under active attack conditions, critical operations continue and recovery occurs rapidly.

The Critical Penetration Testing Control: CA.L3-3.12.1e

The specific control that makes penetration testing mandatory at Level 3 is CA.L3-3.12.1e. This enhanced assessment control requires organizations to:

"Employ penetration testing to validate the effectiveness of security controls."

This requirement is not a suggestion, a recommendation, or a best practice. It’s a hard control that DIBCAC assessors will evaluate during Level 3 certification. To achieve a MET finding, organizations must provide evidence that penetration testing:

Occurs on a defined schedule: Annual testing is the widely accepted minimum, though many Level 3 organizations test more frequently. The key is establishing a documented testing cadence that aligns with your organization’s risk profile and the operational tempo of your systems.

Covers the full assessment scope: Testing must address all systems within the CMMC Level 3 assessment boundary. This includes CUI-processing environments, supporting infrastructure, network boundaries, applications, and integration points with external systems.

Uses qualified testers: DIBCAC expects penetration testing to be conducted by qualified security professionals—either internal red team members or external penetration testing firms. Given the sensitivity of the systems involved, testers may need to be U.S. citizens or hold security clearances, depending on the specific CUI categories in scope.

Produces actionable findings: Testing reports must document vulnerabilities discovered, exploitation methods used, evidence of successful compromise, business impact assessment, and specific remediation recommendations. These reports become compliance artifacts that DIBCAC assessors will review.

Drives remediation: Level 3 organizations must demonstrate that penetration testing findings are addressed. This means tracking remediation activities, conducting validation testing to confirm fixes, and documenting risk acceptance decisions for any findings that remain unresolved.

Beyond Basic Penetration Testing: What Level 3 Really Demands

Level 3 penetration testing goes beyond the kind of routine annual testing that many organizations are accustomed to. The enhanced requirements reflect the assumption that Level 3 organizations face nation-state adversaries with sophisticated capabilities, persistent intent, and significant resources.

Threat-Informed Testing: Rather than generic vulnerability assessments, Level 3 requires testing that simulates the specific tactics, techniques, and procedures (TTPs) used by APTs targeting defense information. This means testers should map their activities to the MITRE ATT&CK framework and focus on the threat actors most relevant to your organization’s mission and data.

Red Team Exercises: While standard penetration testing focuses on identifying and exploiting vulnerabilities, Level 3 organizations benefit from full red team engagements that simulate end-to-end attack campaigns. Red teams operate with minimal rules of engagement, testing not just technical controls but also detection capabilities, incident response procedures, and personnel awareness.

Purple Team Collaboration: The most mature Level 3 organizations complement adversarial testing with purple team exercises—collaborative engagements where offensive testers work alongside defensive security teams. Purple teaming identifies detection gaps in real time, validates that security monitoring tools generate proper alerts, and ensures incident response procedures work as documented.

Penetration-Resistant Architecture Validation: NIST SP 800-172 control 3.13.2e specifically requires organizations to implement and validate a penetration-resistant architecture. This goes beyond finding individual vulnerabilities to assessing whether the system’s overall architectural design limits an adversary’s ability to gain and maintain access. Testers should evaluate network segmentation effectiveness, privilege escalation paths, lateral movement possibilities, and persistence mechanisms.

Assumed Breach Testing: Some Level 3 testing should start from the assumption that an adversary has already gained initial access. This approach tests how effectively damage-limiting operations work in practice: Can the adversary escalate privileges? Move laterally to CUI repositories? Exfiltrate data without detection? Maintain persistent access? These scenarios directly validate the DLO pillar of the NIST SP 800-172 protection strategy.

Level 2 vs. Level 3: A Side-by-Side Comparison of Penetration Testing Requirements

The following comparison crystallizes the key differences between Level 2 and Level 3 penetration testing requirements across the dimensions that matter most for compliance planning:

Dimension

CMMC Level 2

CMMC Level 3

Governing Standard

NIST SP 800-171 (110 controls)

NIST SP 800-171 + 24 controls from NIST SP 800-172

Pen Testing Requirement

Not explicitly required

Explicitly required (CA.L3-3.12.1e)

Vulnerability Scanning

Required (periodic + event-driven)

Required (inherits Level 2 baseline)

Testing Frequency

Quarterly scanning recommended

Annual pen testing minimum; quarterly scanning baseline

Assessment Body

C3PAO (third-party)

DIBCAC (government-led)

Testing Scope

All CUI-processing systems

All Level 3 boundary systems, including APT-focused scenarios

Threat Model

General cybersecurity threats

Advanced Persistent Threats (nation-state actors)

Testing Depth

Automated scanning + optional manual testing

Mandatory manual pen testing + red team exercises recommended

Architecture Validation

Not required

Penetration-resistant architecture validation required

Approximate Contractor %

~78% of all CMMC assessments

Less than 5% of contractors

Typical Cost Range

$50K–$200K (full compliance program)

$150K–$400K+ (full compliance program)

This comparison underscores a fundamental architectural difference in how the DoD approaches security validation. Level 2 trusts that well-implemented controls—verified through scanning and third-party assessment—provide adequate protection for CUI. Level 3 assumes that sophisticated adversaries will actively attempt to defeat those controls and demands proof—through penetration testing—that they can withstand real-world attacks.

Determining Which Level Applies to Your Organization

One of the most common points of confusion in CMMC compliance is determining whether your organization needs Level 2 or Level 3 certification. The answer isn’t driven by organizational preference or security ambition—it’s determined by your contracts and the type of information you handle.

You Likely Need Level 2 If:

Your contracts involve processing, storing, or transmitting CUI. This includes most manufacturers, software developers, engineering firms, professional services companies, and subcontractors in the defense supply chain. If your contract includes DFARS 252.204-7012, you’re handling CUI and Level 2 applies. This represents the vast majority of defense contractors—an estimated 80,000 organizations that need Level 2 certification.

You Likely Need Level 3 If:

According to the DoD’s assessment level guidance, Level 3 certification is required in limited, specific circumstances:

a) Your organization handles CUI associated with a breakthrough, unique, or advanced technology.

b) There is a significant aggregation or compilation of CUI in a single information system or IT environment within your organization.

c) An attack on your information system or IT environment would result in widespread vulnerability across DoD operations.

In practice, Level 3 applies primarily to prime contractors and key subcontractors on programs involving cutting-edge weapons systems, intelligence platforms, critical command-and-control infrastructure, and similar high-value defense programs. The DoD has indicated that fewer than 5% of contractors will require Level 3 certification.

Key Decision Factor: It’s Not Your Choice

An important nuance: you don’t get to choose your CMMC level. The required level will be specified in your contract solicitation. The contracting officer determines the appropriate level based on the sensitivity of the information the contract involves and the criticality of the program. Your job is to achieve certification at the level specified—and to have done the preparation work before the solicitation drops.

This makes early assessment critical. Engaging a CMMC readiness assessment provider well in advance of anticipated solicitations gives you time to identify gaps, implement controls, and—if penetration testing is warranted—conduct it and remediate findings before your formal assessment.

Building a Penetration Testing Program That Satisfies CMMC Requirements

Regardless of whether your organization falls under Level 2 or Level 3, approaching penetration testing strategically—rather than as a last-minute compliance exercise—delivers significantly better outcomes. The following framework applies to both levels, with Level 3 organizations layering additional depth and rigor onto the foundation. For organizations looking for hands-on support, Essendis offers both network penetration testing and application penetration testing services specifically aligned to CMMC compliance needs.

Step 1: Define Your CUI Boundary and Assessment Scope

Penetration testing should target the systems that matter for CMMC compliance. This starts with understanding your CUI data flows: every system that creates, processes, stores, or transmits CUI is in scope for testing. This includes file servers and databases, email and collaboration platforms, backup and disaster recovery infrastructure, development and staging environments (if they touch CUI data), cloud services and SaaS applications, network infrastructure enabling CUI transit, and remote access and VPN endpoints.

Organizations that have implemented CUI enclaves—dedicated environments for processing controlled information—should test both the enclave itself and the boundary controls separating the enclave from the broader enterprise network. Essendis’s Secure Enclave solutions are designed with this testing requirement in mind, providing architectures that are both compliant and verifiable through penetration testing.

Step 2: Select the Right Testing Methodology

The testing approach should match your CMMC level, threat model, and organizational maturity. Understanding the differences between black box, white box, and gray box testing is essential for selecting the right methodology:

For Level 2 Organizations: A gray box or white box approach typically delivers the best value. Providing testers with network diagrams, system architecture documentation, and user credentials allows for more thorough testing within a defined timeframe. External network penetration testing validates perimeter defenses, while internal testing verifies segmentation and access controls. Application testing should be included if custom software handles CUI.

For Level 3 Organizations: A combination of approaches is necessary. Threat-informed red team testing using MITRE ATT&CK TTPs should complement structured penetration testing. Include assumed breach scenarios, privilege escalation testing, lateral movement assessment, and data exfiltration simulation. Purple team exercises should validate that defensive monitoring detects testing activities in real time.

Step 3: Establish Testing Frequency and Triggers

Level 2 Baseline: Quarterly vulnerability scanning (minimum), with annual penetration testing recommended as a best practice. Trigger additional scanning or testing after significant system changes, major software deployments, detection of new high-severity vulnerabilities affecting your technology stack, or security incidents.

Level 3 Baseline: Annual comprehensive penetration testing (mandatory), quarterly vulnerability scanning, and continuous security validation through automated tools. Red team exercises should occur at least annually. Trigger additional testing after any system changes within the Level 3 boundary, new threat intelligence relevant to your sector, or findings from continuous monitoring that suggest control degradation.

Step 4: Choose the Right Testing Partner

Selecting a penetration testing partner for CMMC compliance requires evaluating several factors beyond pure technical skill. Look for partners with specific CMMC expertise who understand the nuances of NIST SP 800-171 and SP 800-172 requirements. Verify that testers can meet any U.S. citizenship or clearance requirements relevant to your CUI categories. Ensure comprehensive capabilities across network, application, wireless, and cloud testing. And prioritize firms—like Essendis—that deliver documentation-quality reports meeting CMMC assessment evidence standards, because the testing output must satisfy assessors, not just identify vulnerabilities.

Step 5: Integrate Testing into Your Broader Security Program

Penetration testing shouldn’t exist in isolation. The most effective CMMC compliance programs integrate testing results into a continuous improvement cycle. Feed findings into your managed cybersecurity operations for monitoring and detection validation. Use remediation outcomes to update your System Security Plan (SSP). Track remediation metrics to demonstrate continuous improvement to assessors. And leverage testing insights to prioritize security investments where they’ll have the greatest impact on your compliance posture.

Common Mistakes to Avoid in CMMC Penetration Testing

Working with defense contractors across the compliance spectrum, several recurring mistakes can derail even well-intentioned testing programs:

Treating Vulnerability Scanning as Penetration Testing. Automated scanning and manual penetration testing serve different purposes. Scanning identifies known vulnerabilities based on signatures and databases. Penetration testing validates whether those vulnerabilities—and unknown ones—can actually be exploited. A C3PAO or DIBCAC assessor will recognize the difference. Recent studies have shown that manual penetration testing uncovers nearly 2,000 times more unique vulnerabilities than automated scanning alone.

Scoping Too Narrowly. Testing only your internet-facing perimeter while ignoring internal networks, cloud environments, or application layers creates dangerous blind spots. Attackers don’t stop at the firewall, and assessors know this. Ensure your testing scope matches your CMMC assessment boundary.

Testing Without Remediation. A penetration testing report gathering dust in a file cabinet is worse than useless—it’s evidence that you knew about vulnerabilities and didn’t fix them. Both NIST SP 800-171 (Requirement 3.11.3) and SP 800-172 demand remediation of identified vulnerabilities. Assessors will ask to see evidence that findings were addressed.

Waiting Until Right Before Your Assessment. Conducting penetration testing weeks before a CMMC assessment leaves no time to remediate findings. Testing should occur at least six months before your planned assessment date, with a retest to validate remediation three months out. Given that CMMC preparation takes 6-18 months on average, building testing into your early preparation timeline is critical.

Using Testers Without CMMC Context. A generic penetration testing firm may deliver technically sound results that don’t align with CMMC expectations. Your testing partner should understand which NIST controls are being validated, how findings map to CMMC assessment objectives, and what documentation format assessors expect.

Neglecting Cloud Environments. As more defense contractors adopt cloud infrastructure, penetration testing must extend to cloud configurations, API security, identity and access management, and data protection controls in cloud environments. Shared responsibility models mean that the cloud provider secures the infrastructure, but you’re responsible for securing your configuration and data—and proving it through testing.

The CMMC Compliance Timeline: Where Penetration Testing Fits

Understanding the phased implementation of CMMC 2.0 is critical for planning your penetration testing activities:

Phase 1 (Active as of November 2025): Level 1 and Level 2 self-assessment requirements are being included in certain contracts. If your contracts include CMMC clauses, compliance is already required.

Phase 2 (Expected November 2026): Level 2 C3PAO certification assessment requirements will appear in contracts. This is when third-party validation becomes mandatory for most CUI-handling contractors.

Phase 3 (Expected November 2027): Level 3 DIBCAC assessment requirements will be included in applicable contracts.

Phase 4 (Expected by 2028): Full implementation across all applicable DoD contracts.

For Level 2 organizations: Conduct your first penetration test now. Use findings to remediate gaps before Phase 2 C3PAO assessments begin. Build testing into your annual security operations calendar. The organizations that start penetration testing early will be the ones with clean assessment results when the formal certification window opens.

For Level 3 organizations: Your testing program should already be established. Annual penetration testing, red team exercises, and continuous validation should be operational well in advance of the Phase 3 DIBCAC assessment requirement. Given the limited DIBCAC assessment capacity and the complexity of Level 3 evaluations, early preparation is essential.

The Strategic Value of Penetration Testing Beyond CMMC Compliance

While CMMC compliance is the immediate driver for many organizations, penetration testing delivers value that extends well beyond satisfying assessment requirements:

Supply Chain Resilience: The defense supply chain is only as strong as its weakest link. Nearly 90% of defense contractors report experiencing financial, reputational, or business losses from cyber incidents. Penetration testing identifies your organization’s weak points before adversaries exploit them, strengthening the entire supply chain ecosystem.

Insurance and Risk Management: Cyber insurance underwriters increasingly require evidence of security testing when evaluating defense contractor applicants. Regular penetration testing results can support more favorable premium rates and demonstrate due diligence in the event of a claim.

Investor and Partner Confidence: For defense contractors pursuing growth through M&A, joint ventures, or new prime contractor relationships, a documented penetration testing program signals security maturity that goes beyond checkbox compliance.

Operational Awareness: Penetration testing provides organizations with ground-truth understanding of their security posture. The insights from a skilled tester—about how defenses actually perform under adversarial conditions—are qualitatively different from the theoretical understanding provided by control implementation alone.

Talent and Culture Development: Organizations that invest in penetration testing often find that the process elevates the security awareness and capability of their internal IT and security teams. Exposure to real-world attack methodologies—through testing debriefs and remediation collaboration—builds institutional knowledge that strengthens the organization over time.

Taking the Next Step

The penetration testing requirements in CMMC 2.0 reflect a broader truth about cybersecurity in the defense industrial base: the threat environment has evolved beyond what basic controls and automated scanning can address. Whether your organization requires Level 2 or Level 3 certification, penetration testing provides the validation that separates theoretical compliance from proven security.

For Level 2 organizations, the question isn’t whether you can skip penetration testing—it’s whether you can afford to. In a market where the vast majority of contractors are scrambling toward compliance, the organizations that proactively test their defenses will be the ones with clean assessments, satisfied prime contractors, and uninterrupted access to DoD contracts.

For Level 3 organizations, the path is clear: penetration testing is mandatory, and the bar is set high. Building a mature testing program—one that incorporates threat-informed testing, red team exercises, and continuous validation—isn’t just about passing your DIBCAC assessment. It’s about genuinely defending the critical national security information entrusted to your care.

The defense industrial base stands at an inflection point. The organizations that invest in robust penetration testing now—whether driven by Level 2 prudence or Level 3 mandate—will be the ones positioned to thrive in the next era of defense contracting. Those that wait risk joining the 99% of contractors still scrambling to catch up. Essendis provides the full spectrum of CMMC compliance solutions, from initial readiness assessments through penetration testing to ongoing managed security, helping defense contractors achieve and maintain certification at every level. Contact our team to discuss your organization’s specific penetration testing and CMMC compliance needs.

Frequently Asked Questions

Does CMMC Level 2 require penetration testing?

No, CMMC Level 2 does not explicitly mandate penetration testing. The underlying NIST SP 800-171 standard requires periodic vulnerability scanning and security control assessment, but the specific words “penetration testing” do not appear as a requirement. However, many compliance experts strongly recommend penetration testing for Level 2 organizations because it provides deeper validation of security controls than automated scanning alone, helps prepare for C3PAO assessments by identifying gaps in advance, satisfies prime contractor flow-down requirements that often exceed the CMMC baseline, and effectively validates CUI enclave boundaries and segmentation architectures. For organizations using custom software to process CUI, penetration testing is arguably necessary to satisfy the spirit of the vulnerability management requirements.

What specific NIST control requires penetration testing at Level 3?

The primary control is CA.L3-3.12.1e from NIST SP 800-172, which requires organizations to “employ penetration testing to validate the effectiveness of security controls.” This is a mandatory requirement that DIBCAC assessors will evaluate during Level 3 certification. Unlike Level 2, there is no ambiguity: Level 3 organizations must conduct penetration testing and provide evidence of both the testing activities and the resulting remediation efforts.

How often should penetration testing be conducted for CMMC compliance?

For Level 2 organizations conducting voluntary penetration testing, annual testing with quarterly vulnerability scanning is considered best practice. For Level 3 organizations, annual comprehensive penetration testing is the widely accepted minimum, supplemented by quarterly vulnerability scanning, continuous security validation, and periodic red team exercises. Additional testing should be triggered by significant system changes, new high-severity vulnerability disclosures, security incidents, or major software deployments.

What’s the difference between vulnerability scanning and penetration testing for CMMC purposes?

Vulnerability scanning uses automated tools to identify known weaknesses based on signature databases—think of it as a diagnostic scan that checks for recognized problems. Penetration testing employs skilled security professionals who actively attempt to exploit vulnerabilities, chain multiple findings together, test business logic, and validate whether theoretical weaknesses can actually be leveraged by an attacker. CMMC Level 2 explicitly requires vulnerability scanning. Level 3 requires both vulnerability scanning (inherited from the Level 2 baseline) and penetration testing. The distinction matters because assessors at both levels understand the difference and may question organizations that present scanning results as penetration testing evidence.

Can we conduct penetration testing internally, or do we need an external firm?

Both approaches can satisfy CMMC requirements, provided the testers are qualified and the testing meets the expected rigor. Internal red teams offer deep organizational knowledge and can test more frequently, but may have blind spots due to familiarity with the environment. External firms bring fresh perspectives, specialized expertise, and independence that assessors may view more favorably. Many Level 3 organizations use a hybrid approach: external firms for annual comprehensive testing and internal teams for continuous validation and purple team exercises. The key factor is demonstrating competence, independence, and thoroughness regardless of whether testers are internal or external.

What happens if a penetration test finds a critical vulnerability right before our CMMC assessment?

Finding critical issues before your formal assessment is actually beneficial—it gives you the opportunity to fix them. CMMC assessors generally don’t request penetration testing reports and won’t penalize you for issues that have been remediated. If a finding can’t be fully resolved before assessment, it may be addressed through a Plan of Action and Milestones (POA&M), though this could result in conditional rather than final certification. Under CMMC 2.0, organizations can hold certain minor POA&Ms at certification, but they must score at least 80% on Level 3-specific controls and close all POA&M items within 180 days. This is why conducting testing well in advance—at least six months before your planned assessment—is strongly advised.

How much does CMMC-compliant penetration testing cost?

Penetration testing costs vary significantly based on scope, complexity, and testing depth. For Level 2 organizations conducting basic network and application penetration testing, costs typically range from $25,000 to $75,000 per engagement. For Level 3 organizations requiring comprehensive testing including threat-informed scenarios, red team exercises, and architecture validation, costs can range from $75,000 to $200,000 or more per annual testing cycle. When compared to the average defense sector breach cost of $5.46 million and the potential loss of DoD contract revenue, penetration testing represents a high-return security investment.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.