
TL;DR: CMMC 2.0 Level 2 (NIST SP 800-171) never uses the words "penetration testing" in its control requirements, but the controls it does mandate -- vulnerability scanning, security assessment, risk assessment, and flaw remediation -- are most convincingly evidenced by penetration testing. Level 3 goes further: the NIST SP 800-172 requirements it adds include an explicit penetration testing requirement (CA.L3-3.12.1e). Defense contractors pursuing Level 2 should therefore treat pentesting as a de facto requirement, and Level 3 contractors as a stated one. Automated AI-powered testing makes it practical to maintain continuous compliance evidence rather than scrambling before each assessment. This article maps specific CMMC controls to pentesting activities, explains what assessors actually look for, and shows how to build a cost-effective testing program that satisfies both the letter and the spirit of the framework.
CMMC 2.0: A Quick Primer
The Cybersecurity Maturity Model Certification program was created by the Department of Defense to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) within the defense industrial base. After the initial rollout of CMMC 1.0 drew criticism for its complexity and cost, the DoD streamlined the framework into CMMC 2.0 with three levels instead of five.
Level 1 (Foundational) applies to organizations handling FCI only. It requires the 15 basic safeguarding requirements of FAR 52.204-21 (early CMMC 2.0 material counted them as 17 practices; the final rule aligns with the 15 in the FAR clause). An annual self-assessment with an affirmation is sufficient. Penetration testing is not a meaningful factor at this level.
Level 2 (Advanced) applies to organizations handling CUI. It maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. This is where the vast majority of defense contractors land, and it is the level where penetration testing becomes relevant. Depending on the CUI involved, the contract will specify either an annual self-assessment or a triennial assessment by a CMMC Third Party Assessment Organization (C3PAO); most contracts involving CUI are expected to require the C3PAO path.
Level 3 (Expert) applies to the highest-priority programs and adds a selected subset of requirements from NIST SP 800-172, among them CA.L3-3.12.1e, which requires penetration testing at an organization-defined frequency. Level 3 builds on a Level 2 C3PAO certification and is assessed by the government (DCMA's DIBCAC), making it the most stringent posture in the framework.
Enforcement Timeline
CMMC requirements began appearing in defense contracts through DFARS clause 252.204-7021. The DoD's phased implementation means that by late 2026, most new contracts involving CUI will require demonstrated CMMC Level 2 compliance. For contractors who have been putting off their compliance programs, the window for preparation is closing.
Penetration testing is not a single checkbox in CMMC -- it is a testing methodology that generates evidence for multiple controls simultaneously. Here are the specific controls where penetration testing provides the strongest evidence:
RA.L2-3.11.1 -- Risk Assessments
"Periodically assess the risk to organizational operations, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI."
Penetration testing is one of the most effective methods for identifying actual risks to CUI-handling systems. Unlike theoretical risk assessments based on questionnaires and interviews, pentesting reveals real vulnerabilities that could be exploited to access CUI. Assessment findings provide concrete, evidence-based risk data that feeds directly into the risk assessment process.
RA.L2-3.11.2 -- Vulnerability Scanning
"Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified."
This control explicitly requires vulnerability scanning, and penetration testing extends it rather than replacing it. A standalone vulnerability scan identifies potential weaknesses based on version detection and configuration checks; a penetration test validates whether those weaknesses are actually exploitable in the target environment. This distinction matters to assessors, who want to see not just that you scanned but that you understand which findings represent real risk. One caveat: the control also requires scanning "when new vulnerabilities affecting those systems and applications are identified," so a quarterly or annual pentest on its own does not satisfy 3.11.2. You still need a documented, recurring scanning cadence (and a trigger for out-of-cycle scans when a relevant advisory lands) with the pentest layered on top.
RA.L2-3.11.3 -- Remediation of Vulnerabilities
"Remediate vulnerabilities in accordance with risk assessments."
Penetration testing directly supports this control by providing the risk-prioritized vulnerability data that drives remediation decisions. When a pentest demonstrates that a vulnerability can be exploited to access CUI, the remediation priority becomes unambiguous. Follow-up testing then provides evidence that remediation was effective -- a finding that was exploitable in the initial test should no longer be exploitable after the fix.
CA.L2-3.12.1 -- Security Assessment
"Periodically assess the security controls in organizational systems to determine if the controls are effective in their application."
This is arguably the control most directly satisfied by penetration testing. Technical security controls -- firewalls, access controls, encryption, segmentation, intrusion detection -- exist to prevent unauthorized access, and penetration testing is the most rigorous method for determining whether they actually work as intended. An assessor reviewing evidence for this control wants to see that someone tested whether the controls stop real attacks, not just that the controls are configured and operational. Note that 3.12.1 covers all of the organization's security controls, including administrative ones such as policy, training, and personnel screening; a pentest report is strong evidence for the technical controls but must be paired with other assessment methods (interviews, document review, configuration review) for the rest.
SI.L2-3.14.1 -- Flaw Identification and Management
"Identify, report, and correct system flaws in a timely manner."
Penetration testing identifies system flaws that automated patch management and vulnerability scanning alone might miss: misconfigurations, logic errors, access control weaknesses, and chained vulnerabilities where individual components appear secure but the combination creates an exploitable path. The testing report documents identified flaws, and remediation retesting documents their correction.
AC.L2-3.1.1 through AC.L2-3.1.22 -- Access Control Family
While not typically cited as a primary pentesting target, the Access Control family benefits significantly from penetration testing evidence. Testing whether authenticated users can access data or functions outside their authorized scope, whether session management prevents hijacking, and whether network segmentation actually isolates CUI environments are all access control validations that pentesting performs naturally.
What CMMC Assessors Actually Look For
Understanding the control language is necessary but not sufficient. What matters in practice is what C3PAO assessors expect to see when they review your compliance evidence. Based on published assessment guidance and industry experience, assessors evaluating security testing programs typically look for:
Documentation of testing scope and methodology. The assessment report should clearly define what was tested, how it was tested, and why the scope was chosen. For CMMC purposes, the scope must include all systems that process, store, or transmit CUI. If CUI-handling systems were excluded from testing, assessors will want to know why.
Evidence of findings with severity ratings. Each finding should include a clear description, evidence of the vulnerability, an assessment of exploitability, and a severity rating tied to potential CUI impact. Assessors are looking for a risk-based approach, not a raw vulnerability dump.
Remediation tracking and verification. For every finding above a defined risk threshold, assessors want to see documented remediation actions and evidence that the fixes were verified through retesting. A finding that was identified six months ago and never remediated, with no plan of action and milestones (POA&M) entry or documented risk decision behind it, looks worse to an assessor than no finding at all -- it demonstrates awareness of risk without action.
Regularity and recency. Assessors want to see that testing is periodic, not a one-time event performed the week before the assessment. Testing conducted more than 12 months before the assessment is generally considered stale. Quarterly or continuous testing programs provide the strongest evidence of ongoing security diligence.
Independence. While CMMC does not mandate third-party penetration testing, assessors view independent testing more favorably than self-assessment for obvious reasons. For organizations conducting testing in-house or through automated platforms, demonstrating that the testing methodology is comprehensive and the results are objective is important.
Evidence Artifacts for Your Assessment
A well-structured penetration testing program produces artifacts that map directly to the assessor expectations above: a scope and methodology statement tied to the CUI boundary, a findings report with exploitability evidence and CUI-impact severity ratings, a remediation tracking log with retest results for every finding above the defined threshold, and timestamped records of each test run that demonstrate the testing cadence.
Frequency: How Often Is Enough?
CMMC's language around "periodically" assessing security controls leaves room for interpretation, which is both a flexibility and a risk. Organizations must define their own assessment frequency and be prepared to defend that choice to assessors.
Annual testing represents the absolute minimum that most assessors will accept. A single annual pentest provides a point-in-time snapshot and satisfies the letter of "periodic" assessment. However, for organizations with dynamic environments -- frequent deployments, infrastructure changes, or new system integrations -- annual testing leaves significant gaps in coverage.
Quarterly testing provides a much stronger compliance posture. It demonstrates a genuine commitment to ongoing security validation and catches vulnerabilities introduced by changes between annual assessments. For organizations handling sensitive CUI, quarterly testing is increasingly the expectation rather than the exception.
Continuous automated testing represents the gold standard. Running automated assessments on a weekly or monthly cadence provides near-real-time visibility into the security posture of CUI-handling systems. When combined with periodic manual deep-dive testing, continuous automated testing produces an evidence trail that is virtually unassailable during an assessment.
CMMC-Aligned Reporting with ThreatExploit
Producing CMMC-aligned evidence requires more than just running a pentest -- the output must map to the framework's control structure in a way that assessors can easily verify. ThreatExploit generates reports that include:
Control mapping. Each finding is tagged with the specific CMMC controls it relates to. An SQL injection vulnerability in a CUI-handling application maps to RA.L2-3.11.2 (vulnerability identified through scanning), CA.L2-3.12.1 (input validation control found ineffective), and SI.L2-3.14.1 (system flaw identified). This mapping eliminates the manual effort of cross-referencing findings to controls and gives assessors a clear audit trail.
CUI impact assessment. For each finding, the report assesses the specific risk to CUI confidentiality, integrity, and availability. A vulnerability that could allow unauthorized access to CUI-containing databases is rated differently than a vulnerability affecting a public-facing marketing site with no CUI connection. This risk differentiation is exactly what assessors look for when evaluating whether the organization understands its CUI exposure.
Remediation guidance with NIST SP 800-171 references. Remediation recommendations reference the specific NIST SP 800-171 requirements that the finding violates, creating a clear remediation path that doubles as a compliance roadmap.
Temporal evidence. Automated testing produces timestamped records of every test run, every finding, and every remediation verification. This temporal evidence demonstrates continuous compliance rather than point-in-time preparation.
Cost Comparison: Manual vs Automated Testing for CMMC
Defense contractors, particularly small and mid-sized manufacturers in the DIB supply chain, face real budget constraints when building CMMC compliance programs. Understanding the cost difference between manual and automated pentesting is critical for building a sustainable program.
Manual penetration testing for a typical CMMC scope -- covering the CUI enclave, boundary devices, authentication systems, and supporting infrastructure -- runs $15,000 to $35,000 per engagement. Quarterly manual testing costs $60,000 to $140,000 annually. For a small manufacturer with $10 million in defense contract revenue, this represents a significant compliance cost that directly impacts competitiveness.
Automated AI-powered testing through platforms like ThreatExploit dramatically reduces the per-assessment cost. Monthly automated testing with quarterly human-augmented deep dives can run $3,000 to $8,000 per month, or $36,000 to $96,000 annually -- comparable to or less than the cost of quarterly manual testing alone, but with three times the testing frequency (twelve runs a year instead of four). The continuous evidence trail is also far stronger for assessment purposes.
The hybrid approach that most organizations find optimal combines continuous automated testing for ongoing monitoring with annual or semi-annual manual testing for complex attack scenarios and business logic testing. This provides comprehensive coverage at a cost point that even smaller defense contractors can sustain.
Building Your CMMC-Ready Testing Program
For organizations preparing for CMMC Level 2 assessment, here is a practical roadmap for building a pentesting program that satisfies assessor expectations:
Step 1: Define your CUI boundary. Before testing, you must know exactly which systems handle CUI. This scoping exercise is foundational -- you cannot test what you have not defined. Document the CUI data flows, system interconnections, and boundary controls.
Step 2: Establish testing frequency. Based on the sensitivity of your CUI and the dynamism of your environment, set a testing cadence. Annual testing is the floor most assessors will accept; quarterly is the practical target, and monthly or continuous automated testing if budget allows. Document the rationale for your chosen frequency in your security assessment plan, because "periodically" is yours to define and defend.
Step 3: Run your baseline assessment. Conduct a thorough initial pentest covering the full CUI enclave. This baseline identifies your current vulnerability posture and provides the starting evidence for remediation tracking.
Step 4: Remediate and retest. Address findings by severity, starting with any vulnerabilities that could directly expose CUI. Verify each remediation through targeted retesting. Document everything in your remediation tracking log.
Step 5: Maintain continuous evidence. Run automated tests on your established cadence, track findings and remediation over time, and maintain the complete evidence package for assessor review. When your C3PAO arrives, you should be able to present a continuous, documented history of testing, findings, and remediation -- not a single recent report prepared for the occasion.
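The evidence checks this article describes (scope covering every CUI system, recency, retest verification of high-impact findings, severity driven by CUI exposure, and per-control tagging of findings as in the reporting section above) are mechanical enough to script. The following Python is an added illustration of such a check over a constructed evidence package; it is not code from the original page, from ThreatExploit, or from the CMMC program. The 365-day recency window, the "high or above must be retest-verified" threshold, the system names, and the finding records are all assumptions chosen for the example; the control identifiers are real CMMC Level 2 practice IDs already cited on this page.

```python
"""Sanity check for a CMMC Level 2 pentest evidence package (added illustration).

All records below are constructed sample data. The recency window and the
verification threshold are assumptions an organization would set and document
in its own assessment plan, not values prescribed by CMMC.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RECENCY_WINDOW = timedelta(days=365)   # assumption: older test runs are treated as stale
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
VERIFY_THRESHOLD = "high"              # assumption: findings at/above this need a retest

# Finding category -> CMMC Level 2 practices it evidences (IDs cited on the page).
CONTROL_TAGS = {
    "sql_injection": ["RA.L2-3.11.2", "CA.L2-3.12.1", "SI.L2-3.14.1"],
    "broken_access_control": ["AC.L2-3.1.1", "CA.L2-3.12.1"],
    "missing_patch": ["RA.L2-3.11.2", "RA.L2-3.11.3", "SI.L2-3.14.1"],
}


@dataclass
class Finding:
    fid: str
    system: str
    category: str
    severity: str                 # tester-assigned technical severity
    cui_exposure: bool            # can exploitation reach CUI?
    found_on: date
    remediated_on: Optional[date] = None
    retest_on: Optional[date] = None
    retest_exploitable: Optional[bool] = None   # outcome of the verification retest


@dataclass
class TestRun:
    run_on: date
    systems: List[str]


def effective_severity(f: Finding) -> str:
    """Rate by CUI impact: an exploitable path to CUI is never rated below 'high'."""
    if f.cui_exposure and SEVERITY_RANK[f.severity] < SEVERITY_RANK["high"]:
        return "high"
    return f.severity


def is_verified_closed(f: Finding) -> bool:
    """Closed only when a retest run after the fix shows the flaw is no longer exploitable."""
    return (f.remediated_on is not None and f.retest_on is not None
            and f.retest_on >= f.remediated_on and f.retest_exploitable is False)


def check_evidence(cui_systems: List[str], runs: List[TestRun],
                   findings: List[Finding], assessment_date: date) -> Dict:
    """Return coverage gaps and a per-control evidence index for the package."""
    cutoff = assessment_date - RECENCY_WINDOW
    recent = [r for r in runs if r.run_on >= cutoff]
    covered = {s for r in recent for s in r.systems}
    gaps = {
        "stale_program": not recent,                                # no run inside the window
        "uncovered_cui_systems": sorted(set(cui_systems) - covered),  # in boundary, never tested
        "unverified_findings": sorted(
            f.fid for f in findings
            if SEVERITY_RANK[effective_severity(f)] >= SEVERITY_RANK[VERIFY_THRESHOLD]
            and not is_verified_closed(f)),
    }
    by_control: Dict[str, List[str]] = {}
    for f in findings:
        for ctrl in CONTROL_TAGS.get(f.category, []):
            by_control.setdefault(ctrl, []).append(f.fid)
    ok = not (gaps["stale_program"] or gaps["uncovered_cui_systems"] or gaps["unverified_findings"])
    return {"gaps": gaps, "evidence_by_control": by_control, "ok": ok}


# Constructed sample package (hypothetical systems, dates and findings).
ASSESSMENT_DATE = date(2026, 3, 1)
CUI_SYSTEMS = ["erp-app", "cui-fileshare", "vpn-gateway"]
RUNS = [
    TestRun(date(2025, 2, 10), ["erp-app", "vpn-gateway"]),   # older than the window: ignored
    TestRun(date(2025, 11, 3), ["erp-app", "vpn-gateway"]),
    TestRun(date(2026, 1, 20), ["erp-app"]),
]
FINDINGS = [
    # medium SQLi that reaches CUI: rated high, fixed, and retest confirms it is closed
    Finding("F-1", "erp-app", "sql_injection", "medium", True, date(2025, 11, 3),
            remediated_on=date(2025, 11, 20), retest_on=date(2025, 12, 1), retest_exploitable=False),
    # high-severity missing patch: fix claimed but never retested, so still open as evidence
    Finding("F-2", "vpn-gateway", "missing_patch", "high", True, date(2025, 11, 3),
            remediated_on=date(2025, 11, 15)),
    # low-severity issue with no CUI path: tracked, but below the verification threshold
    Finding("F-3", "erp-app", "broken_access_control", "low", False, date(2026, 1, 20)),
]

if __name__ == "__main__":
    result = check_evidence(CUI_SYSTEMS, RUNS, FINDINGS, ASSESSMENT_DATE)
    for key, value in result["gaps"].items():
        print(f"{key}: {value}")
    for ctrl, fids in sorted(result["evidence_by_control"].items()):
        print(f"{ctrl}: {', '.join(fids)}")
    print("evidence package ready:", result["ok"])
```

On the constructed data the check reports that cui-fileshare sits inside the CUI boundary but was never tested inside the window, and that F-2 cannot be presented as closed because no retest followed the fix; both are exactly the gaps an assessor would raise from the expectations above. The per-control index is what lets a reviewer pull every finding that evidences, say, RA.L2-3.11.2 without cross-referencing reports by hand.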
The organizations that approach CMMC compliance as an ongoing security program rather than a one-time certification event are the ones that pass their assessments cleanly and maintain their competitive position in the defense industrial base.
Frequently Asked Questions
Does CMMC require penetration testing?
At Level 2, CMMC 2.0 does not mandate penetration testing by name, but it does require periodic security assessments, and controls like RA.L2-3.11.2 (vulnerability scanning), RA.L2-3.11.3 (remediation), and CA.L2-3.12.1 (security assessment) are most effectively evidenced through penetration testing; most CMMC assessors expect to see it. At Level 3, penetration testing is an explicit requirement inherited from NIST SP 800-172 (CA.L3-3.12.1e).
What CMMC controls does penetration testing satisfy?
Penetration testing addresses RA.L2-3.11.2 (scan for vulnerabilities), RA.L2-3.11.3 (remediate vulnerabilities), CA.L2-3.12.1 (periodically assess security controls), and SI.L2-3.14.1 (identify and manage flaws). It also supports evidence for RA.L2-3.11.1 (risk assessments).
How often is penetration testing needed for CMMC compliance?
CMMC requires periodic security assessments. While annual testing may satisfy minimum requirements, continuous or quarterly automated pentesting provides stronger evidence and is increasingly expected by assessors.
