If your company holds a DoD contract — or is pursuing one — you already know that Cybersecurity Maturity Model Certification (CMMC) compliance is no longer a nice-to-have. It is a contract requirement. And increasingly, contracting officers are asking a pointed question early in the process: Have you had a penetration test? Understanding CMMC penetration testing requirements before your assessment window opens can be the difference between a smooth certification and a costly delay.

The answer matters. Get it wrong and you may fail your assessment, delay your certification, or — worst case — lose a contract you’ve spent months competing for.

This guide answers the CMMC penetration testing question directly. We’ll cover what CMMC 2.0 actually requires, which levels trigger penetration testing obligations, what assessors will look for, and how to find a provider that knows the difference between a standard pentest and a CMMC-aligned security assessment.


Section 1: What Is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s framework for ensuring defense contractors protect sensitive federal information. It replaced the older self-attestation model — where contractors essentially graded their own homework — with a structured certification process that includes third-party assessments.

CMMC 2.0 (the current version, finalized through the rulemaking process) organizes requirements into three levels:

| Level | Name | Who It Applies To | Assessment Type |
|---|---|---|---|
| Level 1 | Foundational | Contractors handling Federal Contract Information (FCI) | Annual self-assessment |
| Level 2 | Advanced | Contractors handling Controlled Unclassified Information (CUI) | Triennial third-party assessment (C3PAO) or annual self-assessment for non-prioritized acquisitions |
| Level 3 | Expert | Contractors on DoD’s highest-priority programs | Government-led assessment |

The vast majority of defense contractors fall under Level 2, which maps directly to NIST SP 800-171 Rev 2 — 110 security practices across 14 domains.

Who needs CMMC? Any organization in the Defense Industrial Base (DIB) that handles CUI. That includes prime contractors, sub-contractors, and suppliers in the supply chain. If your contract has a DFARS 252.204-7021 clause, CMMC applies to you.

Timeline: CMMC requirements are being phased into contracts. By mid-2026, new DoD solicitations are expected to include CMMC requirements at scale. The window to get certified before your next contract renewal is closing.


Section 2: Does CMMC Require a Penetration Test?

The short answer: not explicitly at Level 2, but effectively yes — for most organizations.

Here’s why.

CMMC Level 2 requires compliance with all 110 practices from NIST SP 800-171 Rev 2. Two of those practices directly address security testing and assessment:

  • CA.2.157 — “Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  • CA.3.162 (Level 3) — “Employ a penetration testing process that includes overt, covert, and targeted testing.”

At Level 2, CA.2.157 does not mandate penetration testing by name — but the requirement to assess whether controls are effective is where assessors have latitude. C3PAO assessors (Certified Third-Party Assessment Organizations) routinely ask for evidence that security controls have been tested under realistic conditions. A vulnerability scan or policy review alone rarely satisfies this requirement for organizations with a meaningful attack surface.

More importantly: your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) must document your assessment activities. Assessors review these documents. Organizations that have conducted penetration tests have significantly more credible documentation than those relying solely on automated scanning tools.

NIST 800-171 connection: Because CMMC Level 2 maps directly to NIST 800-171, guidance from NIST SP 800-115 (Technical Guide to Information Security Testing) is relevant context. That document explicitly recommends penetration testing as a component of security assessments.

The practical takeaway: if you’re pursuing Level 2 certification, a penetration test isn’t technically required by name — but assessors expect to see evidence of meaningful security control validation. For most organizations, a penetration test is the most defensible way to produce that evidence.


Section 3: CMMC 2.0 Level 2 Penetration Testing Requirements

Controls That Drive the Need for Penetration Testing

At Level 2, the following CMMC practices collectively create the expectation of penetration testing:

  • CA.2.157 — Periodic security control assessments
  • CA.2.158 — Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities
  • RA.2.141 — Periodically assess the risk to organizational operations, organizational assets, and individuals
  • RA.2.142 — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems are identified
  • SI.2.214 — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks

A penetration test produces findings that directly satisfy or inform several of these practices simultaneously — which is a significant efficiency argument in your favor.

What Assessors Look For

When a C3PAO assessor reviews your security posture, they are looking for evidence — not just documentation that claims controls exist. Preparing your team before the engagement begins is critical to making the most of that evidence — see How to Prepare Your Team for a Penetration Test for a full pre-engagement checklist. For testing-related practices, assessors commonly ask for:

  • Scope documentation (what systems were tested, when, by whom)
  • Methodology used (manual testing, automated scanning, exploitation)
  • Findings reports, including severity ratings
  • Evidence of remediation for identified vulnerabilities
  • Updated SSP and POA&M reflecting assessment results

A credible penetration test from a qualified firm gives you documentation that maps directly to these evidence requirements.

Frequency Requirements

NIST 800-171 and CMMC guidance use the term “periodically” — which intentionally avoids specifying a fixed interval. In practice:

  • Most C3PAOs expect to see testing within the 12 months prior to your assessment
  • Annual testing is the most defensible cadence
  • After significant infrastructure changes (new cloud environments, major application deployments), testing should be repeated

Annual testing is a compliance floor, not a security ceiling. For context on why annual-only programs leave meaningful exposure gaps, see Why Annual Penetration Tests Are Not Enough.

Internal vs. Third-Party Testing

Internal security teams can perform vulnerability assessments, but third-party penetration testing is strongly preferred for CMMC purposes. The independence of an external assessor adds credibility that internal testing cannot provide. Assessors are aware of this distinction.

Documentation You Must Maintain

  • Penetration test scope and rules of engagement
  • Methodology documentation
  • Final findings report (summary and technical detail)
  • Remediation tracking records
  • Updated SSP reflecting the assessment


Section 4: CMMC Level 3 Penetration Testing Requirements

Level 3 raises the bar significantly — and penetration testing becomes an explicit requirement rather than implied best practice.

CA.3.162 — “Employ a penetration testing process that includes overt, covert, and targeted testing” — is a Level 3 practice with no ambiguity. Organizations pursuing Level 3 certification must conduct penetration testing and must be able to demonstrate that testing covers all three modes:

  • Overt testing — Testing conducted with the knowledge and cooperation of IT staff (sometimes called “white box” testing)
  • Covert testing — Testing conducted without advance notice to operational staff, simulating an external attacker or malicious insider
  • Targeted testing — Testing focused on specific high-value assets, systems, or attack vectors

Government-Led Assessments

Level 3 certifications are conducted by DCSA (Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center) — not by independent C3PAOs. This means the government itself is reviewing your security posture, and the bar for evidence is correspondingly higher.

APT Simulation Requirements

Level 3 maps to a subset of NIST SP 800-172 practices, which are designed to defend against Advanced Persistent Threat (APT) actors — sophisticated adversaries with significant resources and patience. At this level, a standard penetration test is often insufficient. Organizations should expect to conduct or commission adversary simulation exercises that model realistic threat actor tactics, techniques, and procedures (TTPs).

If your company is in Level 3 territory, you likely need a firm capable of full red team operations — not just vulnerability scanning with some manual exploitation.


Section 5: What to Look for in a CMMC Penetration Testing Provider

Choosing a penetration testing firm is not a commodity decision, especially for CMMC purposes. The wrong provider can leave you with a report that looks impressive but fails to satisfy assessor evidence requirements.

Penetration Testing for Defense Contractors: C3PAO vs. Independent Firm

A C3PAO (Certified Third-Party Assessment Organization) is authorized to conduct your official CMMC Level 2 assessment. However, a C3PAO conducting your assessment cannot also be your penetration testing provider — that creates an obvious conflict of interest. Your penetration test should be conducted by an independent firm, with results feeding into your SSP before your C3PAO assessment begins.

Qualifications to Look For

When evaluating a penetration testing provider for CMMC readiness, prioritize firms whose team holds:

  • OSCP (Offensive Security Certified Professional) — the gold standard for hands-on pentesting skill
  • GPEN (GIAC Penetration Tester) — rigorous certification with an emphasis on methodology
  • GXPN (GIAC Exploit Researcher and Advanced Penetration Tester) — for Level 3 / adversary simulation work
  • CREST accreditation — particularly relevant if you have UK or international operations
  • Prior experience with DFARS/NIST 800-171 assessments specifically

Generic IT security firms that offer penetration testing as one of many services may not have the CMMC-specific knowledge your assessment requires.

For a detailed framework covering vendor evaluation beyond CMMC-specific considerations, see our full guide on how to choose a penetration testing company — including eight questions to ask before you hire and a downloadable vendor evaluation checklist.

Questions to Ask Before Hiring

Before signing an engagement, ask prospective providers:

1. Have you supported CMMC Level 2 or Level 3 assessments before? Can you share anonymized references?
2. Will your report map findings to specific NIST 800-171 controls?
3. How do you document scope, methodology, and evidence to satisfy C3PAO review?
4. Do you provide remediation guidance, or just findings?
5. What does your final deliverable include? (Executive summary, technical findings, remediation roadmap)

Why CMMC Knowledge Matters More Than You Think

A penetration test from a generic provider might find real vulnerabilities — but if the report doesn’t speak the language of NIST 800-171 and CMMC practices, it may not satisfy your assessor. You need a firm that understands how findings map to your SSP, how remediation evidence should be documented, and what a C3PAO assessor is actually looking for.


### Get Your CMMC Readiness Consultation — Free

Not sure where your organization stands before a CMMC assessment? StrikeHaven’s security team works with defense contractors at every stage of CMMC readiness — from initial gap assessments to full penetration testing aligned with NIST 800-171 controls.

Schedule a free CMMC readiness consultation →

No commitment. No sales pressure. Just a clear picture of where you stand.


Section 6: StrikeHaven’s CMMC Security Assessment Services

StrikeHaven Security provides penetration testing and security assessments specifically designed to support CMMC readiness. Our team holds OffSec, CREST, and related certifications, and we’ve worked with defense contractors navigating both Level 2 and Level 3 requirements.

What makes our approach different from a standard pentest engagement:

  • NIST 800-171 control mapping — Every finding in our report is mapped to the relevant CMMC practices and NIST controls, so your SSP documentation is ready for assessor review
  • Remediation-focused reporting — We don’t just list vulnerabilities; we tell you exactly how to fix them, with evidence documentation guidance
  • Assessment preparation support — We help you understand how your findings translate into your POA&M and what remediation evidence will satisfy a C3PAO
  • Full offensive spectrum — From vulnerability assessments to adversary simulation, we cover the full range of testing required at Levels 2 and 3

Defense contractors don’t have time to work with a firm that has to learn CMMC on the job. Our team brings that knowledge to every engagement.


Conclusion

CMMC penetration testing requirements aren’t always spelled out in plain language — which is exactly why so many defense contractors get caught off guard before their assessment. If your organization also handles commercial customer data subject to SOC 2 requirements, the overlap is meaningful — see our guide on SOC 2 penetration testing requirements for a full breakdown. For a comprehensive comparison of CMMC alongside SOC 2, HIPAA, and PCI DSS, download the 2026 Penetration Testing Buyer Guide.

Here’s what to remember:

  • Level 1 does not require penetration testing
  • Level 2 doesn’t mandate it by name, but CMMC 2.0 CA.2.157 and related controls create a strong practical expectation — and assessors expect to see credible evidence of security control testing
  • Level 3 explicitly requires penetration testing (CA.3.162), including overt, covert, and targeted modes
  • The time to schedule your penetration test is before your C3PAO assessment — not after a finding gap surfaces. Most C3PAOs expect to see testing completed within the prior 12 months, and remediation of findings takes time you may not have once your assessment window opens.

Your DoD contracts depend on getting this right.

### Ready to get started?

Request a free CMMC readiness consultation from StrikeHaven →


CMMC Penetration Testing Checklist

Use this before your CMMC assessment to verify your penetration testing is assessment-ready:

  • ☐ Penetration test completed within the last 12 months
  • ☐ Scope documentation includes all CUI-handling systems and network segments
  • ☐ Testing methodology is documented (manual + automated components)
  • ☐ Findings report maps vulnerabilities to NIST 800-171 / CMMC controls
  • ☐ All critical and high findings are remediated or have documented POA&M entries
  • ☐ Remediation evidence is documented and available for assessor review
  • ☐ SSP has been updated to reflect assessment results and any changes made
  • ☐ POA&M is current and accurately reflects open items
  • ☐ Testing was conducted by an independent third party (not internal team only)
  • ☐ Provider qualifications are documented (certifications, relevant experience)

Frequently Asked Questions

Can I use a vulnerability scan instead of a penetration test for CMMC Level 2?
A vulnerability scan (RA.2.142) satisfies a different control than a penetration test. Scans identify known vulnerabilities — but they don’t validate whether those vulnerabilities are actually exploitable or whether your detective controls work. For CA.2.157 compliance, assessors look for evidence that controls have been tested for effectiveness. A vulnerability scan alone is rarely sufficient for organizations with meaningful CUI environments.

How often do I need to conduct a penetration test for CMMC?
CMMC uses the term “periodically,” which C3PAOs interpret flexibly. Annual testing is the most commonly recommended cadence. You should also test after significant infrastructure changes, major new system deployments, or following any security incident.

Does my CMMC assessor (C3PAO) conduct the penetration test?
No. Your C3PAO conducts the official CMMC assessment — they evaluate your security posture. Your penetration test should be performed by an independent firm before your assessment, with results incorporated into your SSP and POA&M. The C3PAO reviews that documentation as part of their assessment.

What certifications should a CMMC-focused penetration tester have?
Look for OSCP (Offensive Security Certified Professional), GPEN (GIAC Penetration Tester), or CREST accreditation. Also verify that the firm has specific experience with NIST 800-171 control mapping — not just general penetration testing experience.

What’s the difference between CMMC Level 2 and Level 3 penetration testing?
At Level 2, penetration testing is a best-practice expectation tied to control assessment requirements. At Level 3, it’s an explicit practice (CA.3.162) requiring overt, covert, and targeted testing components. Level 3 assessments are also government-led (DCSA), which raises the evidence bar considerably.


For authoritative CMMC requirements, see the official CMMC resources from the DoD and NIST SP 800-171.