CMMC & NIST 800-171 penetration testing.
Security testing aligned to NIST 800-171 controls, for defense contractors and subcontractors preparing for CMMC assessment.
What CMMC actually requires.
CMMC Level 2 requires implementing all 110 controls in NIST SP 800-171, followed by third-party assessment from an accredited C3PAO. CMMC doesn't name "penetration testing" as its own line-item requirement — but two controls get you there in practice: 3.11.2 requires periodic vulnerability scanning, and 3.12.1 requires periodically assessing whether your security controls are actually effective, not just documented.
C3PAO assessors consistently expect penetration testing as the evidence behind 3.12.1. An organization that shows up with policies but no testing history is a common finding — "controls exist on paper, effectiveness unverified" is exactly the kind of gap that stalls a certification.
If you're working toward CMMC Level 3 (which layers in NIST SP 800-172), the requirement becomes explicit: penetration testing at least annually, or after any significant security-relevant change, combining automated scanning with hands-on testing from qualified people.
How this maps to what we do.
NIST 800-171 Gap Assessment
An audit against the specific 110 controls, before your C3PAO assessment — so findings surface on your terms, not theirs.
Penetration Testing
The hands-on evidence assessors expect for 3.12.1 — and the explicit requirement if you're pursuing Level 3.
Remediate & Retest
We retest after you fix what we find, so you walk into assessment with verified control effectiveness, not an open findings list.
Mapped to the specific control families.
AT Family (Awareness & Training)
An append-only audit trail plus three-tier RBAC (Admin / Operator / Read-only) map directly to the Awareness & Training control family assessors check for.
AC Family (Access Control)
Role-gated access to campaign data and per-employee results, with every sensitive read logged, supports the Access Control family's least-privilege and audit-logging expectations.
FedRAMP-Aligned Architecture
Not a FedRAMP authorization — we hold none. The platform is architected around the same control families FedRAMP assessors evaluate, which shortens the gap analysis if your program later requires it.
Preparing for a C3PAO assessment?
Tell us your target level and timeline — we'll scope testing to what your assessor will actually check.