← All frameworks Government & Defense

CMMC & NIST 800-171 penetration testing.

Security testing aligned to NIST 800-171 controls, for defense contractors and subcontractors preparing for CMMC assessment.

$ cat cmmc-nist-800-171.txt

What CMMC actually requires.

$ ls /cmmc/services

How this maps to what we do.

NIST 800-171 Gap Assessment

An audit against the specific 110 controls, before your C3PAO assessment — so findings surface on your terms, not theirs.

Penetration Testing

The hands-on evidence assessors expect for 3.12.1 — and the explicit requirement if you're pursuing Level 3.

Remediate & Retest

We retest after you fix what we find, so you walk into assessment with verified control effectiveness, not an open findings list.

$ cat nist-800-171-families.txt

Mapped to the specific control families.

AT Family (Awareness & Training)

An append-only audit trail plus three-tier RBAC (Admin / Operator / Read-only) map directly to the Awareness & Training control family assessors check for.

AC Family (Access Control)

Role-gated access to campaign data and per-employee results, with every sensitive read logged, supports the Access Control family's least-privilege and audit-logging expectations.

FedRAMP-Aligned Architecture

Not a FedRAMP authorization — we hold none. The platform is architected around the same control families FedRAMP assessors evaluate, which shortens the gap analysis if your program later requires it.

Preparing for a C3PAO assessment?

Tell us your target level and timeline — we'll scope testing to what your assessor will actually check.

Request an assessment