Penetration Testing and CMMC Compliance


Penetration testing is an increasingly common security practice for businesses that run sophisticated IT or cloud systems. Under CMMC, it matters even more, because certification at the higher maturity levels calls for some form of penetration testing. 

Here we’re discussing how penetration testing plays into CMMC regulations and when you can begin to expect it as a requirement. 

What is CMMC and Why Would I Need Penetration Testing?

CMMC is a relatively new security standard required of contractors working with the Department of Defense and other federal agencies when they handle Controlled Unclassified Information (CUI). 

CUI is a unique form of data, in that it is not classified information (which would typically route through SIPRNet or other classified router networks) and yet its safety and security are important enough to warrant special protection. The classification of CUI was created under an Executive Order during the Obama administration to promote new security guidelines to protect such data. 

Accordingly, NIST Special Publication 800-171 was created to define security measures and practices to protect CUI. These regulations apply to both federal agencies and contractors working with those agencies that create, manage, transmit or store CUI. 

Since protecting CUI is such an important mission, it was decided that a security standard and model should be put into place that would normalize cybersecurity, risk management and governance maturity models for contractors working in the DoD supply chain. This standard became what we now know as CMMC, currently (as of August 2021) rolling out as a standard requirement for all DoD contracts. 

While NIST 800-171 serves as the basis for CMMC requirements, the standard itself adds a few specific elements to streamline assessment under a rigorous framework:

  1. CMMC is based on maturity. That is, an organization must not only have certain controls in place, but it must demonstrate that it can perform certain tasks like planning remediation, documenting policies and planning proactive security measures. 
  2. All CMMC maturity designations fall under 5 different maturity levels, each of which denotes an organization’s security hygiene and capabilities. Contractors are expected to meet a minimum set of practices, technologies and policies to earn certification at a particular level. 
  3. CMMC certification requires an audit and sign-off from a Certified Third-Party Assessment Organization (C3PAO). Many previous security regulations allowed self-assessment and reporting, but CMMC changed that to ensure a standardized level of testing and reporting. 

Because maturity, in this context, is defined to include both cyber hygiene and technical safeguards, it naturally includes several common security practices as requirements, including vulnerability scanning and penetration testing. 


At What Levels Do I Need Penetration Testing Under CMMC?

At a minimum, a contractor or subcontractor in the DoD supply chain seeking authorization to manage, store, transmit or create CUI for a federal agency must meet CMMC Level 3 Maturity.

CMMC maturity levels that allow for the handling of CUI include:

  1. Level 3 Maturity: At this level, the contractor demonstrates that they have “Good” cyber hygiene as defined in NIST 800-171 and CMMC guidelines. Additionally, the organization must show that it can establish, and has established, a cybersecurity plan outlining company missions, goals, projects, training and stakeholders. 
  2. Level 4 Maturity: Level 4 calls for “Proactive” hygiene in which an organization can protect CUI against Advanced Persistent Threats (APTs) and includes enhanced requirements from NIST 800-171. Additionally, the organization will have the ability to review its cybersecurity infrastructure and make changes based on those reviews. 
  3. Level 5 Maturity: At level 5, an organization is improving their ability to detect and respond to APTs and can optimize security across their organization. 

Each level of hygiene consists of several practices collected into categories known as “domains”. Each domain covers a critical security approach like Access Control (AC), Incident Response (IR) or Security Assessment (CA).

The last of these, Security Assessment, contains specific requirements that organizations “assess security controls in organizational systems and the environments in which those systems operate.” At Levels 4 and 5, it is expected that organizations can perform, and do perform, the following practices:

  • Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts (Practice CA.4.164)
  • Periodically perform red teaming against organizational assets in order to validate defensive capabilities (Practice CA.4.227)

So, at Levels 4 and 5 you will be expected to perform scans and penetration tests as part of your overall security roadmap. 


Is a Vulnerability Scan Enough for CMMC Compliance?

At higher levels, vulnerability scans are not sufficient. 

The difference between a vulnerability scan and a penetration test is evident in the names of the practices: a vulnerability scan is an assessment of vulnerabilities, often automated, followed by a report on those vulnerabilities. A penetration test, and in particular a Red Team exercise, is a concerted effort, typically by human experts, to break into a system through known and newly discovered vulnerabilities, using techniques seen in the wild. 

At lower CMMC levels, the CMMC Authorization Board expects vulnerability scans. Specifically, CMMC Level 2 includes vulnerability scans as part of the Risk Management (RM) domain of practices. This means that at any subsequent level, vulnerability scanning is required. 

However, once you undergo auditing for CMMC Level 4 or higher, you must include penetration testing as part of your cybersecurity practices. 


CMMC Auditing and Support from Continuum GRC

CMMC security isn’t just about checking boxes… It’s about ensuring that every box checked contributes to your business and security operations. Penetration testing is a critical practice for most enterprise and data-driven companies, and those seeking CMMC certification will want to consider it even if their target level does not require it. 


Want to Learn More About Continuum GRC and the ITAM Platform?

Call 1-888-896-6207 or complete the form below. 
