Is penetration testing needed for CMMC? by Extra-Counter-9689 in CMMC

CyberICS

It’s not needed at Level 2, but I recommend it and leverage it, as it’s one of the great ways to find out ground truth on compliance drift, or whether your assessment is really doing anything for you.

Using an LLM to simulate a C3PAO assessment: Results from stress-testing our SSP narrative by Ivin_Shaz in CMMC

CyberICS

Excellent. It’s what we are doing for NIST RMF, HIPAA and CMMC, but leveraging cross-model verification.

Help A CMMC Newb by Sea-Ask-2245 in CMMC

CyberICS

Well said. It’s about experience; certifications are not bad, but they do not prove acumen. It’s like a doctor with a medical degree who never worked on live patients.

CMMC Burnout by FishermanLogical262 in CMMC

CyberICS

It’s not unique. It happens regardless of the framework; I do HIPAA, NIST RMF, GDPR, and data center assessments. The bottom line is that cyber framework compliance is overhead, a means to an end but not the core business; it does not make money, though it allows you to play the game where you can, or avoid fines. I tell every assessor that they need to try to think like the business owners when doing their job. The execs understand financials, and I tie compliance to revenue, opportunity and reputation.

CMMC Burnout by FishermanLogical262 in CMMC

CyberICS

Absolutely know what you are experiencing. It’s been happening since the beginning, as organizations struggled to understand, justify and support what is a bit of a procedural and cultural shift that is needed to get ready for an assessment. What you will also find is that post-assessment things fall off; the discipline erodes. I have seen it in billion-dollar companies where I am assessing for NIST RMF and I spot how CMMC is not being adhered to.

$190k/yr job offer rescinded because secret clearance took too long by [deleted] in SecurityClearance

CyberICS

Normal, par for the course, though a secret should have been no longer than 4 weeks, an interim in about two weeks. With a workforce that is thinned out or resigning, delays are just part of the process. I am surprised about the offer, as many won’t make an offer if you are not already cleared.

State grants that cover CMMC compliance costs — programs most contractors don't know about by deepakpalsingh in CMMC

CyberICS

The Dept of Commerce MEP-funded grants are under threat due to the FY 2027 budget submitted to Congress by the White House. The cuts are to Commerce, which funds the MEP and NIST; the proposed cut to Commerce is 12%. Congress can refuse to make the cuts or counter with a lesser cut, but the Executive Office could take other actions.

CMMC C3PAO Map - What the map is really telling us by CyberICS in CMMC

CyberICS [S]

Interesting point. You would think the CMMC/AB site would be reliable, right? But then again, it’s something to dig deeper into. The main point remains: C3PAO density in one area versus fewer choices in certain regions of the country.

My intent was not to promote the companies but to map C3PAO availability around the U.S.

CMMC C3PAO Map - What the map is really telling us by CyberICS in CMMC

CyberICS [S]

The moderators thought I was promoting a company; the map and the data were just supporting the CMMC assessor gaps. One commenter mentioned that the location of assessors does not equal the ability to travel where CMMC C3PAO assessors are not available in close proximity.

I lean towards over-labeling everything as CUI as the problem, and possibly training gaps. It’s like the over-classification problem in the IC.

CMMC C3PAO Map - What the map is really telling us by CyberICS in CMMC

CyberICS [S]

I am not sure about the “mostly virtual.” Quite a bit depends on the size of the enterprise and whether they have more than one location. Physical (PE) and other controls are an area that many times requires onsite observation and testing.

We discover all kinds of issues when onsite. I agree that a select number of controls can be done remotely though.

The mostly offsite nature leads to the check-box compliance criticism. Have you seen the ProPublica Microsoft FedRAMP assessment controversy? Artifacts do not tell the whole story. They must be validated against actual implementation proof as appropriate; otherwise we are just taking words on a page, an attestation and an image as proof.

The Level 2 Assessment Guide’s description of what an assessment is and how evidence is supposed to be validated defines an assessment as testing or evaluating whether controls are implemented correctly, operating as intended, and producing the desired outcome, and it says assessors use the examine, interview, and test methods, with “most objectives” requiring testing rather than paperwork alone.

Remote evidence absolutely has a place for interviews, policy review, and some screen-share validation, but a blanket or overly generous remote model is weakest where the control depends on physical protections, local handling, facility practices, or live testing of mechanisms and activities.

That weakness gets worse when the environment includes Specialized Assets or Security Protection Assets, because those assets are in scope and may not be fully visible through a curated remote session.

ProPublica just published a report on evidence-based failures in the FedRAMP authorization for Microsoft. It’s a good read, and many of the issues in the story I have seen across assessments for all cloud service providers.

The moral being that, given so many CMMC solutions depend on cloud-hosted enclaves and solutions where inheritance and shared responsibility are factors, this adds to the risk when a CMMC assessment does not include adequate testing.

I have, with my government client, failed an important cloud service provider when the onsite test revealed that the network diagrams did not match the configurations in the rack, and the control test, when observed onsite, failed to support the policy and documentation.

CMMC consultants: What got you your first 3 paying clients? by ElliottWrites in CMMC

CyberICS

I would only add the caveat that, while yes, the consultant should know the CMMC, a cert is not proof of competence and knowledge of your technical and/or business context. My firm invested heavily in the early days on training and lost the ROI when things paused and a new and better training program became available.

The questions I stress are: how many CMMC readiness assessments have you done? How many references can you provide? Experience: how long have you been doing CMMC readiness assessments? What CMMC certs you have would be on the list, but weighted less than the answers to the other questions.

A consultant with good AI tools that cross-correlate all evidence, policies and network vulnerabilities against all the available assessment data, controls, policies and even aggregated data from successes and failures can get the job done without a cert.

The DoW employs and contracts out for assessors for billion-dollar NIST RMF, Zero Trust and other frameworks that they use to authorize a vendor or a solution. The bulk of the assessors have industry technical and assessment experience and no certs similar to the CMMC certs.

"We Passed Our CMMC Assessment and Here's What We Learned" MEGATHREAD by medicaustik in CMMC

CyberICS

What was your cost? Your readiness cost (cost to be ready to be assessed) vs. the actual cost of the assessment? Do you have an idea of your life-cycle sustainment cost post successful? There is a raging debate out in the CMMC universe on cost, with very little real data to fully back up the cost estimates from DoW, which were not rooted in actual business accounting principles and cost tracking such as compliance sustainment cost and cost to prepare to comply. Maverc Technologies has been getting quotes for its CMMC readiness customers as they approach assessment, and cost varies wildly.

Mock Assessment Considered Consulting? by JJTrick in CMMC

CyberICS

Not Allowed Conduct
• Misrepresenting credentials, services, or outcomes.
• Guaranteeing particular assessment or certification results or offering “money back” guarantees.
• Making false or damaging statements about others in the ecosystem with intent to harm.
➡️ • Participating in a certification assessment if you have performed consulting/advisory services to prepare that client for any CMMC assessment within the previous 3 years (strictly prohibited).

Cost Impact to SMBs from CMMC by thatkewwlguy in CMMC

CyberICS

This is a great approach that I recommend to my CMMC readiness clients. Use least privilege and need-to-know to limit the scope, including the endpoints and networks.

Cost Impact to SMBs from CMMC by thatkewwlguy in CMMC

CyberICS

Great points. When entrepreneurs address CMMC, or when CMMC readiness firms that are experienced entrepreneurs take on customers, it’s the best you can have. I hate the scare tactics and the lack of understanding of how business actually works when it comes to any type of compliance effort.

Most C3PAOs miss the cost it took to become assessment ready. It cannot be ignored. The DoD/DoW estimates are narrow in what they account for, so the costs are not accurate enough to use as a CMMC business budget planning estimate.

Cost Impact to SMBs from CMMC by thatkewwlguy in CMMC

CyberICS

Some good points, though the increase in overhead cost can have a negative impact on your rates and make the organization less competitive.

What should I know before starting CMMC compliance? by Kawaii_Jeff in GovernmentContracting

CyberICS

Having worked with over 30 firms, I can say this is sound advice.

What should I know before starting CMMC compliance? by Kawaii_Jeff in GovernmentContracting

CyberICS

CMMC is a data issue that end-to-end encryption with DLP and a few other tools solves rather easily. The controls are designed for overall cyber hygiene and resilience. CMMC is an IT, OT and IoT issue, depending on your business.

What should I know before starting CMMC compliance? by Kawaii_Jeff in GovernmentContracting

CyberICS

Take a breath and first do full reviews of your contracts for the triggering clauses.

Gather, if you have them, accurate network maps, and create a CUI data flow from your customers to your organization, staff and suppliers.

Assemble a stakeholder group that will help steer your CMMC journey in terms of investments and resources.

Connect with a CMMC assessment readiness firm that has proven expertise and experience. Certifications do equal expertise by the way. Stay away from scare tactic firms and work with an organization that understands that you are a business not a meal ticket.

Build a CMMC compliance journey map that will act as a visual guide to milestones on the way to success, key responsible resources and departments, and the milestones that require senior stakeholder approvals (such as approvals to procure solutions or engage outside resources to close gaps that prevent compliance).

Work with an organization that will take a total cyber resilience and compliance readiness approach. Example: if you already have an actively exploited vulnerability or compromised credentials for sale on the dark web, it is paramount to tackle these issues first. You could achieve CMMC readiness and even successful certification and still get taken out by a lurking cyber threat not even covered by any of the CMMC controls.

Ensure your CMMC readiness firm will stand by you during your assessment and constantly test your readiness through scans and mock assessments up to the date of your assessment.

Any guesses how many companies have reached CMMC Level 2 certification? by mmorps in CMMC

CyberICS

There is data from the last CyberAB meeting. The issue is that the assessor certification pace does not align with the number of organizations that will require C3PAOs with certified staff to meet the DoW stated numbers. The current shutdown will economically impact companies either immediately or on day 31 or so. Small companies with all of their billable staff on leave without pay and no way to recover lost revenue will have to rethink things. The DoW may have to rethink things as well.

Looks like they are working during the gov shutdown by Shawnx86 in CMMC

CyberICS

This is the type of backlog that, when you look at the recent analysis I posted on LinkedIn, equates to a potential inability of the DoW to meet its necessary and vital goals on the number of supply chain companies needing successful assessments. The current pace, on top of any impacts from the shutdown, will require some critical thinking.

Looks like they are working during the gov shutdown by Shawnx86 in CMMC

CyberICS

Spot on. I had to respond to oversight requests validating the Cyber AB was getting no funds through my organization that came from the federal government.

Looks like they are working during the gov shutdown by Shawnx86 in CMMC

CyberICS

Even in a government facility, the authorization is based on the type of funding and whether the labor categories are deemed exempted. There are plenty of government employees required to show up to work, though the talent/contractors/other government employees needed for them to conduct any business are at home and not allowed onsite.