Field Report / CMMC 2.0
CMMC 2.0 Level 2 pentest evidence: what your C3PAO actually wants.
Published June 3, 2026 · 11 min read · Field report
By the time a DoD contractor calls us about CMMC 2.0 Level 2 pentest evidence, the audit date is usually 60 to 90 days out. There is no margin for a rejected report. The C3PAO assessor needs specific artifacts, in a specific format, mapped to specific controls. This is a field report on what they actually want, written from working with a half-dozen C3PAOs on real Level 2 assessments.
What CMMC 2.0 Level 2 actually requires for pentest evidence
Level 2 is approximately 110 controls drawn from NIST SP 800-171 Rev 2 plus a small set of additional CMMC-specific practices. Of those, pentest evidence directly supports the following control families:
- Access Control (3.1.x): pentest validates that access boundaries actually hold under adversary pressure, not just that they are documented.
- System and Communications Protection (3.13.x): pentest evidence of network segmentation, encryption-in-transit, and boundary protection effectiveness.
- System and Information Integrity (3.14.x): pentest validates that vulnerability identification, monitoring, and incident response work in practice.
- Risk Assessment (3.11.x): pentest IS the risk assessment evidence for technical exposure.
C3PAOs do not just want a pentest report. They want artifacts that map findings to these control families, so the assessor can document control effectiveness in their assessment report.
The five things C3PAO assessors actually check
1. Scope statement that names the CUI boundary
A pentest report that says "we tested the corporate network" is not evidence of Level 2 control effectiveness. The assessor needs the report to name the CUI boundary explicitly: which subnets, which workstations, which applications, which data flows handle Controlled Unclassified Information. If the pentest scope does not match the CUI boundary, the assessment fails or requires a re-scope mid-audit.
2. Methodology citation
The methodology section must cite a recognized standard. NIST SP 800-115 is the safest. PTES (Penetration Testing Execution Standard), OWASP Testing Guide for application-heavy scopes, or OSSTMM for thorough operational coverage all work. A report without an explicit methodology citation reads as ad hoc and gets flagged.
3. Finding-by-finding traceability
Every finding in the report must trace to a specific NIST 800-171 control. "SQL injection in the procurement portal" is not enough. The assessor wants "SQL injection in procurement portal violates 3.13.5 (Implement subnetworks for publicly accessible system components) and 3.14.1 (Identify, report, and correct system flaws)." This traceability is what lets the assessor write the assessment report cleanly.
4. Severity classification using a recognized scheme
CVSS v3.1 is the standard. Each finding gets a base score. Critical, High, Medium, Low classifications align with NIST recommendations. C3PAOs reject reports that use vendor-invented severity schemes like "P1/P2/P3" without CVSS scores.
5. Remediation re-test evidence
This is the most-missed requirement. Finding a vulnerability and recommending a fix is half the work. The pentest evidence package must include re-test results that confirm the remediation worked. C3PAOs treat the original pentest as the "test of design" and the re-test as the "test of operating effectiveness." Without both, the control evidence is incomplete.
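The three report-format checks above (control traceability, CVSS-based severity, and a recorded re-test result), plus the scope and methodology checks from items 1 and 2, are mechanical enough to lint before the package goes to the assessor. The following Python linter is an added example and is not any C3PAO's tooling or part of any standard; the package layout (`scope`, `methodology`, `findings`, `controls`, `cvss_base`, `severity`, `retest`) and the sample findings are assumptions constructed for the example. The severity mapping is the CVSS v3.1 qualitative rating scale (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).

```python
"""Pre-submission linter for a CMMC Level 2 pentest evidence package.

Added example, not the page's or any assessor's code. The package field
names below are assumptions chosen for this example.
"""
import re

# NIST SP 800-171 Rev 2 requirement IDs have the form 3.<family>.<number>,
# with families 3.1 (Access Control) through 3.14 (System and Info Integrity).
CONTROL_ID = re.compile(r"^3\.(?P<family>\d{1,2})\.\d{1,2}$")
FAMILIES = set(range(1, 15))

# The report must cite at least one of these methodology standards.
RECOGNIZED_METHODOLOGIES = {"NIST SP 800-115", "PTES", "OWASP Testing Guide", "OSSTMM"}

# Re-test outcomes the package is allowed to record per finding.
RETEST_RESULTS = {"remediated", "open", "risk_accepted"}


def cvss_severity(score):
    """Map a CVSS v3.1 base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def lint_package(pkg):
    """Return a list of issue strings; an empty list means the package passes."""
    issues = []

    # Item 1: the scope must name the CUI boundary explicitly.
    if not pkg.get("scope", {}).get("cui_assets"):
        issues.append("scope: CUI boundary not named (no in-scope CUI assets listed)")

    # Item 2: a recognized methodology must be cited.
    if not set(pkg.get("methodology", [])) & RECOGNIZED_METHODOLOGIES:
        issues.append("methodology: no recognized standard cited")

    for finding in pkg.get("findings", []):
        fid = finding.get("id", "<no id>")

        # Item 3: every finding traces to at least one valid 800-171 control.
        controls = finding.get("controls", [])
        if not controls:
            issues.append(f"{fid}: no NIST 800-171 control mapped")
        for ctrl in controls:
            match = CONTROL_ID.match(ctrl)
            if not match or int(match.group("family")) not in FAMILIES:
                issues.append(f"{fid}: '{ctrl}' is not a NIST 800-171 control id")

        # Item 4: severity must come from a CVSS v3.1 base score, not a vendor scheme.
        score = finding.get("cvss_base")
        if score is None:
            issues.append(f"{fid}: missing CVSS v3.1 base score")
        else:
            try:
                expected = cvss_severity(score)
            except ValueError as exc:
                issues.append(f"{fid}: {exc}")
            else:
                if finding.get("severity") != expected:
                    issues.append(
                        f"{fid}: severity '{finding.get('severity')}' "
                        f"does not match CVSS {score} ({expected})"
                    )

        # Item 5: a re-test result must be recorded for every finding.
        retest = finding.get("retest")
        if retest is None:
            issues.append(f"{fid}: no re-test result recorded")
        elif retest.get("result") not in RETEST_RESULTS:
            issues.append(f"{fid}: re-test result '{retest.get('result')}' not recognized")

    return issues


# Constructed sample package: F-001 is a well-formed finding, F-002 has the
# three defects the text warns about (no control linkage, vendor severity, no re-test).
SAMPLE_PACKAGE = {
    "scope": {"cui_assets": ["engineering workstation VLAN", "PLM server", "supplier portal API"]},
    "methodology": ["NIST SP 800-115", "OWASP Testing Guide"],
    "findings": [
        {"id": "F-001", "title": "SQL injection in procurement portal",
         "controls": ["3.13.5", "3.14.1"], "cvss_base": 9.8, "severity": "Critical",
         "retest": {"date": "2026-05-20", "result": "remediated"}},
        {"id": "F-002", "title": "Supplier portal login served over plain HTTP",
         "controls": ["AC-3"], "cvss_base": 7.5, "severity": "P1"},
    ],
}

if __name__ == "__main__":
    for issue in lint_package(SAMPLE_PACKAGE):
        print(issue)
```

Run against the sample, the linter reports three issues, all against F-002: `AC-3` is a SP 800-53 identifier rather than an 800-171 requirement, `P1` is not the CVSS rating for a 7.5 (High), and no re-test is recorded. A package with no scope section and no methodology fails on both package-level checks regardless of its findings.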
The CMMC pentest mistakes we see most
Mistake 1: testing the corporate network and not the CUI boundary
A defense manufacturer is required to protect CUI on engineering workstations, in the PLM system, and through the supplier portal. A pentest that hits the corporate network but skips the engineering workstation environment misses the actual CMMC scope.
Mistake 2: no re-test in scope
Pentest vendors often quote re-test as a separate engagement, billed at 25-40% of original cost. C3PAOs view re-test as required evidence. If the contractor cannot produce re-test results, the audit either fails or stalls until they fund a second engagement, blowing the audit timeline.
Mistake 3: report format that does not map to NIST 800-171
Many pentest reports list findings sequentially without mapping to controls. C3PAOs have to do that mapping themselves, which delays assessment and frequently produces gaps. The assessor cannot certify control effectiveness if the pentester did not establish the control linkage.
Mistake 4: missing the supplier integration scope
If a manufacturer integrates supplier data through APIs, EDI, or shared portals, those integration points handle CUI. A CMMC 2.0 pentest scope that stops at the firewall misses where CUI actually flows. Real CMMC pentesting tests the integration seams.
What this means for your audit timeline
If you have a CMMC 2.0 Level 2 audit on the calendar in the next 90 days, the pentest needs to start now. An 8-week engagement (scoping through re-test) leaves 4 weeks for C3PAO assessment prep. A 12-week engagement leaves no margin. If your audit is sooner, work backwards from the date.
If you do not have an audit date yet but your DoD prime is asking when you will be Level 2, run the pentest before the contract is contingent on it. Audit timelines compress fast when a prime puts a date on the table.
The honest pentest pricing range
For Level 2 scope (small to mid-sized DoD contractor, 1-3 manufacturing sites, CUI on engineering workstations + PLM + supplier integrations), pentest evidence packages run $28K to $55K. That range covers external and internal pentesting, engineering workstation testing, NIST 800-171 mapping, the written report, and the remediation re-test.
Lower than $28K usually means re-test is excluded or the scope is too narrow to produce defensible evidence. Higher than $55K usually means red-team scope or multiple manufacturing sites at distance requiring multiple on-site weeks.
Level 3 scope (NIST 800-172 enhanced security requirements, ~134 controls) adds red-team, APT simulation, and supply chain attack vector testing. Engagements run $65K to $120K.
If you are starting this conversation now
Three things to nail down before requesting quotes:
- Define your CUI boundary on paper. Which systems handle CUI? Which do not? If you cannot answer this, the pentest cannot be scoped accurately.
- Identify your C3PAO if you have one. Some C3PAOs have format preferences. Sharing those in scoping eliminates rework.
- Set the audit date or the prime contract date. The pentest engagement schedule works backwards from the assessment date. Without a date, scoping wobbles.
If you want a confidential briefing on what your CMMC 2.0 Level 2 pentest evidence package would look like for your specific CUI boundary, we do those weekly. See the full CMMC 2.0 pentest service page or send a briefing request.