CMMC Level 3 Requirements

Here are the requirements for CMMC Level 3. Get up to speed on the new regulations.
cmmc level 3 government compliance
Information Center

The Cybersecurity Maturity Model Certification (CMMC) sets forth stringent cybersecurity standards for defense contractors working with the Department of Defense (DoD) to safeguard Controlled Unclassified Information (CUI). CMMC 2.0 Level 3, often called the “Expert” level, ensures the highest level of protection for CUI, particularly for defense missions. This level incorporates advanced and detailed practices, requiring companies to have well-documented and sophisticated processes in place to meet stringent security standards.

Key Takeaways

  • CMMC 2.0 Level 3 mandates advanced security practices for defense contractors to protect Controlled Unclassified Information (CUI).
  • Achieving CMMC Level 3 certification will soon be essential for bidding on DoD.
  • CMMC Level 3 aligns with NIST SP 800 171 and adds 24 additional controls to enhance cybersecurity measures.
  • Defense contractors must secure both CUI and Federal Contract Information (FCI).
  • Regular security assessments and continuous monitoring are critical components of maintaining Level 3 compliance.
  • The certification process includes self-assessment, remediation, third-party assessment, and government validation for highly sensitive contracts.

Empower your compliance journey

Get early access to the only compliance tool that truly simplifies the process.

CMMC Level 3 Objectives

CMMC 2.0 Level 3 is designed to provide the highest level of protection against advanced persistent threats (APTs) targeting the defense industrial base. The standards set forth in Level 3 are essential for maintaining the security of critical defense supply chains and supporting key defense programs. Meeting these standards will soon be a regulatory requirement. It is also a critical step in safeguarding national security.

Why is it Important to Government Contractors?

CMMC 2.0 Level 3 will soon be essential for eligibility to bid on DoD contracts. Without CMMC Level 3 certification, contractors may be ineligible to bid on contracts involving sensitive information, making it a necessary qualification for participating in high-priority defense-related projects.

What is Cybersecurity Maturity Model Certification

CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). The framework includes multiple levels of maturity, with Level 3 representing the highest standard necessary for protecting sensitive information in DoD contracts. It aims to enhance cybersecurity practices and reduce risks from threats.

Controlled Unclassified Information (CUI)

CUI requires safeguarding or dissemination controls and includes technical information, operational details, financial data, and personal information.

Federal Contract Information (FCI)

FCI, provided or generated under government contracts, includes procurement details, contract data, and performance reports. These data types are crucial for national security and defense operations.

Key Requirements and Compliance for CMMC Level 3

CMMC 2.0 Level 3 aligns with the security requirements of NIST SP 800-171 Rev. 3 and adds 24 additional controls from NIST SP 800-172. These practices are crucial for protecting CUI and ensuring the integrity and security of the defense supply chain.

Security Practices

The security practices for CMMC Level 3 are extensive and categorized into several key areas:

  • Access Control (AC): Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. Employ secure information transfer solutions to control information flows between security domains on connected systems. Example: Implement multi-factor authentication (MFA) to enhance security for system access.
  • Awareness and Training (AT): Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors. Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, aligned with current threat scenarios.
  • Audit and Accountability (AU): Maintain records of system activities to detect and respond to security incidents. Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove or quarantine the components to facilitate patching, re-configuration, or other mitigations.
  • Configuration Management (CM): Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
  • Identification and Authentication (IA): Verify identities of users, devices, and systems before granting access.
  • Incident Response (IR): Prepare for and mitigate the impact of cybersecurity incidents.
  • Maintenance (MA): Ensure secure system maintenance procedures.
  • Media Protection (MP): Protect digital and physical media containing CUI. Example: Encrypt data at rest and in transit to prevent unauthorized access.
  • Physical Protection (PE): Secure physical access to systems and data.
  • Risk Assessment (RA): Identify and assess risks to organizational operations and assets.
  • Security Assessment (CA): Evaluate the effectiveness of security controls.
  • System and Communications Protection (SC): Protect the confidentiality and integrity of transmitted information.
  • System and Information Integrity (SI): Ensure systems and data remain secure from unauthorized modifications.

Assessment and Certification

Compliance with these practices is verified through various assessments:

  • Triannual Government-Led Assessments: Mandatory for the most critical roles within the defense supply chain, conducted by the Department of Defense (DoD).
  • Annual Affirmations: Required for contractors to continually monitor and affirm their compliance with CMMC guidelines through the Supplier Performance Risk System (SPRS).

System Security Plan

A key part of meeting CMMC Level 3 requirements is the development and maintenance of a System Security Plan (SSP). This document outlines the security practices and policies in place to protect CUI and demonstrates how the organization adheres to CMMC guidelines.

Steps to Achieve CMMC Level 3 Certification

  1. Initial Self-Assessment: Contractors start with a self-assessment against the NIST SP 800-171 standards, which include 110 security practices. This self-check is crucial for identifying gaps in cybersecurity practices and planning how to address them.
  2. Remediation and Plan of Action & Milestones (POA&M): Following the self-assessment, contractors need to address any security issues identified. This step may include developing a Plan of Action & Milestones (POA&M) that outlines specific measures and timelines to fully meet the security standards.
  3. Third-Party Assessment: For Level 3, a third-party assessment conducted by an accredited CMMC Third Party Assessment Organization (C3PAO) is required. This assessment confirms that the necessary security measures and controls are in place. The results of the assessment are documented in the Supplier Performance Risk System (SPRS) to enable contracting officers to verify the offeror’s certification level and its currency.
  4. Government Validation: For contracts with highly sensitive CUI, a government-led validation may be required. This additional assessment ensures that the highest standards of cybersecurity are maintained. The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts the validation assessment. All objectives defined in NIST SP 800-172A for the corresponding CMMC Level 3 security requirements must be met for successful implementation.

Continuous Monitoring and Annual Affirmations

Once certified, contractors must submit annual affirmations of continued compliance through the Supplier Performance Risk System (SPRS). This includes updating any necessary action plans and demonstrating ongoing adherence to the security requirements. The affirmation process ensures that contractors maintain their certification status and remain eligible for contracts involving CUI.

Detailed Implementation Guidance for CMMC Level 3

Scoping and Preparation for CMMC Level 3

The first crucial step in preparing for CMMC 2.0 Level 3 is to thoroughly understand the assessment scope. According to the CMMC Assessment Scope guidelines, this involves identifying all relevant systems, processes, and information to be evaluated. This step includes a detailed analysis of where Controlled Unclassified Information (CUI) is stored, processed, and transmitted within the organization’s network.

System and Process Identification: Organizations need to map out every system and process that handles CUI. This encompasses both digital environments and physical storage locations, ensuring that all potential security risks are identified and addressed.

Information Flow Analysis: Understanding the movement of CUI within and outside the organization is essential. This involves analyzing how information flows between systems, which is critical for implementing effective security measures.

Implementing Required Security Controls

Once the scope is defined, the next step is to implement specific security controls as outlined in NIST SP 800 171 and NIST SP 800-172. These controls are designed to protect the confidentiality, integrity, and availability of CUI across various domains.

Access Control Measures: Robust access control measures must be established to ensure that only authorized personnel can access CUI. This includes employing least privilege principles, multi-factor authentication, and careful management of user identities.

Media Protection Strategies: It is crucial to protect digital and physical media containing CUI. Strategies should include encryption, secure storage, and proper disposal methods to prevent unauthorized access and data breaches.

Incident Response Plans: Organizations must develop and test incident response plans to quickly respond to and recover from security incidents. These plans should outline roles, responsibilities, and procedures for addressing potential security breaches.

Continuous Monitoring and Improvement

Achieving CMMC 2.0 Level 3 certification is only the beginning. Ongoing efforts are necessary to maintain compliance and enhance cybersecurity measures. Continuous monitoring of implemented security controls and regular updates are crucial to keeping pace with evolving cybersecurity threats.

Regular Security Assessments: Regular security assessments help identify weaknesses and gaps in the security framework. These assessments should be both internal and external, including periodic third-party audits to ensure continued compliance.

Updating Security Measures: As technology and cyber threats evolve, security measures must also be updated. Staying informed about the latest security technologies and practices is essential to protect against advanced threats and other emerging risks.

Training and Awareness Programs: Ongoing education and training for all employees on cybersecurity best practices and threat awareness are fundamental. Regular training reduces the likelihood of security incidents caused by human error.

Future Outlook

The future of CMMC 2.0 and Level 3 compliance involves adapting to new cybersecurity challenges and evolving threats. Organizations must stay informed about changes in regulations and emerging best practices to maintain their competitive edge and ensure the security of critical defense information.

Please see the Further Research section on this page for links to official documentation and other information.

Empower your compliance journey

Get early access to the only compliance tool that truly simplifies the process.


Achieving CMMC 2.0 Level 3 compliance is essential for contractors aiming to bid on Department of Defense contracts that handle Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and ITAR or export-controlled data. Compliance not only enhances security controls but also provides better business opportunities and a competitive edge in the defense sector. It ensures that contractors meet current regulatory requirements and are prepared for future growth and digital transformation challenges. By adhering to CMMC 2.0 Level 3 standards, contractors can demonstrate their commitment to security and support national security objectives.

What does CMMC Level 3 require for monitoring security controls?

CMMC Level 3 requires defense contractors to continuously monitor existing security controls to ensure they are effective and up-to-date with current threats.

How does CMMC Level 3 utilize cryptography or physical safeguards?

Cryptography or physical safeguards are employed to protect CUI from unauthorized access and ensure data integrity.

What measures are taken to prohibit unauthorized access under CMMC Level 3?

CMMC Level 3 mandates stringent access control measures to prohibit unauthorized access, including multi-factor authentication and strict access permissions.

How are diagnostic or test programs used in CMMC Level 3?

Diagnostic or test programs are regularly conducted to evaluate the effectiveness of security measures and identify potential vulnerabilities within the system. Diagnostic or test programs

What are the requirements for local and network access in CMMC Level 3?

CMMC Level 3 requires secure access controls to prevent unauthorized access and ensure only authorized personnel can access sensitive information.

How is relevant cyber threat intelligence incorporated into CMMC Level 3?

Cyber threat intelligence is used to update and enhance security measures, ensuring defense contractors are protected against the latest cyber threats.

How does CMMC Level 3 enable authorized access?

CMMC Level 3 ensures authorized access by implementing robust authentication mechanisms and access control policies that verify user identities before granting access.

What is the role of a security assessment in CMMC Level 3 compliance?

Security assessments in CMMC Level 3 are critical for evaluating the effectiveness of implemented controls and identifying areas for improvement to maintain compliance.

How does CMMC Level 3 enforce access restrictions?

CMMC Level 3 enforces access restrictions through the implementation of detailed access control policies that limit access to sensitive information based on user roles and responsibilities. 

Picture of Relevant Compliance

Relevant Compliance

Apply for Beta

Please fill in your details below to get early access to Relevant Compliance.  

Contact Us