CMMC Level 3 Checklist: Requirements Every Contractor Must Meet


CMMC Level 3 requirements cover 134 total security controls — the 110 requirements from NIST SP 800-171 Revision 2 that Level 2 already requires, plus 24 enhanced security requirements drawn from NIST SP 800-172.

These additional controls are specifically designed to defend against advanced persistent threats and apply only to contractors working on the most sensitive DoD programs. For the vast majority of defense subcontractors, Level 3 requirements do not apply — Level 2 is the relevant standard. But understanding what Level 3 requires, and why, is useful context for anyone trying to make sense of how the CMMC framework is structured. 


Why Do CMMC Level 3 Requirements Go Further Than Level 2?

CMMC Level 2 is built around protecting Controlled Unclassified Information from the kinds of cybersecurity threats that most organizations face — opportunistic attackers, ransomware, phishing, credential theft, and insider mistakes. The 110 NIST SP 800-171 requirements address these threats through foundational controls: access management, endpoint protection, patch management, logging, encryption, and incident response. 

Level 3 exists because some CUI is not just sensitive — it is strategically valuable to nation-state adversaries. Technical data tied to hypersonic systems, directed energy programs, advanced command and control architectures, or other critical defense technologies presents a fundamentally different threat profile. The adversaries targeting this information are sophisticated, patient, and well-resourced. The controls designed for typical cybersecurity threats are necessary but not sufficient. 

CMMC 2.0 Level 3 requirements close that gap by adding 24 enhanced security requirements from NIST SP 800-172 on top of the full Level 2 foundation. These enhanced controls are not incremental improvements to existing Level 2 practices. They address capabilities and threat scenarios that Level 2 compliance does not require contractors to address. 


What the 24 Enhanced Requirements Cover 

NIST SP 800-172 distributes its 24 enhanced security requirements across nine control families within the NIST SP 800-171 framework. They concentrate on the areas where the gap between baseline cybersecurity and advanced persistent threat defense is most significant. 

Advanced Access Control and Least Privilege 

Several of the enhanced requirements go further than Level 2’s access control provisions by requiring contractors to implement more granular restrictions on system access, enforce tighter separation between privileged and non-privileged accounts, and limit what authorized users can access even within their normal scope of work. The goal is to reduce the damage an adversary can do if they successfully compromise a credential. 

Enhanced Incident Response and Threat Detection 

Level 3 raises the bar on incident response by requiring contractors to demonstrate more sophisticated threat detection capabilities and more structured response processes. This includes the ability to identify adversary techniques that may not trigger conventional security tools — behavioral anomalies, lateral movement patterns, and persistence mechanisms associated with advanced persistent threats. 

Configuration Management and System Hardening 

The enhanced configuration management requirements address the specific ways that sophisticated adversaries exploit weakly configured systems. They go beyond patch management and standard hardening to require more rigorous control over what software can run on systems, how configurations are monitored for unauthorized changes, and how deviations from baseline are detected and remediated. 


Risk Management at the Organizational Level 

Several enhanced requirements address cybersecurity risk management at the organizational level rather than the system level. This includes requirements for how senior leadership understands and manages cybersecurity risk, how the organization integrates cybersecurity considerations into its acquisition and supply chain decisions, and how it maintains awareness of emerging threats relevant to its programs. 

System Resilience and Damage Limitation 

The final category of enhanced requirements addresses what happens when defenses fail. Level 3 requires contractors to implement capabilities that limit the damage an adversary can do once inside a system — restricting lateral movement, protecting the most sensitive data even from users with legitimate access, and maintaining the ability to continue operating critical functions under degraded conditions. 

The Level 3 Assessment Process 

CMMC Level 3 is not assessed by a commercial CMMC Third-Party Assessment Organization (C3PAO). It is assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a government body operated by the DoD. This is a significant distinction from Level 2.

DIBCAC government assessors conduct the assessment through document reviews, system examinations, and interviews, evaluating the contractor's environment in the context of the defense programs it supports. The assessment scope covers all information systems that process, store, or transmit the CUI subject to Level 3 requirements.

Level 3 reassessment occurs every three years, consistent with Level 2 C3PAO requirements. Organizations with assessment findings can receive conditional CMMC status and must complete a closeout assessment within 180 days.

The Level 2 Prerequisite 

CMMC Level 3 certification is not possible without first achieving CMMC Level 2 certification through a C3PAO assessment: DIBCAC will not conduct a Level 3 assessment until that third-party Level 2 certification is in place.

This prerequisite matters for planning. The CMMC Level 2 certification process typically takes six to eighteen months for most small manufacturers, and Level 3 adds a further preparation and assessment cycle on top of that foundation. Organizations that need Level 3 should plan their certification timeline accordingly, starting with a single gap assessment that covers both the 110 Level 2 requirements and the 24 Level 3 enhanced requirements, so that remediation work can address both sets in parallel rather than sequentially.


Who Needs CMMC Level 3 Compliance 

The DoD determines which contracts require Level 3 certification based on program sensitivity. The requirement is specified in contract language — if Level 3 applies to a contractor’s work, the contract will say so. 

As discussed in the CMMC Level 3 overview, the DoD has estimated that fewer than 500 organizations across the defense industrial base will require Level 3 certification. Most defense subcontractors — including the overwhelming majority of small manufacturers — will not. The relevant question for most small manufacturers is not whether they need Level 3. It is whether their environment is ready for the Level 2 requirements their government contracts already carry. 

The Practical Bottom Line 

Organizations must implement 24 NIST SP 800-172 controls alongside 110 Level 2 controls to satisfy CMMC Level 3 requirements. The DoD applies these enhanced requirements to contractors protecting highly sensitive defense programs from advanced persistent cyber threats. For everyone else, Level 2 is the standard that matters. 

If you are working toward Level 2 and want to understand what your current environment is missing, start with the RightSentry Snapshot. You’ll clearly understand your current compliance status, identify security gaps, and build a practical roadmap toward CMMC compliance.


Frequently Asked Questions 

What Does CMMC Level 3 Require?

Organizations must implement 110 NIST SP 800-171 controls and 24 NIST SP 800-172 controls to meet CMMC Level 3. These controls strengthen protection against advanced cyber threats and require a government-led assessment by DIBCAC. Organizations must maintain compliance and renew certification every three years.

What Is CMMC Level 3 CUI?

CMMC Level 3 applies to highly sensitive Controlled Unclassified Information (CUI) associated with critical defense programs and advanced technologies. The Department of Defense identifies when Level 3 protection applies and includes those requirements within specific contract terms. Most contractors handling standard CUI only need CMMC Level 2 compliance.

What Is the Difference Between CMMC Level 2 and Level 3?

Organizations achieve CMMC Level 2 by implementing 110 NIST SP 800-171 controls, while Level 3 adds 24 advanced safeguards. Level 3 is designed to protect against advanced persistent threats (APTs) and requires a DIBCAC-led assessment. Organizations must first achieve Level 2 certification before pursuing Level 3.

Who Can Conduct a Level 3 CMMC Assessment?

Only the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can conduct CMMC Level 3 assessments. Unlike Level 2, which may be assessed by authorized C3PAOs, Level 3 assessments are exclusively performed by government assessors.

How Much Does It Cost to Get CMMC Level 3 Certification?

CMMC Level 3 certification costs vary based on an organization’s size, environment complexity, and existing cybersecurity maturity. Organizations must first achieve Level 2 certification, driving total CMMC Level 3 costs above $300,000 for implementation and assessment.
