
CMMC 2.0 Level 3 Simplified: Steps, Controls and Checklist


Explore CMMC 2.0 Level 3 essentials. Learn whether it applies to your organization and how it differs from Level 2. Dive into new security requirements, find tips to streamline the process, and download a free Level 3 control spreadsheet and task checklist.

Key Takeaways:

  • Level 3 compliance adds 24 controls to Level 2's 110, targeting advanced persistent threats (APTs). It focuses on advanced access control, network segmentation, and incident response.
  • The DoD assigns Level 3 compliance on a contract-by-contract basis by considering the sensitivity of the Controlled Unclassified Information (CUI). 
  • Organizations must complete Level 2 certification before they can achieve Level 3 compliance.
  • The DoD will begin including Level 3 requirements in contracts by mid-2025, phasing in enforcement over three years, with compliance required by late 2026 for new Level 3 contracts.
  • Achieving Level 3 compliance can cost millions, but the DoD plans to account for these expenses during contract renegotiations.

CMMC Level 3 is the highest standard in the new CMMC 2.0 framework. Level 3 mandates 134 security controls to protect Controlled Unclassified Information (CUI) from advanced cyber threats. The Department of Defense requires contractors to comply with Level 3 to be eligible for some critical defense contracts.

The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the Department of Defense (DoD) to enforce cybersecurity standards across its defense industrial base. In 2024, the DoD updated CMMC 1.0 to CMMC 2.0, simplifying compliance requirements while maintaining strict security standards. A key change in the updated framework reduced the original five compliance levels to three. 

The DoD requires Level 3 compliance for contracts involving sensitive data at risk of advanced threats. Only contractors who achieve Level 3 compliance can bid on these contracts. This level demonstrates that contractors have the necessary infrastructure to protect critical information effectively.

The CMMC framework draws most of its requirements from the National Institute of Standards and Technology (NIST), a federal agency that develops and promotes standards for technology and cybersecurity. CMMC and NIST are closely connected: NIST provides the detailed security guidelines, while CMMC serves as the enforcement framework. 

To achieve Level 3 compliance, contractors must implement the 24 security controls outlined in NIST SP 800-172, in addition to meeting Level 2 compliance standards and the 110 security controls in NIST SP 800-171. This includes advanced techniques related to network configuration, access control, continuous monitoring, and incident response planning. Level 3 compliance also requires a triennial assessment from a government agency. 

Achieving CMMC 2.0 Level 3 compliance is a significant milestone for defense contractors. It is critical for any defense organization that wants to bid on high-stakes government contracts.

Phased implementation of CMMC Level 2 and Level 3

The DoD introduced a phased three-year rollout for CMMC 2.0 compliance. Level 3 contractors must achieve Level 2 compliance by December 2026 and meet Level 3 requirements by December 2027. This timeline allows contractors to adapt while prioritizing Level 2 compliance first.

To meet Level 3 compliance, organizations must first fully comply with Level 2. The DoD will begin to enforce Level 2 requirements first and add Level 3 requirements later. This phased approach gives contractors time to put Level 3 security measures in place, achieve Level 2 compliance as a prerequisite, and prepare for CMMC audits.

Here's an overview of the timeline for CMMC 2.0 Level 2 and Level 3:
Phase 1: Initial Implementation
  • Start date: December 16, 2024
  • Applicable for: New Level 2 contracts that are eligible for a self-assessment
    Organizations that eventually need Level 3 compliance cannot rely on self-assessments. The DoD will enforce its compliance requirements in a later phase.
  • Requirements: None yet for Level 3 compliance

Phase 2: Certified assessments begin
  • Start date: Late 2025 (one year after Phase 1 begins)
  • Applicable for: New Level 2 contracts requiring a Certified Third-Party Assessor Organization (C3PAO) review. Contractors aiming for Level 3 compliance must first meet the Level 2 C3PAO assessment requirements before advancing to Level 3.
  • Requirements: Obtain a Level 2 assessment by a C3PAO

Phase 3: Level 3 compliance begins
  • Start date: Late 2026 (two years after Phase 1)
  • Applicable for: New contracts that require Level 3 certification
  • Requirements: Obtain Level 3 certification 

Phase 4: Final requirements
  • Start date: Late 2027 (three years after Phase 1 starts)
  • Applicable for: All DoD contracts
  • Requirements: All DoD solicitations and contracts, including option periods on existing contracts, must comply with relevant CMMC requirements.

CMMC 2.0 Level 2 and Level 3 phased implementation timeline

Why is CMMC Level 3 important?

CMMC Level 3 ensures that defense contractors protect Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs). This helps prevent data breaches. Level 3 is the highest of the three CMMC 2.0 levels.

The DoD built the CMMC Level 3 requirements on the NIST SP 800-172 standard. In the standard itself, the authors, primarily NIST experts, explain why these additional Level 3 security measures matter: “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions.”

Benefits of CMMC Level 3 certification for contractors

The main benefit of CMMC Level 3 certification is simple. When defense contractors earn it, they become eligible for valuable, long-term federal contracts that require it. 

“Earning CMMC Level 3 isn’t about gaining a competitive advantage,” Harnagel explains. “The main benefit is becoming eligible for Level 3 contracts, which include many of the most lucrative and long-lasting projects. If you perform well, you position yourself for even more of these opportunities.”


Difference between CMMC Level 2 and CMMC Level 3

CMMC Level 2 includes 110 security controls that protect Controlled Unclassified Information (CUI). Level 3 adds 24 more controls that target Advanced Persistent Threats (APTs). Level 3 also requires an assessment from a government agency.

CMMC 2.0 includes three compliance levels. CMMC 2.0 Level 1 applies to contracts involving Federal Contract Information (FCI), which is less sensitive than CUI and only needs basic cyber hygiene practices. CMMC 2.0 Level 2 and Level 3 address contracts with CUI, with Level 3 typically involving more sensitive data or critical projects.

Here's a broad overview of the key differences between CMMC 2.0 Level 2 and Level 3.
Purpose and requirements
  • Level 2:
    • Protect CUI with comprehensive cybersecurity
    • Comply with 110 security requirements from NIST SP 800-171
  • Level 3:
    • Enhance CUI protection with high-level security, particularly against Advanced Persistent Threats (APTs)
    • Become Level 2 certified (full compliance with the 110 security requirements from NIST SP 800-171) and comply with 24 additional requirements from NIST SP 800-172

Assessment and annual affirmation
  • Level 2:
    • For select contracts: CMMC self-assessment every three years
    • For most contracts: Assessment conducted by a Certified Third-Party Assessor Organization (C3PAO) every three years
    • Annual affirmation to verify compliance with 110 security requirements from NIST SP 800-171 Revision 2
  • Level 3:
    • All contracts: Assessment conducted every three years by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
    • Annual affirmation required to verify compliance with 24 additional requirements from NIST SP 800-172

Conditional compliance
  • Level 2: 
    • A Level 2 contract that meets a minimum threshold of compliance from NIST SP 800-171 (usually at least 80% of the 110 security controls, or a minimum of 88 controls) will receive conditional compliance
    • Organizations have 180 days from the date of receiving conditional CMMC Status to develop a Plan of Action and Milestones (POA&M) and fully implement the necessary security controls and remediate all identified deficiencies
    • C3PAO conducts closeout assessment
  • Level 3:
    • A Level 3 organization that meets 80% of the 24 additional requirements from NIST SP 800-172 (a minimum of 19 controls) can receive conditional compliance
    • Level 3 organizations must first achieve final and complete Level 2 compliance (comply with all 110 requirements from NIST SP 800-171)
    • Organizations have 180 days from the date of receiving Conditional CMMC Status to develop a POA&M and fully implement the necessary security controls and remediate all identified deficiencies.
    • DIBCAC conducts closeout assessment


How CMMC Level 3 aligns with NIST requirements

CMMC Level 3 builds on NIST SP 800-171 by adding 24 advanced requirements from NIST SP 800-172. These requirements add controls that specifically address Advanced Persistent Threats (APTs).

“The difference between Level 2 and Level 3 cybersecurity requirements comes down to the scope and strength of the controls,” says Steven Bjarnason, CISSP, a cybersecurity leader with over 30 years of experience and Technical Services Manager at 360 Advanced. “Level 3 adds more advanced measures from NIST SP 800-172. These enhancements are designed for highly sensitive situations across various security domains.”

Bjarnason provides an example: “In the 'access control' domain, Level 2 includes basic measures like complex passwords, multifactor authentication (MFA), or physical tokens. Level 3 takes it further with dual authorization, where two people must be present to access the system.”

As Bjarnason explains, Level 3 controls represent a significant step up from Level 2. NIST designed these controls to better protect data from APTs and improve incident response in the event of a data breach.

Who needs CMMC Level 3 compliance?

The DoD will determine which contracts require Level 3 compliance on a case-by-case basis. These contracts involve critical data needing extra protection from Advanced Persistent Threats (APTs). Level 3 will apply to only a very small number of contracts.

CMMC compliance is tied to the security needs of a particular project, not the organization or individual handling the work. While larger organizations may be more likely to handle Level 3 projects due to their resources, they are not automatically subject to Level 3 requirements. However, it’s still unclear which criteria the DoD will use to determine if a contract requires Level 3.

According to Bjarnason, CMMC Level 3 compliance will apply to a small number of contracts that support critical DoD missions. 

“These contracts will support missions like weapons development, intelligence, or secure communications,” he explains. “They might include sensitive information like technical drawings, operational plans, maintenance manuals, or research and development data. Larger companies like Boeing, Raytheon, and Lockheed Martin often handle these contracts, but smaller contractors can also be affected. In general, Level 3 contractors will make up the smallest portion of the Defense Industrial Base (DIB).”

Bjarnason also notes that the DoD has yet to clearly define what qualifies as a "critical" mission. “The DoD determines compliance obligations on a contract-by-contract basis, usually depending on how a contractor handles CUI as well as other mission needs and risks,” he explains.

During the initial proposal phase of CMMC 2.0, many stakeholders, including defense contractors, expressed concerns about these potentially vague Level 3 criteria. In the 32 CFR CMMC Final Rule, the DoD addresses these concerns and the related worry that Level 3 compliance might apply to too many contracts. 

Despite suggestions to revise the criteria, the DoD opted to maintain its approach. It clarified that Level 3 requirements would depend on the sensitivity and importance of the information in the contract, not factors like the number of contracts an organization holds, the contract’s value, or its acquisition program category.

Which defense contracts will be subject to CMMC Level 3?

The DoD plans to assign CMMC Level 3 to a small number of contracts for critical projects that need strong security against Advanced Persistent Threats (APTs). They base Level 3 decisions on the project, not the organization. By mid-2025, DoD contracts will include specific CMMC requirements.

The DoD assigns the appropriate CMMC level to each contract based on the type and sensitivity of the information it involves. In the CMMC 2.0 final rule, the DoD emphasized that Level 3 compliance provides “confidence in a contractor’s ability to safeguard certain CUI against Advanced Persistent Threats.”

According to Elliott Harnagel, Product and Compliance Strategist at Strike Graph, the specifics of Level 3 compliance are somewhat unclear because decisions are made on a case-by-case basis by the "Requiring Activity." This entity within the DoD is responsible for identifying the requirements of a contract, assessing the nature of its information, and determining whether it warrants advanced security measures like Level 3 compliance.

“In October, the DoD published Rule 32, which outlines technical requirements for CMMC, including security controls and assessment schedules,” Harnagel explains. “However, they provided little guidance on what qualifies as ‘critical’ projects or assets that would require Level 3 compliance.”

Harnagel adds that by mid-2025, the DoD will formally integrate CMMC 2.0 requirements into contracts through updates to Title 48 of the Code of Federal Regulations (CFR). 

“This update is critical,” he says, “because it will define how CMMC 2.0 fits into contracts. Once finalized, the DoD will require CMMC compliance as a condition for contract. That information will be in the contract’s Defense Federal Acquisition Regulation Supplement (DFARS) 7012 clause. At that point, contractors will face clear and enforceable requirements, eliminating any ambiguity about whether a contract needs CMMC compliance or which level applies.”

Throughout the CMMC final rule and other related resources, the DoD has reiterated its expectation that “Level 3 will affect a very small portion of the DIB,” underscoring its focus on contracts with the most critical security needs. However, it has not provided a specific estimate of what percentage of DIB contracts will need Level 3 compliance.

CMMC 2.0 Level 3 requirements

CMMC 2.0 Level 3 builds on Level 2 by adding 24 more cybersecurity measures from the NIST SP 800-172 guidelines. These measures target Advanced Persistent Threats (APTs) and improve data confidentiality, integrity, and access controls.

CMMC 2.0 Level 3 adds 24 more cybersecurity measures from the NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” to the Level 2 requirements. To get Level 3 compliance, organizations must meet all Level 2 requirements and the extra 24 controls for Level 3.

NIST developed the enhanced requirements specifically to address Advanced Persistent Threats (APTs). These requirements help organizations protect their data from APTs and respond quickly in the case of a breach. According to NIST, the requirements focus on three key components:

  • Penetration-Resistant Architecture
  • Damage-Limiting Operations
  • Design for Cyber Resiliency and Survivability

Here’s a summary of the 24 enhanced security requirements, organized by the 14 security families established in NIST SP 800-171 for Level 2 compliance.

  1. Access Control (AC)
  • Use dual authorization for critical or sensitive operations.
  • Restrict access to systems and components to organizationally owned, provisioned, or issued resources.
  • Employ secure information transfer solutions between security domains.
  2. Awareness and Training (AT)
  • Provide awareness training on recognizing and responding to threats.
  • Include practical exercises in awareness training tailored to current threat scenarios.
  3. Audit and Accountability (AU)
  • No additional requirements beyond Level 2 compliance (security controls in NIST SP 800-171).
  4. Configuration Management (CM)
  • Establish an authoritative source and repository for approved system components and configurations.
  • Employ automated mechanisms to detect and handle unauthorized or misconfigured components.
  • Use automated tools to maintain an accurate inventory of system components.
  5. Identification and Authentication (IA)
  • Authenticate systems and components using cryptographic, replay-resistant methods.
  • Use automated mechanisms for password generation, rotation, and management.
  • Prohibit connections from unknown or unauthenticated components.
  6. Incident Response (IR)
  • Establish and maintain a Security Operations Center (SOC) that can continuously monitor threats and an Incident Response Plan (IRP) to manage issues immediately.
  • Deploy a Cyber Incident Response Team (CIRT) capable of rapid response to incidents.
  7. Maintenance (MA)
  • No additional requirements beyond Level 2 compliance (security controls in NIST SP 800-171).
  8. Media Protection (MP)
  • No additional requirements beyond Level 2 compliance (security controls in NIST SP 800-171).
  9. Personnel Security (PS)
  • No additional requirements beyond Level 2 compliance (security controls in NIST SP 800-171).
  10. Physical Protection (PE)
  • No additional requirements beyond Level 2 compliance (security controls in NIST SP 800-171).
  11. Risk Assessment (RA)
  • Regularly assess the effectiveness of security solutions based on updated threat intelligence.
  12. Security Assessment (SA)
  • Develop and implement plans of action to address vulnerabilities and deficiencies.
  13. System and Communications Protection (SC)
  • Use FIPS-validated cryptography for protecting CUI during transmission and storage.
  • Prevent remote activation of collaborative computing devices and alert users of active sessions.
  14. System and Information Integrity (SI)
  • Monitor systems continuously to detect attacks and anomalies.
  • Identify unauthorized use of systems and implement appropriate responses.

Download this spreadsheet of the 24 additional controls for CMMC 2.0 Level 3. These controls show what you need to implement above and beyond the CMMC Level 2 controls.


Steps to get CMMC Level 3 compliance

To achieve Level 3 compliance, first complete Level 2 certification. Conduct an internal assessment to identify gaps, implement the necessary controls, and perform a self-audit. Finally, schedule a DIBCAC assessment to finalize Level 3 certification.

Here's a summary of the basic steps to get CMMC Level 3 compliance:

  1. Complete Level 2 certification
    Achieving Level 2 compliance is a prerequisite for Level 3. Harnagel advises organizations to focus on solidifying Level 2 controls while awaiting confirmation from the DoD about whether their specific contract requires Level 3 compliance.

    “If you’re unsure about needing Level 3, focus on Level 2 for now,” he says. “The actual contract requirements won’t roll out until mid-2025, and there’s a grace period after that. Level 2 is challenging enough to tackle first. Once you receive more clarity on contract language, you’ll know if Level 3 is necessary. Since Level 3 applies to so few companies, going above and beyond now without a requirement doesn’t make much sense.”

    Part of this process involves identifying the scope of your CMMC controls or the systems that handle, store, or transmit CUI.

  2. Conduct a gap analysis
    Conduct a gap analysis to identify differences between your current compliance status and Level 3 requirements. Refer to the DoD’s CMMC 2.0 Level 3 Scoping Guide to ensure you understand which systems you need to assess.

  3. Implement the required controls
    Address identified gaps by applying Level 3 controls. Create a POA&M that outlines an action plan for addressing the gaps.

  4. Perform a self-audit and remediate
    Harnagel says it’s a good idea to perform another self-assessment after remediating the issues your gap analysis identified. The DoD’s CMMC 2.0 Level 3 Assessment Guide will help you understand what to expect in the formal assessment and better inform your self-audit.

  5. Schedule a DIBCAC assessment
    Once you’re confident, undergo a formal Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment to gain Level 3 certification.

    Harnagel recommends contacting DIBCAC well in advance. “I wouldn’t be surprised if DIBCAC had long lead times,” he says. “It’s worth reaching out early rather than waiting until you’re fully ready, as they could be booked for months or even a year. Reaching out ahead of time helps ensure you’re not delayed from qualifying for critical contracts just because an assessor isn’t available.”

Level 3 certification remains valid for three years, but organizations must submit annual affirmations confirming ongoing compliance with Level 3 requirements. After the three-year period, organizations must undergo another formal DIBCAC assessment to renew their certification.

The CMMC Level 3 checklist below helps you stay on track as you work toward eventual CMMC Level 3 compliance. It outlines the most important tasks. You can also download this more detailed CMMC Level 3 checklist.

Steps for CMMC 2.0 Level 3 compliance

  1. Complete Level 2 certification
    • Description: Implement the Level 2 security controls and receive a formal assessment from a Certified Third-Party Assessor Organization (C3PAO).
    • Key details: Generate an SPRS (Supplier Performance Risk System) score. An organization must fully comply with the 110 controls and receive a perfect SPRS score (110).
  2. Conduct a gap analysis
    • Description: Identify which Level 3 security controls you are not currently implementing.
    • Key details: Develop a System Security Plan (SSP).
  3. Implement the required controls
    • Description: Create a plan for managing required controls.
    • Key details: Use SSP templates to document CMMC requirements and how you plan to meet them.
  4. Self-audit and remediate
    • Description: Evaluate your current compliance status.
    • Key details: Create a Plan of Action and Milestones (POA&M).
  5. Receive an assessment from DIBCAC
    • Description: Undergo a formal Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment to finalize Level 3 compliance.
    • Key details: Contact DIBCAC early in case of long lead times.


How hard is CMMC 2.0 Level 3 compliance?

CMMC Level 3 compliance is the hardest CMMC 2.0 compliance level. It requires a significant investment of time, money, and other resources. Organizations that already follow NIST SP 800-172 practices may find it easier to comply.

Here's an overview of the specific challenges that affect the difficulty of CMMC Level 3:

  • Government-led assessments:
    Level 3 compliance requires a government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). According to Harnagel, these assessments are notably more rigorous. “A government-run assessment means more scrutiny, not just on your Level 3 controls but likely a more fine-toothed review of your Level 2 controls as well,” he explains. “There are also fewer DIBCAC assessors than the Level 2 C3PAOs.”

    This heightened level of scrutiny may make the overall process more difficult.

  • Focus on Advanced Persistent Threats (APTs):
    Level 3 targets protection against sophisticated adversaries like APTs. This requires implementing the 24 additional security measures from NIST SP 800-172 that go beyond basic controls, as well as complying with every Level 2 requirement. Some of these controls require a significant investment of costs and resources.

    Harnagel notes that some requirements may not pose significant challenges for organizations already operating at Level 2 standards. "Many organizations might already be complying with some requirements. For example, many already have an incident response plan (IRP) or perform adequate security training. In those cases, the effort mostly involves adding documentation, which isn't particularly expensive or difficult."

However, other requirements, such as dual authorization, continuous monitoring, cryptographic protections, and cyber resiliency planning, are far more complex.

“Most of the most challenging controls are in the Configuration Management (CM) domain and the Identification and Authentication (IA) domain,” explains Harnagel. “These will require companies to purchase additional tools or dedicate significant man-hours to implementation.”

Here are the specific controls Harnagel highlights as potentially time-intensive:

  • CM.L3-3.4.1e: Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
  • CM.L3-3.4.2e: Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.
  • CM.L3-3.4.3e: Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
  • IA.L3-3.5.1e: Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
  • IA.L3-3.5.3e: Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

The time it takes to get CMMC Level 3 compliance depends on an organization’s size, scope, and current security posture. Organizations with advanced cybersecurity measures in place may finish in a year, while others may need up to two years.

Achieving CMMC compliance at Level 3 will be a challenging and time-intensive process. However, some organizations will need to invest less time and money than others.

Here are a few factors that affect the time it takes to get CMMC Level 3 compliance:

  • Organization size and network complexity
    Large organizations often have intricate systems that take longer to align with CMMC requirements. However, they may already have robust security measures and even a dedicated security operations center (SOC) to manage the organization’s cybersecurity. Smaller organizations benefit from a more limited scope but may face delays due to fewer resources or less experience in implementing compliance strategies.

  • Current security posture
    Some organizations might already comply with other frameworks that have overlapping requirements with CMMC, like FedRAMP (Federal Risk and Authorization Management Program), a compliance framework for government data in the cloud. CMMC and FedRAMP have similar requirements, so organizations complying with FedRAMP might already have certain CMMC Level 3 security standards in place. In contrast, organizations starting from scratch face a steeper learning curve, adding significant time to the process.

  • Scope
    The broader an organization’s CMMC scope, the longer it takes to meet Level 3 requirements. Businesses can save time by segmenting networks and limiting the systems handling Controlled Unclassified Information (CUI).

Cost of CMMC 2.0 Level 3 compliance

The DoD estimates CMMC 2.0 Level 3 compliance will cost $500,000 to $21 million over three years, depending on size, scope, and current security. Costs include Level 2 and 3 assessments, with most expenses tied to implementing Level 3 security measures.

In the CMMC 2.0 final rule, the DoD offers a detailed estimate of CMMC Level 3 certification, assessment, and affirmation costs. These estimates include engineering costs to implement the additional 24 security measures from NIST SP 800-172. These estimates account for the time the organization needs to implement the security and prepare for, support, and participate in a Level 2 and Level 3 certification assessment from a DIBCAC.

The DoD’s cost estimate for Level 3 is so high because contractors were never required to implement any controls from NIST SP 800-172. As a result, the estimate includes the cost of implementing these controls, which ranges from $400,000 for small entities to tens of millions for large ones. In contrast, contractors were already expected to follow Level 2 protocols (NIST SP 800-171) before CMMC existed, so the DoD excluded implementation costs for Level 2. Bjarnason suggests Level 3 contractors renegotiate contracts to help manage the financial burden of these new requirements.

“If you have an existing contract, you’ll likely need to renegotiate it,” Bjarnason says. “Contractors won’t be expected to cover all compliance costs. These costs will be factored into the contract to ensure fairness. The Department of Defense (DoD) is also hiring staff to support compliance efforts, with many associated costs likely charged back to the government.”

Here are the factors that make the price different:
  • Size of the organization
    Larger organizations typically have more complex systems and networks to protect, which can significantly increase costs. They may need to implement advanced tools, hire additional staff, or outsource services to meet the requirements. Conversely, smaller organizations often have simpler infrastructures, which can reduce the cost of compliance.


  • Scope
    The scope of CMMC compliance refers to the specific systems, networks, and processes that must meet the required standards. Organizations with larger or broader operational scopes will need to apply security measures across more areas, increasing both upfront and recurring costs.


  • Existing security controls
    Harnagel notes, “Organizations with Level 3 contracts probably already have the infrastructure set up to handle sensitive data regularly, so they may already have many of these security controls in place from previous contracts or projects. These organizations have likely already made substantial investments in security infrastructure, effectively spreading the expense over time. As a result, their journey to full compliance focuses more on addressing specific gaps rather than implementing controls from scratch, leading to significant cost savings.”

Here are two tips on how to potentially reduce the cost of Level 3 compliance:
  • Partner with the right external service providers (ESPs)
    “One way to reduce costs is by partnering with the right external or managed service provider (MSP),” Harnagel explains. “Many MSPs already have CMMC ecosystems in place, which can save you money, especially in man-hours. If you’re trying to figure this out on your own, it can be frustrating. An experienced MSP with out-of-the-box solutions for CMMC compliance will make the process much easier.”

  • Reduce scope
    Another way to reduce costs is by limiting the CMMC scope so that Level 3 security requirements apply only to a small, controlled enclave of the system. This approach minimizes the compliance footprint by keeping CUI in a single, tightly managed area. However, finding the right balance between security and operational flexibility can be challenging. While reducing scope helps control costs, it requires organizations to weigh security against convenience, which may not be feasible for all operational needs.

How to time your plans for CMMC Level 2 and Level 3

CMMC Level 2 is a prerequisite for Level 3, so first focus on fully meeting Level 2 requirements. Use the grace period between the DoD’s contract announcement and Level 3 enforcement to ensure a smooth transition to Level 3 compliance.

“Start with Level 2 compliance,” says Harnagel. “Right now, focusing on Level 2 makes the most sense because the actual contract requirements won’t take effect for another six months, until the DoD finalizes the enforcement mechanism that will require them to include CMMC requirements in each contract. After that, there’s a grace period, giving you additional time to address Level 3 compliance.”

He adds: “Trying to go above and beyond now, when it’s not yet required, could be premature — especially since so few companies will need to meet those higher requirements immediately. It’s more practical to tackle Level 2 first, as it’s already challenging enough. Then wait for 48 CFR to be finalized and specific contractual language to emerge.”

Streamline Your CMMC Compliance with Strike Graph

To secure a DoD contract, CMMC compliance is crucial. Strike Graph’s customizable platform organizes key controls, lets you add your own, and streamlines documentation. Our experts know CMMC inside and out, so you can focus on landing the contract while we handle compliance.

CMMC 2.0 demands significant effort from your team — but Strike Graph can lighten the load. Our NIST-based framework aligns with CMMC standards to make compliance straightforward. Select common controls or customize your own, and let our VerifyAI tool flag evidence issues before they reach an assessor. The enterprise content management feature simplifies compliance further by distributing controls across divisions, eliminating redundant work.

Our experts monitor evolving compliance frameworks, keeping you informed about regulatory changes. With expert guidance and a cutting-edge platform, Strike Graph helps you reduce errors, meet CMMC standards, and secure government contracts with ease.

CMMC Level 3 compliance FAQs

Find answers to common questions about CMMC 2.0 Level 3 compliance, including security requirements and assessments. Use them to fill gaps in your understanding and to determine whether your organization must meet CMMC 2.0 requirements to comply with Department of Defense (DoD) standards for protecting CUI.

Is CMMC 2.0 Level 3 compliance mandatory?

CMMC 2.0 Level 3 compliance will be mandatory for contracts designated by the DoD as requiring Level 3 security standards. Only contractors who meet these standards will be eligible to bid on these contracts.

Is CMMC 2.0 Level 3 based on NIST?

Yes, CMMC 2.0 Level 3 requirements follow the federal standard NIST SP 800-172. Also, contractors pursuing Level 3 compliance must first fully comply with Level 2, which follows NIST SP 800-171.

Does CMMC Level 3 apply to subcontractors?

CMMC Level 3 applies to subcontractors if they handle Controlled Unclassified Information (CUI) that requires Level 3 security. Whether it applies depends on whether Level 3 data flows from the prime contractor to the subcontractor. Subcontractors should check their contracts and talk to the prime contractor to confirm what compliance is required.

When will DoD contracts start including CMMC Level 3 requirements?

The DoD will begin specifying Level 3 requirements in contracts in mid-2025 and gradually enforce them over three years. Contractors must comply with Level 3 for new contracts by late 2026, with full compliance required for all contracts by late 2027.

What is the 32 CFR CMMC Final Rule?

The 32 CFR CMMC Final Rule codifies CMMC in the Code of Federal Regulations. It defines the mandatory security levels and their requirements, and it sets the timelines by which contractors must meet CMMC standards.

How is the Cyber AB involved in CMMC Level 3 compliance?

The Cyber AB plays an indirect role in CMMC Level 3 compliance. It accredits the Certified Third-Party Assessor Organizations (C3PAOs) that run Level 2 assessments, and Level 2 certification is required before a Level 3 assessment, which the DoD itself conducts.

Do contractors need to get CMMC Level 2 certification before Level 3?

Yes, contractors must get CMMC Level 2 certification before qualifying for Level 3. They need to meet all 110 Level 2 security controls and pass an assessment by a Certified Third-Party Assessor Organization (C3PAO). Once certified, they can move on to Level 3.

Who performs CMMC Level 3 audits?

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts CMMC Level 3 audits. It’s part of the DoD. A DIBCAC assessor reviews an organization's cybersecurity to ensure it meets all Level 3 requirements.
