
From Level 2 to 3: All CMMC Level 3 Requirements, Cost Breakdown & Checklist
Anna Fitzgerald
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Within seven years of the phased rollout of CMMC 2.0, the Department of Defense (DoD) estimates that over 220,000 entities will get assessed across Levels 1, 2, and 3. Of that total, they estimate that only 1% — less than 1,500 entities — will be required to obtain Level 3 certification.
Why such a low percentage? Level 3 is designed to safeguard the most sensitive Controlled Unclassified Information (CUI) and Controlled Defense Information (CDI) against advanced persistent threats (APTs). Complying with it therefore takes significant effort and cost, so it will apply only to a small percentage of defense contractors.
In this guide, we’ll break down exactly who needs to comply, what the requirements entail, how assessments work, and why achieving Level 3 can give your organization a competitive advantage.
Who needs CMMC Level 3?
Entities that process, store, or transmit CUI and/or CDI that require enhanced protection against APTs will need to comply with CMMC Level 3. These enhanced security requirements are designed to safeguard mission-critical or unique technologies and programs.
The DoD estimates that very few contracts will require CMMC Level 3. In fact, in its January 2025 memo outlining how it will determine CMMC levels for its solicitations and contracts, it cautioned Program Managers against the overuse of the CMMC Level 3 requirement.
However, there are three scenarios in which this requirement may be necessary. These are:
- Contracts involving CUI and/or CDI associated with a breakthrough, unique, and/or advanced technology
- Contracts involving a significant aggregation or compilation of CUI in a single information system or IT environment
- Contracts where an attack on a single information system or IT environment would result in widespread vulnerability across the DoD
Given these factors, Level 3 will only apply to companies working on the DoD’s most critical programs involving sensitive technologies or national security priorities. For example, contractors involved in the research and development of new and sensitive DoD technology or who collect significant amounts of CUI during performance of contracts will likely need to obtain a CMMC Level 3 certification.

If you’re not sure whether this level applies to you, don’t worry. It will be explicitly stated in your contract if you require a CMMC Status of Level 3 (DIBCAC). But even if your contract doesn’t require it, achieving CMMC Level 3 compliance and performing a self-assessment using the DoD’s assessment guide can be a powerful differentiator, demonstrating your organization’s ability to meet the highest cybersecurity standards and opening doors to future high-value contracts.
CMMC Level 2 vs Level 3
To be eligible for a Level 3 assessment, an organization must first have a Final Level 2 (C3PAO) certification/authorization for the same scope. You can’t pursue Level 2 and Level 3 certifications at the same time or skip right to a Level 3 certification.
So if you expect your contract to have a Level 3 requirement or are interested in pursuing compliance at that level proactively, it’s important to understand the similarities and differences in security requirements, assessment requirements, and scope between these levels.
Below is an overview of the key differences to expect when going from Level 2 to 3.
- Enhanced security requirements: Level 3 contractors are required to implement all 110 requirements from NIST 800-171 Revision 2 and meet all 24 requirements from NIST 800-172 or have a Plan of Action and Milestones (POA&M) in place for requirements that are not prohibited in 32 CFR § 170.21.
- Specified values for Organization-Defined Parameters (ODPs): CMMC Level 3 specifies values for ODPs in NIST 800-172. When left undefined, these parameters effectively ask organizations to fill in the blank in the requirements so they can implement controls to meet these requirements in a way that suits their unique risk tolerance and operational needs. The DoD defines these parameters in NIST 800-172 for Level 3 contractors. While this provides less flexibility to contractors, it ensures that they are meeting a level of security commensurate with DoD expectations and eliminates the risk of different parameters being set for different DoD programs. Since Level 2 is based on NIST 800-171 Revision 2, it does not have ODPs so organizations don’t have to meet DoD-assigned values. This will likely change if CMMC Level 2 is updated to align with NIST 800-171 Revision 3 which does include ODPs.
- Different POA&M requirements: Since Level 3 contractors must hold a Final Level 2 (C3PAO) status, they must have closed any Level 2 POA&M items and meet all 110 requirements from NIST 800-171. If they have implemented at least 20 of the 24 requirements from NIST 800-172 and achieved a minimum assessment score of 80, Level 3 contractors can use a POA&M for certain requirements that are not prohibited in § 170.21 as long as they remediate them within 180 days of achieving their conditional status. Level 2 has a different minimum score and list of prohibited requirements.
- SPRS scoring is not varied: For CMMC Level 2, each met requirement is assigned a value of 1, 3, or 5 points and an SPRS score ranges from -203 to 110. Level 3 does not have varied scoring, so each met requirement is equally weighted as 1 point.
- Government-led assessment: Both Level 2 and 3 require a third-party assessment to validate compliance. While Level 2 requires this assessment be conducted by a Certified Third-Party Assessment Organization (C3PAO), Level 3 requires it be conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) given the sensitivity of the programs.
- Asset categories and scope change: There are three asset categories considered in-scope for a Level 3 assessment, as opposed to the four asset categories for Level 2. For Level 3, Contractor Risk Managed Assets (CRMAs) are categorized as CUI assets, and all three asset categories—CUI Assets, Security Protection Assets (SPAs), and Specialized Assets—must be assessed against all Level 3 requirements and may be spot checked against some Level 2 requirements. The next section covers Level 3 asset categories and scope in more depth.
| | Level 2 | Level 3 |
|---|---|---|
| Assessment | C3PAO (third party) | DIBCAC (DoD-led) |
| Scoring | Weighted scoring with requirements valued 1, 3, or 5 points, for a minimum score of -203 to a maximum score of 110 | All security requirements are valued 1 point with a maximum score of 24 |
| Requirements | 110 requirements from NIST SP 800-171 Revision 2 | All 110 requirements from NIST SP 800-171 Revision 2 and 24 requirements from NIST SP 800-172 |
| Asset categories | 4 in-scope asset categories: CUI Assets, Contractor Risk Managed Assets, Security Protection Assets, Specialized Assets | 3 in-scope asset categories, with CRMAs categorized as CUI assets |
| Scope | Contractor Risk Managed Assets, if properly risk-managed and documented in the SSP, do not need to be assessed | All in-scope assets fully assessed against Level 3 requirements and possibly against some Level 2 requirements |
CMMC Level 3 scope and asset categories
CMMC Level 3 assessment scope is based on the specification of asset categories and their respective requirements.
For Level 3 assessments, in-scope assets are any assets that can (whether intended to or not) or do process, store, or transmit CUI, and any that provide security protections for these assets.
In addition to fully documenting them in your System Security Plan (SSP), asset inventory, and network diagram, all in-scope assets will be assessed against all applicable Level 3 security requirements. Assessors may choose to perform a limited check on certain assets against Level 2 requirements as well. This can significantly increase the assessment scope and cost from Level 2 to Level 3.
At Level 3, in-scope assets fall into one of three categories defined in 32 CFR § 170.19(c)(1) as:

CUI Assets
For Level 3, CUI assets are assets that:
- process, store, or transmit Controlled Unclassified Information (CUI)
- or can access CUI, CDI, or Security Protection Data (SPD), but are not intended to and do not do so because of risk-managed policies and controls.
The latter are known as Contractor Risk Managed Assets (CRMAs) in CMMC Level 2 assessments and have different assessment requirements. While Level 2 contractors should prepare for CRMAs to be assessed against all Level 2 security requirements, they may not be assessed if they are properly documented in the SSP and risk-based security policies, procedures, and practices documentation. In other words, the DoD decided to assume some risk and lessen the assurance burden for these types of assets for Level 2.
However, the DoD did not assume this risk at Level 3 and categorizes any Level 2 CRMAs as CUI Assets at Level 3. As such, these assets are assessed against all Level 3 CMMC security requirements. The DCMA DIBCAC may also perform limited checks of Level 2 security requirements for these assets.
Security Protection Assets
For Level 3, Security Protection Assets (SPAs) are assets that are essential to protecting CUI assets and the CUI environment by securing the controls for CMMC but don’t necessarily touch CUI. The information that is generated by or used to configure these assets is called Security Protection Data (SPD) and also falls into this asset category.
Like CUI assets, SPAs are assessed against all Level 3 requirements and there may be limited checks of Level 2 security requirements.
Specialized Assets
For Level 3, Specialized Assets are assets that can (but may not) process, store, or transmit CUI and are difficult to secure using standard methods due to their nature. These include Internet of Things (IoT) devices, Operational Technology (OT), and Government Furnished Equipment (GFE), among other types.
Like CUI assets and SPAs, Specialized Assets are assessed against all Level 3 requirements and there may be limited checks of Level 2 security requirements.
Out-of-scope Assets
For Level 3, out-of-scope assets are assets that:
- cannot process, store, or transmit CUI and/or SPD
- do not provide security protections for CUI Assets
- are physically or logically separated from CUI assets
- do not fall into any of the asset categories above
CMMC Level 3 requirements
To achieve CMMC Level 3 certification, an organization seeking certification (OSC) must meet security, assessment, and affirmation requirements as well as requirements for subcontractors, cloud service providers (CSPs), and external service providers (ESPs). Let’s cover each of these below.
CMMC Level 3 security requirements
Since CMMC Level 2 certification is required for CMMC Level 3, Level 3 technically includes a total of 134 requirements, including the 110 requirements from NIST SP 800-171 Revision 2 and 24 requirements from NIST 800-172 focused on defending against APTs.
These additional 24 requirements include enhanced practices such as:
- Operating a 24/7 security operations center (IR.L3-3.6.1e)
- Deploying a cyber incident response team within 24 hours (IR.L3-3.6.2e)
- Conducting regular threat-informed risk assessments (RA.L3-3.11.1e)
- Performing cyber threat hunting (RA.L3-3.11.2e)
- Verifying software integrity using cryptographic signatures (SI.L3-3.14.1e)
For a full list of requirements and their assigned organization-defined parameters (ODPs), download our CMMC Level 3 Compliance Checklist.
CMMC Level 3 assessment requirements
To achieve CMMC Level 3, an organization must:
- Finalize Level 2: Hold a Final Level 2 (C3PAO) status for the exact same scope. This requires a perfect SPRS score of 110, so all Level 2 POA&M items must be closed.
- Submit a request to DIBCAC: Email the point of contact at www.dcma.mil/DIBCAC with your Level 2 assessment ID to request a Level 3 assessment from the DCMA DIBCAC.
- Undergo the DIBCAC assessment: This assessment will cover all 24 NIST 800-172 controls, as well as limited spot-checks of the 110 NIST 800-171 controls to verify continued conformity.
- Receive status: Receive a final or conditional status. Let’s dive into these two possible statuses below.
If all 24 Level 3 requirements are met, then the OSC will receive a Final Level 3 Status.
If at least 80% (20 of 24) of the Level 3 controls are met—and none of the 7 critical controls listed below are missing—the organization may receive Conditional Level 3 status. This will still make them eligible for contracts including Level 3 requirements but they must meet the following requirements specified in 32 CFR § 170.21:
1. Resolve any POA&M items within 180 days.
2. Their POA&M cannot include the following critical controls:
- IR.L3-3.6.1e Security Operations Center
- IR.L3-3.6.2e Cyber Incident Response Team
- RA.L3-3.11.1e Threat-Informed Risk Assessment
- RA.L3-3.11.6e Supply Chain Risk Response
- RA.L3-3.11.7e Supply Chain Risk Plan
- RA.L3-3.11.4e Security Solution Rationale
- SI.L3-3.14.3e Specialized Asset Security
Within 180 days, the DCMA DIBCAC will perform a POA&M closeout certification assessment to determine that all NOT MET requirements that were identified with a POA&M in the initial assessment have been met. If the POA&M is successfully closed, then they will issue a Final Level 3 Status. If not, the Conditional CMMC Status will expire.
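The Final/Conditional decision rule described above, as an added worked example that is not code from the original article or from Secureframe: it applies the 20-of-24 threshold, the seven 32 CFR § 170.21 critical controls, and the 180-day POA&M closeout window to a constructed set of assessment results. The full list of 24 requirement IDs is an assumption drawn from the CMMC Level 3 requirement set (the article itself names only nine of them), so verify it against the checklist; dates are passed as ISO strings.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# All 24 CMMC Level 3 requirement IDs (the NIST SP 800-172 subset). Assumed list:
# the article names only nine of them, so verify against the Level 3 checklist.
LEVEL3_REQUIREMENTS = (
    "AC.L3-3.1.2e", "AC.L3-3.1.3e", "AT.L3-3.2.1e", "AT.L3-3.2.2e",
    "CM.L3-3.4.1e", "CM.L3-3.4.2e", "CM.L3-3.4.3e", "IA.L3-3.5.1e", "IA.L3-3.5.3e",
    "IR.L3-3.6.1e", "IR.L3-3.6.2e", "PE.L3-3.10.1e", "PS.L3-3.9.2e",
    "RA.L3-3.11.1e", "RA.L3-3.11.2e", "RA.L3-3.11.3e", "RA.L3-3.11.4e",
    "RA.L3-3.11.5e", "RA.L3-3.11.6e", "RA.L3-3.11.7e", "SC.L3-3.13.4e",
    "SI.L3-3.14.1e", "SI.L3-3.14.3e", "SI.L3-3.14.6e",
)

# The seven requirements 32 CFR 170.21 does not allow on a Level 3 POA&M (from the article).
CRITICAL_CONTROLS = frozenset({
    "IR.L3-3.6.1e",   # Security Operations Center
    "IR.L3-3.6.2e",   # Cyber Incident Response Team
    "RA.L3-3.11.1e",  # Threat-Informed Risk Assessment
    "RA.L3-3.11.4e",  # Security Solution Rationale
    "RA.L3-3.11.6e",  # Supply Chain Risk Response
    "RA.L3-3.11.7e",  # Supply Chain Risk Plan
    "SI.L3-3.14.3e",  # Specialized Asset Security
})

MAX_SCORE = 24               # Level 3: every met requirement is worth 1 point
MIN_CONDITIONAL_SCORE = 20   # 80% of 24
POAM_CLOSEOUT_DAYS = 180


@dataclass
class Level3Outcome:
    status: str                      # "Final", "Conditional" or "Not achieved"
    score: int
    poam: List[str] = field(default_factory=list)      # NOT MET items left for the POA&M
    blocking: List[str] = field(default_factory=list)  # NOT MET critical controls
    closeout_deadline: Optional[date] = None


def build_results(not_met) -> Dict[str, bool]:
    """Constructed assessment results keyed by requirement ID: True = MET, False = NOT MET."""
    return {r: r not in set(not_met) for r in LEVEL3_REQUIREMENTS}


def determine_level3_status(results: Dict[str, bool], level2_sprs_score: int,
                            assessment_date: str) -> Level3Outcome:
    """Apply the Final/Conditional rule to one DIBCAC assessment (date as an ISO string)."""
    # Prerequisite: Final Level 2 status, which means a perfect SPRS score of 110.
    if level2_sprs_score != 110:
        raise ValueError("Final Level 2 (C3PAO) status with SPRS score 110 is required first")
    if set(results) != set(LEVEL3_REQUIREMENTS):
        raise ValueError("results must cover exactly the 24 Level 3 requirements")
    not_met = sorted(r for r, met in results.items() if not met)
    score = MAX_SCORE - len(not_met)
    blocking = [r for r in not_met if r in CRITICAL_CONTROLS]
    if score == MAX_SCORE:
        return Level3Outcome("Final", score)
    if score >= MIN_CONDITIONAL_SCORE and not blocking:
        deadline = date.fromisoformat(assessment_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
        return Level3Outcome("Conditional", score, poam=not_met, closeout_deadline=deadline)
    return Level3Outcome("Not achieved", score, poam=not_met, blocking=blocking)


def poam_closeout(outcome: Level3Outcome, closeout_results: Dict[str, bool],
                  closeout_date: str) -> str:
    """Closeout assessment: every POA&M item MET within 180 days gives Final status;
    otherwise the Conditional status expires."""
    if outcome.status != "Conditional":
        raise ValueError("a closeout assessment only applies to a Conditional status")
    if date.fromisoformat(closeout_date) > outcome.closeout_deadline:
        return "Expired"
    still_open = [r for r in outcome.poam if not closeout_results.get(r, False)]
    return "Final" if not still_open else "Expired"


if __name__ == "__main__":
    # Constructed sample: everything MET except cyber threat hunting (RA.L3-3.11.2e).
    outcome = determine_level3_status(build_results({"RA.L3-3.11.2e"}), 110, "2026-03-02")
    print(outcome.status, outcome.score, outcome.poam, outcome.closeout_deadline)
    print(poam_closeout(outcome, {"RA.L3-3.11.2e": True}, "2026-08-01"))
```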
CMMC Level 3 assessment requirements with use of CSPs and/or ESPs
Using external providers does not shift responsibility from Level 3 contractors, but it does reshape it. Here are the different requirements contractors must meet if using a CSP and/or ESP that is not a CSP:
CSP requirements
- If the contractor uses a CSP to handle CUI, that CSP must be FedRAMP Moderate authorized (or higher) or meet FedRAMP Moderate equivalency. If the CSP is not FedRAMP Authorized, the organization seeking Level 3 certification is responsible for determining if the CSP meets the requirements for FedRAMP Moderate equivalency and providing a body of evidence.
- The contractor must request a Customer Responsibility Matrix (CRM) from the CSP and submit it for the Level 3 assessment. The CRM must clearly delineate which party (the contractor or the CSP) is responsible for each of the 24 Level 3 requirements as well as the 110 from NIST 800-171 for CMMC Level 2. This must be documented in the contractor’s SSP as well.
ESP that is not a CSP requirements
- If using an ESP that’s not a CSP to handle CUI, the ESP’s services fall into the contractor’s Level 3 assessment scope and may be assessed against all Level 2 and Level 3 security requirements—unless the ESP voluntarily undergoes its own separate CMMC assessment.
- The contractor must request a CRM from the ESP and submit it for the Level 3 assessment. The CRM must clearly describe the contractor’s use of the ESP, its relationship to the OSC, and the services provided. This must be documented in the contractor’s SSP as well.
CMMC Level 3 affirmation requirements
Once the OSC has completed the assessment, they have to complete some additional steps to achieve and maintain their status:
- Provide self-affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172. They must do so annually or the assessment will lapse.
- Provide a separate affirmation of Level 2 compliance annually.
- Submit affirmations into Supplier Performance Risk System (SPRS) after achieving Conditional or Final Level 3 status.
CMMC Level 3 continuous compliance requirements
CMMC Level 3 compliance isn’t a one-time event. To maintain your CMMC status and contract eligibility, organizations must:
- Undergo a Level 3 assessment by DIBCAC every three years.
- Undergo a Level 2 certification assessment by C3PAO every three years.
- Self-affirm compliance with Level 2 and Level 3 requirements separately in SPRS every year.
Failure to complete any of the above may result in loss of CMMC Status—and not just at the three-year mark after a government assessment.
To help ensure contractors are maintaining L3 compliance, the DoD reserves the right to conduct a DCMA DIBCAC assessment of any contractor at any time. If the assessment shows that the contractor has failed to adhere to these requirements over time, those results will take precedence in the SPRS over pre-existing assessments to reflect that the contractor is not in compliance, and the contractor will no longer be eligible for any contract awards containing a Level 3 requirement.
CMMC Level 3 subcontractor requirements
If the OSC employs subcontractors to fulfill their contract containing Level 3 requirements, those subcontractors must have a minimum CMMC Status based on the type of data they handle:
- If FCI only, then a Level 1 self-assessment is the minimum requirement for the subcontractor.
- If CUI, then Level 2 certification assessment is the minimum requirement.
Notice that the minimum flowdown requirement is Level 2 certification. That’s because the DoD has made a risk-based decision not to mandate the flow down of Level 3 requirements to subcontractors unless explicit guidance is provided to do so.
CMMC level 3 checklist
Preparing for a CMMC Level 3 assessment is rigorous. It requires you to have met all 110 requirements from NIST 800-171, to have completed a Level 2 certification assessment, and to meet the enhanced requirements selected from NIST SP 800-172.
To support organizations in this complex process, we’ve created a downloadable checklist that outlines each of the 24 CMMC Level 3 requirements in detail. Each requirement in the checklist includes DoD-mandated values for any applicable organization-defined parameters.
Whether you’re kicking off a gap analysis, finalizing documentation in your SSP, or ready to request a DIBCAC assessment, this checklist offers a structured way to verify alignment with all CMMC Level 3 requirements.
When will CMMC Level 3 be enforced?
With the Final Rule published in the Code of Federal Regulations (CFR) and the companion 48 CFR Part 204 CMMC Acquisition rule expected to go into effect any day now, the DoD will soon begin a phased rollout of CMMC requirements into contracts.
Once the 48 CFR final rule goes into effect, the DoD’s phased implementation plan as described in 32 CFR § 170.3(e)(3) will begin. This is expected to happen by Q4 2025, so the estimated timeline is as follows:
- Phase 1 (2025): Level 1 and Level 2 self-assessment requirements in applicable contracts. DoD may include Level 2 C3PAO assessment requirements in contracts at its discretion.
- Phase 2 (2026): Level 2 C3PAO certifications requirements in applicable contracts. DoD may include Level 3 DIBCAC assessment requirements in contracts at its discretion.
- Phase 3 (2027): Level 2 and 3 third-party certification requirements in applicable contracts.
- Phase 4 (2028): Full implementation of CMMC requirements in all DoD contracts.
While Phase 3 is expected to begin in 2027, that doesn’t mean contractors can wait if they think their contracts will include Level 3 requirements. In fact, the whole point of the phased rollout is to provide all contractors — but especially Level 3 contractors — with enough time to understand and implement CMMC requirements by the time contracts include them.
Here are the main reasons L3 contractors should get ready as soon as possible:
- They have to achieve Level 2 third-party certification first, which will take time.
- Whereas CMMC Level 1 and Level 2 security requirements are based on FAR and DFARS rules that have been in effect for years, Level 3 security requirements are new. Since they are based on a subset of NIST 800-172 requirements that are not currently mandated by other regulations, it will take Level 3 contractors time to implement these controls.
- Only one DIBCAC exists to perform assessments, so early applicants may benefit from shorter queues.
- Contractors that secure Level 3 ahead of the mandate can bid on high-value, APT-focused programs sooner and have a significant advantage over non-compliant competitors.
- The DoD may include Level 3 requirements in solicitations and contracts as soon as Phase 2.
CMMC Level 3 cost
Because Level 3 certification contains the most stringent requirements, including already completing a Level 2 C3PAO certification, it is also the most costly to obtain, according to DoD estimates.
Below are the DoD’s cost estimates for a small and a large entity. They do not include the cost of the required Level 2 certification assessment by a C3PAO, which must be completed before a Level 3 assessment can begin.
Cost category | Description | Estimated cost for small entity | Estimated cost for large entity |
---|---|---|---|
Nonrecurring engineering (NRE) | One-time costs for implementing CMMC Level 3 security controls (hardware, software, labor) | $2,700,000 | $21,100,000 |
Recurring engineering (RE) | Annual maintenance and technology refresh costs to maintain Level 3 controls | $490,000 | $4,120,000 |
Assessment and affirmation | Triennial cost for preparing for and participating in the DIBCAC-led assessment, remediating any POA&M items, and affirming compliance in SPRS | $12,802 ($9,050 initial assessment and affirmation + $1,876 per annual affirmation) | $44,445 ($39,021 initial assessment and affirmation + $2,712 per annual affirmation) |
The DoD acknowledges that the cost of achieving Level 3 certification is high, but notes that it reflects the critical national security importance of the programs that require this level of protection. The substantial cost is part of the reason that the DoD warns Program Managers against overusing the Level 3 contract requirement and estimates that only about 1% of defense contractors will require such an assessment. By restricting the requirement to a small percentage of the Defense Industrial Base, the DoD aims to balance risk with cost and implementation burden.
The high cost of Level 3 makes sense given that Levels 1 and 2 are designed to verify compliance with security requirements that have already been mandated by FAR clause 52.204-21 and DFARS clause 252.204-7012, respectively. Since Levels 1 and 2 assume baseline cybersecurity capabilities have already been implemented, cost estimates are based on completing assessment, reporting, and affirmation activities to verify implementation of existing security requirements — not to implement and maintain them.
Because Level 3 introduces new requirements from NIST SP 800-172, the cost estimates for Level 3 certification include assessment, reporting, and affirmation activities like the other levels but also the cost of implementing Level 3 security requirements, maintaining implementation of these requirements, and/or remediating a plan of action for any unimplemented requirements.
Why choose Secureframe to simplify CMMC Level 3 Compliance
Achieving and maintaining CMMC Level 3 is a significant undertaking. Secureframe simplifies the process with:
- Out-of-the-box framework support: Secureframe supports all levels of CMMC out of the box so you know exactly what the requirements are and which controls and tests you can implement to meet them.
- Expert CMMC support: Get guided support from former federal auditors and compliance experts to help you meet all controls and assessment objectives for CMMC Levels 2 and 3.
- Automated evidence collection: Integrates with your tech stack, including AWS GovCloud, Azure Government, Microsoft GCC High, Intune GCC High, and other federal environments, to collect and organize the documentation needed for a C3PAO assessment.
- Simplified SSP and POA&M management: Generate your SSP, POA&M, and SPRS score and simplify control documentation.
- AI-powered remediation: When tests fail, Comply AI for Remediation generates recommended fixes as infrastructure-as-code so your team can quickly patch issues.
- AI Evidence Validation: This AI feature helps compliance teams verify documentation accuracy before CMMC assessments begin, reducing findings and exceptions while accelerating time to compliance.
- Continuous monitoring: Proactively identify and remediate security misconfigurations, gaps, and failing controls across your environment.
- Multi-framework mapping: Accelerate compliance with related frameworks like NIST 800-53, FedRAMP, GovRAMP, CJIS, and many more by automatically mapping your CMMC controls to shared requirements.
- In-platform training: Deliver security awareness, insider threat, and role-based training that meets CMMC Level 2 and 3 expectations and is always up-to-date.
Schedule a demo to see how Secureframe can accelerate your CMMC Level 3 readiness.
FAQs
What is CMMC Level 3?
CMMC Level 3 is the highest tier in the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework. It’s designed to protect Controlled Unclassified Information (CUI) that requires enhanced safeguards against advanced persistent threats (APTs). Level 3 applies to a small percentage of contractors working on the DoD’s most critical programs—such as those involving breakthrough technologies, aggregated CUI environments, or systems where compromise could result in widespread national security vulnerabilities.
How is CMMC Level 3 different from Level 2?
CMMC Level 3 builds on the foundation of Level 2 with additional requirements, stricter assessment protocols, and changes to how asset categories are evaluated. Here are the key differences:
- Eligibility: While there is no prerequisite to a Level 2 assessment, you must achieve Final Level 2 (C3PAO) certification before pursuing Level 3. Dual assessments or skipping directly to Level 3 is not allowed.
- Security requirements: Level 2 includes 110 requirements from NIST SP 800-171. Level 3 adds 24 enhanced requirements from NIST SP 800-172.
- Defined ODPs: Level 3 specifies DoD values for organization-defined parameters (ODPs), reducing flexibility but ensuring uniform security expectations across DoD programs. Level 2 does not have DoD-assigned ODPs.
- Assessment authority: Level 2 assessments are conducted by certified third-party organizations (C3PAOs); Level 3 assessments are conducted by the DoD’s DCMA DIBCAC team.
- Scoring model: Level 2 uses weighted scoring (1, 3, or 5 points per met requirement), whereas Level 3 assigns 1 point for each met requirement.
- Asset scope: At Level 2, there are four asset categories and only two must be assessed against all requirements as long as the other two are properly documented and risk managed. At Level 3, all in-scope asset categories must be assessed against all Level 3 requirements and may be spot checked against Level 2 requirements, which significantly increases scope.
How many requirements are in CMMC Level 3?
There are 134 total: 110 from NIST SP 800-171 and 24 from NIST SP 800-172.
Are there any CMMC Level 3 certified companies?
As of now, no organizations have achieved CMMC Level 3 certification. The DoD estimates that by year 1 of the phased rollout, 4 entities will be Level 3 certified and that seven years after the rollout begins, the total number of Level 3 certified entities will be 1,487.
How much will a CMMC Level 3 certification assessment cost?
According to DoD estimates, a Level 3 certification assessment will cost small entities $12,802 every three years and large entities $44,444. These estimated totals include planning and preparing for the assessment, conducting the assessment, reporting the results, annual affirmations, and remediating any POA&M items. And this is on top of the estimated cost of a triennial Level 2 certification assessment, $104,670 for small entities and $117,768 for large entities.