
A Guide to CMMC Level 3 Requirements


As of December 2024, the CMMC Program rule (32 CFR Part 170) is in effect, giving the United States Department of Defense (DOD) the authority to require that contractors meet Cybersecurity Maturity Model Certification (CMMC) standards. Obtaining certification to verify adherence to these standards helps protect defense industrial base (DIB) companies, other supply chain partners, the DOD, and the people of the United States from cybersecurity threats.

The DOD recognizes three levels of CMMC certification, with Level 3 demonstrating the highest level of cybersecurity. This guide explains what this expert-level certification entails and how to achieve it.

CMMC Level 1 vs. Level 2 vs. Level 3

The CMMC 2.0 Program’s three levels differ in the stringency of their requirements and, as a result, in which solicitations a contractor may bid on. DOD solicitations specify which level a contractor must have achieved to be eligible for that contract.

What Is CMMC Level 1?

Level 1 requires a contractor to self-assess each year and affirm compliance with the 15 basic safeguarding requirements in FAR clause 52.204-21. These include:

  • Limiting access to authorized users.
  • Authenticating user identities to confirm their authorization before granting access.
  • Performing regular system scans and malicious code protection system updates.

Complying with these standards helps protect sensitive Federal Contract Information (FCI) not intended for public knowledge.

What Is CMMC Level 2?

Level 2 requires the contractor to meet the 110 security requirements of NIST SP 800-171. Note that the CMMC rule currently designates Revision 2 of that publication, and DOD has issued a class deviation so that Revision 3 does not apply to CMMC until the rule is updated; plan and assess against the revision the rule names, not the latest NIST publication. Level 2 comes in two forms, Level 2 (Self) and Level 2 (C3PAO). In both, the assessment (a self-assessment or one performed by a Certified Third-Party Assessor Organization, or C3PAO) is renewed every three years, and the contractor affirms continued compliance annually. Each request for proposal (RFP) will state which form it requires.

Level 2’s standards include:

  • Only allowing people the minimum level of authorization necessary to complete assigned tasks.
  • Developing a supply chain risk management plan (a Revision 3 addition) to proactively address cybersecurity weaknesses arising from supply chain partners’ systems.
  • Applying systems security engineering principles to developments or updates of information systems and their components.
  • And many more.

Meeting these requirements demonstrates a broad ability to protect Controlled Unclassified Information (CUI) beyond FCI.

What Is CMMC Level 3?

As the highest CMMC level, Level 3 makes a contractor eligible for DOD contracts requiring the most robust cybersecurity measures. Attaining Level 3 first requires Final Level 2 (C3PAO) status for the same assessment scope, as well as the following:

  • Meeting the 24 enhanced requirements from NIST SP 800-172 that the CMMC rule selects for Level 3, on top of the NIST SP 800-171 baseline, and affirming continued compliance each year.
  • Passing a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment every three years.

A Level 3 CMMC status shows the contractor can keep CUI secure even against advanced persistent threats (APTs).

CMMC Level 3 Requirements

Level 3 introduces “multidimensional, defense-in-depth” strategies that include:

  • Penetration-resistant architecture.
  • Damage-limiting operations.
  • Cyber resiliency.

NIST SP 800-172 implements these strategies as enhanced requirements that add to or expand the controls in ten of the NIST SP 800-171 requirement “families”:

  • Access Control.
  • Awareness and Training.
  • Configuration Management.
  • Identification and Authentication.
  • Incident Response.
  • Personnel Security.
  • Risk Assessment.
  • Security Assessment.
  • System and Communications Protection.
  • System and Information Integrity.

A small sampling of the distinctive NIST SP 800-172 enhanced requirements that build on and expand NIST SP 800-171 controls follows. The CMMC rule adopts 24 of the 800-172 requirements for Level 3, so check the rule’s Level 3 table before scoping work against any single requirement:


  • Access control: Dual (two-person) authorization for privileged commands and other organization-defined actions.
  • Awareness and training: Training on the advanced persistent threat and the cyber threat environment, including how to recognize suspicious communications and anomalous behavior in systems.
  • Configuration management: Implement automated mechanisms for maintaining the currency, completeness, accuracy, and availability of the inventory of current and baseline system components.
  • Identification and authentication: Bidirectional cryptographic authentication.
  • Incident response: Establish a 24/7 security operations center and a cyber-incident response team deployable within 24 hours.
  • Risk assessment: Employ threat intelligence and ongoing threat hunting to detect, track, and disrupt any threats that get past existing controls. At least annually and after any relevant cybersecurity incidents or intelligence findings, assess the effectiveness of current security controls to address anticipated risks.

Who Needs CMMC Level 3 Certification?

Any entity aiming to win a contract with the DOD must have CMMC status at the level required for that contract. The required level depends on the services the DOD is soliciting in a given RFP. The more sensitive the information a contractor must handle to render the solicited services, the higher the CMMC level the DOD will require. Contractors needing Level 3 will typically be those whose CUI is a likely target of advanced persistent threat (APT) actors.

Since the CMMC Program’s first phase is only beginning to roll out, RFPs are not yet mandating Level 3 for contract eligibility. RFPs may begin requiring Level 3 when phase 3 begins in 2027, 24 months after phase 1 implementation. Achieving Level 3 could take many months of work and assessments, so contractors wanting to maximize their eligibility for these contracts should consider pursuing compliance now.

How to Achieve CMMC 2.0 Level 3

Organizations pursuing CMMC Level 3 certification should proceed through four steps:

  1. Implement all requirements of NIST SP 800-171 at the revision the CMMC rule designates.
  2. Achieve Final Level 2 (C3PAO) status by passing a C3PAO assessment.
  3. Implement the 24 NIST SP 800-172 enhanced requirements selected in the CMMC rule for Level 3.
  4. Obtain Level 3 status by passing the DIBCAC assessment.

Why Trust Us for CMMC Compliance?

Business Transformation Institute, Inc. is a CMMC compliance consultancy and C3PAO. We have an experienced team of compliance experts proficient in engineering, managing, and improving information systems to comply with CMMC standards. Among our team members are participants in the original working group that developed the CMMC.

In our CMMC consulting experience, we have assisted organizations with the strategic planning and practical implementation necessary to achieve compliance. As an authorized C3PAO, we have conducted Level 2 assessments to evaluate cybersecurity compliance and award certification. We are also a Licensed Training Provider for CMMC Professional and Assessor courses. This combination of experience with the CMMC standards from development, consulting, assessment, and training angles positions us as leading CMMC compliance experts.


Achieve CMMC Compliance With BTI 

CMMC compliance helps keep your organization safe from cybersecurity threats while making you eligible for high-value DOD contracts. However, achieving it requires strict adherence to dozens of controls, making it challenging to develop a viable compliance plan, let alone implement one to earn certification. If your organization is interested in Level 2 or 3 CMMC certification, BTI is your partner in attaining contract-ready compliance.

Our expert CMMC compliance consultants will meet you where you are and guide you along the path to certification. We have experience helping to develop the CMMC and supporting organizations of all sizes through cybersecurity implementation to final certification. Our consultants are also C3PAO assessors, giving them a superior grasp of what CMMC success looks like in action. This also means we can conduct the Level 2 assessment if your organization aims for Level 2 certification, subject to the CMMC rule’s conflict-of-interest provisions, which bar a C3PAO from assessing an organization it has advised on the same scope. Whether your final goal is Level 2 or Level 3 status, BTI can help your organization get there.

Contact us today to discuss your compliance goals so your organization can secure DOD contracts with confidence.
