As of December 2024, the United States Department of Defense (DOD) has authorization to require that contractors meet Cybersecurity Maturity Model Certification (CMMC) standards. Obtaining certification to verify adherence to these standards helps keep defense industrial base (DIB) companies, other supply chain partners, the DOD, and the people of the United States safe from cybersecurity threats.
The DOD recognizes three levels of CMMC certification, with Level 3 demonstrating the highest level of cybersecurity. This guide explains what this expert-level certification entails and how to achieve it.
The CMMC 2.0 Program’s three levels differ in the stringency of their requirements and, as a result, in which solicitations a contractor may bid on. DOD solicitations may specify which level a contractor must have achieved to be eligible for that contract.
Level 1 requires a contractor to self-assess and affirm their compliance with the security standards in FAR clause 52.204-21 each year. These standards include:
Complying with these standards helps protect sensitive Federal Contract Information (FCI) not intended for public knowledge.
Level 2 requires the contractor to verify and affirm their adherence to the security standards in NIST SP 800-171 Revision 3 each year. There are two versions of Level 2 — Final Level 2 (Self) or Final Level 2 (Certified Third-Party Assessor Organization, or C3PAO). Each request for proposal (RFP) will state what level it requires.
Level 2’s standards include:
Meeting these requirements demonstrates a broad ability to protect Controlled Unclassified Information (CUI) beyond FCI.
As the highest CMMC level, Level 3 makes a contractor eligible for DOD contracts requiring the most robust cybersecurity measures. Attaining Level 3 demands first achieving Level 2 as well as the following:
A Level 3 CMMC status shows the contractor can keep CUI secure against even advanced and persistent cybersecurity threats.
Level 3 introduces “multidimensional, defense-in-depth” strategies that include:
These three strategies affect the following NIST SP 800-171 Rev 3 requirement “families” by adding new requirements or expanding existing ones:
A small sampling of distinctive CMMC Level 3 controls outlined in NIST SP 800-172, which build on and expand the NIST SP 800-171 controls, includes:
Any entity aiming to win a contract with the DOD must have CMMC certification at the required level for that contract. The required level depends on the services the DOD is soliciting in a given RFP. The more sensitive the information a contractor must handle to render the solicited services, the higher the CMMC level the DOD will require them to have. Contractors needing Level 3 will typically be those who face Advanced Persistent Threat (APT) entities.
Since the CMMC Program’s first phase is only beginning to roll out, RFPs are not yet mandating Level 3 certification for contract eligibility. RFPs may begin enforcing Level 3 compliance when phase 3 begins in 2027 — 24 months after phase 1 implementation. Achieving full Level 3 certification could take many months of work and assessments, so contractors wanting to maximize their eligibility for these contracts should consider pursuing compliance now.
Organizations pursuing CMMC Level 3 certification should proceed through four steps:
Business Transformation Institute, Inc. is a CMMC compliance consultancy and C3PAO. We have an experienced team of compliance experts proficient in engineering, managing, and improving information systems to comply with CMMC standards. Among our team members are participants in the original working group that developed the CMMC.
In our CMMC consulting experience, we have assisted organizations with the strategic planning and practical implementation necessary to achieve compliance. As an authorized C3PAO, we have conducted Level 2 assessments to evaluate cybersecurity compliance and award certification. We are also a Licensed Training Provider for CMMC Professional and Assessor courses. This combination of experience with the CMMC standards from development, consulting, assessment, and training angles positions us as leading CMMC compliance experts.
CMMC compliance helps keep your organization safe from cybersecurity threats while making you eligible for high-value DOD contracts. However, achieving it requires strict adherence to dozens of controls, making it challenging to develop a viable compliance plan, let alone implement one to earn certification. If your organization is interested in Level 2 or 3 CMMC certification, BTI is your partner in attaining contract-ready compliance.
Our expert CMMC compliance consultants will meet you where you are and guide you along the path to certification. We have experience helping to develop the CMMC and supporting organizations of all sizes through cybersecurity implementation to final certification. Our consultants are also C3PAO assessors, giving them a superior grasp of what CMMC success looks like in action. This also means we can conduct the Level 2 assessment if your organization aims for Level 2 certification. Whether your final goal is Level 2 or Level 3 status, BTI can help your organization get there.
Contact us today to discuss your compliance goals so your organization can secure DOD contracts with confidence.