CMMC Level 3

Expert

CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas.

Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs) and is designed for companies working with CUI on DoD’s highest priority programs. The Department of Defense (DoD) is still determining the specific security requirements for Level 3, but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

CMMC Level 3 Requirements

Requirements are still being determined by the Cyber AB.

CMMC Level 3 Practices

Level 3 is currently aligned with the practices set forth in NIST SP 800-172.

Evolving

Level 3 will incorporate a subset of NIST SP 800-172 requirements, although the full scope is still under development.

Highest Priority Programs

Applies to companies that handle CUI for DoD programs with the highest priority.

Government-Led Assessment

Tri-annual government-led assessments required.