CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas.

Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs) and is designed for companies working with CUI on DoD’s highest priority programs. The Department of Defense (DoD) is still determining the specific security requirements for Level 3, but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

CMMC Level 3 Requirements

Level 3 (Expert) focuses on the effectiveness of controls around protecting CUI from Advanced Persistent Threats (APT).  This level is designed for companies working with CUI on DoD’s highest priority programs.  Requirements are still being determined by the Cyber AB, the Department of Defense has indicated that Level 3 will be based on all 110 controls from NIST SP 800-171 plus a subset from NIST SP 800-172 controls.

Level 3 differs from the previous two levels is that it requires organizations to review and measure their controls over time to determine their effectiveness and take corrective action where necessary and inform organizationally defined personnel regularly.  This plan may include goals, missions, projects, resourcing, training, and the participation of organization stakeholders.

CMMC Level 3 Practices

Level 3 is currently aligned with the practices set forth in NIST SP 800-172.

medal icon


Level 3 will incorporate a subset of NIST SP 800-172 requirements, although the full scope is still under development.

consultant icon

Highest Priority Programs

Applies to companies that handle CUI for DoD programs with the highest priority.

Government-Lead Assessment

Tri-annual government-led assessments required.