CMMC consists of three (3) levels ranging from Foundational to Expert. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas. While most defense contractors will need to reach compliance for CMMC 2.0 Level 2, those that handle the most sensitive information will need to achieve the top tier of the CMMC model, Level 3 (Expert).

CMMC 2.0 Level 3 (Expert) is focused on reducing a system’s vulnerability to Advanced Persistent Threats (APTs) by requiring an organization to establish, maintain and resource a plan to manage the activities needed to implement its cyber security practices.

Level 3 (Expert) is designed for companies working with CUI on DoD’s highest priority programs. The Department of Defense (DoD) is still determining the specific security requirements for CMMC Level 3, but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

Talk to an Expert


CMMC Level 3 Practices

CMMC Level 3 is currently aligned with the practices set forth in NIST SP 800-172.

medal icon


CMMC Level 3 will incorporate a subset of NIST SP 800-172 requirements, although the full scope is still under development.

consultant icon

Highest Priority Programs

Applies to companies that handle CUI for DoD programs with the highest priority.

Government-Lead Assessment

Tri-annual government-led assessments required.

CMMC Level 3 Requirements

CMMC 2.0 Level 3 (Expert) focuses on the effectiveness of controls around protecting CUI from Advanced Persistent Threats (APT). This level is designed for companies working with CUI on DoD’s highest priority programs. Requirements are still being determined by the Cyber AB, the Department of Defense has indicated that Level 3 will be based on all 110 controls from NIST SP 800-171 plus a subset from NIST SP 800-172 controls.

CMMC Level 3 differs from the previous two levels is that it requires organizations to review and measure their controls over time to determine their effectiveness and take corrective action where necessary and inform organizationally defined personnel regularly. This plan may include goals, missions, projects, resourcing, training, and the participation of organization stakeholders.

The cybersecurity practices at Level 3 meet high standards for cyber hygiene and prioritize safeguarding Controlled Unclassified Information (CUI). Furthermore, they encompass the full spectrum of security requirements outlined in NIST SP 800-171, along with the additional 20 practices introduced in CMMC Level 2.

It’s worth noting that DFARS clause 252.204-7012 remains applicable, introducing further demands that go beyond NIST SP 800-171, particularly concerning the reporting of security incidents.

CMMC 2.0 Level 3 is tailored for companies entrusted with managing CUI within Department of Defense (DoD) programs of utmost importance. While it shares similarities with CMMC 1.02 Level 5, it’s essential to acknowledge that the specific security requirements for this level are still being developed by the DoD.

Nevertheless, it has been communicated that the CMMC Level 3 requirements will be rooted in NIST SP 800-171’s 110 controls, supplemented by a selection of controls from NIST SP 800-172.