CMMC Level 3 Requirements

If your organization contracts with the U.S. military, or plans to compete for these high-value contracts, you must achieve CMMC Level 3 compliance. This is the highest level of the Cybersecurity Maturity Model Certification, designed for organizations that handle large amounts of Controlled Unclassified Information (CUI).

Achieving CMMC Level 3 compliance ensures your organization meets strict cybersecurity standards required by the Department of Defense. It starts with understanding which requirements apply to your operations and how to implement them effectively.

Ready to secure your CMMC Level 3 compliance? Schedule a consultation today and get expert guidance to streamline your path to certification.

 

Achieving CMMC Level 3 Certification

Organizations that partner with the Department of Defense (DoD) handle large amounts of highly sensitive information. To win and maintain DoD contracts, your organization must achieve CMMC Level 3 compliance, demonstrating that your cybersecurity practices meet the highest standards.

The CMMC program was created to streamline how contractors prove their cybersecurity readiness. Level 3 certification provides the highest assurance that your organization can protect Controlled Unclassified Information (CUI) and other critical data.

To achieve CMMC Level 3 compliance, you need to understand:

• Which CMMC level applies to your specific contract and the scope of your responsibilities.
• What Level 3 controls must be implemented, including prerequisites from Levels 1 and 2.
• How to prepare for assessments that confirm your organization meets all Level 3 requirements.

Partnering with a dedicated compliance advisory firm can simplify the process. Experts will help implement controls, prepare for certified assessments, and position your organization to secure lucrative DoD contracts faster.

 

CMMC Level 3 Scoping and Applicability

The CMMC framework is a tiered cybersecurity standard designed to protect sensitive DoD information. Instead of a single set of requirements for all contractors, CMMC has three distinct levels, each tailored to different use cases. Determining which level applies depends on:

• The type of data your organization processes.
• The risk environment in which the data is handled.
• Specific requirements outlined in DoD contracts.
  

CMMC protects two types of information:

1. Federal Contract Information (FCI): Less sensitive, more widespread data, typically requiring CMMC Level 1 compliance.
2. Controlled Unclassified Information (CUI): Highly sensitive data that requires enhanced security, often mandating CMMC Level 2 or Level 3 compliance, depending on volume and risk.

Organizations handling large quantities of CUI in environments vulnerable to Advanced Persistent Threats (APTs) generally require CMMC Level 3 compliance. Eligibility for Level 3 certification is determined by the contracting DoD entity.

Additionally:

• Contractors with Level 1 obligations may need to upgrade to Level 2 if the scope of CUI processing increases.
• Level 2 contractors may need to prepare for Level 3 compliance for future work.
• Any infrastructure interacting with FCI or CUI falls within the scope for CMMC implementation and assessment.
  

Achieving CMMC Level 3 compliance ensures your organization meets the highest DoD cybersecurity standards and is prepared for rigorous audits and assessments

 

CMMC Level 3 Control Requirements

Achieving CMMC Level 3 compliance requires implementing all controls from Levels 1 and 2, plus an additional 24 unique controls specific to Level 3. The implementation follows a stepwise workflow:

1. Install all Level 1 controls.
2. Implement all Level 2 controls.
3. Complete the 24 Level 3-specific controls.

The CMMC framework is based on the National Institute of Standards and Technology (NIST) best practices. Specifically:

• NIST SP 800-171 defines 110 controls to protect Controlled Unclassified Information (CUI) in non-governmental systems.
• These controls cover both Federal Contract Information (FCI) and CUI needs at Levels 1 and 2.
• NIST SP 800-172 adds 24 enhanced controls for Level 3, focusing on the most critical protections required in high-risk environments.

In total, organizations pursuing CMMC Level 3 certification must implement and assess 134 cybersecurity controls. The combination of NIST SP 800-171 and SP 800-172 ensures comprehensive protection of sensitive DoD data.

Below, we provide an overview of the control groups (or “Families” in NIST terminology) and highlight the prerequisites from Levels 1 and 2 before detailing each Level 3 control

 

CMMC Levels 1 and 2 Prerequisites

Before achieving CMMC Level 3 compliance, organizations must first implement the controls required at Levels 1 and 2. These controls establish a solid cybersecurity foundation for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Here’s an overview of each control family and the number of requirements at Levels 1 and 2:

• Access Control (AC): Governs access to FCI and CUI
  • Level 1: 4 Requirements
  • Level 2: 22 Requirements
• Awareness and Training (AT): Staff security awareness training
  • Level 2: 3 Requirements
• Audit and Accountability (AU): Regular system-wide auditing
  • Level 2: 9 Requirements
• Configuration Management (CM): Baseline and advanced settings across assets
  • Level 2: 9 Requirements
• Identification and Authentication (IA): User account management
  • Level 1: 2 Requirements
  • Level 2: 11 Requirements
• Incident Response (IR): Responding to and recovering from incidents
  • Level 2: 3 Requirements
• Maintenance (MA): Hardware, software, and network updates
  • Level 2: 6 Requirements
• Media Protection (MP): Safe asset management and disposal
  • Level 1: 1 Requirement
  • Level 2: 9 Requirements
• Personnel Security (PS): Recruitment, onboarding, and offboarding
  • Level 2: 2 Requirements
• Physical Protection (PE): Physical assets and spaces
  • Level 1: 2 Requirements
  • Level 2: 6 Requirements
• Risk Assessment (RA): Regular assessment of the risk environment
  • Level 2: 3 Requirements
• Security Assessment (CA): Efficacy of security systems
  • Level 2: 4 Requirements
• System and Communications Protection (SC): Safeguards for communication
  • Level 1: 2 Requirements
  • Level 2: 16 Requirements
• System and Information Integrity (SI): Communication and data integrity
  • Level 1: 4 Requirements
  • Level 2: 7 Requirements

These 110 controls from NIST SP 800-171 form the baseline for FCI and CUI protection and are essential prerequisites for achieving CMMC Level 3 compliance. Some situations may require additional safeguards at Level 3 to handle higher-risk environments and advanced threats.

 

CMMC Level 3 Control Implementation

Once all Level 1 and 2 controls are in place, organizations must implement Level 3 controls adapted from NIST SP 800-171 to achieve CMMC Level 3 compliance. These controls cover multiple domains and are designed to protect high-risk Controlled Unclassified Information (CUI).

Level 3 Controls by Domain:

• Access Control (AC) – 2 Controls:

  • AC.L3-3.1.2e: Organizational control over assets

  • AC.L3-3.1.3e: Secure transfer of information

• Awareness and Training (AT) – 2 Controls:

  • AT.L3-3.2.1e: Advanced threat awareness training

  • AT.L3-3.2.2e: Practical security training exercises

• Configuration Management (CM) – 3 Controls:

  • CM.L3-3.4.1e: Authoritative security repository

  • CM.L3-3.4.2e: Automated detection & remediation

  • CM.L3-3.4.3e: Automated configuration inventory

• Identification and Authentication (IA) – 2 Controls:

  • IA.L3-3.5.1e: Bidirectional authentication controls

  • IA.L3-3.5.3e: Blockage of untrusted assets

• Incident Response (IR) – 2 Controls:

  • IR.L3-3.6.1e: Security operations center

  • IR.L3-3.6.2e: Cyber incident response team

• Personnel Security (PS) – 1 Control:

  • PS.L3-3.9.2e: Adverse information management

• Risk Assessment (RA) – 7 Controls:

  • RA.L3-3.11.1e to RA.L3-3.11.7e: Threat-informed risk assessments, threat hunting, supply chain risk planning, and solution evaluation

• Security Assessment (CA) – 1 Control:

  • CA.L3-3.12.1e: Penetration testing program

• System and Communications Protection (SC) – 1 Control:

  • SC.L3-3.13.4e: Physical or logical isolation

• System and Information Integrity (SI) – 3 Controls:

  • SI.L3-3.14.1e: Verification of integrity

  • SI.L3-3.14.3e: Specialized asset security

  • SI.L3-3.14.6e: Threat-guided intrusion detection

In total, implementing all 134 Level 1–3 controls ensures your organization meets the technical requirements for CMMC Level 3 compliance.

CMMC Level 3 Assessment Requirements

Achieving compliance also requires formal assessments:

• Level 1: Organizations can self-assess and submit results to the Supplier Performance Risk System (SPRS).

• Level 2: Some low-risk CUI organizations may self-assess, but most must work with a Certified Third Party Assessment Organization (C3PAO).

• Level 3: Organizations must first complete a full C3PAO assessment for Level 2. Then, they undergo a government-led assessment through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to validate Level 3 controls.

This stepwise audit process ensures that organizations not only implement all required controls but are also formally verified for CMMC Level 3 compliance.

 

Streamline Your CMMC Level 3 Certification

For organizations new to DoD cybersecurity compliance, moving from “What is CMMC?” to a successful assessment can feel overwhelming. Whether it’s a self-assessment for Level 1, a C3PAO assessment for Level 2, or a DIBCAC assessment for Level 3, the process requires careful planning and execution.

Even organizations familiar with earlier versions of the framework or NIST guidelines may find achieving CMMC Level 3 compliance for the first time a significant milestone. That’s why expert guidance is crucial, it helps you scope, implement, and prepare for assessments efficiently and sustainably.

At RSI Security, we have helped countless organizations achieve CMMC compliance. As a certified C3PAO, we partner with internal teams to identify and overcome compliance challenges, both short- and long-term. Our disciplined approach ensures your organization is prepared not just for certification, but for secure, scalable operations in the future.

Get a clear roadmap to CMMC Level 3 compliance. Download our checklist today and prepare for certification with confidence.

Download Our CMMC Checklist