If your organization is currently contracting with the US military or plans to compete for these lucrative contracts in the future, you’ll need to achieve CMMC compliance—possibly up to Level 3, depending on the nature of your work. Getting there starts with knowing the requirements.
Achieving CMMC Level 3 Certification
Organizations that partner with the Department of Defense (DoD) process large amounts of highly sensitive information. For this reason, they need to assure the DoD entities they contract with that they follow cybersecurity best practices. The DoD has recently finalized the Cybersecurity Maturity Model Certification (CMMC) program, which aims to streamline how that assurance is provided.
The highest level of assurance CMMC can provide is Level 3. Achieving this requires knowing:
- Which CMMC level is required for a given contract, and what’s in scope
- What controls need to be installed for Level 3 (and their prerequisites)
- How to conduct an assessment to lock in long-term Level 3 certification
Working with a dedicated compliance advisory partner will help you implement the controls you need and prepare for certified assessments, getting you into a lucrative DoD contract ASAP.
CMMC Level 3 Scoping and Applicability
CMMC is a tiered security framework. Rather than requiring a single set of controls for all entities that are CMMC compliant, there are three distinct Levels for different use cases. The framework is designed to protect two distinct kinds of critical information. Which of these data types an organization deals in, and the risk environment in which it does, will determine what CMMC Level is needed. Additionally, DoD contracts typically specify what Level is required.
The two types of information CMMC protects are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Both types of data are critical to military and/or government operations. However, FCI tends to be more widespread and slightly less critical, which corresponds to CMMC Level 1. CMMC Level 2 is required for any organization that processes CUI, with some subtle distinctions in assessment requirements for the kinds of CUI (see below). CMMC Level 3 is for large quantities of CUI within heightened risk environments.
In particular, organizations that process CUI in an environment in which it’s subject to Advanced Persistent Threats (APTs) will typically require Level 3 certification. Determination of APT and Level 3 eligibility is up to the discretion of the DoD entity with whom a contractor is working.
Organizations with contracts requiring Level 1 compliance may need to step up to Level 2 if the volume or sensitivity of information they process grows in their work with the DoD client. Similarly, contracts stipulating Level 2 compliance may require groundwork toward Level 3 compliance for future work.
In terms of where it applies, any infrastructure that comes in contact with FCI and CUI is in-scope for the purpose of CMMC implementation and assessment at all Levels.
CMMC Level 3 Control Requirements
The CMMC requirements at Level 3 include all of the controls needed at Levels 1 and 2, along with an additional 24 unique to Level 3. The intended workflow is stepwise; organizations are meant to install all Level 1 controls, then all Level 2 controls, and finally all Level 3 controls.
The CMMC framework as a whole is built upon existing security best practices prescribed by the National Institute of Standards and Technology (NIST). In particular, NIST’s Special Publication (SP) 800-171 stipulates 110 controls for protecting CUI in non-governmental systems. These controls are adapted for both FCI and CUI needs across CMMC Levels 1 and 2. Then, CMMC Level 3 adds 24 enhanced controls from the supplementary publication NIST SP 800-172.
So, in total, organizations that need CMMC Level 3 certification need to implement and then assess 134 total cybersecurity controls. The 110 controls that are required for Levels 1 and 2 encompass the whole of NIST SP 800-171, with subtle changes for the specific DoD use case. The 24 controls from NIST SP 800-172 that were added for Level 3 are a selection of the most critical and applicable controls from that guide (“Enhanced” protections in the NIST parlance).
Below, we’ll provide an overview of the groups of requirements (“Families” in NIST) and the scope of prerequisites in Levels 1 and 2 before breaking down each control needed for Level 3.
CMMC Levels 1 and 2 Prerequisites
For context, the following is a brief overview of the focus for each group of requirements and how many specific controls are required at CMMC Levels 1 and 2 prior to Level 3 preparation:
- Access Control (AC) – Controls governing access to FCI and CUI, including:
  - Level 1 AC: Four Requirements
  - Level 2 AC: 22 Requirements
- Awareness and Training (AT) – Stipulations for staff security awareness training:
  - Level 2 AT: Three Requirements
- Audit and Accountability (AU) – Requirements for regular system-wide auditing:
  - Level 2 AU: Nine Requirements
- Configuration Management (CM) – Baseline and advanced settings across all assets:
  - Level 2 CM: Nine Requirements
- Identification and Authentication (IA) – Requirements for user account management:
  - Level 1 IA: Two Requirements
  - Level 2 IA: 11 Requirements
- Incident Response (IR) – Protocols for responding to and recovering from incidents:
  - Level 2 IR: Three Requirements
- Maintenance (MA) – Stipulations for hardware, software, and network updates:
  - Level 2 MA: Six Requirements
- Media Protection (MP) – Controls for safe asset management and disposal:
  - Level 1 MP: One Requirement
  - Level 2 MP: Nine Requirements
- Personnel Security (PS) – Requirements for recruitment and onboarding/offboarding:
  - Level 2 PS: Two Requirements
- Physical Protection (PE) – Controls for physical assets and spaces housing FCI/CUI:
  - Level 1 PE: Two Requirements
  - Level 2 PE: Six Requirements
- Risk Assessment (RA) – Standards for regular risk environment assessments:
  - Level 2 RA: Three Requirements
- Security Assessment (CA) – Standards for security system efficacy assessments:
  - Level 2 CA: Four Requirements
- System and Communications Protection (SC) – Safeguards for communication:
  - Level 1 SC: Two Requirements
  - Level 2 SC: 16 Requirements
- System and Information Integrity (SI) – Integrity assurances for systems and the information they process:
  - Level 1 SI: Four Requirements
  - Level 2 SI: Seven Requirements
These controls (110 in total) encompass the entirety of NIST SP 800-171, ensuring baseline protection for FCI and CUI within an organization’s orbit. They constitute minimum protection for these highly sensitive kinds of data, and some instances call for greater assurance at Level 3.
CMMC Level 3 Control Implementation
With all Level 1 and 2 controls in place, organizations need to implement a set of enhanced safeguards adapted from NIST SP 800-172 for Level 3 compliance. These controls break down as follows:
- Level 3 AC Requirements – Two final AC controls:
  - AC.L3-3.1.2e: Organizational control over assets
  - AC.L3-3.1.3e: Secure transfer of information
- Level 3 AT Requirements – Two final AT controls:
  - AT.L3-3.2.1e: Advanced threat awareness training
  - AT.L3-3.2.2e: Practical security training exercises
- Level 3 CM Requirements – Three final CM controls:
  - CM.L3-3.4.1e: Authoritative security repository
  - CM.L3-3.4.2e: Automated detection & remediation
  - CM.L3-3.4.3e: Automated configuration inventory
- Level 3 IA Requirements – Two final IA controls:
  - IA.L3-3.5.1e: Bidirectional authentication controls
  - IA.L3-3.5.3e: Blockage of untrusted assets
- Level 3 IR Requirements – Two final IR controls:
  - IR.L3-3.6.1e: Security operations center
  - IR.L3-3.6.2e: Cyber incident response team
- Level 3 PS Requirements – One final PS control:
  - PS.L3-3.9.2e: Adverse information management
- Level 3 RA Requirements – Seven final RA controls:
  - RA.L3-3.11.1e: Threat-informed risk assessments
  - RA.L3-3.11.2e: Threat hunting mechanisms
  - RA.L3-3.11.3e: Advanced risk identification
  - RA.L3-3.11.4e: Security solution rationale
  - RA.L3-3.11.5e: Security solution effectiveness
  - RA.L3-3.11.6e: Supply chain risk response
  - RA.L3-3.11.7e: Supply chain risk plan
- Level 3 CA Requirements – One final CA control:
  - CA.L3-3.12.1e: Penetration testing program
- Level 3 SC Requirements – One final SC control:
  - SC.L3-3.13.4e: Physical or logical isolation
- Level 3 SI Requirements – Three final SI controls:
  - SI.L3-3.14.1e: Verification of integrity
  - SI.L3-3.14.3e: Specialized asset security
  - SI.L3-3.14.6e: Threat-guided intrusion detection
With all 134 CMMC controls implemented and functional, organizations won’t be fully compliant yet; they still need to prepare for an official assessment to lock in their CMMC certification.
CMMC Level 3 Assessment Requirements
Just as there’s a stepwise progression in control requirements, organizations at different CMMC Levels must also conduct different kinds of audits for certification. At the entry level, organizations in Level 1 can self-assess and submit their results to the Supplier Performance Risk System (SPRS). Moving up, Level 2 introduces more complexity: some organizations may still qualify for self-assessment—specifically, those that process forms of CUI deemed less critical to DoD security. However, all other Level 2 organizations must work with a Certified Third Party Assessment Organization (C3PAO) vetted by the Cyber AB. In either case, assessments are valid for three years with annual affirmations.
At Level 3, organizations must first complete a full C3PAO assessment for Level 2 status. Then, they must undergo an additional government-led assessment through the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which validates the organization’s implementation of the Level 3 controls following Level 2 certification.
In practice, this means organizations requiring Level 3 compliance must complete two assessments in sequence: a full C3PAO audit for Level 2 certification, followed by a DIBCAC assessment covering the 24 Level 3 controls.
Streamline Your CMMC Level 3 Certification
For organizations newer to DoD cybersecurity compliance, it can initially seem challenging to move from asking, “What is CMMC?” to conducting a successful self (Level 1), C3PAO (Level 2), or DIBCAC (Level 3) assessment. Moreover, even for those that have previously complied with an earlier version of the framework or followed earlier editions of NIST guidelines, achieving Level 3 CMMC certification for the first time represents a significant milestone. That’s why expert guidance is essential—it makes scoping, implementing, and preparing for assessments easier, more efficient, and more sustainable.
RSI Security has helped countless organizations prepare for CMMC compliance. As a C3PAO, we actively partner with internal teams to identify and overcome compliance barriers—both short- and long-term. We know that discipline up front will unlock greater freedom to grow in the future, and we’ll work closely with you to rethink your cybersecurity to that effect.
To learn more about our CMMC compliance services, contact RSI Security today!