CMMC Level 3 Requirements: 24 Controls, Final Level 2, and the DIBCAC Assessment Path
CMMC Level 3 requirements come down to one demanding combination: a Final Level 2 (C3PAO) certification covering the Level 3 CMMC Assessment Scope, with every one of the 110 NIST SP 800-171 Revision 2 requirements met, plus 24 enhanced security requirements selected from NIST SP 800-172 (the February 2021 version), 134 requirements in total, assessed not by a commercial auditor but by the government itself: the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC). The result is recorded in the CMMC instance of eMASS and transmitted automatically to SPRS. Status lasts three years with an annual affirmation. No C3PAO can grant it.
Here is the part most pages bury. Level 3 is built for a small subset of the defense industrial base — the most sensitive programs and highest-value assets, the ones advanced persistent threats actually hunt — and the single most expensive mistake is companies building toward it before their contract requires it, or before they’ve locked a Level 2 scope that can survive Level 3 scrutiny.
Quick answer
| Question | Direct answer |
|---|---|
| How many Level 3 requirements? | 24 selected NIST SP 800-172 (Feb. 2021) requirements, on top of Final Level 2’s 110. Common shorthand: “134 total.” |
| Is Level 2 required first? | Yes. A Final Level 2 (C3PAO) status for the Level 3 scope is a hard prerequisite. |
| Who assesses Level 3? | DCMA DIBCAC — a government team. Not a C3PAO. |
| Is a self-assessment enough? | No. Self-assessment can help you prepare, but only a DIBCAC result yields Conditional or Final Level 3. |
| How long is status valid? | Three years, with annual affirmation in SPRS. |
| Can you use a POA&M? | Yes, narrowly. You need at least 20 of 24, and seven specific requirements can never be deferred. |
One honest caveat before you spend a dollar. Most people who land on this page do not need Level 3; they need Level 2. Level 3 is reserved for a sliver of the DIB working the most sensitive programs. Chasing it before a contract requires it (or before you are Level 2 certified) is the kind of seven-figure detour that wrecks budgets. That is not a reason to leave; it is the reason this page exists. Send us the CMMC language, your current Level 2 status, and where your CUI actually lives, and we'll point you to source-checked provider options for the right level →
What are the CMMC Level 3 requirements?
CMMC Level 3 requires a current Final Level 2 (C3PAO) status for the Level 3 assessment scope, plus all 24 Level 3 requirements selected from NIST SP 800-172 (February 2021) and codified in Table 1 to 32 CFR § 170.14(c)(4). The assessment is performed by DCMA DIBCAC, recorded in the CMMC instance of eMASS with automated transmission to SPRS, and renewed every three years with an annual affirmation.
CMMC has three levels. Level 1 covers Federal Contract Information (FCI) with 15 basic safeguards. Level 2 covers Controlled Unclassified Information (CUI) and maps exactly to the 110 requirements in NIST SP 800-171 Revision 2. Level 3 sits on top of Level 2 and adds 24 enhanced security requirements targeting the advanced persistent threat (APT) risk that a subset of the DIB faces on the most sensitive programs.
You'll hear Level 3 described as "134 controls." That's a useful shorthand, but the cleaner regulatory framing is: Final Level 2's 110 NIST SP 800-171 Rev. 2 requirements, plus 24 Level 3 requirements (32 CFR § 170.14). They aren't a separate stack you tackle in isolation; Level 3 is built on a fully met Level 2 foundation. If you're still working toward Level 2, start with our CMMC Level 2 requirements guide; this page assumes Level 2 is already on your radar.
| Level 3 at a glance | Detail |
|---|---|
| Prerequisite | Final Level 2 (C3PAO) for the same (or broader) scope |
| Added requirements | 24, selected from NIST SP 800-172 (Feb. 2021) |
| Where they’re codified | Table 1 to 32 CFR § 170.14(c)(4) |
| Assessor | DCMA DIBCAC (government) |
| Scoring companions | NIST SP 800-171A (Jun. 2018) and NIST SP 800-172A (Mar. 2022) |
| Status types | Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC) |
| Validity | Three years; annual affirmation in SPRS |
One distinctive wrinkle: Level 3 is the only CMMC level that uses Organization-Defined Parameters (ODPs) set by DoD. NIST SP 800-172 normally lets each organization fill in those values; for Level 3, DoD fixes them in the rule (for example, "at least annually," "within 24 hours," "24/7"), so you cannot pick a looser cadence and argue it is reasonable for your environment. Levels 1 and 2 don't use ODPs at all, because NIST SP 800-171 Rev. 2 and FAR 52.204-21 have none. You'll see exactly where they land in the requirements matrix below.
Do you actually need CMMC Level 3 — or are you really on a Level 2 path?
Most companies researching Level 3 will not need it. Level 3 applies only when a solicitation, contract, or prime flow-down requires a CMMC Status of Level 3 (DIBCAC). Under 32 CFR § 170.3(d), the DoD program manager or requiring activity — not the contracting officer — selects the required CMMC Status based on the sensitivity of the FCI or CUI involved. If your contract doesn’t call for Level 3, you are almost certainly on a Level 2 path.
In its rulemaking, DoD designed Level 3 for a small subset of the DIB — the programs and high-value assets where APT risk is highest: sensitive research and development, critical technologies, and the contracts a program office specifically designates. The overwhelming majority of CUI-handling contractors land at Level 2.
The trigger is never “we handle CUI, so we must need the top level.” The trigger is the contract language. Here’s how to read it:
| What your contract or flow-down says | Your likely path | What not to do |
|---|---|---|
| Level 1 (Self) | FCI only; annual self-assessment against the 15 FAR 52.204-21 safeguards | Don’t build a Level 3 program |
| Level 2 (Self) | CUI; self-assessment against NIST SP 800-171 Rev. 2, posted to SPRS | Don’t hire a C3PAO unless the contract requires it |
| Level 2 (C3PAO) | Readiness, then a third-party assessment by an authorized C3PAO | Don’t treat your readiness consultant as your assessor |
| Level 3 (DIBCAC) | Final Level 2 first, then Level 3 readiness, then a government DIBCAC assessment | Don’t ask a C3PAO to “certify” you at Level 3 — they can’t |
If you're staring at a solicitation and can't tell which status it's invoking, that ambiguity is exactly the kind of thing worth resolving before you commit budget. Confirm the clause, verify your current Level 2 standing, and map your scope, in that order. If the assessment type is the part that's fuzzy, our CMMC self-assessment vs. C3PAO explainer breaks down who can assess what.
Reading a clause you can't quite parse? Send us the CMMC language, your current Level 2 status, and where your CUI actually lives, and we'll point you to source-checked provider options for the right level, before you spend on the wrong one. Get matched with source-checked provider options →
The 24 CMMC Level 3 controls from NIST SP 800-172 (full list + readiness matrix)
The 24 Level 3 requirements are the selected NIST SP 800-172 (February 2021) requirements codified in Table 1 to 32 CFR § 170.14(c)(4). They span 10 domains and cover controlled access, secure information transfer, threat-focused training, authoritative inventory, automated discovery, a 24/7 security operations capability, a 24-hour incident response team, threat hunting, supply-chain risk management, annual penetration testing, system isolation, software-integrity verification, and threat-indicator-driven detection.
| CMMC ID | Domain | Plain-English job (DoD params in italics) | Primary evidence owner | Proof to prepare | Provider category that may help | Common failure mode |
|---|---|---|---|---|---|---|
| AC.L3-3.1.2e | Access Control | Limit access to organization-owned, provisioned, or issued resources | IT / IAM | Device inventory, MDM policy, conditional access, exception log | MSP / IAM / enclave architect | BYOD or contractor devices still touch CUI systems |
| AC.L3-3.1.3e | Access Control | Control information flows between security domains using secure information transfer solutions | Security architecture | Data-flow diagram, boundary-control design, transfer workflow | CUI enclave / secure collaboration | CUI moves through email/file paths outside the boundary |
| AT.L3-3.2.1e | Awareness & Training | Train on social engineering, APTs, and breaches upon hire, after a significant cyber event, and at least annually | Security / HR | Role-based training records, update cadence | vCISO / training provider | Generic annual training ignores APT and social-engineering scenarios |
| AT.L3-3.2.2e | Awareness & Training | Add practical exercises, tailored by role (general, specialized, privileged), with feedback | Security / HR | Exercise records, role mapping, supervisor feedback | vCISO / tabletop provider | No practical exercise or feedback trail |
| CM.L3-3.4.1e | Configuration Mgmt | Maintain an authoritative source/repository for approved components | IT operations | CMDB, approved-component repository, owner/approval fields | MSP / GRC / endpoint mgmt | Inventory exists, but no trusted source of approved components |
| CM.L3-3.4.2e | Configuration Mgmt | Detect and remove or quarantine misconfigured/unauthorized components | IT / SOC | Detection rules, quarantine workflow, remediation records | MSP / MSSP / EDR | Tools detect issues but can’t prove quarantine/remediation |
| CM.L3-3.4.3e | Configuration Mgmt | Use automated discovery and management tools for inventory | IT operations | Discovery output, reconciliation cadence, completeness evidence | MSP / endpoint mgmt | A spreadsheet can’t prove current automated discovery |
| IA.L3-3.5.1e | Identification & Auth | Authenticate systems/components where possible before connection (bidirectional, crypto, replay-resistant) | IAM / network | Device-certificate/NAC approach, mutual-auth evidence | IAM / MSP / network security | User MFA exists, but device/component auth is weak |
| IA.L3-3.5.3e | Identification & Auth | Block unknown or untrusted components from connecting | Network / IT | NAC rules, allowlist, trust profile, exception handling | MSP / network security | Unknown devices can still join in-scope networks |
| IR.L3-3.6.1e ★ | Incident Response | Maintain a security operations center capability operating 24/7, remote/on-call allowed | Security operations | SOC schedule, escalation procedures, monitoring coverage | MSSP / MDR / SOC | “Business-hours monitoring” is treated as enough — it isn’t |
| IR.L3-3.6.2e ★ | Incident Response | Maintain an incident response team deployable within 24 hours | Security / exec sponsor | IR roster, deployment SLA, after-hours escalation, tabletop evidence | MSSP / IR retainer / vCISO | A plan exists, but no deployable 24-hour team is evidenced |
| PS.L3-3.9.2e | Personnel Security | Protect systems when adverse information arises about people with CUI access | HR / security | Insider-risk workflow, access-review triggers, termination procedure | HR/security advisor | HR events aren’t tied to access-removal workflows |
| RA.L3-3.11.1e ★ | Risk Assessment | Use threat intelligence (open/commercial plus any DoD-provided) to guide architecture, monitoring, hunting, and response | vCISO / risk | Threat-intel sources, risk assessment, architecture rationale | vCISO / GRC / MSSP | Risk assessment is a template with no threat-intel input |
| RA.L3-3.11.2e | Risk Assessment | Conduct threat hunting on an ongoing aperiodic basis or when indicated | SOC / MSSP | Hunt plans, hypotheses, findings, cadence records | MSSP / MDR / threat hunting | Alert monitoring is mislabeled as threat hunting |
| RA.L3-3.11.3e | Risk Assessment | Use advanced automation/analytics to help analysts identify risk | SOC / security eng | SIEM/UEBA analytics, detection logic, analyst workflow | MSSP / SIEM / MDR | Tools are deployed but not tied to an analyst workflow |
| RA.L3-3.11.4e ★ | Risk Assessment | Document the selected security solution, rationale, and risk determination in the SSP | vCISO / SSP owner | SSP sections, architecture rationale, residual-risk approval | vCISO / GRC | SSP lists tools but never justifies the solution or risk decision |
| RA.L3-3.11.5e | Risk Assessment | Assess solution effectiveness at least annually, or on new threat info, or after a relevant incident | Risk / security | Effectiveness reviews, incident-triggered reviews, change log | vCISO / GRC / MSSP | The stack is never re-evaluated against threat changes |
| RA.L3-3.11.6e ★ | Risk Assessment | Assess, respond to, and monitor supply-chain risk | Procurement / security | Supplier risk register, monitoring, response records | SCRM / GRC / vCISO | Supplier risk is a procurement task, not security-monitored |
| RA.L3-3.11.7e ★ | Risk Assessment | Maintain a supply-chain risk plan; update at least annually, on new threat info, or after an incident | Procurement / security | SCRM plan, update cadence, supplier mapping | SCRM / GRC / vCISO | No living SCRM plan tied to systems and components |
| CA.L3-3.12.1e | Security Assessment | Conduct penetration testing at least annually or after significant changes | Security testing | Pen-test scope, report, remediation, retest evidence | Pen-test firm / vCISO | A vulnerability scan is treated as a penetration test |
| SC.L3-3.13.4e | System & Comms Protection | Employ physical and/or logical isolation techniques | Architecture / network | Segmentation diagrams, firewall rules, boundary evidence | Enclave architect / MSP | A “separate SharePoint site” is treated as isolation without proof |
| SI.L3-3.14.1e | System & Info Integrity | Verify integrity of security-critical and essential software (root of trust / signatures) | IT / security eng | Secure-boot/code-signing validation records | MSP / endpoint / software security | Integrity is assumed from vendor trust, not verified |
| SI.L3-3.14.3e ★ | System & Info Integrity | Bring specialized assets (IoT, IIoT, OT, GFE, Restricted Information Systems, test equipment) into scope or segregate them | OT / IT / program owner | Specialized-asset inventory, segregation evidence | OT security / enclave architect | OT, IoT, GFE, and test gear are ignored until scoping review |
| SI.L3-3.14.6e | System & Info Integrity | Use threat indicators (open/commercial plus any DoD-provided) to drive detection and hunting | SOC / MSSP | Indicator sources, detection updates, hunt and mitigation records | MSSP / MDR / threat intel | Threat intel arrives but never becomes detections or hunts |
One distribution worth internalizing: of the 24 requirements, seven fall in the Risk Assessment family, far more than any other domain. Configuration Management and System and Information Integrity carry three each; Access Control, Awareness and Training, Identification and Authentication, and Incident Response carry two each; Personnel Security, Security Assessment, and System and Communications Protection carry one apiece. The practical translation: Level 3 is less about more checkboxes and more about standing up intelligence-led security operations (threat intel, threat hunting, supply-chain risk, advanced analytics). That's where most Level 2-mature shops have the widest gap and the largest spend.
CMMC Level 3 checklist: 10 things to verify before DIBCAC
Use this as a fast readiness gate. Every item is a real gate in 32 CFR Part 170 or a direct consequence of it.
- Contract trigger confirmed — the solicitation or flow-down actually requires CMMC Status of Level 3 (DIBCAC).
- Final Level 2 (C3PAO) achieved for the Level 3 scope, with all 110 requirements met and no open Level 2 POA&M.
- Scope locked — your Level 3 scope is equal to, or a subset of, your Final Level 2 scope.
- All 24 requirements mapped to owners, evidence, and gaps (use the matrix above).
- The seven non-deferrable requirements are fully met — SOC, 24-hour incident response, threat-informed risk, security-solution rationale, supply-chain risk response, supply-chain risk plan, specialized-asset security.
- CSP/ESP inheritance documented in a CIS/CRM and Body of Evidence.
- Specialized assets handled — IoT, IIoT, OT, GFE, Restricted Information Systems, and test equipment are in scope or segregated.
- Evidence hashed and retained with a NIST-approved algorithm (six-year retention).
- Affirmation owner assigned for the initial and annual SPRS affirmations.
- DIBCAC initiation package ready — including your Level 2 certification (CMMC UID).
You can see the requirements — now turn them into a work plan. Tell us which of these you’ve already operationalized (24/7 SOC, threat hunting, SCRM) and which are gaps, and we’ll point you to the provider categories that close architecture, monitoring, and documentation gaps. Compare provider categories for Level 3 readiness →
How is CMMC Level 3 different from CMMC Level 2?
Level 2 is the 110 NIST SP 800-171 Rev. 2 requirements for protecting CUI; it can be self-assessed or assessed by a C3PAO depending on the contract. Level 3 requires Final Level 2 first, adds 24 NIST SP 800-172 requirements for the most sensitive CUI, and is assessed only by DCMA DIBCAC. The jump is not “more documentation” — it’s a jump into continuously operated security capabilities.
| Category | Level 2 | Level 3 |
|---|---|---|
| Primary target | CUI | Higher-risk CUI on critical programs / APT exposure |
| Requirement source | NIST SP 800-171 Rev. 2 (110) | Final Level 2 + 24 selected NIST SP 800-172 (Feb. 2021) |
| Count | 110 | 134 total (110 + 24) |
| Assessor | Self or C3PAO, per contract | DCMA DIBCAC only |
| Self-assessment certify? | Sometimes (Level 2 Self) | No |
| Scoring | Weighted 1, 3, or 5 points; max 110 | 1 point each; max 24; score = number met |
| Uses DoD-set ODPs? | No | Yes |
| Recurrence | Three years + annual affirmation | Three years (+ Level 2 reassessment every 3 years) + annual affirmation |
| Main failure mode | Weak scope or thin evidence | Treating Level 3 as paperwork rather than security operations |
The honest distinction: at Level 2, you’re proving a control framework is implemented. At Level 3, you’re proving an organization can detect, hunt, respond to, and recover from advanced threats — and prove it on a government assessor’s timeline. Many of the 24 requirements describe ongoing capabilities (a 24/7 SOC, a 24-hour incident response team, recurring threat hunts), not one-time configurations. You can’t screenshot your way through that.
What does the Final Level 2 (C3PAO) prerequisite really mean?
A contractor cannot initiate a Level 3 assessment without a Final Level 2 (C3PAO) status for the Level 3 scope, and the scoring rule requires a maximum score on that Level 2 assessment — all 110 requirements met — before Level 3 can begin. The Level 3 scope must be equal to, or a subset of, the Final Level 2 scope. This prerequisite, set in 32 CFR §§ 170.18 and 170.24, is the real first step for nearly everyone reading this page.
"Final," not "Conditional." A Conditional Level 2, one carrying an open Plan of Action and Milestones (POA&M), does not qualify you to start Level 3. You must close every Level 2 POA&M item and reach Final Level 2 first. And under the scoring methodology in 32 CFR § 170.24, a maximum Level 2 score is required to be eligible to initiate Level 3.
"Same scope or a subset." This is the scope trap. If your Level 2 environment was scoped narrowly, say a tight enclave built only to clear a Level 2 self-assessment, and your Level 3 obligation reaches assets that environment doesn't cover, you can be forced to re-scope, re-document, and re-assess. Worse, the rule lets DIBCAC perform limited checks of Level 2 requirements for assets that changed category between your Level 2 and Level 3 assessments. If DIBCAC finds a Level 2 requirement NOT MET during those checks, the Level 3 assessment may be paused for remediation, placed on hold, or terminated outright (32 CFR § 170.18(c)).
The lesson is sequencing. If there's any real chance Level 3 is in your future, your Level 3 scope should be considered before you finalize your Level 2 assessment, not after. For how the four paths fit together, see our CMMC certification process overview.
Not Final Level 2 yet? Don't buy a Level 3 plan first. For nearly everyone, the Level 2 path is the next move, and it's where most of the budget and timeline live. Tell us your scope and current score, and we'll help you compare Level 2 readiness, C3PAO assessment, and enclave-scoping categories before you commit. Compare Level 2 readiness provider categories →
Who performs the CMMC Level 3 assessment?
DCMA DIBCAC — the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center — performs CMMC Level 3 certification assessments on behalf of DoD. A C3PAO performs the prerequisite Level 2 assessment, but no C3PAO performs the Level 3 assessment. There is no commercial Level 3 certification.
- A C3PAO can perform your Level 2 (C3PAO) certification assessment. That's their lane. It's required, but it's the prerequisite, not the Level 3 assessment.
- DCMA DIBCAC performs the Level 3 certification assessment. It's a government function (32 CFR § 170.18).
- Readiness providers (RPOs, CMMC-focused MSPs and MSSPs, vCISOs, documentation specialists) can prepare you: build the SSP, stand up the SOC, design the enclave, run mock assessments. They cannot grant a CMMC status.
- No one should tell you they will "certify" or "guarantee" you at Level 3. A readiness firm prepares you. A C3PAO assesses Level 2. DIBCAC assesses Level 3. Anyone blurring those lines is a red flag.
There’s a practical consequence to this structure: at Level 3, there is no C3PAO assessment fee, because the government performs the assessment. Your Level 3 spend goes into implementation, tooling, consulting, and the Level 2 prerequisite — not a commercial certification invoice.
What is the CMMC Level 3 assessment process?
The Level 3 process starts only after Final Level 2 (C3PAO) for the Level 3 scope. The contractor initiates it by emailing a request to the DCMA DIBCAC point of contact and including the Level 2 certification assessment unique identifier (the CMMC UID). DIBCAC validates the Level 2 status, schedules the assessment, assesses against NIST SP 800-171A and NIST SP 800-172A, uploads results to the CMMC instance of eMASS, and communicates findings through a CMMC Assessment Findings Report.
Here’s the sequence from 32 CFR § 170.18(c):
- Confirm the requirement. Verify the solicitation, contract, or flow-down actually requires a CMMC Status of Level 3 (DIBCAC).
- Define the Level 3 scope — equal to or a subset of your Final Level 2 scope.
- Achieve Final Level 2 (C3PAO) for that scope, with all 110 requirements met and no open POA&M.
- Implement the 24 Level 3 requirements across every environment where CUI is processed, stored, or transmitted.
- Assemble the evidence — SSP, network and data-flow diagrams, asset inventory, CIS/CRM and Body of Evidence for cloud inheritance, SOC and IR records, threat-hunting and SCRM artifacts, pen-test reports, and hashed artifact files.
- Initiate with DIBCAC by email, including your Level 2 certification UID. DIBCAC validates and schedules.
- Undergo the assessment. DIBCAC scores against the methodology in 32 CFR § 170.24. A NOT MET requirement can be re-evaluated during the assessment and for 10 business days after the active assessment period — but only if new evidence is available, it doesn’t disturb already-assessed requirements, and the Findings Report hasn’t been delivered.
- Close any POA&M within 180 days if you receive a Conditional status.
- Affirm in SPRS at the time of assessment and annually thereafter.
- Maintain compliance and reassess on the three-year cycle — and remember a Level 2 (C3PAO) reassessment is also required every three years to keep Level 3 alive.
That last point is the one teams forget: Level 3 isn't a single event. To keep a Final Level 3 (DIBCAC) status current, you carry both a three-year Level 3 cycle and a three-year Level 2 (C3PAO) cycle, plus annual affirmations in between.
What is in scope for CMMC Level 3?
The Level 3 assessment scope is the set of information systems within the Level 3 CMMC Assessment Scope, and it must be equal to or a subset of your Final Level 2 (C3PAO) scope. Level 3 treats certain asset categories more strictly than Level 2 — particularly specialized assets, security protection assets, and any asset that changed category between the two assessments — under the scoping rules in 32 CFR § 170.19.
- Enclave vs. enterprise. Many contractors reduce cost and risk by isolating CUI into a dedicated enclave rather than dragging the whole enterprise into scope. Done right, with documented boundaries, that's smart. Done as a "separate site" with no real isolation proof, it fails. See our CMMC secure enclave guide for the architecture trade-offs.
- CUI assets and security protection assets. Systems that handle CUI are in scope; so are the assets that protect them (your security stack, your management plane).
- Specialized assets (IoT, Industrial IoT, OT, GFE, Restricted Information Systems, and test equipment) must be brought into the enhanced scope or properly segregated in purpose-specific networks. This is one of the seven requirements you cannot defer (SI.L3-3.14.3e), and it's a frequent blind spot for manufacturers and labs.
- Contractor Risk Managed Assets (CRMAs). At Level 2 these are documented but not assessed; at Level 3 they are assessed against the Level 3 requirements. Because their category shifts between your Level 2 and Level 3 assessments, expect DIBCAC's limited Level 2 re-checks on them. Plan for it.
The recurring theme: a Level 2 scope built without an eye toward Level 3 can force expensive re-scoping later. If Level 3 is plausibly in your future, design the scope once, for both. See also: CMMC scoping guide and CMMC scope reduction.
Can you use a POA&M for CMMC Level 3?
Yes, but only narrowly. To earn a Conditional Level 3 (DIBCAC), your assessment score divided by 24 must be at least 0.8 — meaning at least 20 of the 24 requirements met — and seven specific requirements can never appear on the POA&M. DCMA DIBCAC must confirm closeout of any deferred items within 180 days, or the conditional status expires. This is set in 32 CFR §§ 170.21(a)(3) and 170.18.
Because every Level 3 requirement is worth exactly one point, the math is simple: you can carry at most four of the 24 on a POA&M, and none of those four can come from the prohibited list.
| POA&M rule (Level 3) | Answer |
|---|---|
| Is a POA&M allowed? | Yes, under 32 CFR § 170.21(a)(3) |
| Minimum score to qualify | Score ÷ 24 ≥ 0.8 (at least 20 of 24 met) |
| Maximum deferrable | 4 requirements — none from the prohibited 7 |
| Closeout deadline | 180 days from the Conditional CMMC Status Date |
| Who confirms closeout? | DCMA DIBCAC |
| If not closed in time | Conditional status expires; ineligible for further Level 3 awards on that system until a new status is achieved |
The seven requirements you are not allowed to defer
(32 CFR § 170.21(a)(3)(ii)):
- IR.L3-3.6.1e — Security Operations Center
- IR.L3-3.6.2e — Cyber Incident Response Team
- RA.L3-3.11.1e — Threat-Informed Risk Assessment
- RA.L3-3.11.4e — Security Solution Rationale
- RA.L3-3.11.6e — Supply Chain Risk Response
- RA.L3-3.11.7e — Supply Chain Risk Plan
- SI.L3-3.14.3e — Specialized Asset Security
Notice the pattern: four of the seven are Risk Assessment requirements. DoD has effectively designated threat intelligence and supply-chain risk management as capabilities that must be fully operational on the day of assessment, with no "we'll finish it later." If your Level 3 plan assumes you can stand up the SOC, the 24-hour incident response team, threat-informed risk, your SCRM program, the security-solution rationale, or specialized-asset security after the fact, rebuild the plan now.
How do cloud services, ESPs, GCC High, GovCloud, and CUI enclaves affect Level 3?
Cloud and external service providers can support a Level 3 environment, but they never remove your obligation to implement the 24 Level 3 requirements. Under 32 CFR § 170.18, a cloud service provider (CSP) used for CUI must meet the FedRAMP Moderate (or higher) baseline — or, if not FedRAMP authorized, security requirements equivalent to FedRAMP Moderate under DoD policy. Inherited controls must be proven through a Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) and a Body of Evidence (BOE), and your on-premises infrastructure that connects to the cloud stays in scope.
- A CSP must meet FedRAMP Moderate or equivalent. Picking the right platform matters, but the platform is not the finish line.
- Inheritance must be documented, not assumed. If you inherit any of the 24 requirements from a CSP, the BOE has to state clearly which requirements the CSP meets and which you meet. DIBCAC assesses against that evidence.
- External service providers that aren’t CSPs are assessed within your assessment against all Level 2 and Level 3 requirements, and the relationship must be documented in your SSP and the provider’s CRM.
- Your on-prem still counts. The infrastructure connecting to a CSP or ESP is part of the assessment scope.
- GCC High and AWS GovCloud are tools, not solutions. They can host a compliant environment; they do not satisfy Level 3 by themselves.
Stuck between an enclave, whole-enterprise scope, an MSSP, and a GRC platform? Tell us where your CUI lives and which cloud and ESP services touch it, and we’ll point you to source-checked provider categories that fit your scope and inheritance model. Compare enclave, managed-security, and GRC categories →
What evidence should you prepare for a Level 3 DIBCAC assessment?
A DIBCAC assessment is evidence-driven. The results recorded in the CMMC instance of eMASS include the assessment date and level, assessor names and government organization, all relevant CAGE codes, the SSP name/date/version, the CMMC Status Date, the result for each requirement objective, POA&M usage, and a list of hashed artifacts. Under 32 CFR § 170.18, the hashed artifacts used as assessment evidence must be retained for six years from the CMMC Status Date, hashed with a NIST-approved algorithm.
Build your evidence binder around what DIBCAC actually records and checks:
- SSP, with version history
- Final Level 2 (C3PAO) status evidence and your Level 2 certification UID
- Complete asset inventory, including specialized assets
- Network and data-flow diagrams
- CIS/CRM and Body of Evidence for any CSP or ESP inheritance
- SOC procedures and monitoring coverage records (IR.L3-3.6.1e)
- 24-hour incident response team roster and deployment evidence (IR.L3-3.6.2e)
- Threat-hunting plans, hypotheses, and findings (RA.L3-3.11.2e)
- Threat-intelligence sources and how they feed decisions (RA.L3-3.11.1e, SI.L3-3.14.6e)
- SCRM plan and supplier-risk monitoring (RA.L3-3.11.6e, RA.L3-3.11.7e)
- Penetration-test reports and remediation evidence (CA.L3-3.12.1e)
- Specialized-asset inventory and segregation evidence (SI.L3-3.14.3e)
- The hashed artifact list and your retention process (six years)
- A named owner and process for the annual affirmation
The artifact-hashing requirement is easy to overlook and expensive to retrofit. Set up the hashing process before the assessment, not during it. "NIST-approved" means a SHA-2 or SHA-3 family hash (FIPS 180-4, FIPS 202); MD5 is not approved and SHA-1 is deprecated, so don't let a legacy script choose the algorithm for you. Hash the artifacts in their final, frozen form, keep the hash list itself as a retained artifact, and re-verify the binder against that list before each annual affirmation so you know the evidence you are retaining is still the evidence DIBCAC saw.
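One way to operationalize that, as an added example rather than code from this page or from any DoD or DIBCAC tool: it walks an evidence binder, streams every file through SHA-256 (FIPS 180-4, NIST-approved), writes a deterministic manifest, hashes the manifest itself, and re-verifies the binder later so a modified, missing, or unlisted artifact is flagged. The manifest layout, the directory names and the two sample artifacts are constructed for the example and are not a DoD-prescribed format.

```python
"""Hash an evidence binder into a manifest and re-verify it later.

Added example, not from the page or from DoD tooling. The manifest layout
and the sample artifacts are constructed for illustration; the rule only
requires a NIST-approved hash and six-year retention, not this format.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# SHA-256 (FIPS 180-4) is NIST-approved; MD5 is not, and SHA-1 is deprecated.
ALGORITHM = "sha256"


def hash_file(path: Path, algorithm: str = ALGORITHM, chunk_size: int = 1 << 20) -> str:
    """Stream a file through the hash so large artifacts (pcaps, images) fit in memory."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, algorithm: str = ALGORITHM) -> dict:
    """Record every file under root with its relative path, size and digest."""
    artifacts = [
        {
            "artifact": p.relative_to(root).as_posix(),
            "bytes": p.stat().st_size,
            "digest": hash_file(p, algorithm),
        }
        for p in root.rglob("*")
        if p.is_file()
    ]
    artifacts.sort(key=lambda a: a["artifact"])  # deterministic order for diffing
    return {"algorithm": algorithm, "artifacts": artifacts}


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical JSON manifest; record it outside the binder (e.g. SSP change log)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(manifest["algorithm"], canonical).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the binder against the manifest and classify each artifact."""
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for entry in manifest["artifacts"]:
        path = root / entry["artifact"]
        if not path.is_file():
            report["missing"].append(entry["artifact"])
        elif hash_file(path, manifest["algorithm"]) != entry["digest"]:
            report["modified"].append(entry["artifact"])
        else:
            report["ok"].append(entry["artifact"])
    # Files present in the binder but never hashed are not covered evidence.
    listed = {e["artifact"] for e in manifest["artifacts"]}
    report["unlisted"] = sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.relative_to(root).as_posix() not in listed
    )
    return report


def demo() -> tuple:
    """Build a constructed two-file binder, verify it clean, then detect a later edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssp").mkdir()
        (root / "ssp" / "ssp-v3.2.txt").write_text("System Security Plan v3.2 (constructed sample)\n")
        (root / "soc-schedule.txt").write_text("SOC coverage: 24x7, on-call rotation (constructed sample)\n")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate someone "tidying up" an artifact and adding a file after the CMMC Status Date.
        (root / "soc-schedule.txt").write_text("SOC coverage: business hours\n")
        (root / "late-addition.txt").write_text("not in the hashed list\n")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("manifest digest:", manifest_digest(manifest))
    print("clean:", clean)
    print("tampered:", tampered)
```

Run it once against the frozen binder on the CMMC Status Date, record the manifest digest somewhere outside the binder (the SSP change log or a ticket), and re-run verify_manifest before each annual affirmation. A non-empty modified, missing, or unlisted list means the retained evidence no longer matches what DIBCAC assessed, which is exactly the condition the six-year retention rule exists to prevent.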
Don’t assemble this at the last minute. We’ve turned the requirements above into a free Level 3 Evidence Binder Outline — every section DIBCAC expects, mapped to the requirement it supports, so your SSP, diagrams, CSP/ESP evidence, SOC records, SCRM artifacts, pen-test results, and hashed artifacts are organized before you initiate. Download the Level 3 Evidence Binder Outline →
How much does CMMC Level 3 cost?
There is no single price, and notably no C3PAO assessment fee: DIBCAC performs the Level 3 assessment, so your spend is implementation, tooling, consulting, and the Level 2 prerequisite. In its regulatory cost analysis for the CMMC final rule, DoD estimated a contractor's cost to support a Level 3 certification assessment and initial affirmation at about $39,021 for an other-than-small entity (roughly $44,445 over three years, including two annual reaffirmations of $2,712 each) and about $9,050 for a small entity (roughly $12,802 over three years, including two annual reaffirmations of $1,876 each). Those are contractor support-and-affirmation estimates, not a DIBCAC fee, and they are the small part of the bill.
Why is the assessment the small part? Because the real money is in implementing the 24 enhanced requirements — and no prior DoD rule required the NIST SP 800-172 enhanced requirements, so for most contractors they’re entirely new with CMMC Level 3. A 24/7 monitoring capability, a deployable incident response team, threat hunting, threat intelligence, supply-chain risk management, advanced analytics, isolation, and pen testing are mostly people and process, not a one-time license.
Separate the bill into what DoD’s analysis estimates and what depends entirely on you:
- Assessment support and affirmation (DoD’s regulatory estimates): roughly $39,000–$44,000 over three years for other-than-small entities; roughly $9,000–$13,000 for small entities. Concrete, but small.
- Implementing the 24 enhanced requirements: the dominant, scope-dependent cost — SOC/MDR, threat hunting, SCRM, analytics, enclave architecture, pen testing, GRC/evidence tooling, and internal labor.
- The Level 2 prerequisite: you must reach Final Level 2 (C3PAO) first, which carries its own readiness and assessment cost on top of Level 3.
Two honest cautions. First, private-market preparation ranges are quote-specific — a quote built around a tight enclave and one built around whole-enterprise scope are not the same product, and the gap between them is enormous. Don’t compare two Level 3 quotes unless the scope behind them is identical. Second, treat the DoD figures above as planning estimates from the rule’s cost analysis, not a price you’ll pay. For the broader picture across all three levels, see our CMMC Level 2 cost guide.
How long does CMMC Level 3 take?
The rule fixes the assessment cadence, not your readiness timeline: the Level 3 certification assessment occurs every three years, with an annual affirmation, and a Level 2 (C3PAO) reassessment is also required every three years. How long readiness takes depends on whether you already hold Final Level 2 and whether you’ve stood up a 24/7 SOC, threat hunting, SCRM, isolation, and the evidence to prove them.
- Already Final Level 2, mature SOC/SCRM/enclave: roughly 6–12+ months to close the 24-requirement gaps and assemble evidence.
- Final Level 2, but thin on SOC, threat hunting, or SCRM: roughly 9–18+ months, because those are capabilities to build and operate, not documents to write.
- Not Final Level 2 yet: your Level 2 timeline comes first, then Level 3.
- Cold start (no Level 2 program): this isn’t a Level 3 project yet. Scope and Level 2 come first.
When will CMMC Level 3 be required in DoD contracts?
CMMC requirements began phasing into contracts on November 10, 2025, when the 48 CFR CMMC Acquisition final rule took effect and revised DFARS clause 252.204-7021. Under 32 CFR § 170.3(e), each later phase begins one calendar year after the start of the previous one. DoD may include a Level 3 (DIBCAC) requirement at its discretion beginning in Phase 2 (one year after the effective date), and intends to include Level 3 broadly in Phase 3 (two years after the effective date).
| Phase | Start | Level 3 relevance |
|---|---|---|
| Phase 1 | November 10, 2025 (rule effective date) | DoD intends Level 1 (Self) or Level 2 (Self/C3PAO). Level 3 not yet included. |
| Phase 2 | One year after the effective date | DoD may, at its discretion, include a Level 3 (DIBCAC) requirement in applicable solicitations. |
| Phase 3 | Two years after the effective date | DoD intends to include Level 3 (DIBCAC) for all applicable solicitations as a condition of award. |
| Phase 4 | Three years after the effective date | CMMC requirements apply to all applicable solicitations and contracts, including option periods. |
There’s a real, non-manufactured urgency in the sequencing. Because Final Level 2 is a hard prerequisite, and because C3PAO assessor capacity is finite, a genuine Level 3 candidate can’t wait for Phase 3 to start working the Level 2 path. The bottleneck is the prerequisite, and the prerequisite takes time.
The timeline that binds you is the language in your contract, not the calendar. If a solicitation you’re bidding carries a valid Level 3 (DIBCAC) requirement under the phase-in rules, that requirement is real now.
Does NIST SP 800-172 Revision 3 change CMMC Level 3 requirements?
No — not yet. NIST published SP 800-172 Revision 3 (and the matching 800-172A Rev. 3) on May 13, 2026, superseding the February 2021 publication as a NIST document. But CMMC Level 3 remains tied to the selected February 2021 requirements that are incorporated by reference into 32 CFR Part 170. Until DoD amends the CMMC rule through rulemaking, DIBCAC assesses against the original 24 requirements, and Revision 3 creates no contractual obligation.
- What changed at NIST: Revision 3 reorganizes and expands the enhanced security requirements. It’s the current NIST publication.
- What has not changed in CMMC: the controlling Level 3 requirements are still the 24 selected from the February 2021 version, per 32 CFR § 170.14(c)(4), assessed using 800-172A (March 2022).
- What to watch: future DoD rulemaking. Do not treat NIST SP 800-172 Revision 3 as your Level 3 control list.
The same principle applies to NIST SP 800-171: CMMC Level 2 currently uses Revision 2 as incorporated in 32 CFR Part 170. NIST SP 800-171 Revision 3 (published 2024) does not control CMMC unless DoD amends the rule.
What should primes flow down to subcontractors on a Level 3 contract?
A Level 3 prime requirement does not automatically make every subcontractor a Level 3 shop. Under 32 CFR § 170.23, a subcontractor that handles only FCI needs a CMMC Status of Level 1 (Self); a subcontractor that handles CUI under a prime contract carrying a Level 3 (DIBCAC) requirement needs at least Level 2 (C3PAO). A subcontractor needs Level 3 only if its own subcontract carries a Level 3 (DIBCAC) requirement.
| Subcontractor’s role | Minimum CMMC status |
|---|---|
| Handles only FCI (no CUI) | Level 1 (Self) |
| Handles CUI, prime is Level 2 (C3PAO) | Level 2 (C3PAO) |
| Handles CUI, prime is Level 3 (DIBCAC) | Level 2 (C3PAO) |
| Subcontract itself requires Level 3 (DIBCAC) | Level 3 (DIBCAC) |
Don’t over-flow Level 3 onto every supplier by default — most subs on a Level 3 program need Level 2 (C3PAO), not Level 3. And don’t under-flow it either: a sub touching CUI can’t be left at Level 1. The mechanics are in our CMMC flow-down requirements guide.
For real-world context, Lockheed Martin’s published supplier guidance (reviewed June 2026) verifies supplier readiness through the Exostar Cybersecurity Compliance and Risk Assessment (CCRA) questionnaire, accepted reciprocally across major primes including Boeing, RTX, Northrop Grumman, and General Dynamics. One nuance for subcontractors: an SPRS score of 88 is sometimes cited as the bar, but 88 out of 110 is only the numeric floor for Conditional Level 2 — and only when the other POA&M restrictions in 32 CFR § 170.21 are met. Your prime’s clock may be faster than the government’s phase chart.
Which provider category should help at each stage?
Level 3 readiness is not one provider category. Depending on your gaps, you may need an RPO or vCISO for readiness governance, an MSP or enclave architect for scope and architecture, an MSSP or MDR provider for 24/7 monitoring and threat hunting, a GRC platform for evidence workflows, a penetration-testing firm for CA.L3-3.12.1e, a C3PAO for the prerequisite Level 2 assessment, and DCMA DIBCAC for the Level 3 assessment itself.
| Stage | Provider category | What they should do | What they should not claim |
|---|---|---|---|
| “We might need Level 3” | RP / RPO / vCISO | Interpret the requirement, scope, and readiness plan | Guarantee a certification outcome |
| “Our environment is too broad” | CUI enclave / MSP / cloud architect | Reduce and document scope | That cloud alone equals compliance |
| “We need 24/7 SOC and threat hunting” | MSSP / MDR / SOC | Monitoring, hunting, escalation, evidence | Replace the executive affirmation |
| “We need evidence management” | GRC / documentation provider | SSP, POA&M, and BOE workflows | That software alone satisfies CMMC |
| “We need our Level 2 certificate” | Authorized C3PAO | The Level 2 (C3PAO) assessment | Perform a Level 3 assessment |
| “We’re ready for Level 3” | DCMA DIBCAC | The Level 3 certification assessment | — |
Map the heaviest requirements straight to the category that carries them:
- MSSP / MDR / SOC → IR.L3-3.6.1e (SOC), IR.L3-3.6.2e (24-hour IR team), RA.L3-3.11.2e (threat hunting), RA.L3-3.11.3e (analytics), SI.L3-3.14.6e (threat-guided detection).
- SCRM / GRC advisor → RA.L3-3.11.6e (supply-chain risk response), RA.L3-3.11.7e (supply-chain risk plan).
- Enclave / network architect → AC.L3-3.1.3e (secure transfer between domains), SC.L3-3.13.4e (isolation), SI.L3-3.14.3e (specialized-asset security).
For the full category breakdown, see our CMMC provider categories guide and who to hire first.
Not sure which category fits — that’s the most common place to be. Tell us your level, scope, and timeline, and we’ll match you with source-checked provider options, so you talk to the right kind of provider the first time. Get matched with source-checked CMMC provider options →
What are the biggest mistakes companies make with CMMC Level 3?
The biggest Level 3 mistake is treating it as “Level 2 plus extra documentation.” The real gap is almost always operational: a 24/7 SOC, a deployable incident response team, threat-informed risk, threat hunting, supply-chain risk management, isolation, specialized-asset handling, evidence retention, and a Level 2 scope strong enough to survive Level 3 scrutiny.
- Building toward Level 3 before confirming the contract actually requires it.
- Assuming a C3PAO can perform the Level 3 assessment. (DIBCAC does.)
- Entering the Level 2 assessment with a scope that can’t support Level 3 later.
- Treating commercial cloud — even GCC High or GovCloud — as the whole answer.
- Ignoring ESP scope and the Customer Responsibility Matrix.
- Calling alert monitoring “threat hunting.”
- Calling a vulnerability scan a “penetration test.”
- Assuming every gap can be fixed on a POA&M after the assessment. (Seven can’t.)
- Forgetting the annual affirmation — and the parallel three-year Level 2 reassessment.
- Ignoring specialized assets (IoT, OT, GFE, test equipment) until scoping review.
What should you do next?
Your next step depends on where you stand. If no contract or flow-down requires Level 3, confirm the required CMMC status before spending. If you’re not Final Level 2, build the Level 2 path first — it’s the prerequisite. If you already hold Final Level 2 for the right scope, map your gaps against the 24 requirements and assemble the DIBCAC evidence package before you initiate.
- “We only heard Level 3 might be coming.” Confirm the contract language first. Don’t build yet.
- “Our prime says Level 3.” Request the written flow-down: the required level, the scope, and the timing. It may be Level 2 (C3PAO) for you.
- “Our solicitation says Level 3 (DIBCAC).” Verify your Final Level 2 status and confirm your scope lines up.
- “We’re not Final Level 2 yet.” Start the Level 2 readiness and C3PAO path — that’s your real first move.
- “We’re Final Level 2 and our scope is ready.” Map the 24 requirements, build the evidence binder, and initiate with DIBCAC.
How we verified this
We treat regulatory and contractual claims as the kind of thing you should be able to check yourself, so here’s our work. We verified the following against primary sources:
| Source | What it supports here |
|---|---|
| 32 CFR § 170.14(c)(4) (Table 1) | The CMMC model and the 24 Level 3 requirements, including DoD-set ODPs |
| 32 CFR § 170.18 | Final Level 2 prerequisite, DIBCAC assessment process, email-with-UID initiation, 10-business-day re-evaluation window, six-year hashed-artifact retention, CSP FedRAMP Moderate rule, ESP scoping |
| 32 CFR § 170.21(a)(3) | Level 3 POA&M conditions and the seven requirements that cannot be deferred |
| 32 CFR § 170.24 | Level 3 scoring methodology and the requirement for a maximum Level 2 score before initiating Level 3 |
| 32 CFR § 170.3(e) | Four-phase rollout and Level 3 timing (Phase 2 discretion, Phase 3 intent) |
| 32 CFR § 170.23 | Subcontractor flow-down rule for a Level 3 prime |
| DFARS 252.204-7021 at Acquisition.gov; 48 CFR CMMC Acquisition final rule (90 FR 43560, Sept. 10, 2025) | Contract mechanism and November 10, 2025 effective date |
| CMMC Program final rule (89 FR 83092, Oct. 15, 2024) | DoD Level 3 cost estimates |
| NIST Computer Security Resource Center | Status of NIST SP 800-172 Revision 3 (published May 13, 2026); confirmation that 32 CFR Part 170 still incorporates the February 2021 version |
| Cyber AB CMMC Assessment Process (CAP) | Independence framing for the Level 2 prerequisite |
CMMC Level 3 requirements: FAQ
How many CMMC Level 3 requirements are there?
CMMC Level 3 adds 24 selected NIST SP 800-172 (February 2021) requirements on top of Final Level 2’s 110 NIST SP 800-171 Rev. 2 requirements. The common shorthand is “134 total.” The 24 are codified in Table 1 to 32 CFR § 170.14(c)(4).
Is CMMC Level 3 all of NIST SP 800-172?
No. DoD selected a subset — 24 requirements — from the February 2021 version of NIST SP 800-172 and codified those in 32 CFR § 170.14(c)(4). NIST itself notes that agencies select enhanced requirements based on mission and risk; not all are expected to be selected.
Does CMMC Level 3 use NIST SP 800-172 Revision 3?
Not as the controlling requirement list today. Revision 3 was published May 13, 2026, but CMMC Level 3 remains tied to the February 2021 requirements incorporated into 32 CFR Part 170 until DoD amends the rule.
Does NIST SP 800-171 Revision 3 control CMMC today?
No. CMMC Level 2 currently uses NIST SP 800-171 Revision 2 as incorporated in 32 CFR Part 170, and Level 3 adds selected NIST SP 800-172 February 2021 requirements. NIST SP 800-171 Revision 3 (published in 2024) does not control CMMC unless DoD amends the rule.
Do you need Final Level 2 before Level 3?
Yes. A Final Level 2 (C3PAO) status for the Level 3 scope is a prerequisite, and a maximum Level 2 score is required to be eligible to initiate Level 3 (32 CFR §§ 170.18, 170.24).
Can a C3PAO perform a CMMC Level 3 assessment?
No. DCMA DIBCAC performs Level 3 certification assessments. A C3PAO performs the prerequisite Level 2 (C3PAO) assessment. See our CMMC certification process overview for the full sequence.
Can Level 3 be self-assessed?
A self-assessment can help you prepare and support your annual affirmation, but self-assessment results cannot be submitted for Level 3 certification. Only a DCMA DIBCAC result yields Conditional or Final Level 3. For a full comparison of assessment types, see our CMMC self-assessment vs. C3PAO guide.
Can you get a Conditional Level 3?
Yes, if your Level 3 score divided by 24 is at least 0.8 (at least 20 of 24 met) and your POA&M excludes the seven requirements listed in 32 CFR § 170.21(a)(3). DCMA DIBCAC must confirm closeout within 180 days.
Is Level 3 status valid for three years?
Yes. Final Level 3 (DIBCAC) is current for three years with a current annual affirmation, and a Level 2 (C3PAO) reassessment is also required every three years to maintain Level 3.
Does every subcontractor on a Level 3 prime contract need Level 3?
No. Under 32 CFR § 170.23, a subcontractor handling only FCI needs Level 1 (Self); a subcontractor handling CUI under a Level 3 prime needs at least Level 2 (C3PAO). Level 3 applies to a sub only if its own subcontract requires it.
Does GCC High or AWS GovCloud automatically satisfy Level 3?
No. A cloud environment can help, but using a CSP doesn’t relieve you of implementing the 24 Level 3 requirements. Inherited controls must be shown through a CIS/CRM and Body of Evidence, and your on-premises infrastructure that connects to the cloud remains in scope.
How much does CMMC Level 3 cost?
There’s no C3PAO assessment fee at Level 3 because DIBCAC performs the assessment. DoD’s regulatory cost analysis estimates a contractor’s cost to support the assessment and initial affirmation at about $39,021 for an other-than-small entity (about $44,445 over three years) and about $9,050 for a small entity (about $12,802 over three years). The larger cost is implementing the 24 enhanced requirements, which is scope-dependent. Treat all figures as planning estimates, not quotes.
Keep going from here
- What is CMMC? — the full level model, timeline, and who it applies to
- CMMC Level 2 requirements — all 110 NIST SP 800-171 controls
- CMMC Level 2 checklist — 110-requirement readiness checklist
- CMMC certification process — what a C3PAO assessment actually involves
- CMMC self-assessment vs. C3PAO — who can assess what and when
- CMMC secure enclave — architecture trade-offs and scope reduction
- CMMC flow-down requirements — what primes must pass to subs
- CMMC scoping guide — the five asset categories, in and out of scope
- CMMC readiness checklist — pre-assessment checklist across all levels
- CMMC provider categories — RPO, C3PAO, MSP, MSSP, enclave — what each one does
► Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options — so you talk to the right kind of provider the first time.
Get matched to the right provider category →