Go-To Guide:
On Sept. 10, 2025, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program for government contractors. This final rule established a Nov. 10, 2025, go-live date for the start of Phase 1 of CMMC. As we covered in our prior GT Alerts, under the four-phased implementation approach, the focus will be on Level 1 and Level 2 self-assessments in the first year; Level 2 third-party certifications in the second year; Level 3 certifications in the third year; and all contracts and solicitations will include CMMC requirements in the fourth year.
We have previously discussed Level 1 and Level 2. This GT Alert addresses Level 3, which applies to contractors and subcontractors with information systems that store, process, or transmit controlled unclassified information (CUI) and need to protect against advanced persistent threats. Authorized assessors of the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct Level 3 certification assessments.
Beginning on Nov. 10, contractors and subcontractors may see CMMC requirements in solicitations, contracts, and option exercises. While the initial phases contemplate only the implementation of CMMC requirements for Level 1 and Level 2, starting in Phase 2, which begins November 2026, DoD will have discretion to require Level 3 DIBCAC certifications for some programs.
CMMC Level 3 Application
Similar to Level 2, CMMC Level 3 focuses on safeguarding CUI, which is generally non-public information the government creates or possesses, or which an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls because of the sensitive nature of the information. CUI is defined by the National Archives and Records Administration (NARA), which has established 20 organizational categories of information that constitute CUI, including defense information.1
Where Level 2 requires broad CUI protection, Level 3 prescribes higher-level protection against advanced persistent threats. While DoD anticipates that only approximately 1% of the Defense Industrial Base (DIB) will need to obtain a Level 3 status, more than 67% of this group may be small businesses. Subcontractors that handle CUI where the prime contract has a Level 3 assessment requirement might have to obtain, at minimum, a Level 2 (C3PAO) assessment.
CMMC Level 3 Requirements
Assessments
CMMC Level 3 requires a DIBCAC assessment every three years. Level 3 certifications require a final Level 2 (C3PAO) CMMC status for the same assessment scope, meaning any Level 2 plan of action and milestones (POAM) must be closed out before initiating a Level 3 assessment. Level 3 assessments are also conducted against a total of 134 security controls: the 110 security controls in NIST SP 800-171 rev. 2 and 24 selected controls from NIST SP 800-172, using the assessment methodology in NIST SP 800-171A, NIST SP 800-172A, and the CMMC assessment guidance.
At the outset, contractors must define the proper assessment scope based on the requisite asset categories. These include all company information systems that store, process, transmit, or receive CUI, as well as those assets that provide security functions or capabilities to the defined CMMC assessment scope. Assets that store, process, or transmit CUI but cannot be fully secured, such as Internet of Things (IoT) devices or operational technology (OT), are considered “specialized assets” that must be documented in the contractor’s asset inventory, system security plan (SSP), and network diagram.
The assessments will be conducted using evidence and documentation demonstrating that a contractor has met all of the Level 3 security controls. If a company has not fully implemented a security control, it may be granted a conditional Level 3 status so long as it has implemented all the required baseline controls, achieved a score of at least 80%, and has POAMs in place that will be closed in 180 days. Some controls cannot be the subject of a POAM, including seven of the NIST SP 800-172 rev. 2 controls. Once an entity has fully implemented all required controls and closed out all POAMs, it will achieve a Level 3 Final status. The Level 3 certification assessment results will be posted by the DIBCAC assessor into the Enterprise Mission Assurance Support Service (eMASS).
Ongoing Compliance
In addition to the certification assessment, each year a senior official of the company must provide an affirmation of continuing compliance with the specified security controls. Affirmations are required after the initial assessment, after POAM closeout, and annually thereafter. Contractors with Level 3 status must also annually affirm their Level 2 (C3PAO) status, because the assessment scopes for C3PAOs and DIBCAC are distinct. The affirming official must be a senior official responsible for ensuring the entity’s compliance with CMMC Program requirements and must have the authority to attest to the company’s continued compliance with all applicable security requirements. Companies are required to retain records of the hashed artifacts used for the assessments for at least six years from the date the CMMC status is obtained for each assessment.
Certification expenses vary based on a business’s size and the type of assessment.
- For DIBCAC assessments, it is estimated that every three years, a company other than a small business may invest $36,308 in planning, preparing, conducting, and reporting the Level 3 assessment, including any POAM closeout costs. This cost might be $7,174 for small businesses. For annual affirmations, it is estimated that companies other than small businesses may spend $2,712 and small businesses may spend $1,876.
DoD has also considered the costs of implementing the selected security controls from NIST SP 800-172. Unlike for Levels 1 and 2, these controls are new additions to the current security protection requirements, so the costs of implementing those controls are new costs.
- Across the DIB, for entities other than small businesses, DoD estimates the initial implementation costs will total $21.1 million, and the annual recurring costs of maintaining compliance will total $4,120,000.
- For small businesses across the DIB, DoD estimates the initial implementation costs will total $2.7 million, and the annual recurring costs of maintaining compliance will total $490,000.
Because Level 3 necessarily requires a Level 2 (C3PAO) final status, which must also be annually affirmed to maintain eligibility for contracts requiring compliance with Level 3, the foregoing certification expenses are in addition to the requisite costs to maintain Level 2 final status. Whether these costs are recoverable depends on the type of contracts the company performs and additional analysis under the cost accounting standards, which are outside the scope of the CMMC rulemaking.
Takeaways
Level 3 requirements may start appearing in solicitations in Phase 2 (beginning November 2026), and companies should consider acting now to prepare for a DIBCAC assessment. This includes preparing for and achieving Level 2 (C3PAO) final status, with no outstanding POAMs, which is a prerequisite for initiating a Level 3 assessment. It may take several months to prepare for, schedule, and conduct third-party assessments.
To facilitate a smooth assessment process, companies should carefully assess whether the type of work they perform is vulnerable to advanced persistent threats that will likely need the higher protection levels prescribed by Level 3. This includes analyzing whether a company’s highly sensitive products, services, or data have risk profiles involving sophisticated threats and attacks.2 Companies should also consider:
- Identifying all CUI in a company’s possession and locating it on the company’s information systems. This includes capturing information a company may generate during the performance of a contract that is derived from CUI or identified in the company’s contracts as CUI.
- Understanding the scope of the company’s information systems and assets that store, process, transmit, or receive CUI. This may help the company pinpoint the information systems and assets that must be included in any requisite Level 2 assessment.
- Preparing for, scheduling, and conducting assessments of the identified information systems and assets, ensuring that assets excluded from the scope of the assessment are carefully documented. The SSP, policies, and procedures must be updated to reflect current network diagrams and information security practices.
- Identifying an affirming official who is responsible for the company’s CMMC compliance and can reasonably attest to the continued implementation of all required security controls.
Read more about the CMMC Program:
- Recapping CMMC Level 1: Considerations for Government Contractors (Oct. 9, 2025)
- Recapping CMMC Level 2: Considerations for Government Contractors (Oct. 13, 2025)
- CMMC Contract Clauses Finalized (Sept. 10, 2025)
- DoD Publishes Final CMMC Program Rule (Oct. 15, 2024)
1 DoD’s own CUI registry largely mirrors NARA’s list and contains agency-specific rules and guidance.
2 32 C.F.R. 170.4(b) (defining advanced persistent threat).