February 16, 2024

Last Updated on February 20, 2024

Some of the most important clarifications in the recent Cybersecurity Maturity Model Certification (CMMC) Proposed Rule relate to CMMC Level 3—including compliance requirements, assessment requirements, and implementation timeline.

This blog post gives you a complete, high-level update on CMMC Level 3.


What is CMMC Level 3?

CMMC 2.0 Level 3 (Expert) defines controls and practices that enable a contractor to protect the most sensitive controlled unclassified information (CUI) from advanced persistent threats (APTs) and nation-state-level attacks.

The US Department of Defense (DoD) has not announced specific criteria for which organizations will need to comply with CMMC Level 3. However, it has stated more generically that CMMC Level 3 will be required for contracts “supporting its most critical programs and technologies.”

In short, the DoD likely plans to apply CMMC Level 3 requirements on a contract-by-contract basis depending on the sensitivity of the CUI involved. These contracts are likely to include the most sensitive defense programs, such as missile systems or nuclear weapons development.

The DoD estimates that less than 1% of suppliers in the US defense industrial base (DIB) will need to attain a CMMC Level 3 certification.


What are the CMMC Level 3 control requirements?

CMMC Level 3 starts with the 110 controls defined in NIST 800-171. Then it adds the 24 additional requirements in NIST 800-172, Enhanced Security Requirements for Protecting CUI.

As the NIST 800-172 standard explains, its enhanced controls support a multidimensional, defense-in-depth strategy for protecting highly sensitive CUI based on three primary components:

  1. A penetration-resistant architecture;
  2. Damage-limiting operations; and
  3. Designing for cyber resiliency and survivability while under sustained attack.

This defense-in-depth approach acknowledges that determined adversaries can eventually breach perimeter defenses and embed malicious code on a defender’s systems. Organizations must therefore have protections in place to detect, obstruct, and outflank attackers while protecting the highest value assets.

Critical components of the NIST 800-172 control strategy include:

  • Logical and physical isolation and segmentation within networks, storage, etc.
  • Dual or multifactor authorization controls
  • Extended configuration management requirements
  • Continuous 24×7 monitoring via a SOC and advanced analytics
  • Using deception techniques to confuse and mislead adversaries

In addition to the NIST 800-172 requirements, the CMMC proposed rule specifies a number of Organization-Defined Parameters (ODPs) to be applied in specific situations.


What are the CMMC Level 3 assessment requirements?

The CMMC Level 3 assessment process includes multiple steps:

  • First, an Organization Seeking Certification (OSC) needs to complete a CMMC Level 2 certification assessment with a Certified Third-Party Assessment Organization (C3PAO) and achieve a perfect 110 score.
  • In addition to successfully implementing the CMMC Level 2 control set, the OSC also needs to implement the 24 controls in NIST 800-172.
  • After achieving CMMC Level 2 certification, the OSC must arrange with the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) to verify the NIST 800-172 control implementation. Leveraging DoD assessors should reduce the assessment costs for CMMC Level 3 certification.

The CMMC proposed rule defines a scoring methodology for the DIBCAC to use when assessing CMMC Level 3 compliance, which allows Plans of Action & Milestones (POA&Ms) for some incomplete requirements. POA&Ms must be closed within 180 days of the assessment.

To achieve a final CMMC Level 3 certification, an OSC needs to attain a score of 20 or higher out of 24 for the NIST 800-172 controls, in addition to a perfect 110 score for the foundational NIST 800-171 controls. If POA&Ms are in place, the contractor may be awarded a conditional CMMC Level 3 certification, which enables them to compete for CMMC Level 3 contracts.

Once achieved, a CMMC Level 3 certification is valid for three years. A senior official must affirm on an annual basis that the compliance is being maintained.


When will CMMC Level 3 requirements start appearing in DoD contracts?

The CMMC proposed rule defines a four-phase rollout period:

  1. Phase 1 begins when the DFARS 7021 clause is finalized and lasts for six months. CMMC Level 3 requirements will not appear in DoD contracts during Phase 1.
  2. Phase 2 begins six months after the start of Phase 1 and lasts for 12 months. During this period, the DoD may include CMMC Level 3 requirements in selected contracts.
  3. Phase 3 begins 18 months after the Phase 1 start date and will last for 12 months. This is when the DoD will start including CMMC Level 3 requirements as a condition of contract award. However, the DoD reserves the right to delay including CMMC Level 3 requirements during Phase 3 at its option.
  4. Phase 4 begins 30 months after the Phase 1 start date. By this time, all CMMC program requirements, including CMMC Level 3, will be in place across all DoD contracts and solicitations, including option periods.

The DoD has indicated that it is giving suppliers additional time to implement the NIST 800-172 requirements because these are new and may prove challenging. DIB organizations that support or plan to support “critical programs and technologies” should conduct a gap assessment soon to gauge their CMMC Level 3 compliance effort and develop a roadmap.


Will CMMC Level 3 “flow down” to subcontractors?

According to the proposed rule, CMMC Level 3 requirements will apply to “contractors and applicable subcontractors.”

In general, the DoD has stated that: “If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.”


What’s next?

For more guidance on this topic, listen to Episode 131 of The Virtual CISO Podcast with guests Jeff Carden and Warren Hylton, Federal Risk & Compliance Consultants at CBIZ Pivot Point Security.