Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework designed to enhance the overall security of organizations working with the U.S. Department of Defense (DoD). It consists of three levels, with Level 3 representing the highest tier, required for organizations handling highly sensitive government information.

‍

Due to its comprehensive nature, achieving CMMC Level 3 certification can be challenging, as it requires significant resources, time, and preparation. Without the right guidance, organizations may face delays, inefficiencies, and other roadblocks.

‍

In this guide, we will break down the most significant aspects of the Level 3 certification process, such as scope, controls, and requirements, as well as the most common pitfalls, while providing actionable steps to help you prepare efficiently and minimize friction.

‍

Who needs CMMC Level 3 certification?

CMMC Level 3 is required for organizations that collect, process, and share Controlled Unclassified Information (CUI), which is critical to national security and requires high-level protection.

‍

The applicability of Level 3 is similar to Level 2. As of this writing, the CMMC Final Rule does not specify which types of CUI will require a Level 3 certificate versus a Level 2 certificate. As a result, organizations may not know which certification level they need until the DoD starts specifying it in its contracts through Requests for Proposal (RFPs).

‍

However, if you’re currently working with the DoD and you are unsure whether you need CMMC Level 3, it’s a good idea to contact the DoD contracting officer or your prime contractor (if you’re a subcontractor) for clarification.

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

‍

CMMC Level 3 scope

CMMC Level 3 encompasses four categories of assets:

‍

1. CUI assets: All assets that can store, process, or transmit CUI, such as servers, databases, and workstations.
2. Security protection assets: Systems and resources that provide security capabilities or functions to your organization, such as firewalls and encryption tools. Whether these assets can store, process, or transmit CUI is not a determining factor.
3. Specialized assets: Assets that can store, process, or transmit CUI but can’t be fully secured, such as the Internet of Things (IoT), Government Furnished Equipment (GFE), and Operational Technology (OT).
4. Out-of-scope assets: Assets that can’t store, process, or transmit CUI or are physically or logistically separated from CUI assets are out of scope. These include non-secured equipment, public-facing websites, personal devices, and guest networks.

‍

Since CMMC Level 2 certification is a prerequisite for Level 3, Contractor Risk Managed Assets must also be included, since they’re a part of the Level 2 scope. These assets, such as printers, external storage devices, and non-sensitive data backup systems, can store, process, or transmit CUI but are not intended to.

‍

Outlining your scope precisely to ensure all relevant assets are included is essential. This helps you identify which systems to consider, allowing you to prioritize critical assets and allocate resources efficiently, streamlining the certification process.

‍

‍

CMMC Level 3 controls

Achieving CMMC Level 3 certification will require implementing two sets of practices:

‍

1. 110 practices based on NIST SP 800-171 R2, which are also required for a CMMC Level 2 certificate
2. An additional 24 practices based on NIST SP 800-172, officially included as of October 15, 2024

‍

Implementing both sets of practices simultaneously is not possible, as your organization must first obtain a Level 2 certificate by implementing the 110 NIST SP 800-171 R2 practices (assessed by a C3PAO). After that, you can pursue Level 3 by adding the additional 24 practices from NIST SP 800-172 (assessed by the government), some of which include:

‍

‍

To ensure a smooth transition from CMMC Level 2 to Level 3, your organization should first focus on supply chain risk response, incident response, and threat-hunting control practices. These practices help you address key security threats early in the compliance process, making integration into existing systems easier and further strengthening your security posture.

‍

Most Level 3 practices revolve around enhancing your organization’s risk management practices. As such, paying special attention to risk assessment and treatment strategies while preparing for certification is essential.

‍

“

As organizations going for CMMC Level 3 must have Level 2 first, some may think that it is mostly a more rigorous version of Level 2. In reality, CMMC Level 3 is an augmentation to CMMC Level 2 with additional advanced cybersecurity measures to protect very highly sensitive Controlled Unclassified Information (CUI).”

Faisal Khan

GRC Solutions Expert, Vanta

|

LinkedIn

‍

{{cta_withimage22="/cta-blocks"}}  | The audit ready checklist‍

‍

CMMC Level 3 requirements

Besides obtaining a CMMC Level 2 certificate, your organization must undergo a government-led audit performed by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to receive a Level 3 certificate.

‍

During the audit, assessors can use several assessment techniques to ensure alignment with CMMC requirements. The most commonly employed are the three methods described in NIST SP 800-172A:

‍

1. Interviews: The assessors speak with relevant team members to determine whether CMMC practices are implemented and whether sufficient resources, training, and planning have been provided to meet the requirements.
2. Examination: This includes reviewing, inspecting, observing, studying, or analyzing assessment objects such as policy documents, training materials, and network diagrams to evaluate whether assessment objectives have been met.
3. Testing: The most common assessment method, where assessors require organizations to demonstrate how implemented processes function to provide evidence that the requirements have been met.

‍

Assessments of CMMC requirements can result in one of three types of practice findings: MET, NOT MET, or N/A. Once the audit has been completed, the results must be entered into the CMMC Enterprise Mission Assurance Support Service (eMASS) by DIBCAC.

‍

For CMMC Level 3, organizations are expected to fully implement all required practices to get certified. However, a Conditional Certificate may still be granted if at least 80 percent of the requirements are met and a Plan of Actions and Milestones (POA&M) is submitted, detailing how the remaining gaps will be bridged within 180 days.

‍

CMMC Level 3 compliance process at a glance

Once you obtain a Level 2 certificate, taking the following steps can help you achieve Level 3 certification more efficiently:

‍

1. Reassess the scope: The scope for Level 3 is broader than for Level 2, so it’s recommended to reassess in-scope assets to ensure relevant systems and resources affected by Level 3 are identified and accounted for.
2. Implement the missing practices: CMMC Level 3 compliance requires fully implementing the additional 24 practices before undergoing the audit. 
3. Collect evidence of compliance: Collect and maintain comprehensive, up-to-date documentation of all your compliance workflows. This will better demonstrate your compliance efforts to auditors, streamlining the certification process.
4. Undergo the DIBCAC audit: Once you’ve implemented the missing practices and prepared all the necessary documentation, undergo the DIBCAC audit to receive your certificate.
5. Maintain your certificate: To maintain your CMMC Level 3 certificate, you’ll need to submit annual compliance affirmations and apply for recertification every three years, making continuous monitoring imperative for ongoing compliance.

‍

{{cta_withimage27="/cta-blocks"}} | CMMC compliance checklist

‍

CMMC Level 3: Common challenges

One of the main challenges of achieving CMMC Level 3 certification is the extensive security and compliance work it requires, especially for organizations that have yet to achieve Level 2 certification.

‍

Level 3 introduces unique requirements, such as having a dedicated incident response team, which can be particularly challenging for small and medium businesses (SMBs) and other resource-constrained organizations with limited capacity. 

‍

Another common challenge is 3.11.2e—Threat Hunting. The tooling and processes required for successful implementation are complex and require organizations to change their existing threat intelligence and incident response processes.

‍

In addition, maintaining continuous CMMC Level 3 compliance requires extensive evidence collection, which can be time-consuming and labor-intensive if done manually. Security and compliance teams often need to sift through disparate systems and screenshots to collect proof of compliance efforts—an overwhelming process that can lead to delays and bottlenecks.

‍

Adopting an automated compliance solution can help address these challenges by reducing repetitive manual workflows, streamlining evidence collection, and enabling real-time monitoring and reporting. This improves efficiency and helps your team save time and resources over the long term.

‍

Vanta: Your CMMC compliance partner

Vanta is a comprehensive trust management platform that helps organizations streamline CMMC compliance by offering clear guidance at every step of the certification process and automating manual workflows. 

‍

Leveraging Vanta can help SMBs and other resource-constrained organizations working with the DoD accelerate deal cycles and compete with larger organizations by reducing the time and resource investment needed to pursue CMMC certification.

‍

Vanta’s dedicated CMMC solution comes with multiple features that automate up to 50 percent of related workflows, including: 

‍

• Out-of-the-box support for all CMMC certification levels
• Automated evidence collection supported by 375+ integrations
• Automated gap assessments
• Centralized, real-time tracking and monitoring of CMMC practices
• Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172

‍

Once you start preparing for the assessment, you can tap Vanta’s partner network to connect with a reputable C3PAO that can support your organization throughout every aspect of the compliance process.

‍

Schedule a custom demo to learn more about Vanta’s CMMC solution and see how it can help you streamline compliance.

‍

{{cta_simple33="/cta-blocks"}} | CMMC product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.