For most defense contractors, CMMC Level 2 is the destination. It is the certification that applies to the vast majority of organizations handling Controlled Unclassified Information, and it is the level around which the Phase 2 enforcement deadline of November 10, 2026, is built.
But for a smaller group of contractors, Level 2 is not the finish line. It is the prerequisite.
CMMC Level 3 exists for organizations supporting the DoD’s highest-priority programs, those facing Advanced Persistent Threats from nation-state adversaries. If your organization is in that population, or if you are trying to understand where Level 2 ends and Level 3 begins, this post explains exactly what changes between the two levels, what the additional requirements look like, and how the assessment process differs in ways that matter operationally.
Why Level 3 Exists
NIST SP 800-172 was developed to provide enhanced security requirements for CUI associated with critical programs and high-value assets where the threat actor is an Advanced Persistent Threat with the resources, capability, and patience of a nation-state. The Level 3 requirements are designed to supplement, not replace, the 110 security requirements of NIST SP 800-171. They address security capabilities that go beyond baseline CUI protection and are specifically intended for environments where sophisticated, persistent adversary activity is a realistic and anticipated threat.
This policy intent is reflected directly in the CMMC framework. Level 3 does not create a parallel compliance track. It extends a fully certified Level 2 environment with additional requirements, a more rigorous assessment process, and a government assessor whose authority reflects the sensitivity of the programs involved.
The Foundation: Level 2 Does Not Go Away at Level 3
Under 32 CFR § 170.18(a), an Organization Seeking Certification must first achieve Final Level 2 (C3PAO) status for the applicable assessment scope before initiating a Level 3 certification assessment. Conditional Level 2 status does not satisfy this prerequisite. All Level 2 POA&M items must be fully closed prior to the initiation of the Level 3 assessment, as confirmed in the DoD CIO CMMC Scoping Guide Level 3.
Per 32 CFR § 170.18, achieving a CMMC Status of Level 3 (DIBCAC) also satisfies the requirements for CMMC Statuses of Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) for the same assessment scope. Level 3 subsumes the lower levels. It does not exist independently of them.
An important caveat for reassessment: under 32 CFR § 170.18, CMMC Level 3 recertification also requires a new CMMC Level 2 assessment. The three-year Level 3 certification cycle, therefore, requires a new Level 2 (C3PAO) assessment as a prerequisite before DIBCAC assessment scheduling is available.
What Changes: The Security Requirements
Level 2 requires implementation of all 110 security requirements in NIST SP 800-171 Revision 2 as established at 32 CFR § 170.17.
Level 3 adds 24 selected enhanced security requirements drawn from NIST SP 800-172. These 24 requirements are specified in Table 1 to 32 CFR § 170.14(c)(4). To achieve Final Level 3 (DIBCAC) status, all applicable Level 3 requirements must be determined to be MET. Conditional Level 3 (DIBCAC) status may be available when permitted by the POA&M rules under 32 CFR § 170.21, provided the organization meets the minimum score threshold and the POA&M does not include any prohibited requirements. All 24 requirements must ultimately be satisfied and validated during POA&M closeout to achieve Final Level 3 (DIBCAC) status.
The 24 Level 3 requirements address capabilities that go beyond those required at Level 2. They address areas including enhanced monitoring and detection, more rigorous configuration management, deeper security assessment practices, and additional protections for critical systems and high-value assets. These are not controls that can be satisfied by implementing a tool or writing a policy. They require demonstrated operational maturity that functions continuously at a higher level of rigor than Level 2.

What Changes: Who Conducts the Assessment
This is one of the most significant practical differences between Level 2 and Level 3.
Level 2 certification assessments are conducted by accredited C3PAOs, private-sector organizations authorized by the Cyber AB and listed in the Cyber AB Marketplace.
Level 3 certification assessments are conducted exclusively by DCMA DIBCAC. As defined in 32 CFR § 170.4, a Level 3 certification assessment is the activity performed by DCMA DIBCAC to evaluate the information system of an Organization Seeking Certification when seeking a CMMC Status of Level 3 (DIBCAC). DIBCAC is not a private-sector organization and is not available through the Cyber AB Marketplace.
Under 32 CFR § 170.18(a)(1), an organization initiates a Level 3 certification assessment by emailing a request to the DCMA DIBCAC point of contact at www.dcma.mil/DIBCAC. The request must include the Level 2 certification assessment unique identifier. DIBCAC will validate that the organization has achieved Final Level 2 (C3PAO) status and will contact the organization to schedule the Level 3 assessment.
One point that distinguishes DIBCAC from C3PAOs is its standing audit authority. Under DFARS 252.204-7020, DIBCAC retains the right to assess any contractor’s CMMC posture at any time. If the results of a subsequent DIBCAC assessment show that compliance has not been achieved or maintained, those results take precedence over any pre-existing CMMC Status.
What Changes: The Assessment Standard and Level 2 Revalidation
Level 2 certification assessments are conducted in accordance with NIST SP 800-171A and the DoD CIO CMMC Assessment Guide Level 2.
Level 3 assessments evaluate the Level 3 requirements derived from NIST SP 800-172 and use the assessment objectives contained in NIST SP 800-172A, while Level 2 compliance remains a prerequisite and may be revalidated by DIBCAC during the assessment. Under 32 CFR § 170.18(a)(1), DCMA DIBCAC performs Level 3 certification assessments in accordance with both NIST SP 800-171A (June 2018) and NIST SP 800-172A (March 2022), as well as the Level 3 scoping requirements at 32 CFR § 170.19(d).
This is a point that deserves particular attention. If DIBCAC identifies a Level 2 requirement as NOT MET during a Level 3 assessment, that finding has consequences for the assessment as a whole. Organizations should not enter a Level 3 assessment assuming that their Level 2 certification is beyond scrutiny. DIBCAC assesses the full environment, and Level 2 compliance is a continuing obligation, not a one-time validation that is permanently settled by the C3PAO certification.

What Changes: Scoping
Level 2 scoping is governed by 32 CFR § 170.19(c) and the DoD CIO CMMC Scoping Guide Level 2.
Level 3 scoping is governed by 32 CFR § 170.19(d) and the DoD CIO CMMC Scoping Guide Level 3. The regulation is explicit that the Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope. The Level 3 requirements apply to assets within the defined Level 3 Assessment Scope as determined under the CMMC Scoping Guide Level 3 and 32 CFR § 170.19(d). They do not automatically apply to the full Level 2 environment.
This scoping relationship requires deliberate architectural design. An organization defines the specific systems and assets within the Level 2 scope that process, store, or transmit the most sensitive CUI, and applies the additional Level 3 requirements to that subset. If any of the 24 Level 3 requirements are inherited from a cloud service provider, the organization must demonstrate that those inherited controls are properly implemented and documented within the Level 3 assessment scope, as noted in the CMMC Scoping Guide Level 3.
For questions about Level 3 scoping, 32 CFR § 170.19 directs organizations to contact DCMA DIBCAC directly at www.dcma.mil/DIBCAC.

What Changes: The POA&M Rules
Under 32 CFR § 170.21, an organization may achieve Conditional Level 3 (DIBCAC) status only if the assessment score divided by the total number of Level 3 security requirements is greater than or equal to 0.8, and the POA&M does not include any of the security requirements expressly prohibited from POA&M treatment at Level 3. The same 180-day closeout requirement applies at Level 3 as at Level 2. POA&M closeout assessments for Level 3 are conducted by DIBCAC rather than a C3PAO.
An organization may achieve Conditional Level 3 (DIBCAC) status with allowable POA&M items and a passing score. However, all applicable Level 3 requirements must ultimately be satisfied and validated during POA&M closeout to achieve Final Level 3 (DIBCAC) status. If the 180-day closeout window expires without a successful closeout assessment, Conditional Level 3 status expires, and the organization must undergo a new assessment before achieving the required CMMC Status.
What Changes: The Affirmation Requirement
The annual affirmation requirement applies at Level 3 just as it does at Level 2. Under 32 CFR § 170.22, a senior company official must submit an annual affirmation in SPRS confirming continued compliance within the CMMC Assessment Scope. Given that Level 3 status also satisfies Level 1 and Level 2 status requirements for the same scope, the annual affirmation at Level 3 covers the full body of requirements across all three levels.
What Does Not Change
The fundamental compliance discipline that makes Level 2 certification achievable is the same discipline that makes Level 3 certification achievable. Security controls must be implemented correctly, operating as intended, and producing the desired security outcome. Documentation must reflect the actual environment. Evidence must support every assessment objective. The System Security Plan must accurately describe how requirements are implemented across the assessment scope defined under 32 CFR § 170.19.
What Level 3 adds is not a different philosophy. It adds a more demanding set of requirements, a government assessor rather than a private-sector one, a more constrained scoping model, and the expectation that the operational maturity demonstrated at Level 2 is sustained and extended to meet the enhanced requirements set forth in NIST SP 800-172.
A Summary of the Key Differences
Security requirements: Level 2 requires 110 requirements from NIST SP 800-171 Revision 2. Level 3 requires those same 110 requirements plus 24 additional requirements from NIST SP 800-172, as specified in Table 1 to 32 CFR § 170.14(c)(4).
Assessor: Level 2 is assessed by an accredited C3PAO. Level 3 is assessed exclusively by DCMA DIBCAC.
Prerequisite: Under 32 CFR § 170.18(a), Final Level 2 (C3PAO) status on the same assessment scope is required before initiating a Level 3 assessment. Conditional Level 2 does not satisfy this prerequisite.
Scoping: The Level 3 Assessment Scope must be equal to or a subset of the Level 2 Assessment Scope under 32 CFR § 170.19(d).
Assessment standard: Level 3 assessments evaluate Level 3 requirements using the assessment objectives in NIST SP 800-172A, while Level 2 compliance remains a prerequisite and may be revalidated by DIBCAC during the assessment.
Recertification: Level 3 recertification requires a new Level 2 (C3PAO) assessment as a prerequisite under 32 CFR § 170.18.
POA&M closeout: Level 3 POA&M closeout assessments are conducted by DIBCAC rather than a C3PAO.
Annual affirmation: Required at Level 3 under 32 CFR § 170.22, covering all requirements across the assessment scope.
Final Thought
The path from Level 2 to Level 3 is not a lateral move. It is a vertical one that requires a fully certified Level 2 foundation, 24 additional enhanced security requirements, a government-conducted assessment using both NIST SP 800-171A and NIST SP 800-172A, and a more constrained scoping model designed to protect the most sensitive CUI in the defense industrial base.
For organizations that need it, Level 3 represents the highest level of cybersecurity maturity certification currently available under the CMMC framework. For organizations preparing for Level 2, understanding where Level 3 begins is part of understanding what the overall framework is designed to accomplish: a defense industrial base capable of continuously protecting sensitive government information, at the level of rigor the threat environment actually demands.
Organizations are expected to implement, document, maintain, and demonstrate the required security controls within the defined assessment scope. The applicable requirements, assessment procedures, and scoping guidance are publicly available through the DoD CIO CMMC Documentation page.

About Brea Networks
Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.