In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2. In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply. DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.” We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI. DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.

What are the requirements of CMMC Level 3?

There are three steps the contractor must satisfy to obtain a CMMC Level 3 certification. First, the contractor must obtain a CMMC Level 2 certification. This means that a Certified Third-Party Assessor Organization (“C3PAO”) will need to assess any contractor information system that stores, processes, or transmits CUI for compliance with the NIST SP 800-171 rev. 2 security requirements. Note that because the proposed CMMC rule requires a CMMC Level 2 certification—a third party assessment—a CMMC Level 2 self-assessment will not suffice.

Second, the contractor must implement all 24 security controls from NIST SP 800-172. These controls include (1) employing secure information transfer solutions; (2) providing awareness training on recognizing social engineering and advanced persistent threat actors; (3) establishing a security operations center that operates 24/7; (4) conducting penetration testing at least annually or when significant security changes are made to the system; and (5) employing physical and/or logical isolation techniques in organizational systems and system components.

Finally, the contractor must pass a CMMC Level 3 Certification assessment, which will be conducted by the Defense Contract Management Agency (“DCMA”) Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”). DIBCAC will assess the applicable contractor information systems for compliance with the 24 NIST SP 800-172 controls and submit the results through the CMMC Enterprise Missions Assurance Support Service (“eMASS”). 

If the information systems meet all security requirements, then the contractor has achieved a “CMMC Level 3 Final Certification Assessment.” If certain security requirements are not met, then the contractor will have a “conditional certification” and must submit a Plan of Action and Milestone (“POA&M”) explaining how it will implement the remaining security requirements. The contractor must then implement the POA&Ms and DIBCAC must perform a closeout assessment within 180 days of the conditional certification. The contractor is eligible for DoD CMMC Level 3 contracts as long as its conditional certification remains active. If the contractor fails to close out the POA&Ms within 180 days, then its conditional status expires, and the contractor is ineligible for CMMC Level 3 contracts.

A CMMC Level 3 certification is valid for three years. A contractor “senior official” must affirm continuing compliance with CMMC Level 3 requirements through SPRS on an annual basis.

Does CMMC Level 3 apply to subcontractors?

If the prime contract has a CMMC Level 3 requirement and the subcontractor will process, store, or transmit CUI, then the subcontractor must have at least a CMMC Level 2 certification. It is less clear under what circumstances a subcontractor will require a CMMC Level 3 certification. We can safely assume that the more involvement the subcontractor has in a CMMC Level 3 prime contract, the higher the likelihood the subcontractor will need a CMMC Level 3 certification. 

When will DoD begin incorporating CMMC Level 3 requirements into contracts?

The final CMMC rule is expected to go into effect in late 2024 or early 2025. DoD will begin adding the CMMC Level 3 requirement to new contract awards approximately 18 months later. One year later (two-and-a-half years after the rule goes into effect), DoD agencies will begin amending applicable contracts that were awarded prior to the CMMC rule’s effective date to require CMMC Level 3 certifications. DoD is providing contractors this extra buffer period because CMMC Level 3’s NIST SP 800-172 requirements are new, and contractors will need time to implement them and prepare for their DIBCAC assessment. While we expect relatively few contractors will need a CMMC Level 3 certification, if contractors believe they support “critical” DoD programs, they should start assessing their information systems now for compliance with CMMC Level 3 requirements.