Every defense contractor that handles Controlled Unclassified Information knows CMMC Level 2 by now. Far fewer understand what sits above it. CMMC Level 3 is the Expert tier of the program, and it is built on a standard most contractors have never opened: NIST SP 800-172. If your company supports the highest-priority defense programs, or expects to, Level 3 is the bar you will eventually be measured against, and the time to understand it is before it shows up in a contract.
This primer explains what NIST SP 800-172 is, how it relates to NIST SP 800-171 and CMMC Level 2, exactly what the 24 enhanced requirements behind Level 3 cover, who conducts the assessment, when Level 3 applies, what it costs, and how to prepare for it without rebuilding your entire security program from scratch. It is written for the CISOs, ISSMs, and compliance leads who will own this work.
What Is NIST SP 800-172?
NIST SP 800-172 is titled "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171." The key word is supplement. NIST SP 800-171 establishes the 110 baseline requirements for protecting CUI in nonfederal systems. NIST SP 800-172 sits on top of that baseline and adds a focused set of enhanced requirements for organizations and assets that face a far more capable adversary.
That adversary is the Advanced Persistent Threat. An APT is a well-resourced, patient, and sophisticated attacker, frequently nation-state affiliated, that targets specific organizations over long periods and is willing to spend significant time and money to get in and stay in. The standard assumes that against this class of threat, prevention alone will fail at some point, so the requirements are designed around limiting damage and surviving a breach, not just keeping attackers out.
What 800-172 Adds to 800-171
NIST SP 800-171 is about hygiene and baseline protection. NIST SP 800-172 is about resilience against a determined adversary. The original February 2021 version of 800-172 contains 39 enhanced security requirements, organized into the same control families used across the rest of the CUI framework. Companion assessment procedures live in NIST SP 800-172A. Importantly, 800-172 is not meant for everyone. It is written for high-value assets and critical programs, a deliberately narrow population compared to the broad base of contractors that 800-171 covers.
The Three Design Strategies Behind 800-172
The enhanced requirements are organized around three strategies that distinguish 800-172 from the baseline:
Penetration-resistant architecture. Harden the environment so that compromising one component does not hand the attacker the rest. This includes stronger isolation, dual authorization for high-impact actions, and tighter control over connections between security domains.
Damage-limiting operations. Assume the adversary will get in, and design operations to detect them quickly, contain the blast radius, and deny them the ability to move laterally or persist. This is where continuous monitoring, threat hunting, and rapid incident response do the heavy lifting.
Cyber resiliency and survivability. Build systems that continue to operate and protect CUI even while under active attack, using deception, unpredictability, and the assumption of breach as design principles.
What Is CMMC Level 3?
CMMC Level 3 is the Expert level of the Cybersecurity Maturity Model Certification program. Where Level 1 (Foundational) covers basic safeguarding and Level 2 (Advanced) codifies all 110 NIST SP 800-171 Rev 2 requirements, Level 3 layers a selected subset of NIST SP 800-172 on top of the full Level 2 baseline.
The exact composition matters, so here it is precisely. DoD selected 24 of the 39 enhanced requirements in NIST SP 800-172 (February 2021) to serve as the Level 3 requirements. They are listed in Table 1 to 32 CFR 170.14(c)(4). The complete Level 3 picture is therefore 110 baseline controls plus 24 enhanced controls, every one of which must be technically enforced and verifiable rather than merely documented. Level 3 is reserved for the programs where the consequences of CUI loss to an APT are most severe, which is why it is expected to apply to only a small fraction of the Defense Industrial Base.
CMMC Level 3 vs Level 2: The Key Differences
Many contractors assume Level 3 is "Level 2 with more controls." It is more than that. The assessment authority, the flexibility, and the technical bar all change. The table below summarizes the distinctions that actually affect planning and budget.
| Dimension | CMMC Level 2 | CMMC Level 3 |
|---|---|---|
| Baseline | 110 requirements (NIST SP 800-171 Rev 2) | Level 2 plus 24 selected requirements from NIST SP 800-172 (Feb 2021) |
| Threat model | Protect CUI from common threats | Protect CUI from Advanced Persistent Threats |
| Who assesses | Certified Third-Party Assessment Organization (C3PAO) | Government: DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) |
| Prerequisite | Scoping and self or third-party assessment | Final Level 2 (C3PAO) certification must be achieved first |
| Organization-Defined Parameters | None (800-171 Rev 2 uses none) | DoD assigns specific ODP values on the selected requirements |
| POA&M flexibility | Conditional status permitted within score thresholds | Very limited: most of the 24 must be fully met at assessment |
| Assessment procedures | NIST SP 800-171A | NIST SP 800-171A and NIST SP 800-172A |
| Population | Broad: contractors handling CUI | Narrow: highest-priority programs and high-value assets |
The single most consequential difference is the Organization-Defined Parameter. Under NIST SP 800-172A, each organization normally sets its own parameter values to fit its environment. For CMMC Level 3, DoD has pre-assigned those values to enforce a consistent standard across programs. That removes interpretive room and means contractors must meet the government's definition of "good enough," not their own.
CMMC Level 3 Requirements: What the 24 Controls Cover
The 24 enhanced requirements span familiar practice domains, including Access Control, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Personnel Security, Risk Assessment, and System and Communications Protection. The difference is depth and enforcement. A few representative examples illustrate the shift in posture:
Restricting system access to organization-owned or organization-controlled resources rather than allowing arbitrary endpoints.
Requiring secure information transfer solutions when moving data between security domains.
Expanding threat awareness so the program tracks adversary tactics relevant to its mission, not generic alerts.
Strengthening incident response so detection and containment operate against a patient, persistent attacker rather than opportunistic intrusions.
The common thread is that none of these are paperwork exercises. At Level 3, an assessor expects to see each control operating in the live environment, producing evidence, and holding up under examination. This is the practical reason Level 3 demands real security operations capability, not just a strong document set.
Who Conducts a CMMC Level 3 Assessment?
This is the question that surprises contractors most. Level 2 certification assessments are performed by Certified Third-Party Assessment Organizations, the C3PAOs accredited under the program. Level 3 is different. All Level 3 certification assessments are conducted by the government, specifically the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center, known as DIBCAC.
There is also a strict order of operations. A contractor must first achieve a Final Level 2 (C3PAO) certification for the relevant scope, and only then undergo the separate DIBCAC assessment against the 24 enhanced requirements. DIBCAC assesses using the procedures in NIST SP 800-171A and NIST SP 800-172A. In short, you earn Level 2 from an accredited third party, then earn Level 3 from the government on top of it.
When Is CMMC Level 3 Required?
Level 3 is contract-driven. It applies when a DoD program determines that the CUI involved warrants protection against APT-level threats, and it is written into the solicitation and contract accordingly. The CMMC Program itself was codified in 32 CFR Part 170, published in the Federal Register on October 15, 2024, with the contractual mechanics flowing through the DFARS clauses (252.204-7012 for safeguarding and incident reporting, and 252.204-7021 for the CMMC requirement). DoD is phasing the contract requirements in over time, so the right move is to track current DoD guidance for your specific contracts rather than assume a single nationwide date.
Flow-down is worth understanding early. If a prime contract carries a Level 3 (DIBCAC) requirement, a subcontractor that will process, store, or transmit CUI generally needs to meet at least Level 2 (C3PAO). Level 3 obligations at the top of a supply chain ripple downward, even if the exact level required of each tier differs.
What CMMC Level 3 Costs, and Why It Is Higher
Level 3 is meaningfully more expensive than Level 1 or Level 2, for reasons that are structural rather than incidental. We do not publish a single price because it depends on scope, current maturity, and program complexity, but the cost drivers are consistent:
The Level 2 prerequisite means you are paying for two assessments, not one, because Final Level 2 certification has to be in place before Level 3 begins.
The enhanced controls require real engineering and operations investment, not documentation, since APT-grade requirements like penetration-resistant architecture and damage-limiting operations have to be built and run.
The pre-assigned ODPs reduce the ability to scope your way to a cheaper implementation.
The limited POA&M flexibility at Level 3 means most of the 24 requirements must be genuinely met at assessment time, so there is little room to defer work and remediate later.
The organizations that control Level 3 cost best are the ones that treat it as an operational capability to inherit rather than a project to staff from zero.
NIST SP 800-172 Revision 3 and the Future of Level 3
NIST has advanced 800-172 toward Revision 3, with updated assessment procedures in NIST SP 800-172A. This signals where the framework is heading. It does not change what CMMC requires today. CMMC Level 3 remains anchored to the 24 requirements selected from the February 2021 version of 800-172, because a NIST publication only becomes a CMMC obligation once DoD incorporates it through formal rulemaking. The practical guidance is straightforward: prepare against the February 2021 baseline that 32 CFR Part 170 actually references, and treat Revision 3 as a planning input for the next cycle, not a current requirement.
How to Prepare for CMMC Level 3
Level 3 readiness comes down to two problems: running enhanced security operations against a real adversary, and proving it with documentation that survives a government assessment. Most contractors underestimate the first and overspend on the second. Quzara was built to solve both, because we operate a federal security platform every day and build the AI that automates the compliance work beneath it.
Inherit the Operational Controls Instead of Building Them
The damage-limiting and resiliency requirements at the heart of 800-172 (continuous monitoring, threat hunting, rapid detection, and incident response against APTs) are exactly what a mature security operations center delivers. Quzara Cybertorch is a FedRAMP Certified Class D managed detection and response platform on Azure Government, authorized for DoD IL-4, staffed by a 24/7 U.S.-citizen-only SOC. Inheriting that operational capability lets you satisfy the enhanced operational requirements with a proven, authorized boundary instead of standing up an APT-grade SOC of your own. Learn more at Quzara Cybertorch MDR.
Automate the Documentation and Control Mapping
The other half of Level 3 is evidence. You have to map and maintain 110 baseline requirements plus 24 enhanced ones, track the DoD-assigned ODPs, and assemble assessment-ready artifacts for DIBCAC. NISTCompliance.ai automates that work: AI-driven gap analysis across NIST SP 800-171 and the selected 800-172 requirements, audit-ready SSP and POA&M generation, OSCAL output, and an Auditor Co-Pilot that lets assessors query your evidence repository directly. It turns months of spreadsheet work into days of AI-driven confidence, so your team spends its time on security rather than paperwork.
A sensible path is to start with a clear-eyed assessment of where you stand. A CMMC gap assessment maps your current posture against both the Level 2 baseline and the Level 3 enhanced requirements, so you know exactly what to build, what to inherit, and what to document before DIBCAC arrives.
Frequently Asked Questions
What is CMMC Level 3? CMMC Level 3 is the Expert level of the Cybersecurity Maturity Model Certification program. It requires the full 110 NIST SP 800-171 Rev 2 baseline (Level 2) plus 24 enhanced requirements selected from NIST SP 800-172, all aimed at protecting CUI from Advanced Persistent Threats.
What is the difference between CMMC Level 2 and Level 3? Level 2 is 110 NIST SP 800-171 requirements assessed by a C3PAO. Level 3 adds 24 NIST SP 800-172 enhanced requirements, is assessed by the government (DIBCAC), uses DoD-assigned Organization-Defined Parameters, allows far less POA&M flexibility, and requires a Final Level 2 certification first.
How many controls in CMMC Level 3 come from NIST 800-172? 24. DoD selected 24 of the 39 enhanced requirements in the February 2021 version of NIST SP 800-172, listed in Table 1 to 32 CFR 170.14(c)(4). They sit on top of the 110 Level 2 controls.
Who can conduct a Level 3 CMMC assessment? Only the government. The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts all CMMC Level 3 certification assessments. C3PAOs handle Level 2, not Level 3.
When is CMMC Level 3 required? When a DoD program determines the CUI involved warrants APT-level protection and writes the requirement into the contract. It is contract-driven and phased, so track current DoD guidance for your specific awards. A Level 3 requirement on a prime contract generally flows down a minimum of Level 2 to subcontractors handling CUI.
What does CMMC Level 3 require for media sanitization? The core media sanitization obligations for CUI live in the Level 2 baseline under NIST SP 800-171 Media Protection, which requires sanitizing or destroying media containing CUI before disposal or reuse. Level 3 builds on that foundation with enhanced handling and architecture requirements aimed at a more capable adversary rather than replacing the baseline media controls.
How much does CMMC Level 3 certification cost? There is no single price. Cost depends on scope, current maturity, and program complexity, and it is higher than Level 1 or Level 2 because you pay for the Level 2 prerequisite, must engineer and operate the enhanced controls, work within DoD-assigned ODPs, and have limited room to defer work to a POA&M.
Does NIST SP 800-172 Revision 3 change CMMC Level 3 today? No. CMMC Level 3 is still assessed against the 24 requirements from the February 2021 version of 800-172. A revised NIST publication only becomes a CMMC obligation after DoD adopts it through formal rulemaking.
Move From Awareness to Readiness
CMMC Level 3 rewards organizations that treat it as an operational capability, not a documentation sprint. The contractors who get there efficiently inherit proven security operations and automate the compliance work underneath, instead of trying to build and prove APT-grade defenses from a standing start.
Explore NISTCompliance.ai to automate gap analysis, SSP and POA&M generation, and OSCAL output across the NIST SP 800-171 baseline and the selected 800-172 requirements behind Level 3.
Partner with Quzara for compliance advisory and FedRAMP Certified Class D managed security operations through Cybertorch. From gap assessment through assessment readiness, Quzara provides the strategic and tactical trusted advisory services that defense contractors depend on at the highest tier of CMMC.