CMMC Level 3 Certification Assessment Requirements
32 CFR 170.18 establishes the requirements for CMMC Level 3 certification, which is reserved for DoD programs involving CUI of the highest priority. It requires implementation of all 110 NIST SP 800-171 controls plus 24 enhanced controls drawn from NIST SP 800-172, with the certification assessment performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Who must comply
Contractors on the specific DoD programs designated as requiring Level 3.
What it requires
1. Hold a current Level 2 certification as a prerequisite.
2. Implement 24 enhanced controls selected from NIST SP 800-172 in addition to all 110 NIST SP 800-171 controls.
3. Undergo a Level 3 assessment performed by DIBCAC, not a C3PAO.
4. Renew the certification every three years and submit annual affirmations between cycles.
Related clauses
- 32 CFR 170.17: CMMC Level 2 Certification Assessment Requirements
32 CFR 170.17 specifies the procedural requirements when CMMC Level 2 must be verified by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assessed. It defines the triennial assessment cadence, the role of the Certified CMMC Assessor (CCA), the use of NIST SP 800-171A objectives, and the conditions for issuing a Final Level 2 Certification Assessment.
- 32 CFR 170.22: Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.