CMMC Level 3
Also known as: Level 3, CMMC L3
CMMC Level 3 is the highest CMMC certification tier, reserved for DoD programs involving CUI of the highest priority. It requires implementing NIST SP 800-171 plus 24 enhanced controls drawn from NIST SP 800-172, and triennial assessments performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Related terms
- NIST SP 800-172
NIST SP 800-172 specifies 24 enhanced security requirements that supplement NIST SP 800-171 for systems handling CUI associated with critical programs or high-value assets. These additional 24 controls are what distinguishes CMMC Level 3 from Level 2.
- Defense Industrial Base Cybersecurity Assessment Center
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Defense Contract Management Agency (DCMA) component that conducts NIST SP 800-171 assessments and CMMC Level 3 assessments on DoD contractors. DIBCAC assessments are the highest assurance level in the program.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.