CMMC Level 3

Expert-level safeguards for highest-priority defense environments.

This page outlines all 24 Level 3 requirements selected by DoD from NIST SP 800-172 and applied on top of full Level 2 implementation.

LEVEL 3 QUICK REFERENCE - 24 ADDITIONAL REQUIREMENTS

Assessment Focus

Active defense maturity, threat hunting, and supply-chain resilience.

Level 3 expands beyond baseline control execution by emphasizing advanced detection, response, threat-informed engineering, and government-led oversight.

  • Level 3 applies after Level 2 requirements are fully implemented.
  • Assessments are government-led with annual affirmation requirements.
  • Threat intelligence integration and measured response capability are central.

All 24 Additional Requirements

Selected NIST SP 800-172 requirements used by CMMC Level 3.

  • AC.L3-3.1.2e Restrict access to systems and system components to information resources owned, provisioned, or issued by the organization.
  • AC.L3-3.1.3e Employ secure information transfer solutions to control information flows between security domains on connected systems.
  • AT.L3-3.2.1e Provide awareness training at initial hire, after significant cyber events, and at least annually; update training when threat conditions materially change.
  • AT.L3-3.2.2e Include practical role-based exercises for general users, specialized users, and privileged users with supervisor feedback loops.
  • CM.L3-3.4.1e Maintain an authoritative repository for approved and implemented system components.
  • CM.L3-3.4.2e Use automated mechanisms to detect misconfigured or unauthorized components and remove or quarantine/remediate them.
  • CM.L3-3.4.3e Use automated discovery and management tooling to keep inventory complete, current, and accurate.
  • IA.L3-3.5.1e Identify and authenticate systems/components before network connection using cryptographic, replay-resistant, bidirectional authentication.
  • IA.L3-3.5.3e Prevent components from connecting unless known, authenticated, properly configured, or within an approved trust profile.
  • IR.L3-3.6.1e Establish and maintain 24/7 security operations center capability, including remote/on-call staffing where needed.
  • IR.L3-3.6.2e Maintain a cyber incident response team that can be deployed within 24 hours.
  • PS.L3-3.9.2e Protect organizational systems if adverse information develops about individuals with CUI access.
  • RA.L3-3.11.1e Incorporate threat intelligence from open/commercial and DoD-provided sources into risk assessment, architecture, monitoring, hunting, and response.
  • RA.L3-3.11.2e Conduct cyber threat hunting on an ongoing aperiodic basis or when indicators warrant.
  • RA.L3-3.11.3e Use advanced automation and analytics to help predict and identify risks to systems and components.
  • RA.L3-3.11.4e Document selected security solutions, rationale, and risk determinations in the system security plan.
  • RA.L3-3.11.5e Assess security solution effectiveness at least annually and when relevant threat intelligence or incidents occur.
  • RA.L3-3.11.6e Assess, respond to, and monitor supply chain risks associated with systems and components.
  • RA.L3-3.11.7e Develop and maintain a supply chain risk management plan; update at least annually and on relevant threat/incident triggers.
  • CA.L3-3.12.1e Conduct penetration testing at least annually or after significant security changes, using automated and SME-led methods.
  • SC.L3-3.13.4e Employ physical isolation techniques, logical isolation techniques, or both, within systems and components.
  • SI.L3-3.14.1e Verify integrity of security-critical and essential software with root-of-trust mechanisms or cryptographic signatures.
  • SI.L3-3.14.3e Include specialized assets (e.g., IoT/IIoT/OT/GFE/test equipment) in enhanced security scope or segregate them in purpose-specific networks.
  • SI.L3-3.14.6e Use threat indicators and mitigations from open/commercial and DoD-provided sources to guide intrusion detection and threat hunting.
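The three configuration-management requirements above (CM.L3-3.4.1e, CM.L3-3.4.2e) and the software-integrity requirement (SI.L3-3.14.1e) share one mechanical core: an authoritative record of what is approved, a discovery feed of what is actually installed, and a rule that sorts the difference into "approved", "remediate" or "quarantine". The following is an added example, not code from this page or from DoD/NIST, showing that reconciliation in Python. All host names, component names, versions and artifact bytes are constructed, and the SHA-256 digest comparison is a stand-in for the signature or root-of-trust verification SI.L3-3.14.1e actually calls for.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One discovered component on one host (constructed inventory record)."""
    host: str
    name: str
    version: str
    artifact: bytes  # stand-in for the installed binary/package contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Authoritative repository of approved components (CM.L3-3.4.1e). In practice the
# digest is recorded when the artifact is approved; here the approved artifact
# bytes are constructed so the record can be built offline.
_APPROVED_ARTIFACTS = {
    ("edr-agent", "7.2.1"): b"edr-agent 7.2.1 release build",
    ("ssh-server", "9.6"): b"ssh-server 9.6 hardened build",
}
AUTHORITATIVE_REPO = {key: sha256_hex(blob) for key, blob in _APPROVED_ARTIFACTS.items()}
APPROVED_NAMES = {name for name, _version in AUTHORITATIVE_REPO}


def classify(component: Component) -> tuple[str, str]:
    """Compare one discovered component with the authoritative repository.

    Returns (finding, action). Unknown software and integrity failures are
    quarantined; an approved product at an unapproved version is remediated
    (CM.L3-3.4.2e). The digest comparison stands in for the signature or
    root-of-trust check that SI.L3-3.14.1e requires.
    """
    if component.name not in APPROVED_NAMES:
        return ("unauthorized", "quarantine")
    key = (component.name, component.version)
    if key not in AUTHORITATIVE_REPO:
        return ("misconfigured-version", "remediate")
    if sha256_hex(component.artifact) != AUTHORITATIVE_REPO[key]:
        return ("integrity-mismatch", "quarantine")
    return ("approved", "none")


def reconcile(inventory: list[Component]) -> dict[tuple[str, str], tuple[str, str]]:
    """Classify every discovered component, keyed by (host, name)."""
    return {(c.host, c.name): classify(c) for c in inventory}


# Constructed discovery results from two hosts: one clean install, one unlisted
# tool, one approved product at an unapproved version, one tampered artifact.
DISCOVERED = [
    Component("srv-01", "edr-agent", "7.2.1", b"edr-agent 7.2.1 release build"),
    Component("srv-01", "unlisted-agent", "1.0", b"not in the repository"),
    Component("srv-02", "ssh-server", "8.9", b"ssh-server 8.9 older build"),
    Component("srv-02", "edr-agent", "7.2.1", b"edr-agent 7.2.1 release build (modified)"),
]


if __name__ == "__main__":
    for (host, name), (finding, action) in sorted(reconcile(DISCOVERED).items()):
        print(f"{host:8} {name:16} {finding:22} -> {action}")
```

The ordering of the checks matters: name first, then version, then digest. Checking the digest before the version would report a benign version drift as tampering, and checking the digest before the name would let an unapproved product with a coincidentally recorded digest slip through. In a real deployment the discovery feed comes from the automated inventory tooling CM.L3-3.4.3e requires, and the "quarantine" action maps to a network-isolation or endpoint-containment step rather than a string.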

Talk to Engineering

Map your current environment to a practical compliance roadmap.

Share your requirements and timeline. We will help you prioritize controls, evidence, and implementation phases.