For most defense contractors, CMMC Level 2 is the destination. It is the certification that applies to the vast majority of organizations handling Controlled Unclassified Information, and it is the level around which the Phase 2 enforcement deadline of November 10, 2026, is built.
But for a smaller group of contractors, Level 2 is not the finish line. It is the prerequisite.
CMMC Level 3 exists for organizations supporting the DoD's highest-priority programs, the ones exposed to Advanced Persistent Threats from nation-state adversaries. If your organization is in that population, or if you are trying to understand where Level 2 ends and Level 3 begins, this post explains exactly what changes between the two levels, what the additional requirements look like, and how the assessment process differs in ways that matter operationally.
Why Level 3 Exists
NIST SP 800-172 was developed to provide enhanced security requirements for CUI associated with critical programs and high-value assets where the threat actor is an Advanced Persistent Threat with the resources, capability, and patience of a nation-state. The Level 3 requirements are designed to supplement, not replace, the 110 security requirements of NIST SP 800-171. They address security capabilities that go beyond baseline CUI protection and are specifically intended for environments where sophisticated, persistent adversary activity is a realistic and anticipated threat.
This policy intent is reflected directly in the CMMC framework. Level 3 does not create a parallel compliance track. It extends a fully certified Level 2 environment with additional requirements, a more rigorous assessment process, and a government assessor whose authority reflects the sensitivity of the programs involved.
The Foundation: Level 2 Does Not Go Away at Level 3
Under 32 CFR § 170.18(a), an Organization Seeking Certification must first achieve Final Level 2 (C3PAO) status for the applicable assessment scope before initiating a Level 3 certification assessment. Conditional Level 2 status does not satisfy this prerequisite. All Level 2 POA&M items must be fully closed prior to the initiation of the Level 3 assessment, as confirmed in the DoD CIO CMMC Scoping Guide Level 3.
Per 32 CFR § 170.18, achieving a CMMC Status of Level 3 (DIBCAC) also satisfies the requirements for CMMC Statuses of Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) for the same assessment scope. Level 3 subsumes the lower levels. It does not exist independently of them.
An important caveat for reassessment: under 32 CFR § 170.18, CMMC Level 3 recertification also requires a new CMMC Level 2 assessment. Each three-year Level 3 certification cycle therefore begins with a new Level 2 (C3PAO) assessment, which must be complete before a DIBCAC assessment can be scheduled.
What Changes: The Security Requirements
Level 2 requires implementation of all 110 security requirements in NIST SP 800-171 Revision 2 as established at 32 CFR § 170.17.
Level 3 adds 24 selected enhanced security requirements drawn from NIST SP 800-172. These 24 requirements are specified in Table 1 to 32 CFR § 170.14(c)(4). To achieve Final Level 3 (DIBCAC) status, all applicable Level 3 requirements must be determined to be MET. Conditional Level 3 (DIBCAC) status may be available when permitted by the POA&M rules under 32 CFR § 170.21, provided the organization meets the minimum score threshold and the POA&M does not include any prohibited requirements. All 24 requirements must ultimately be satisfied and validated during POA&M closeout to achieve Final Level 3 (DIBCAC) status.
The 24 Level 3 requirements cover capabilities beyond those required at Level 2, including enhanced monitoring and detection, more rigorous configuration management, deeper security assessment practices, and additional protections for critical systems and high-value assets. These are not controls that can be satisfied by installing a tool or writing a policy. They require demonstrated operational maturity that functions continuously at a higher level of rigor than Level 2.
