CMMC Level 3 Requirements

An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1 as well as additional practices from other standards and references to mitigate threats.

CMMC Level 3 indicates a basic ability to protect and sustain an organization’s assets and CUI; however, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs).

For process maturity, a CMMC Level 3 organization is expected to adequately resource activities and review adherence to policy and procedures, demonstrating management of practice implementation.

The new CMMC is a complicated model that will require DoD contractors to review, assess, and make necessary changes to cybersecurity controls to bid on future DoD contracts. The best place to start is a CMMC readiness assessment, which will review your current infrastructure and identify the changes that need to be made.


Neena Shukla, CPA, CFE, CGMA, FCPA, CTP

Partner, Government Contracting Team Leader