While most CMMC (Cybersecurity Maturity Model Certification) discussion focuses on Level 2 (the November 10, 2026 mandatory third-party-cert deadline), Level 3 — the highest tier — is now visible on the horizon. Level 3 applies to DoD contractors handling Controlled Unclassified Information on the most sensitive programs. It requires 134 security controls and is assessed by the government via DIBCAC. Coverage from Strikegraph, Latham & Watkins, and DoD CIO.
What Level 3 actually requires
The 24 additional NIST SP 800-172 controls target Advanced Persistent Threats (APTs) — nation-state-level adversaries. They include enhanced incident response, threat hunting, and protective software development.
Assessment differs from Level 2
Where Level 2 uses C3PAOs (third-party assessor organizations), Level 3 is government-assessed via the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This is more rigorous and government-controlled — but also government-funded for contractors holding qualifying programs.
Who Level 3 applies to
Per DoD guidance, Level 3 applies to "the most critical programs and technologies." Realistic candidates: nuclear systems, missile defense, advanced research, intelligence handling, and contracts requiring cleared personnel.
Path to Level 3
Contractors must achieve Level 2 first (all 110 controls plus C3PAO certification). Only then can they pursue Level 3 (the additional 24 controls plus a DIBCAC assessment).
What to do
- Confirm whether your firm holds or pursues programs likely to require Level 3
- If yes, sequence: Level 2 first (target November 2026), Level 3 second (likely 2027-2028)
- NIST SP 800-172 implementation requires substantial security operations maturity — start gap analysis now