CMMC Level 3 Assessment Guide
The CMMC Level 3 Assessment Guide provides a framework for evaluating an organization’s implementation of advanced cybersecurity practices required to protect highly sensitive Controlled Unclassified Information (CUI) in support of critical national security objectives.
Level 3 is based on:
• All 110 requirements from NIST SP 800-171, and
• A subset of advanced practices from NIST SP 800-172, which focus on detecting and defending against sophisticated, persistent threats.
Key features of the guide include:
• Assessment objectives and methods for each enhanced requirement, including interviews, technical tests, and document reviews.
• Government-led assessments—only authorized DoD assessment teams (not C3PAOs) can perform Level 3 evaluations.
• Emphasis on active cyber defense, such as threat hunting, anomaly detection, and incident response capabilities.
• High assurance expectations, requiring robust evidence of maturity and consistent implementation.
The guide ensures that organizations handling the most critical CUI demonstrate a highly mature and resilient cybersecurity posture.
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL3v2.pdf