Blog Post

Understanding the Basics of CMMC Level 3

Government Contracts Navigator

In this series on the Department of Defense’s (“DoD”) proposed Cybersecurity Maturity Model Certification (“CMMC”) rule, we have discussed the rule’s implementation timeline and the basics of CMMC Level 1 and CMMC Level 2. In this post, we discuss the most demanding CMMC level – CMMC Level 3.

What contracts will be subject to CMMC Level 3?

Unlike with CMMC Levels 1 and 2, DoD has not announced specific criteria for when CMMC Level 3 will apply. DoD has only stated that CMMC Level 3 will apply to contracts “supporting its most critical programs and technologies.” We know that CMMC Level 2 will apply to contracts where the contractor will receive Controlled Unclassified Information (“CUI”), so we can probably assume that CMMC Level 3 will, at a minimum, apply to contracts with the most sensitive CUI. DoD estimates that less than 1% of defense contractors will obtain a CMMC Level 3 verification once the rule has gone into full effect, which suggests that relatively few contracts will require CMMC Level 3 certification.    

To read the full post, please visit our Government Contracts Navigator blog.