Skip to content

CMMC 2.0 Level 3


Hello, and welcome back to this next TomCast from Iron Bow Technologies; we are a leading global IT solution provider dedicated to innovation with integrity. We successfully transform today's technology challenges into business opportunities, helping our clients meet their missions while gaining a competitive edge. 

Today we’re going to continue the discussion on the Cybersecurity Maturity Model Certification, otherwise known as CMMC version 2.0, and what is required for level 3 certification.

As mentioned during the last TomCast, there are three levels of certification within CMMC version 2.0, and Level 3 is the Expert level. Level 3 (expert) contains 110 security control requirements and requires government-led assessments of the entire organization. What does this mean in more depth?

The following information was pulled directly off of the Department of Defense website regarding CMMC, and that site URL is

“Overview of Assessments

CMMC 2.0 implements tiered assessment requirements based on the sensitivity of the information shared with a contractor. Upon implementation of CMMC 2.0: Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments against clearly articulated cybersecurity standards. Contractors managing information critical to national security will be required to undergo CMMC Level 2 third-party assessments. The highest priority, most critical defense programs (Level 3) will require government-led assessments.

The Department intends for Level 3 cybersecurity requirements to be assessed by government officials. Assessment requirements are currently under development.”

So, organizations that meet the level 3 criteria necessitating government-led assessments are going to be assessed against clearly articulated cybersecurity standards. But wait, what are those standards? Those standards are found also on that same site, the site (search for CMMC 2.0 level 3). Now, as of the composition of this TomCast (I say that because the entire CMMC process is currently being reviewed and changes could be made), level 3 will obviously be more stringent regarding what the organization is assessed against than level 2, but the actual written requirements have not yet been fully developed.

The entire CMMC 2.0 certification process is still fairly new overall, which explains why level 3 requirements are still in discussions and under development. As new information is released, a more detailed TomCast will be produced to keep you, the listener, informed.

If you have any questions surrounding CMMC, reach out to us over here at Iron Bow Technologies. We have the expertise to help you understand the requirements of the Department of Defense and how CMMC will benefit you and your organization. We’re also here to help any way we can to ensure your organization remains as secure as possible.

We here at Iron Bow thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on Or, if you would like more information on what Iron Bow can do for you, head on over to and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!