
NIST SP 800-172: What Makes CMMC Level 3 So Demanding?

For most DoD contractors, CMMC Level 1 or 2 is the target. But for a small percentage of companies working on the most sensitive, high-stakes contracts, there’s CMMC Level 3.

And Level 3 is no joke.

To get there, you must implement everything from NIST SP 800-171, and then layer on a powerful set of additional cybersecurity practices from a second framework:

NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171”

This blog breaks down what NIST 800-172 is, who needs it, and why it’s so much more rigorous than the lower levels of CMMC.

What Is NIST SP 800-172?

NIST SP 800-172 is an advanced cybersecurity framework designed to defend against Advanced Persistent Threats (APTs) — often posed by nation-state actors.

It’s not about basic cyber hygiene. It’s about:

  • Real-time monitoring
  • Active cyber defense
  • Resilience under attack
  • Behavior analytics
  • Advanced access control
  • Insider threat detection
  • Zero Trust architectures

CMMC Level 3 integrates 24 specific enhanced requirements from this framework on top of the 110 controls in NIST SP 800-171.

“This isn’t just about protecting CUI anymore — it’s about national defense. Level 3 companies are targets.”
— Grant Eckstrom, vCISO – Succurri

Why Was 800-172 Created?

NIST 800-171 was a good start. But as cyberattacks became more sophisticated, the DoD recognized that even companies doing everything right could still be compromised.

That’s because 800-171 assumes a relatively passive defense posture.

NIST SP 800-172 was designed to introduce proactive defense — security that anticipates, detects, and responds to APTs. It emphasizes resilience, deception, and rapid recovery.

CMMC Level 3 Requirements: The Full Stack

To qualify for CMMC Level 3, your organization must:

  • Implement all 110 controls from NIST 800-171
  • Implement 24 additional practices from NIST 800-172
  • Undergo a government-led assessment by DIBCAC (not a C3PAO)
  • Submit to regular, high-level audits and validation
  • Maintain documentation, monitoring, and continuous improvement at all times

NIST 800-172 Control Categories

The 24 enhanced requirements fall into three key domains:

1. Governance and Management

These controls focus on how the organization builds, sustains, and improves its cybersecurity posture:

  • Cybersecurity architecture documentation
  • Risk-informed decision-making
  • Protection of critical program information
  • Personnel security processes

2. Enhanced Protections

These go beyond basic access control to enforce strong security across all systems:

  • Non-persistent systems
  • Execution isolation (sandboxing)
  • Hardware root of trust
  • Data concealment strategies
  • Dynamic network segmentation

3. Detection and Response

These controls help detect and respond to APTs in real time:

  • Threat hunting
  • Anomalous behavior detection
  • Deception tools (honeypots, decoys)
  • Rapid containment of compromised assets
  • Continuous system monitoring

Who Needs CMMC Level 3?

Only a small percentage of contractors will be subject to CMMC Level 3. You’ll know if you’re one of them because:

  • Your contract will explicitly require it
  • You’re working on programs deemed critical to national security
  • You’re handling highly sensitive CUI or potentially even classified material
  • You’re developing or integrating cutting-edge defense technologies, such as AI targeting, missile systems, aerospace prototypes, or communications systems

Examples of companies that may need Level 3:

  • Prime contractors on advanced weapons programs
  • Aerospace engineering firms working on secure flight platforms
  • R&D organizations supporting DARPA or Space Force
  • Software developers building defense-grade AI models

Why Level 3 Is So Challenging

Here’s what separates Level 3 from Levels 1 and 2:

| Challenge           | Level 2                | Level 3                                        |
|---------------------|------------------------|------------------------------------------------|
| # of Controls       | 110                    | 134+                                           |
| Audit Type          | Third-party (C3PAO)    | Government-led (DIBCAC)                        |
| Threat Model        | Opportunistic attackers | Nation-state adversaries                      |
| Cost & Complexity   | Moderate               | High                                           |
| Control Enforcement | Static                 | Dynamic, adaptive                              |
| Monitoring          | Event logging          | Real-time threat detection, anomaly analysis   |
| Time to Prepare     | 6–12 months            | 12–24 months+                                  |

Why It Still Matters for Every Contractor

Even if you don’t need Level 3 today, here’s why you should still understand it:

CUI Exposure Grows – If your company takes on higher-tier subcontracting work, Level 3 may eventually apply.

Defense Prime Contractors Will Require It – Primes are already starting to flow down requirements and ask their vendors about advanced controls.

The Future Is Zero Trust – Many of the NIST SP 800-172 controls are aligned with a Zero Trust architecture, which will become the norm across government and defense networks.

It Raises Your Game – Training for Level 3 makes your company stronger, more resilient, and more competitive.

“NIST 800-172 represents the bleeding edge of cybersecurity — and CMMC Level 3 is the DoD’s signal that real threats require real defenses.”
— Grant Eckstrom, vCISO – Succurri

At Succurri, we partner with high-security defense contractors to prepare for Level 3 through deep architecture reviews, pre-assessments, and advanced control implementation. Whether you’re a prime contractor or an emerging tech firm entering the defense space, we can help you build a compliant, resilient security posture.

Preparing for the Highest Level of Cyber Defense

CMMC Level 3 and NIST SP 800-172 represent the highest standard of cybersecurity in the defense industrial base. They are not just compliance checklists; they’re critical blueprints for safeguarding our nation’s most sensitive assets from sophisticated, persistent threats.

Whether you’re required to meet Level 3 today or preparing for that future, understanding the enhanced controls in NIST 800-172 gives your organization a competitive edge and a stronger security foundation.

Succurri helps contractors design, implement, and audit resilient architectures that meet the rigorous demands of CMMC Level 3. If you’re ready to strengthen your defenses and lead in the defense marketplace, we’re ready to support you.

Schedule a Level 3 Readiness Review with our cybersecurity team today.
