For most DoD contractors, CMMC Level 1 or 2 is the target. But for a small percentage of companies working on the most sensitive, high-stakes contracts, there’s CMMC Level 3.
And Level 3 is no joke.
To get there, you must implement all 110 requirements of NIST SP 800-171 and then layer on a selected set of enhanced requirements from a second publication:
NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"
This blog breaks down what NIST 800-172 is, who needs it, and why it’s so much more rigorous than the lower levels of CMMC.
What Is NIST SP 800-172?
NIST SP 800-172 is a set of enhanced security requirements designed to protect CUI against Advanced Persistent Threats (APTs): well-resourced, patient adversaries, most often nation-state actors, who are assumed to be able to get past perimeter defenses.
It's not about basic cyber hygiene. It's about:
- Real-time monitoring
- Active cyber defense
- Resilience under attack
- Behavior analytics
- Advanced access control
- Insider threat detection
- Zero Trust architectures
CMMC Level 3 adds 24 selected enhanced requirements from NIST SP 800-172 on top of the 110 requirements of NIST SP 800-171 Rev. 2 that Level 2 already demands.
“This isn’t just about protecting CUI anymore — it’s about national defense. Level 3 companies are targets.”
— Grant Eckstrom, vCISO – Succurri
Why Was 800-172 Created?
NIST 800-171 was a good start. But as attacks became more sophisticated, the DoD recognized that even companies doing everything right could still be compromised.
That's because 800-171 is built around baseline protective controls; it does not assume that a capable adversary is already inside the network.
NIST SP 800-172 was written for exactly that assumption. It introduces proactive defense: security that anticipates, detects, and responds to APTs, organized around three mutually reinforcing goals that NIST spells out in the publication itself, a penetration-resistant architecture, damage-limiting operations, and designing for cyber resiliency and survivability. In practice that means resilience, deception, and rapid recovery.
CMMC Level 3 Requirements: The Full Stack
To qualify for CMMC Level 3, your organization must:
- Implement all 110 requirements of NIST SP 800-171 Rev. 2
- Implement the 24 enhanced requirements from NIST SP 800-172 that the CMMC rule selects
- First hold a final CMMC Level 2 certification (C3PAO assessment) for the same scope, then undergo a government-led Level 3 assessment by DCMA's DIBCAC (not a C3PAO)
- Re-assess every three years and affirm continued compliance annually
- Maintain documentation, monitoring, and continuous improvement at all times
NIST 800-172 Control Categories
The 24 enhanced requirements can be grouped into three broad areas. (This grouping is for orientation; NIST itself numbers each enhanced requirement within the 800-171 family structure with an "e" suffix, for example 3.1.1e.)
1. Governance and Management
These controls focus on how the organization builds, sustains, and improves its cybersecurity posture:
- Cybersecurity architecture documentation
- Risk-informed decision-making
- Protection of critical program information
- Personnel security processes
2. Enhanced Protections
These go beyond access control to make initial compromise harder and to limit how far an intruder can get once inside:
- Non-persistent systems and data, rebuilt from a trusted source on a schedule or on demand
- Execution isolation (sandboxing)
- Hardware root of trust and integrity verification of security-critical software
- Data concealment strategies
- Dynamic network segmentation
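The "hardware root of trust" item is the one most often hand-waved, so here is a worked illustration of the mechanism behind it: a TPM-style measured boot, where each boot component is hashed into a Platform Configuration Register (PCR) that can only be extended, never set, and a verifier replays the event log to decide whether the machine booted the expected software. This is an added example written for this post, not code from NIST or from any TPM vendor; the boot components and golden values are constructed sample data, and the hash-chain layout follows the generic SHA-256 PCR extend rule rather than any particular firmware's event log format.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)  # a SHA-256 PCR bank starts at all zeros on reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(component)).

    The register depends on every component measured so far and on their order.
    Software cannot write a chosen value into it, only extend it, which is what
    turns the PCR into a tamper-evident record of what actually ran at boot.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components):
    """Measure an ordered boot chain [(name, bytes), ...].

    Returns (final_pcr, event_log) where event_log lists each component's
    name and SHA-256 digest, the way firmware records what it measured.
    """
    pcr = PCR_RESET
    log = []
    for name, blob in components:
        log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = pcr_extend(pcr, blob)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR value that a given event log should produce."""
    pcr = PCR_RESET
    for _, digest_hex in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def verify(reported_pcr: bytes, reported_log, golden_log):
    """Attestation check performed by the verifier.

    1. The event log must reproduce the PCR the hardware reported; otherwise
       the log was edited or truncated and cannot be trusted at all.
    2. The PCR must equal the one the golden (approved) log produces; if not,
       name the first component whose measurement departs from the golden set.
    """
    if not hmac.compare_digest(replay_log(reported_log), reported_pcr):
        return False, "event log does not reproduce the reported PCR (log tampered or truncated)"
    if hmac.compare_digest(reported_pcr, replay_log(golden_log)):
        return True, "boot chain matches golden measurements"
    for (name, digest), (gold_name, gold_digest) in zip(reported_log, golden_log):
        if name != gold_name or digest != gold_digest:
            return False, f"first divergence at {name!r}"
    return False, "component count differs from golden log"


# Constructed sample boot chain standing in for real firmware, bootloader and kernel images.
GOLDEN_COMPONENTS = [
    ("firmware", b"constructed firmware image v1.4"),
    ("bootloader", b"constructed signed bootloader"),
    ("kernel", b"constructed kernel 6.1 build"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_chain(GOLDEN_COMPONENTS)


def attest_scenario(components):
    """Boot the given chain on the (simulated) device and verify it against the golden log."""
    pcr, log = measure_chain(components)
    return verify(pcr, log, GOLDEN_LOG)


if __name__ == "__main__":
    tampered = GOLDEN_COMPONENTS[:2] + [("kernel", b"constructed kernel with implant")]
    print(attest_scenario(GOLDEN_COMPONENTS))
    print(attest_scenario(tampered))
    # An attacker who swaps the kernel but presents the golden log is still caught:
    print(verify(measure_chain(tampered)[0], GOLDEN_LOG, GOLDEN_LOG))
```

Two properties are worth noticing. Reordering components changes the PCR even when every individual digest is unchanged, so the record captures sequence as well as content; and because the register lives in hardware, a compromised OS can forge the log but cannot make the hardware-reported PCR agree with it.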
3. Detection and Response
These controls assume the adversary will get in and focus on finding and evicting them quickly:
- Threat hunting
- Anomalous behavior detection
- Deception tools (honeypots, decoys)
- Rapid containment of compromised assets
- Continuous system monitoring
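Three of the items above (anomalous behavior detection, deception, and rapid containment) fit together naturally, so here is a small worked example of how they combine in practice: a known-good period of logon events is used to build a per-user baseline of source hosts and working hours, live events are scored against it, any touch of a decoy account is treated as confirmed intrusion, and the resulting alerts are rolled up into containment actions. This is an added example written for this post, not code from NIST or from Succurri; the log format, the decoy account name `svc_backup_legacy`, the host names, and all log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example, not any product's real format):
#   <ISO-8601 UTC timestamp> auth user=<name> src=<host> result=success|failure
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Assumption: a decoy ("honey") account that exists but has no legitimate use.
# Any authentication attempt against it is adversary activity by construction.
DECOY_ACCOUNTS = {"svc_backup_legacy"}

# Constructed known-good week used to learn normal behaviour.
BASELINE_LOGS = [
    "2024-03-04T09:02:11Z auth user=alice src=ws-ops-01 result=success",
    "2024-03-04T09:05:40Z auth user=bob src=ws-eng-07 result=success",
    "2024-03-05T10:15:02Z auth user=alice src=ws-ops-01 result=success",
    "2024-03-05T14:40:19Z auth user=bob src=ws-eng-07 result=success",
    "2024-03-06T11:03:55Z auth user=alice src=ws-ops-02 result=success",
]

# Constructed live events: one normal logon, then a suspicious sequence.
LIVE_LOGS = [
    "2024-03-11T09:10:00Z auth user=alice src=ws-ops-01 result=success",
    "2024-03-11T02:47:13Z auth user=bob src=ws-eng-07 result=success",
    "2024-03-11T03:01:22Z auth user=bob src=vpn-gw-03 result=success",
    "2024-03-11T03:05:09Z auth user=svc_backup_legacy src=vpn-gw-03 result=failure",
]


def parse(line):
    """Parse one log line into a dict with a UTC hour, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).hour
    return rec


def build_baseline(lines):
    """Learn, per user, the source hosts and UTC hours seen during successful logons."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["result"] == "success":
            hosts[rec["user"]].add(rec["src"])
            hours[rec["user"]].add(rec["hour"])
    return {"hosts": hosts, "hours": hours}


def detect(baseline, lines):
    """Score live events against the baseline and the decoy list; return alerts in event order."""
    alerts = []

    def alert(rec, rule, severity, action):
        alerts.append({"rule": rule, "severity": severity, "user": rec["user"],
                       "src": rec["src"], "ts": rec["ts"], "action": action})

    for rec in filter(None, map(parse, lines)):
        user = rec["user"]
        if user in DECOY_ACCOUNTS:
            # Deception: success or failure does not matter, the account should never be touched.
            alert(rec, "decoy_touch", "critical", "isolate source host; treat as active intrusion")
            continue
        if rec["result"] != "success" or user not in baseline["hosts"]:
            continue  # only successful logons by users with a baseline are scored here
        if rec["src"] not in baseline["hosts"][user]:
            alert(rec, "new_source", "high", "reset credentials; quarantine session")
        if rec["hour"] not in baseline["hours"][user]:
            alert(rec, "off_hours", "medium", "verify with user; raise monitoring")
    return alerts


def containment_plan(alerts):
    """Roll alerts up into the two actions a responder takes first: isolate hosts, reset users."""
    serious = [a for a in alerts if a["severity"] in ("critical", "high")]
    return {
        "isolate_hosts": sorted({a["src"] for a in serious}),
        "reset_credentials": sorted({a["user"] for a in serious if a["user"] not in DECOY_ACCOUNTS}),
    }


if __name__ == "__main__":
    found = detect(build_baseline(BASELINE_LOGS), LIVE_LOGS)
    for a in found:
        print(f"{a['ts']} {a['severity']:8} {a['rule']:12} user={a['user']} src={a['src']}: {a['action']}")
    print(containment_plan(found))
```

The decoy rule is the cheapest high-confidence signal in the set: it needs no baseline and produces no false positives as long as the account really is never used. The behavioural rules are deliberately simple (set membership on host and hour) so that their logic is auditable; a production system would add rate-based rules for failures and handle users with no baseline rather than skipping them.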
Who Needs CMMC Level 3?
Only a small percentage of contractors will be subject to CMMC Level 3. You'll know if you're one of them because:
- Your contract will explicitly require it
- You're working on programs deemed critical to national security
- You're handling CUI associated with the DoD's highest-priority programs (classified information is governed separately and is outside CMMC's scope)
- You're developing or integrating cutting-edge defense technologies, such as AI-based targeting, missile systems, aerospace prototypes, or communications systems
Examples of companies that may need Level 3:
- Prime contractors on advanced weapons programs
- Aerospace engineering firms working on secure flight platforms
- R&D organizations supporting DARPA or Space Force
- Software developers building defense-grade AI models
Why Level 3 Is So Challenging
Here's what separates Level 3 from Level 2 (Level 1, basic safeguarding of FCI with a self-assessment, is further away still):

| | Level 2 | Level 3 |
| --- | --- | --- |
| Number of requirements | 110 | 134 (110 + 24) |
| Assessment | Third-party (C3PAO) | Government-led (DCMA DIBCAC), with Level 2 certification as a prerequisite |
| Threat model | Opportunistic and criminal attackers | Nation-state adversaries (APTs) |
| Cost and complexity | Moderate | High |
| Control enforcement | Static | Dynamic, adaptive |
| Monitoring | Event logging | Real-time threat detection and anomaly analysis |
| Time to prepare (typical) | 6–12 months | 12–24 months or more |
Why It Still Matters for Every Contractor
Even if you don’t need Level 3 today, here’s why you should still understand it:
CUI Exposure Grows – If your company takes on higher-tier subcontracting work on the programs that carry a Level 3 requirement, that requirement flows down to you.
Defense Prime Contractors Will Require It – Primes are already flowing down requirements and asking their vendors about the enhanced controls.
The Future Is Zero Trust – Many of the NIST SP 800-172 requirements (dynamic segmentation, continuous monitoring, per-access verification) align with a Zero Trust architecture, which is becoming the norm across government and defense networks.
It Raises Your Game – Training for Level 3 makes your company stronger, more resilient, and more competitive.
“NIST 800-172 represents the bleeding edge of cybersecurity — and CMMC Level 3 is the DoD’s signal that real threats require real defenses.”
— Grant Eckstrom, vCISO – Succurri
At Succurri, we partner with high-security defense contractors to prepare for Level 3 through deep architecture reviews, pre-assessments, and advanced control implementation. Whether you’re a prime contractor or an emerging tech firm entering the defense space, we can help you build a compliant, resilient security posture.
Preparing for the Highest Level of Cyber Defense
CMMC Level 3 and NIST SP 800-172 represent the highest standard of cybersecurity in the defense industrial base. They are not just compliance checklists, they’re critical blueprints for safeguarding our nation’s most sensitive assets from sophisticated, persistent threats.
Whether you’re required to meet Level 3 today or preparing for that future, understanding the enhanced controls in NIST 800-172 gives your organization a competitive edge and a stronger security foundation.
Succurri helps contractors design, implement, and audit resilient architectures that meet the rigorous demands of CMMC Level 3. If you’re ready to strengthen your defenses and lead in the defense marketplace, we’re ready to support you.
Schedule a Level 3 Readiness Review with our cybersecurity team today.