CybersecurityHQ — CISO Memo
In partnership with:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ (CHQ) is a structural conditions registry for cybersecurity governance, publishing citable records on the conditions shaping security decisions for CISOs, executives, and boards.
CHQ-M-2026-03-18
MEMO
CMMC Level 3 Has No Acceptance Function
The CMMC program rule became effective December 16, 2024. The DFARS acquisition rule became effective November 10, 2025. Under the phased implementation schedule, Phase 3 begins November 10, 2027, when DoD intends to include Level 3 requirements in applicable solicitations and contracts. Between now and that date, primes and neo-primes are committing architecture, selecting controls, and building documentation against a framework that has published requirements but no publicly visible assessment precedent.
That distinction matters. The governing rules exist. The assessment methodology is documented. What does not exist is a body of DIBCAC Level 3 rulings that shows how assessors apply that methodology to real architectures under the threat model the standard encodes. Organizations building Level 3 posture today are making architectural bets against interpretive criteria that have not been tested in practice.
That is not a compliance gap. It is long-lead capital allocation against an acceptance function whose operational meaning will not be visible until the first assessments produce rulings.
Level 3 readiness is not a state an organization can currently verify. It is a claim about how an assessor, operating under a threat model calibrated to nation-state adversaries, will interpret controls that have not been tested against that model in practice. Some architectural choices expose that claim to more structural risk than others. Organizations calling their current posture Level 3 ready are not describing a verified condition. They are making a bet on a favorable interpretation and embedding that bet in deployed infrastructure years before any feedback is possible.
The authority structure
CMMC Level 3 adds 24 selected requirements from NIST SP 800-172 on top of Level 2's 110 controls. Those enhanced requirements were written explicitly for advanced persistent threats targeting critical programs and high-value assets. The assessment will be calibrated to that assumption. The DIBCAC assessor is a government official whose job is to determine whether your posture would survive a targeted operation by an actor with the resources and patience to extract a single document.
The relevant controls require cryptographically based and replay-resistant authentication between systems and components, interpreted broadly across devices, workloads, and the non-human entities that constitute modern infrastructure. The requirements are defined by the rule and supporting guidance. What satisfies them under APT-grade adversarial conditions, at the margins where architectural interpretation matters, will be shaped by how assessors apply that guidance to architectures they have not previously evaluated.
Some will argue that DIBCAC will issue interpretive guidance before assessments begin. Guidance narrows the uncertainty space. It does not eliminate assessor discretion at the margins. It does not constitute a ruling. The problem is not that the evaluation is uncertain. The problem is that its operational meaning is non-computable in advance of first rulings, and guidance does not change that.
The exposure gradient
Not all architectural choices carry equal risk into a first-ever DIBCAC assessment.
Controls that rely on software-protected credential stores carry greater exposure to credential extraction under a capable adversary. Memory scraping, privilege escalation, kernel exploits: these are not theoretical techniques against the threat class Level 3 encodes. Hardware-bound approaches reduce that extractability by design, binding secrets to physical devices or secure execution environments rather than relying on software enforcement alone.
CMMC Level 3 incorporates 24 requirements from NIST SP 800-172, explicitly oriented toward advanced persistent threats. Under that threat model, resistance to credential theft and replay is a central concern, not a marginal one.
What is not yet established is how DIBCAC assessors will evaluate the sufficiency of different implementation approaches against that model. No public body of Level 3 assessment outcomes exists to show how tradeoffs between software protections, hardware binding, and compensating controls will be judged in practice. Hardware-bound approaches introduce their own untested assumptions: supply chain trust, attestation integrity, lifecycle enforcement at scale. Those have not been evaluated under DIBCAC conditions either. No architectural category exits this cleanly.
The first DIBCAC assessments will not be kind to postures optimized for argument construction rather than adversarial resilience. What separates those two approaches is currently undetectable. The first rulings will make that separation permanent.
The power dynamic no one has named
The first organizations through DIBCAC Level 3 assessment will not just determine their own compliance status. They will set the interpretive baseline for everyone else.
There is no existing case law. There is no C3PAO community calibrating toward consensus, as has begun to happen for Level 2 assessments. There are no prior DIBCAC Level 3 rulings that subsequent assessors are bound to follow. The first assessments will produce decisions. Those decisions will become the de facto reference against which every subsequent posture is judged. Organizations assessed later inherit the interpretation established by organizations assessed first, under conditions none of them controlled.
Every organization currently claiming readiness is building posture against an interpretation that will be set by whoever goes first. Some of those postures will survive that interpretation. Others will not. The distinction is architectural, not procedural. It cannot be corrected after the architecture is deployed.
The one-way door
Commitment happens before feedback. Feedback arrives only at evaluation. Evaluation happens after deployment. Unlike Level 2, where C3PAO assessments have begun generating calibration, Level 3 has no equivalent signal. The organizations investing most aggressively in Level 3 posture are doing so in a complete signal vacuum, years before enforcement, with no corrective cycle between architecture commitment and the moment DIBCAC decides whether that architecture was sufficient.
Speed of compliance declaration and adversarial resilience are not the same variable. The first assessments will separate them. By then, the architecture is already in the ground.
The question your posture cannot currently answer
Which parts of your Level 3 architecture only pass if the first assessor decides they should?
The organizations that will be most exposed when DIBCAC begins assessing are not the ones that ignored Level 3. They are the ones that declared readiness against an acceptance function they did not control, on architectural bets embedded too early to reverse.
The first rulings will define what Level 3 readiness actually means. For organizations that built the wrong architecture, that definition will arrive when the architecture is already in the ground.