AI assistant — not human

134 practices (110 NIST 800-171 + 24 NIST 800-172) + GCC High + DIBCAC assessment prep. 12 CMMC L2-3 engagements delivered.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
CMMC 2.0 Level 3 (Expert): 134 practices (110 NIST 800-171 + 24 NIST 800-172), DIBCAC-assessed (not C3PAO), 5-year cycle. Applies to DoD contractors handling highest-risk CUI. Microsoft support: GCC High + Azure Government + M365 GCC High + Purview + Defender + Sentinel + Entra PIM. Additional 800-172 practices: advanced authentication, threat hunting, cyber incident response, deception tech, cyber resiliency, insider threat. Timeline: 12-18 months. Cost: $550K-$1.05M services + Microsoft licensing + third-party tools + $15K-$40K/mo ongoing. EPC Group 12 CMMC L2-3 engagements delivered.
Cybersecurity Maturity Model Certification 2.0 Level 3 (Expert) is the highest CMMC tier, applicable to DoD contractors handling Controlled Unclassified Information (CUI) at highest priority. Requirements: (1) 110 practices from NIST 800-171. (2) 24 additional practices from NIST 800-172 (advanced threat detection + response). (3) Third-party assessment by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) — not by a C3PAO like Level 2. (4) Government-led assessment cycle (5-year). Level 3 applies to: contracts specifically designating higher-risk CUI + programs with heightened threat environment.
Microsoft supports Level 3 via GCC High + Azure Government + M365 GCC High + Purview + specific implementation guidance. Key Microsoft controls that map to Level 3: (1) Azure Government for compute/storage (FedRAMP High + DoD IL4+ authorized). (2) M365 GCC High for productivity (Copilot, SharePoint, Teams). (3) Microsoft Defender + Sentinel for threat detection. (4) Purview for information protection + insider risk + audit. (5) Azure Sentinel for SIEM + SOAR + threat hunting. (6) Entra ID PIM + Conditional Access + risk-based signals. Microsoft provides CMMC compliance documentation + STIG configurations + assessment support artifacts.
NIST 800-172 practices beyond 800-171 cover advanced persistent threat (APT) defense: (1) Advanced authentication + validation. (2) Threat hunting (proactive threat detection). (3) Cyber incident response (advanced playbooks). (4) System and communications protection (advanced network security). (5) Deception technology (honeypots, decoys). (6) Cyber resiliency (fail-over, degraded operation). (7) Personnel security clearances + insider threat programs. Microsoft implementation: Sentinel for threat hunting, Defender for XDR, Purview Insider Risk for insider threat program, Azure Bastion + Just-in-Time VM access for controlled access.
Timeline: (1) Discovery + gap assessment (4-6 weeks). (2) Foundation deployment (16-24 weeks) — establish GCC High tenant + baseline controls + policies. (3) Advanced controls (12-16 weeks) — 800-172 additional practices deployment. (4) Evidence generation (8-12 weeks) — documentation + audit artifacts + trained personnel. (5) Pre-assessment audit (4 weeks) — mock DIBCAC assessment. (6) DIBCAC assessment (variable, typically 4-8 weeks of active assessment). Total: 12-18 months from start to certification. Program requires senior compliance architect leadership throughout + close coordination with DoD program office.
EPC Group CMMC Level 3 tiers: (1) CMMC 2.0 Readiness Assessment ($75K, 6 weeks) — 134-practice gap analysis + roadmap + fixed-fee proposal. (2) GCC High Foundation ($150K-$300K, 12-16 weeks) — GCC High deployment + NIST 800-171 baseline controls. (3) NIST 800-172 Additional Practices ($150K-$300K, 12-16 weeks) — 24 advanced practices deployment. (4) Evidence + Documentation ($100K-$150K, 8-12 weeks) — SSP (System Security Plan) + POA&M + audit artifacts. (5) Pre-Assessment + DIBCAC Support ($75K-$150K). Total: $550K-$1.05M for typical mid-size defense contractor + Microsoft licensing (GCC High + Azure Government) + third-party tools. Ongoing maintenance: $15K-$40K/month.
Six most common CMMC Level 3 gaps EPC Group finds in assessments: (1) Sensitivity labels not deployed for CUI classification. (2) DLP policies not tuned for CUI patterns. (3) Insider Risk Management not deployed or under-tuned. (4) Threat hunting playbooks not documented. (5) Deception technology not deployed. (6) Personnel security clearance tracking not integrated with Entra ID. Additional common gaps: STIG configurations not fully applied, log retention inadequate (7-year requirement), backup + recovery not tested, incident response tabletops not conducted. All addressable via EPC Group CMMC Level 3 Readiness engagement.
EPC Group CMMC Level 3 methodology: (1) CMMC 2.0 Readiness Assessment ($75K, 6 weeks) — 134-practice gap analysis. (2) GCC High Foundation ($150K-$300K, 12-16 weeks) — tenant + baseline controls. (3) NIST 800-172 Additional Practices ($150K-$300K, 12-16 weeks). (4) Evidence + SSP ($100K-$150K, 8-12 weeks). (5) Pre-Assessment + DIBCAC Support ($75K-$150K). (6) Ongoing Compliance Retainer ($15K-$40K/month) — quarterly reviews + threat hunting + tabletop exercises + evidence updates. EPC Group CMMC experience: 12 defense contractor CMMC Level 2-3 readiness engagements. Senior compliance architect + Chief AI Architect Errin O'Connor leadership.
$75K/6wk 134-practice gap analysis + roadmap. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day