Identifies any gaps between the organization's environment and the 110 required controls from NIST 800-171 and a subset of NIST 800-172 controls. CMMC Level 3 is for organizations that work with controlled unclassified information on critical systems.