CMMC Level 3

Cybersecurity Maturity Model Certification (CMMC) Level 3 builds on Level 2, which means it includes Federal Acquisition Regulation (FAR) practices and NIST SP 800-171 Rev 1 controls. It also includes 20 other important practices to support cyber hygiene. This CMMC level emphasizes the importance of planning and maintaining cybersecurity efforts.

What Is CMMC Level 3?

CMMC Level 3 is the third certification for defense contractors out of five possible levels. Specifically, these requirements apply to defense contractors who create or access Controlled Unclassified Information (CUI). The levels range from “Basic Cyber Hygiene” to “Advanced/Progressive.” Level 3 is known as “Good Cyber Hygiene.” It includes all the same requirements you’d find in Levels 1 and 2, plus some additional requirements focused on planning, sourcing and reviewing your security policies and procedures.

While CMMC Level 3 indicates good cyber hygiene overall, it is still limited compared to higher levels. An organization that is CMMC Level 3 certified may still struggle to effectively defend against advanced persistent threats (APTs).

How Does Level 3 Compare With Level 2?

The most significant differences between CMMC Level 2 and Level 3 come from the process maturity of both levels. This can also be referred to as ongoing security management. Level 2 requires defense contractors to establish policies, practices and a plan to implement the required security elements.

Level 3 takes that a significant step further by also requiring a detailed review of those policies and practices, along with dedicated resources to carry out the plan and activities as stated. These extra measures help to ensure that security solutions are implemented correctly and are able to be fully effective. Achieving Level 3 certification means your organization has implemented the appropriate solutions and is actively monitoring them.

[Figure: CMMC Levels]

What Are The Audit Requirements Of Level 3?

CMMC Level 3 certification requires significantly more controls than Levels 1 and 2. There are 130 required processes in all for Level 3. These controls are grouped into 17 domains. Here is a brief look at what each of these domains covers:

  • Domain AC: Access Control is focused on identifying and limiting the people and other entities allowed to access your systems. It also involves limiting the types of functions and transactions that authorized users can perform.

  • Domain AM: Asset Management includes requirements for managing services and devices that store or interact with your data, whether they are on your network or hosted in the cloud.

  • Domain AT: Awareness and Training controls require defense contractors to maintain a training program for their staff, contractors and vendors so that they are equipped to overcome cybersecurity threats they may encounter.

  • Domain AU: Audit and Accountability controls specify how to create and maintain audit trails that let you track individual users’ activity and system activity.

  • Domain CA: Security Assessment covers the need for assessing and testing periodically to make sure your system security plans are working.

  • Domain CM: Configuration Management lists the requirements for creating baseline configurations and inventories and making changes to those systems. It also requires that your organization monitors for any unapproved changes.

  • Domain IA: Identification and Authentication is similar to Domain AC in that it is focused on user access. However, the emphasis in this case is on ensuring the person using an account is indeed the correct user.

  • Domain IR: Incident Response controls cover the need to make a plan that anticipates security incidents and specifies what your response will be if they occur.

  • Domain MA: Maintenance is based on the premise that all computer systems are vulnerable to failure at some point. That means defense contractors must protect critical services and data against vulnerabilities in the event of a system failure.

  • Domain MP: Media Protection covers the use of removable media to store data, including both electronic storage devices and paper. Storing information on removable media can be dangerous, so it must be carefully controlled.

  • Domain PE: Physical Protection outlines the need to protect your physical facility and equipment from unauthorized access, since such access could expose your data to security threats.

  • Domain PS: Personnel Security requires your organization to screen people before allowing them to gain access to systems containing CUI. When a person is transferred or terminated and is no longer authorized to access data, you must take steps to protect that data.

  • Domain RE: Recovery has to do with data backups. Regularly backing up your data is critical for preventing data loss.

  • Domain RM: Risk Management focuses on the need to regularly conduct risk assessments of your data and systems so that you can keep them protected.

  • Domain SA: Situational Awareness requires an organization to take intelligence regarding cyber threats from external sources seriously and respond to it appropriately.

  • Domain SC: Systems and Communications Protection includes an extensive list of controls focused on securing the transmission of information that takes place within a system. It also prohibits the sharing of CUI on public forums.

  • Domain SI: System and Information Integrity requires defense contractors to monitor for issues and promptly apply security patches as needed. You should also take advantage of updates to your security capabilities.
