CMMC Level 3
CMMC consists of three levels, from Level 1 (Foundational) through Level 2 (Advanced) to Level 3 (Expert). Each level measures an organization's degree of cyber maturity against an established set of processes, practices and focus areas.
Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs) and is designed for companies that handle Controlled Unclassified Information (CUI) on DoD's highest-priority programs. The Department of Defense (DoD) is still finalizing the specific security requirements for Level 3, but has indicated that they will be based on all 110 requirements of NIST SP 800-171 plus a subset of the enhanced requirements in NIST SP 800-172.
CMMC Level 3 Requirements
Level 3 (Expert) focuses on the effectiveness of the controls that protect CUI from Advanced Persistent Threats (APTs), and it applies to companies working with CUI on DoD's highest-priority programs. The requirements are set by the Department of Defense, not by the Cyber AB (the accreditation body that oversees third-party assessors). DoD has indicated that Level 3 will consist of all 110 requirements from NIST SP 800-171 plus a subset of the NIST SP 800-172 enhanced requirements.
Level 3 differs from the two lower levels in that it requires organizations to review and measure their controls over time to determine their effectiveness, take corrective action where necessary, and report regularly to organizationally defined personnel. Organizations document this in a plan that may cover goals, missions, projects, resourcing, training, and the participation of organizational stakeholders.
CMMC Level 3 Practices
Level 3 is aligned with the enhanced security requirements set forth in NIST SP 800-172, which supplement NIST SP 800-171 with protections aimed specifically at APTs (for example, penetration testing, threat hunting, and security architecture requirements).
Level 3 incorporates only a subset of the NIST SP 800-172 requirements; the final CMMC rule (32 CFR Part 170) selected 24 of them, although at the time of writing the full scope was still described as under development.
Highest Priority Programs
Applies to companies that handle CUI for DoD programs with the highest priority.
Assessments are government-led (conducted by DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) rather than by a C3PAO, and must be repeated triennially, i.e. every three years. A Level 3 assessment also presupposes a current Level 2 certification assessment, since Level 3 builds on all 110 NIST SP 800-171 requirements.