By 2026, all companies wanting to pursue contracts with the U.S. Department of Defense must meet the appropriate Cybersecurity Maturity Model Certification (CMMC) compliance level. This new process can be daunting for organizations accustomed to self-reporting their cyber hygiene practices. CMMC consists of five levels ranging from basic to advanced. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas. An independent certified third-party assessor organization (C3PAO) is responsible for verifying that a contractor meets the compliance requirements for the applicable level.

Meeting the CMMC Level 3 Requirements

Level 3 builds upon the first two levels and focuses on protecting Controlled Unclassified Information (CUI). Compliance with this level’s guidelines means contractors can demonstrate “good” cyber hygiene practices. However, these companies may still struggle when attempting to defend against advanced persistent threats (APTs).

Contractors hoping to attain this certification must show that they are implementing the appropriate cybersecurity solutions for the level and actively monitoring their outcomes.

Level 3 adds 58 practices to the preceding two levels, bringing the total to 130. These practices encompass 17 domains:

  1. Access Control
  2. Asset Management
  3. Awareness and Training
  4. Audit and Accountability
  5. Security Assessment
  6. Configuration Management
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical Protection
  12. Personnel Security
  13. Recovery
  14. Risk Management
  15. Situational Awareness
  16. System and Communications Protection
  17. System and Information Integrity

Assuming your organization is already meeting the requirements for the first two levels, your Level 3 compliance efforts should focus on the following areas:

  • Enhancing your logging, monitoring, incident response and reporting capabilities
  • Improving your ability to back up and restore data
  • Increasing your proficiency at identifying vulnerabilities through timely risk assessments and managing unsupported products
  • Bolstering your protection efforts against malicious traffic through processes such as email sandboxing, filtering and spam protection

Practices/Procedures for Becoming Level 3 Certified

To meet the CMMC Level 3 certification requirements, Defense Industrial Base (DIB) companies must demonstrate the implementation of 20 additional technical and procedural practices. Examples include:

  • Clearly outlining procedures for managing CUI data.
  • Conducting a comprehensive analysis of cybersecurity events and documenting resolution efforts.
  • Performing regular data backup procedures per your organization’s unique needs.
  • Separately managing products that are no longer supported by their vendor and reducing your exposure by restricting access to them.
  • Implementing effective, reliable spam protection methods at all relevant information system access points.

Coalfire Federal Can Help With CMMC Level 3 Compliance

CMMC compliance represents a significant procedural departure for many companies and can require a substantial time investment. Coalfire Federal can ease the burden with our extensive array of CMMC advisory and training services.

Level 3 Gap Analysis is our most popular service. We’ll work closely with you to identify shortcomings in your current cyber hygiene processes and procedures. We’ll also develop an innovative remediation strategy that puts your company on the path to compliance.

Protect the Mission: Contact Coalfire Federal Today

Call us today at 877-224-8077 or contact us online to learn more about our suite of CMMC Level 3 advisory services.