CMMC Level 3
By 2026, all companies wanting to pursue contracts with the U.S. Department of Defense must meet the appropriate Cybersecurity Maturity Model Certification (CMMC) compliance level. This new process can be daunting for organizations accustomed to self-reporting their cyber hygiene practices. CMMC consists of five levels ranging from basic to advanced. These levels measure an organization’s degree of cyber maturity via an established set of processes, practices and focus areas. An independent certified third-party assessor organization (C3PAO) is responsible for verifying that a contractor meets the compliance requirements for the applicable level.
Meeting the CMMC Level 3 Requirements
Level 3 builds upon the first two levels and focuses on protecting Controlled Unclassified Information (CUI). Compliance with this level’s guidelines means contractors can demonstrate “good” cyber hygiene practices. However, these companies may still struggle when attempting to defend against advanced persistent threats (APTs).
Contractors hoping to attain this certification must show that they are implementing the appropriate cybersecurity solutions for the level and actively monitoring their outcomes.
Level 3 adds 58 practices to the preceding two levels, bringing the total to 130. These practices encompass 17 domains:
- Access Control
- Asset Management
- Awareness and Training
- Audit and Accountability
- Security Assessment
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Management
- Situational Awareness
- Systems and Communication Protection
- System and Information Integrity
Assuming your organization is already meeting the requirements for the first two levels, your Level 3 compliance efforts should focus on the following areas:
- Enhancing your logging, monitoring, incident response and reporting capabilities
- Improving your ability to back up and restore data
- Increasing your proficiency at identifying vulnerabilities through timely risk assessments and managing unsupported products
- Bolstering your protection efforts against malicious traffic through processes such as email sandboxing, filtering and spam protection
Practices/Procedures for Becoming Level 3 Certified
To meet the CMMC Level 3 certification requirements, Defense Industrial Base (DIB) companies must demonstrate the implementation of 20 additional technical and procedural practices. Examples include:
- Clearly outlining procedures for managing CUI data.
- Conducting a comprehensive analysis of cybersecurity events and documenting resolution efforts.
- Performing regular data backup procedures per your organization’s unique needs.
- Separately managing products that are no longer supported by their vendor and reducing your exposure by restricting access to them.
- Implementing effective, reliable spam protection methods at all relevant information system access points.
Coalfire Federal Can Help With CMMC Level 3 Compliance
CMMC compliance represents a significant procedural departure for many companies and can require a substantial time investment. Coalfire Federal can ease the burden with our extensive array of CMMC advisory and training services.
Level 3 Gap Analysis is our most popular service. We’ll work closely with you to identify shortcomings in your current cyber hygiene processes and procedures. We’ll also develop an innovative remediation strategy that puts your company on the path to compliance.