CMMC Level 3 Controls & Requirements
For the latest information on CMMC 2.0, please click here.
The Cybersecurity Maturity Model Certification (CMMC) is a framework for cybersecurity that all companies contracting with the US Department of Defense (DoD) must comply with. Version one of the CMMC model was released in January 2020, and all defense contractors will eventually need to achieve the required CMMC maturity level to continue working on existing contracts or bidding on new ones.
There are five CMMC levels with a hierarchical structure, meaning each level has the requirements of the level below it in addition to requirements that are new to that level. The levels range from 1 to 5, with CMMC Level 1 indicating basic cyber hygiene.
Each DoD contract will specify the minimum CMMC level that contractors will need before they can bid on it. The DoD determines the CMMC level for each contract based on the type of Controlled Unclassified Information (CUI) that contractors will need to handle. Many contracts will require CMMC Level 3 because this is the lowest level that fully achieves the goal of CUI protection by incorporating all the requirements of NIST SP 800-171 in addition to requirements from other sources.
Cuick trac™ educates users and helps organizations take ownership over their cybersecurity. Our cuick trac™ software is a solution for meeting CMMC Level 3 requirements and other government security standards. Contact us to request a free security consultation and demo.
An Overview of Cybersecurity Maturity Model Certification (CMMC)
DoD contractors have been required to maintain specific cybersecurity protocols since the passage of Defense Acquisition Federal Regulation Supplement (DFARS) in 2015.
CMMC is a tool that helps contractors achieve compliance with these regulations, and it also helps auditors assess the security posture of contractors.
Its overall purpose is to improve cybersecurity across the network of DoD contractors, especially the DoD’s supply chain known as the Defense Industrial Base (DIB).
These contractors handle two types of sensitive information, including Federal Contract Information (FCI) and CUI. FCI is information related to contracts generated by federal organizations or otherwise related to them that aren’t intended for public access or use.
CUI is information that’s legally required to be confidential but isn’t currently classified. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) worked with Federally Funded Research and Development Centers (FFRDs) and University Affiliated Research Centers (UARCs) to develop the CMMC.
The major elements of the CMMC framework include 17 domains and five levels. Domains are categories of cybersecurity practices based on Federal Information Processing Standards (FIPS) Publication 200, which lists 43 capabilities governing these practices.
CMMC Levels are progressive measures of an organization’s increasing security maturity that consist of practices and processes. Practices are the individual security behaviors, controls and protocols required to achieve the given maturity level, while processes indicate the extent of institutionalization of those practices within the organization.
CMMC requires DoD contractors to implement these practices according to the standards specified by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171.
The CMMC framework works with NIST SP 800-171 to ensure contractors have the controls in place that are appropriate for the CUI they will handle for their contracts.
CMMC also combines elements of other frameworks such as Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252- 204-7012 to protect CUI and Federal Acquisition Regulation (FAR) Clause 52.203-21 to protect FCI.
What is CMMC Level 3?
CMMC Level 3 is classified as Good Cyber Hygiene and should be the minimum CMMC level for any contractor that generates or has access to CUI.
A contractor certified at this level has implemented all the security controls required by NIST SP 800-171, meaning that it’s able to meet most threats in keeping information secure.
However, contractors at Level 3 may find it difficult to fend off advanced persistent threats (APTs). Furthermore, they must document and report such cybersecurity incidents if they need to meet DFARS clause 252.204-7012 standards.
CMMC Level 3 has a total of 130 practices that contractors must implement to achieve this maturity level, including the 58 that are new to Level 3.
Institutionalizing these practices is more challenging at this level because it requires organizations to transition from merely documenting processes to actively managing them.
A Certified Third Party Assessment Organization (C3PAO) qualified by the CMMC Accreditation Body ( known as the "Cyber AB") grants CMMC certification after an audit that establishes a baseline of the contractor's security posture.
C3PAOs should also walk contractors through all stages of implementing, documenting and managing their processes, which involves demonstrating that you have the planning and resources needed to maintain CMMC compliance
Updated Audit Requirements CMMC Level 3
CMMC Volume 1.02, published in March 2020, shows that CMMC Level 2 requires an organization to implement 72 practices. Level 3 adds another 58 practices, bringing the total number of practices for Level 3 to 130.
Forty-five of the new practices come from NIST SP 800-171, while the remaining 13 come from other sources. The 58 practices that are new for Level 3 fall into the following 16 domains:
- Access Control
- Asset Management
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Risk Management
- Security Assessment
- Situational Awareness
- System and Communications
- System and Information Integrity
CMMC Level 3 introduces the following eight Access Control practices.
- AC.3.012 – Authentication and encryption measures for safeguarding wireless access.
- AC.3.014 – Cryptography to safeguard the confidentiality of remote sessions.
- AC.3.017 – Separate the duties of individuals to reduce the risk of malicious actions. These actions are distinct from collusion, which doesn’t require the identification of specific threats.
- AC.3.018 – Prevent execution of privileged functions from non-privileged accounts. Audit logs must document and analyze all privileged functions.
- AC.3.019 – Automatically terminate user sessions that meet defined conditions.
- AC.3.020 – Monitor and control all access via mobile devices.
- AC.3.021 – Require authorization for remote execution of functions and access to security-related information.
- AC.3.022 – Encrypt CUI on all computing platforms.
Level 3 introduces the first Asset Management practice as follows:
- AM.3.036 – Define specific practices and procedures for handling CUI and related data.
Audit and Accountability
CMMC Level 3 introduces the following seven Audit and Accountability practices:
- AU.3.045 – Regularly review all logged events and update or correct when necessary.
- AU.3.046 – Necessitate an alert in the event that the audit and/or logging process fails.
- AU.3.048 – Collect all information pertaining to audits into one or multiple central repositories to facilitate review, analysis, and strategizing regarding audit information.
- AU.3.049 – Protect information pertaining to audits and audit logs, from all forms of unauthorized access, including especially use, modification, and deletion thereof.
- AU.3.050 – Restrict access to auditing functionalities to a subset of privileged users.
- AU.3.051 – Correlate review and analysis of audit records with reporting relative to investigation and response to unlawful, unauthorized, or otherwise irregular activities.
- AU.3.052 – Facilitate immediate, on-demand analysis and reporting with efficient procedures for audit record reduction and generation of audit reports.
Awareness and Training
Level 3 introduces the first Awareness and Training practice as follows:
- AT.3.058 – Provide training on security awareness that includes best practices for monitoring, identifying and reporting insider threats from other staff.
CMMC Level 3 introduces the following three Configuration Management practices:
- CM.3.067 – Define, document, approve access to all systems, both physical and virtual. System access must be based on the current security configuration.
- CM.3.068 – Minimize access through restriction, disablement and prevention. These systems include hardware, software, functions and services.
- CM.3.069 – Deny access by exception, commonly known as blacklisting, to prohibit unauthorized access. Enable authorized access by permitting by exception, also known as whitelisting.
Identification and Authentication
CMMC Level 3 introduces the following four Identification and Authentication practices:
- IA.3.083 – Utilize multi-factor authentication (MFA) for local and network access to privileged accounts. Network access to non-privileged accounts also requires MFA.
- IA.3.084 – Employ authentication mechanisms for access to privileged and non-privileged accounts that are “replay resistant.” These measures include cryptographic nonces, one-time authenticators and Transport Level Security (TLS).
- IA.3.085 – Prevent reuse of identification credentials like user names by the same user or others for a defined period after changes to the account, including termination.
- IA.3.086 – Disable identification credentials after an organizationally defined period of inactivity in the account. This action must also prevent reuse, per IA.3.085.
CMMC Level 3 introduces the following two Incident Response practices:
- IR.3.098 – Ensure that all incidents are tracked, documented and reported to all designated authorities, whether they’re internal and external to the organization.
- IR.3.099 – Regularly test the organization’s incident response capabilities.
CMMC Level 3 introduces the following two Maintenance practices:
- MA.3.115 – Sanitize equipment transported off-site for maintenance by removing all CUI, including traces and other potential pathways to unauthorized access to CUI.
- MA.3.116 – Monitor all media containing diagnostic or test programs to ensure it’s free of all forms of malicious code prior to installing or using it on organizational systems.
CMMC Level 3 introduces the following four Media Protection practices:
- MP.3.122 – Mark or code any media containing CUI intended for limited distribution.
- MP.3.123 – Disallow the use of any portable storage devices with unclear ownership or origin.
- MP.3.124 – Restrict access to media containing CUI. Maintain accountability for this media during transport to areas not controlled by the organization.
- MP.3.125 – Use cryptography or physical safeguards to protect the confidentiality of CUI stored on digital media, especially during transport.
Level 3 introduces the first Physical Protection practice as follows:
- PE.3.136 – Expand physical safeguards for CUI to all alternative work sites.
Level 3 introduces the first Recovery practice as follows:
- RE.3.139 – Regularly perform robust and resilient data backups according to protocols and schedules defined by the organization’s security needs and storage media.
CMMC Level 3 introduces the following three Risk Management practices:
- RM.3.144 – Perform periodic risk assessments that identify and prioritize risks according to criteria defined by the organization, including categories and sources.
- RM.3.146 – Develop and implement plans to mitigate those risks as they’re identified.
- RM.3.147 – Manage products separately if they’re unsupported by vendors. Enforce access restrictions to these products and use them independently of other assets to reduce the spread of malware.
CMMC Level 3 introduces the following two Security Assessment practices:
- CA.3.161 – Monitor existing security controls to ensure ongoing efficacy and safety.
- CA.3.162 – Employ independent security assessments specific to software developed internally for internal use if it has been identified as a risk.
Level 3 introduces the first Situational Awareness practice as follows:
- SA.3.169 – Collect, analyze and share relevant cyber threat intelligence from external sources with stakeholders, including reputable reports and forums.
Systems and Communications
Level 3 introduces 15 new controls for System and Communications, the most of any domain. These include the following:
- SC.3.177 – Use cryptography up to FIPS for protecting CUI.
- SC.3.180 – Ensure that effective and efficient information security is optimized across all information system elements, including the following:
- Architectural designs
- Infrastructural designs
- Software development techniques
- System engineering principles
- SC.3.181 – Fully separate user functionalities access and system management.
- SC.3.182 – Prevent insecure transfers of sensitive information with shared internal and external system resources, including unintentional and unauthorized transfers.
- SC.3.183 – Implement a whitelist approach to network communications traffic, meaning such traffic is denied by default and allowed only by exception.
- SC.3.184 – Prevent the potentially dangerous occurrence of “split tunneling,” in which remote devices simultaneously establish a non-remote connection with the organization’s systems and a connection to resources in external networks.
- SC.3.185 – Use cryptography or physical safeguards to prevent unauthorized disclosure of CUI, especially during transmission or transportation.
- SC.3.186 – Terminate network connections related to communication immediately upon the end of the session or after a period of inactivity defined by the organization.
- SC.3.187 – Maintain cryptographic keys for all cryptography used across all systems.
- SC.3.188 – Strictly monitor and control the use of mobile codes.
- SC.3.189 – Strictly monitor the use of Voice over Internet Protocol (VoIP) technology.
- SC.3.190 – Ensure authenticity of communications across sessions.
- SC.3.191 – Ensure protection of CUI while in storage or some other passive capacity.
- SC.3.192 – Use robust Domain Name System (DNS) filtering services.
- SC.3.193 – Develop and enforce a policy restricting the publication of CUI on external, publicly accessible media and platforms such as forums and social media.
System and Information Integrity
CMMC Level 3 introduces the following three System and Information Integrity practices:
- SI.3.218 – Deploy mechanisms for detecting spam and protecting against it at all entry, exit and access points to the organization’s information systems.
- SI.3.219 – Use all available resources to detect and prevent document forgery.
- SI.3.220 – Implement sandboxing techniques to detect, filter, block or otherwise prevent malicious and suspicious email communications.
Position yourself for CMMC Level 3 success with cuick trac™
Cuick trac™ is a pre-configured, secure virtual enclave that allows government contractors to handle, store, and process CUI, along with the supporting documentation you need to meet NIST SP 800-171 requirements.
Learn how cuick trac™ can help your organization prepare for CMMC Level 3 compliance. Request a free cuick trac™ demo today or speak with one of our security experts.
Get a 30-minute demo from a cuick trac™ product expert
You've made it this far, now let us show you why cuick trac™ will be the smartest decision you'll make this year.