Skip to main content

CMMC Level 3 Essentials: What You Need To Know


CMMC level 3 requires defense contractors to standardize and optimize their process implementation at an advanced manner organization-wide. Building on the proactive approach in level 2, level 3 puts focus on the protection of Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs). The additional controls, practices and processes deliver a deeper and more sophisticated cybersecurity posture.

What Is CMMC Level 3?

Level 3 is considered an advanced or progressive cyber security posture, and seeks to reduce the risk of Advanced Persistent Threats (APTs). APTs, often nation states or state-sponsored groups, utilize sophisticated expertise along with extensive resources, allowing them to continually attack security networks using multiple and varying attack vectors including physical and cyber security as well as deception techniques.

How Does A Level 3 Certification Compare With Level 2?


While level 3 certifications require significantly more security vigilance on part of the defense contractor than level 2, level 3 takes on a more advanced posture of proactive scanning and mitigation of APTs. In addition to implementing and reviewing more sophisticated security controls and processes, level 3 also requires the ongoing management and optimization of those processes to protect against continually evolving threat actors.

What Are The Audit Requirements Of Level 3?

CMMC level 3 requires NIST 800-171 and NIST 800-172 controls be put in place to protect against not only standard threats, but also against APTs, often originating from state-sponsored or nation state groups. The extensive list of controls, including those related to actively identifying and mitigating security threats, are summarized below, grouped within 17 domains:

  • Domain AC: Access Control is focused on controlling who and what is able to gain access to your systems. There is one control unique to level 5, which requires an organization to find and address any potential vulnerabilities with wireless access points to their network.
  • Domain AM: Asset Management consists of practices that come from level 2. As with all previous practices, these are also contained in level 3. These practices include defining how you will handle CUI data and managing your inventory.
  • Domain AT: Awareness and Training includes controls introduced in previous levels that are focused on training your staff, contractors and any vendors who interact with your data so you can protect against risks. This training should be tailored to the security risks your organization faces.
  • Domain AU: Audit and Accountability involves generating audit trails of any activity on your system and then reviewing those audit trails. Level 3 contains one control for this domain that’s not in previous levels, which calls for assuring that all appropriate systems are generating logs.
  • Domain CA: Security Assessment practices come from previous levels and are upheld in level 3. These practices involve assessing your organization’s performance periodically when it comes to your defensive capabilities and making a plan for improvements when needed.
  • Domain CM: Configuration Management includes practices from several levels, all of which are aimed at standardizing your configurations. Level 3 includes a control for CM that requires organizations to verify the correctness and integrity of software your organization considered essential or security-critical.
  • Domain IA: Identification and Authentication practices are introduced in the first three levels and continue through level 3. These practices are intended to ensure that only authorized users are able to access their user accounts.
  • Domain IR: Incident Response includes several controls that are introduced at level 3, in addition to previously introduced controls. At level 3, an organization should have a readily available incident response team and robust testing and planning in place so they are prepared for a security incident.
  • Domain MA: Maintenance is focused on the need and the proper procedures for maintaining organizational systems. As with all scenarios, your data must be protected in these instances. These practices are included in level 2 of the CMMC model.
  • Domain MP: Media Protection highlights the risks associated with removable media, such as digital storage devices or paper, and how your organization can safeguard against these risks. The controls in Domain MP come from level 1 and level 2.
  • Domain PE: Physical Protection includes controls from level 1 and level 2, all of which are aimed at protecting physical access to your systems. Cybersecurity measures aren’t adequate if you allow unauthorized physical access to your equipment and data.
  • Domain PS: Personnel Security calls for screening people before granting them access to any systems that contain CUI and protecting those systems when staff are terminated or transferred. These practices come from level 1 and remain important throughout all subsequent levels.
  • Domain RE: Recovery covers the need to back up your data. Level 5 includes a new requirement to ensure your information processing facilities adhere to the requirements your organization has set for information security continuity, redundancy and availability.
  • Domain RM: Risk Management is focused on the ongoing need to anticipate risks to your data and systems and remediate them. There are two practices in Domain RM that level 3 introduces. One requires organizations to involve an exception process in the case of non-whitelisted software, and the other requires an annual assessment of your security solutions.
  • Domain SA: Situational Awareness includes practices from level 2 that specify how an organization must look for and handle cyber threats that arise from various sources.
  • Domain SC: Systems and Communications Protection includes a list of safe communication practices from all three levels. The controls introduced in level 3 expand these practices to include more robust protections for data transmission.
  • Domain SI: System and Information Integrity includes practices from all three levels. These practices are aimed at quickly correcting security vulnerabilities when you become aware of them. The level 3 controls call for ongoing monitoring and analysis so you can detect any unusual behavior or malicious actions.

How Do I Pass A Level 3 Audit?


CMMC level 3 builds on the foundational security controls from level 1 and level 2. Therefore, all of the level 1 and level 2 controls are built in to level 3, which also requires defense contractors to put several additional controls in place such as:

  • Analyzing, detecting and mitigating malicious action scripts
  • Establishing and managing an active response team that is available 24/7
  • Annual system reviews using the latest threat intelligence
  • Identifying and fixing improper log management activities
  • Engaging automated response actions and real-time asset tracking.

Get Prepared For A Level 3 Audit & Certification


CCG can take the burden of CMMC compliance off of your organization. We offer a convenient solution for government contractors that allows you to focus on what you do best, while CCG works to achieve your CMMC certification. Contact us today via email to schedule a complimentary consultation with our security experts.