Working with the US government, particularly the Department of Defense (DoD), can be extremely lucrative. However, given how critical the DoD’s security is to the well-being of all Americans domestic and abroad, it also requires would-be contractors to take all available precautions in physical and digital security. Enter the Cybersecurity Maturity Model Certification (CMMC), published by the OUSD (A&S), or the Office of the Under Secretary of Defense for Acquisition and Sustainment. To that end, CMMC level 3 is a significant milestone on your way to DoD contacts.
Are You Ready for CMMC Level 3 Certification?
While the CMMC is a complex and challenging cybersecurity framework to implement, compliance is made more manageable by its tiered breakdown, also known as levels. Rather than implementing all of its 171 practices at once, companies can ease into each level.
However, CMMC level 3 is one of the most dynamic and challenging, with more practices added than at any other level. So, in the sections that follow, we’ll provide:
- An overview of the CMMC framework, up to and including level 3
- A systematic deep dive into all CMMC level 3 requirements
- A guide to compliance at CMMC level 3 and beyond
By the end of this article, you’ll be ready to start your journey toward certification and security (per CMMC standards). But first, let’s discuss who needs to be concerned about these requirements.
Who Needs CMMC Level 3 Certification?
All businesses that work with the DoD make up a critical supply chain known as the Defense Industrial Base (DIB) sector. One defining characteristic of DIB companies is their proximity to several sensitive forms of information related to US citizens’ security.
In particular, some of the most important classes of protected information are:
- Federal Contract Information (FCI) – Contract information generated by governmental agencies and entities that is not intended for (and protected from) public viewing or use.
- Controlled Unclassified Information (CUI) – Excluding information protected by executive order or certain acts, this is unclassified yet still highly protected data, such as technical and strategic documents that could compromise the DoD if published.
If your business comes into contact with these types of information, which it is likely to when working with the DoD, you need to achieve CMMC certification. Even if your potential contact with this data is only incidental or otherwise insignificant, you’ll still need to achieve certification if you want to lock down a preferred contractor status with the DoD.
Background: Overview of CMMC Framework
The CMMC addresses government agencies and their contractors’ requirements, compiling controls from other regulatory frameworks. For example, the FCI protections it addresses are detailed in Federal Acquisition Regulation (FAR) Clause 52.203-21 and CUI protections in Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
These requirements were also addressed in the National Institute for Standards and Technology (NIST) Special Publication 800-171 (SP 800-171), which precedes and lends much of its basic structure to the CMMC. NIST controls map onto CMMC practices rather seamlessly.
Here are a few more articles to help you learn more about CMMC :
The core of the CMMC comprises 17 cybersecurity domains, which are based on analogous “requirement families” in NIST SP 800-171. The domains house 43 “capabilities” and 171 “practices,” the latter of which are analogous to the “requirements” of SP 800-171.
In many ways, the CMMC is a successor to NIST SP 800-171; however, it also includes many other controls from different frameworks too — 61 controls come from other documents.
The biggest difference between SP 800-171 and the CMMC, besides the CMMC being deeper and more complex, is that the CMMC allows for gradual implementation across five maturity levels. So, even though the CMMC is more comprehensive, it can also be more manageable.
How CMMC Levels 1 and 2 Prepare for Level 3
Each level of the CMMC has a particular focus; the focus of level 3 is only entirely understandable in the context of the first two levels since each acts as a stepping stone for level 3 readiness:
- CMMC level 1 focus – The most basic safeguarding of FCI, irrespective of CUI
- CMMC level 2 focus – Transitioning over to CUI protection, achieved at level 3
- CMMC level 3 focus – Full protection of FCI; greater emphasis on CUI moving forward
As these definitions make clear, levels 1 and 2 are merely building blocks toward level 3, which instead is a real threshold of cybersecurity maturity. Alongside these focuses, each level also has a practice maturity goal; all these levels are aimed at “cyber hygiene” on that axis, scaling upward from “basic” and level 1 to “intermediate” at level 2, and only reaching “good” at level 3.
After level 3, levels 4 and 5 have one shared goal, which is further optimizing CUI protection by shifting emphasis to advanced persistent threats (APT) while still protecting FCI.
Culmination: CMMC Level 3 Requirements
The most significant hurdle to compliance at any CMMC level is the implementation of its various practices. This is especially true at CMMC level 3, which adds the most practices of any level. The sum total of its practices, which constitute “good cyber hygiene,” includes the entirety of the 110 requirements from NIST SP 800-171, in addition to 20 from other sources.
As we’ll touch on below, practices aren’t the only element of compliance at each level — there is also a process maturity goal, which governs how practices are implemented and institutionalized. But to understand the processes, you need to understand practices.
Let’s take a close look at the breadth of practices added at CMMC level 3.
Breakdown of CMMC Level 3 Controls by Domain
Again, at CMMC level 3, more controls are added than at any other level. Particularly, 58 new practices are added, three more than were added at level 2, for a cumulative total of 130.
The new additions are distributed across 16 of 17 domains, as follows:
- Access Control (AC) – Governing authorization and access to protected resources, according to 4 capabilities. There are eight AC practices added for a running total of 22.
- Asset Management (AM) – Specifying particular rules and standards for documenting and accounting for assets, per two capabilities. The first AM practice is introduced.
- Audit and Accountability (AU) – Detailing how often audits occur and how to log them, per four capabilities. There are seven AU practices added, totaling 14.
- Awareness and Training (AT) – Defining the need for staff training and how it should happen, per two capabilities. There is one new AT practice added, for a total of three.
- Configuration Management (CM) – Governing the settings installed on all hardware and software, per two capabilities. There are three new CM practices added, for a total of nine.
- Identification and Authentication (IA) – With AC, governing user accounts and access through authorization, per 1 capability. The last four AC practices are added, totaling 11.
- Incident Response (IR) – Specifying how a company should react to security events, per five capabilities. There are two new IR practices added for a running total of seven.
- Maintenance (MA) – Governing how often regular maintenance should occur and what it should entail, per one capability. The final two MA practices are added, totaling six.
- Media Protection (MP) – Specifying how media containing sensitive information should be safeguarded, per four capabilities. The final four MP practices are added, totaling eight.
- Physical Protection (PE) – Limiting physical access to systems containing sensitive information, per one capability. The final PE practice is added for a total of six.
- Recovery (RE) – Governing ways a company should approach immediate and long-term recovery of compromised resources. There is one RE practice added, for a total of three.
- Risk Management (RM) – Governing ways a company should account for and mitigate risks, per three capabilities. There are three new RM practices added for a running total of six.
- Security Assessment (CA) – Specifying how often routine and special assessments should occur, per three capabilities. There are two new CA practices added, totaling five.
- Situational Awareness (SA) – Detailing requirements for personnel’s knowledge of company security posture, per one capability. The first SA practice is added at level 3.
- Systems and Communications Protection (SC) – Governing communications technology, per two capabilities. There are 15 SC practices added, for a total of 19.
- System and Information Integrity (SI) – Specifying requirements for integrity and operationality, per four capabilities. There are three SI practices added, for a total of ten.
In addition, all previous controls from levels 1 and 2 still apply, including the two Personnel Security (PS) requirements from level 2. This means that level 3 is the first stage at which practices from all 17 domains are required to be implemented — and, importantly, “managed.”
How to Secure Certification at CMMC Level 3
Importantly, practices are not the only requirement for advancement in maturity across the 5 CMMC levels. In addition to a focus and practice goal for each level, there is also a process maturity goal, which measures the institutionalization of practices. This means that practices are not just being carried out, but also integrated into every facet of the organization in question.
These process maturity goals scale upward at each level, as follows:
- CMMC level 1: implemented – Practices must be accomplished, but are not measured in any particular way. This accounts for the ad hoc or partial manner in which many organizations might approach the basic controls as they start building their defenses.
- CMMC level 2: documented – Practices must now be carried out and rigorously documented, so as to set the stage for replicability and stability moving forward.
- CMMC level 3: managed – Building on documentation, practices must be managed thoroughly at level 3, including resources, a plan for long-term implementation, training, and involvement of various stakeholders from all parts of the company.
Levels 4 and 5 build on this foundation, moving into “reviewed” and “optimizing.”
As with practices, these process maturity goals are also cumulative, so that full management at CMMC level 3 includes level 2’s documentation. This also means that at each level, all new practices added and existing practices need to be institutionalized to a new standard.
How Professional Compliance Advisory Services Help
Achieving “good cyber hygiene” by implementing all 130 practices at CMMC level 3 to the requisite process maturity of “managed” is still insufficient for official certification. You also need to receive verification from a qualified assessor: a Certified Third-Party Assessment Organization (C3PAO) certified by the CMMC Accreditation Body (CMMC-AB).
The best way to ensure certification is to contract with a C3PAO who will evaluate your compliance and work with you to get all controls in place prior to certification.
RSI Security is a C3PAO, and we’re happy to work with you throughout certification (at CMMC level 3 and beyond). Our dedicated CMMC advisory services comprise everything you need for compliance — and a strong relationship with the DoD — in the long run.
Professional Compliance and Cybersecurity
Here at RSI Security, we know how important compliance is for DoD contractors. But we also know that compliance isn’t the “be all, end all” of security: it’s just one part of a holistic cyberdefense scheme. To that end, we’re happy to help you with any element of your security, from basic managed IT and virtual CISO to niches like penetration testing.
No matter where you are in the process, we’re your first and best option; we’ll get you to the next step in your compliance and security journey. Contact RSI Security today to see how easy CMMC level 3 compliance can be. Once you’re ready for certification, we’ll get you prepared for CMMC levels 4, 5, and ultimately a lucrative long-term partnership with the DoD.