To achieve CMMC Level 3 certification, Department of Defense (DoD) contractors must meet strict cybersecurity requirements, especially in the area of System and Communications Protection (SC).
CMMC Level 3 System and Communications Protection
Working with the Department of Defense (DoD) means handling large quantities of extremely sensitive information. For this reason, DoD contractors are required to achieve Cybersecurity Maturity Model Certification (CMMC) up to Level 1, 2, or 3, depending on the kinds of data they handle and the risk environment in which they operate. One of the most critical kinds of controls that need to be installed, especially at Level 3, are System and Communications Protection controls.
Fulfilling all system protection or network protection needs for CMMC Level 3 means:
- Understanding the System and Communications Protection CMMC level 3 requirements
- Satisfying System and Communications Protection prerequisites at Levels 1 and 2
- Preparing for, conducting, and passing a government-led compliance assessment
The best way to implement the System and Communications Protection and other CMMC requirements and prepare for an assessment is to work with a compliance advisory partner.
System and Communications Protection Level 3 Requirement
Systems and Communications Protection (SC) is one of 14 Domains within the CMMC framework. Each Domain houses a set of Security Requirements, totaling 134 at Level 3. Specifically, the SC Domain includes 19 controls spanning Levels 1 through 3. Of these, 18 are derived from NIST SP 800-171 and implemented at Levels 1 and 2. Additionally, Level 3 introduces one more control, sourced from NIST SP 800-172, to address advanced persistent threats.
There is just one SC requirement at CMMC Level 3, but it is extremely impactful in scope:
- SC.L3-3.13.4e: Isolation – Employ physical and/or logical isolation techniques to separate organizational systems and system components related to protected data.
This control is critical because it builds on similar SC requirements at lower CMMC Levels (see below). It enables complete separation between protected data for effective incident response. By isolating data systems, organizations minimize the potential damage a breach could impose.
The discussion section provides multiple examples of approaches organizations can take to this effect. Logical isolation can take the form of virtual machines or “containers” for sensitive data.
This allows for granular digital rights management (DRM) and data loss prevention (DLP). What’s more, physical isolation can employ completely separate hardware for different data types or access privileges. Finally, hybrid approaches may also employ cryptographic controls for extra assurance.
System and Communications Protection Level 3 Prerequisites
To fully understand the impact of Level 3 SC protection, it’s important to consider the broader context of the CMMC’s control matrix. At its foundation, the CMMC draws from two major cybersecurity frameworks: the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 and 800-172. Specifically, Levels 1 and 2 are grounded in SP 800-171. Level 1 incorporates 15 foundational controls, representing some of the framework’s most basic requirements. In contrast, Level 2 builds upon this base by implementing all 125 controls outlined in SP 800-171, offering more comprehensive protections across multiple domains.
These sources also correspond to specific kinds of data that the CMMC was designed to protect.
In particular, CMMC Level 1 is associated with Federal Contract Information (FCI) data, which pertains to federal contracts and specifications. Meanwhile, Levels 2 and 3 are associated with Controlled Unclassified Information (CUI), which includes highly sensitive details about DoD financial transactions, technical details of military equipment, and other security-critical information.
CMMC Level 2 ensures full protection of CUI in most environments. CMMC Level 3 adds complex protections against Advanced Persistent Threats (APTs), which pose more serious danger to CUI—as well as DoD and US security, by extension. For these reasons, the compliance burden at Level 3 is much higher than it is at Levels 1 and 2. Organizations must install all prior controls, certify at Level 2, and then prepare for Level 3 implementation and assessment.
In effect, all CMMC requirements for Level 2 are prerequisites for SC at CMMC Level 3.
Below, we’ll provide an overview of the specific SC controls organizations need in place at CMMC Levels 1 and 2 to prepare for the implementation of SC.L3-3.13.4e at CMMC Level 3.
System and Communications Protection at CMMC Level 1
CMMC Level 1 comprises relatively few straightforward controls targeting basic protections for FCI. This includes its System and Communications requirements, which cover security considerations that many organizations may already have in place, if informally. Regardless, they’re stepping stones for Levels 2 and 3.
At Level 1, the CMMC prescribes two SC controls for the protection of FCI:
- SC.L1-3.13.1: Boundary Protections (FCI) – Monitor and control communications by defining external and internal boundaries and protecting incoming and outgoing FCI.
- SC.L1-3.13.5: Public Access System Separation (FCI) – Deploy subnetworks for all publicly accessible FCI systems, logically or physically separated from internal networks.
These requirements, though limited in scope, lay the groundwork for more robust protections at higher levels. CMMC Level 2 also mirrors them to safeguard CUI.
System and Communications Protection at CMMC Level 2
CMMC Level 2 encompasses the entirety of NIST SP 800-171. This level adds the vast majority of controls, especially within Domains like System and Communications Protection.
At Level 2, the CMMC prescribes 16 SC controls for robust protection of CUI:
- SC.L2-3.13.1: Boundary Protections (CUI) – Monitor and control communications by defining external and internal boundaries and protecting incoming and outgoing CUI.
- SC.L2-3.13.2: Security Engineering – Deploy security architecture, development techniques, and engineering principles to promote CUI security across all systems.
- SC.L2-3.13.3:Role Separation – Separate user functionality and account management from broader system management functionality across components in contact with CUI.
- SC.L2-3.13.4: Shared Resource Control – Prevent all unauthorized or unintended transfer of CUI within, across, into, and out of shared systems and system components.
- SC.L2-3.13.5:Public Access System Separation (CUI) – Deploy subnetworks for all publicly accessible CUI systems logically or physically separated from internal networks.
- SC.L2-3.13.6: Network Communication by Exception – Restrict communications by exception using a “deny all except” or equivalent approach via policy or software control.
- SC.L2-3.13.7: Split Tunneling – Prevent remote devices from connecting to non-remote organizational systems and communicating via other connections to external networks.
- SC.L2-3.13.8: Data in Transit – Prevent unauthorized disclosure of CUI in transmission with cryptographic controls unless said CUI data is otherwise protected or accounted for.
- SC.L2-3.13.9: Connections in Termination – Terminate network connections that are associated with communication at the end of their sessions or after a period of inactivity.
- SC.L2-3.13.10: Key Management – Establish and manage secure generation, storage, and management of cryptographic keys employed across organizational CUI systems.
- SC.L2-3.13.11: CUI Encryption – Employ Federal Information Processing Standards (FIPS) cryptography to protect the confidentiality of CUI data both at rest and in transit.
- SC.L2-3.13.12: Collaborative Device Control – Prevent remote activation of any collaborative computing devices and provide indications regarding devices in use.
- SC.L2-3.13.13: Mobile Code – Monitor, control, and restrict the use of mobile code across systems and networks directly hosting or otherwise in contact with CUI data.
- SC.L2-3.13.14: Voice over Internet Protocol – Monitor and control VoIP technology across systems and networks directly hosting or otherwise in contact with CUI data.
- SC.L2-3.13.15: Communications Authenticity – Protect and ensure authenticity across communications sessions by requiring and determining authenticity at login.
- SC.L2-3.13.16: Data at Rest – Ensure the confidentiality of CUI “at rest” across organizational systems with monitoring, encryption, and strong access controls.
These controls build on the foundation of Level 1 and create a sound foundation for security across most organizational contexts. However, without Level 3’s isolation requirement, CUI may still be subject to APTs. Level 3 acts as a force multiplier, maximizing these controls’ protection.
Compliance Assessment Requirements at CMMC Level 3
Achieving CMMC certification at any level begins with an official assessment. For CMMC Level 3, however, organizations must meet two distinct thresholds. Firstly, they need to have already achieved Level 2 certification.
This requires working with a Certified Third Party Assessment Organization (C3PAO) that has been vetted by the Cyber AB. These C3PAO assessments serve to validate an organization’s cybersecurity posture for a period of up to three years. During this certification window, annual affirmations are required to ensure ongoing compliance and readiness.
Then, after completing Level 2 certification—and meeting all associated requirements—organizations become eligible to advance. At this stage, they can pursue a government-led Level 3 audit to achieve the highest tier of CMMC certification.
At CMMC Level 3, official assessments are led by the Defense Contract Management Agency’s (DCMA’s) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). In parallel, Certified Third-Party Assessment Organizations (C3PAOs) conduct these audits every three years.
To remain compliant throughout the certification period, contractors must also submit an annual affirmation. Importantly, failure to complete these affirmations can result in compliance lapses and potential contract termination.
DoD contractors at Level 2 can self-assess if they only process non-DoD-related CUI. Contractors seeking Level 3 certification must complete a full C3PAO audit. Level 1 contractors can maintain compliance through self-assessments. However, any future contract involving CUI will require Level 2 or Level 3 compliance.
Optimize Your CMMC Level 3 Implementation Today
Ultimately, reaching CMMC Level 3 certification requires implementing much more than just the lone System and Communications Protection control required at this stage. Organizations must install all controls across every domain and previous level, and they must also undergo an official C3PAO assessment. Then, after the governmental audit at Level 3, organizations need further third-party audits each year to ensure that all security systems are functional.
Needless to say, all of this can be challenging, especially for Department of Defense contractors new to the CMMC framework.
As an authorized C3PAO and trusted compliance advisory firm, RSI Security plays a pivotal role in CMMC readiness. We help organizations with all aspects of compliance across every Level, from foundational to advanced. In addition to conducting government-led audits, we also support initial scoping, implementation, Level 2 assessments, and annual affirmations required at Level 3. With deep cybersecurity and compliance expertise, RSI Security actively helps organizations rethink and strengthen their cyber defenses.
Get a clear roadmap to CMMC compliance, download our checklist and prepare for certification with confidence.