Welcome to the third installment of our series on the Cybersecurity Maturity Model Certification (CMMC), a framework required for companies contracting with the US Department of Defense (DoD). In this guide, we’ll break down everything you need to know about CMMC Level 3. For information about the other levels of the CMMC, see our guides to levels 1, 2, 4, and 5.
Overview of CMMC Level 3 Requirements
The key to complying with CMMC requirements at all levels is understanding exactly what is required. To that end, this article (and the whole series) is built around descriptions of all practices for each given level, sourced directly from CMMC Volume 1.02 from March 2020.
Like other articles in the series, we’ll begin with a brief overview (or recap) of the whole CMMC Framework, including baseline definitions and concepts that apply across all levels. Then, as with installment 2, the main structure below breaks down as follows:
- CMMC Level 3 deep-dive
- Guide to Level 3 compliance
Let’s get started!
CMMC Framework Review
The CMMC exists in order to shore up cyberdefense across the vast network of DoD contractors. This includes especially the supply chain that makes up the Defense Industrial Base sector (DIB), which hosts two particularly sensitive forms of data:
- Federal Contract Information (FCI) – Information related to contracts generated by or otherwise related to federal bodies that are not intended for public access or use.
- Controlled Unclassified Information (CUI) – Information that is required to be confidential by legal statutes but that does not presently have “classified” status.
To protect FCI and CUI, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) worked with University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs) to develop the CMMC.
Structurally, the CMMC Framework consists of the following major elements:
- Domains – A total of 17 cybersecurity domains, based on corresponding concerns in Federal Information Processing Standards Publication 200 (FIPS 200), containing:
  - Cybersecurity capabilities (43 total) that govern practices
- Levels – A 5-stage progression scheme that indexes an institution’s gradual increase in cybersecurity maturity, or breadth and depth of cyberdefenses, by two measures:
  - Processes, or the extent of institutionalization of practices
  - Practices, or individual security controls, behaviors, and protocols
The Framework’s controls combine elements of several other frameworks. The National Institute of Standards and Technology (NIST) Special Publication 800-171 informs protections for CUI in accordance with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. And Federal Acquisition Regulation (FAR) Clause 52.203-21 informs FCI protections.
CMMC Level 3 Controls Deep Dive
Where Level 2 is transitional, Level 3 is the culmination. Building on the preparatory and transitional work of the prior levels, Level 3 finally achieves the goal of CUI protection by incorporating all of NIST SP 800-171, along with many other protections from other sources.
This means achieving “good cyber hygiene” across practices and ensuring that processes are further institutionalized: not only implemented and documented, but managed. At Level 3, you need to have an action plan in place with adequate resources for long-term implementation.
For those keeping count, Level 3 adds an additional 58 practices for a whopping total of 130. Of these 58, 45 come from NIST SP 800-171, whereas 13 come from other, disparate sources.
Let’s take a close look at all the practices, broken down by domain.
Level 3 Access Control Practices
There are 8 new AC controls introduced at Level 3:
- AC.3.012 – Use authentication and encryption measures to protect wireless access.
- AC.3.014 – Use cryptography to safeguard the confidentiality of remote access sessions.
- AC.3.017 – Separate individuals’ duties to reduce the risk of malevolent activity being carried out without collusion (and to make any such activity easier to identify).
- AC.3.018 – Prevent execution of privileged functions from non-privileged accounts; capture the execution of all privileged functions in audit logs and analyze them.
- AC.3.019 – Automatically terminate user access sessions upon defined conditions.
- AC.3.020 – Monitor and control any and all access via mobile devices.
- AC.3.021 – Require authorization for remote execution of privileged commands (security and non-security functions alike), as well as for remote access to any security-related information.
- AC.3.022 – Encrypt CUI on any and all mobile devices and computing platforms.
Level 3 Asset Management Practice
The first AM control is introduced at Level 3:
- AM.3.036 – Define specific practices and procedures for handling CUI and related data.
Level 3 Audit and Accountability Practices
There are 7 new AU controls introduced at Level 3:
- AU.3.045 – Regularly review all logged events and update or correct when necessary.
- AU.3.046 – Necessitate an alert in the event that the audit and/or logging process fails.
- AU.3.048 – Collect all information pertaining to audits into one or multiple central repositories to facilitate review, analysis, and strategizing regarding audit information.
- AU.3.049 – Protect information pertaining to audits and audit logs from all forms of unauthorized access, including especially use, modification, and deletion thereof.
- AU.3.050 – Restrict access to auditing functionalities to a subset of privileged users.
- AU.3.051 – Correlate audit record review and analysis with reporting, to support the investigation of and response to unlawful, unauthorized, or otherwise irregular activities.
- AU.3.052 – Facilitate immediate, on-demand analysis and reporting with efficient procedures for audit record reduction and generation of audit reports.
Level 3 Awareness and Training Practice
There is just 1 new AT control introduced at Level 3:
- AT.3.058 – Provide personnel training on security awareness up to and including best practices for monitoring for, recognizing, and reporting on insider threats from other staff.
Level 3 Configuration Management Practices
There are 3 new CM controls introduced at Level 3:
- CM.3.067 – Define, document, approve, and enforce physical and logical access restrictions associated with changes to system security configurations.
- CM.3.068 – Reduce and ideally eliminate (restrict, disable, prevent, etc.) any and all access to and use of nonessential software, hardware, functions, services, and systems.
- CM.3.069 – Apply “blacklisting” (deny by exception) to prohibit unauthorized use or access, or apply “whitelisting” (permit by exception) to enable authorized use or access.
Level 3 Identification and Authentication Practices
There are 4 new IA controls introduced at Level 3:
- IA.3.083 – Utilize multi-factor authentication (MFA) for both local and network access to privileged accounts, as well as for network access to non-privileged accounts.
- IA.3.084 – Employ authentication mechanisms that are “replay resistant” (nonces, TLS, one-time authenticators, etc.) for access to privileged and non-privileged accounts.
- IA.3.085 – Prevent reuse of identification credentials (usernames, etc.) by the same or other users for a defined period after termination of or other changes to an account.
- IA.3.086 – Disable identification credentials after an organizationally defined period of inactivity in the account — disabling also disallows reuse, per IA.3.085.
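IA.3.085 and IA.3.086 together describe an identifier lifecycle: idle identifiers are disabled, and a disabled or terminated identifier cannot be reassigned for a defined period. The following is an added illustration, not code from the article or from RSI Security; the 90-day inactivity period, the 365-day reuse hold, and the sample accounts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Organizationally defined periods; both values are assumptions for this example.
INACTIVITY_DAYS = 90    # IA.3.086: disable an identifier unused for this many days
REUSE_HOLD_DAYS = 365   # IA.3.085: a retired identifier may not be reassigned within this window
AS_OF = date(2020, 6, 1)  # the review date used for the constructed sample below


@dataclass
class Account:
    username: str
    last_activity: date
    disabled_on: Optional[date] = None  # date the identifier was disabled or terminated


def sample_accounts() -> List[Account]:
    """Constructed sample directory (not real data), evaluated as of AS_OF."""
    return [
        Account("alice", date(2020, 5, 20)),                    # recently active
        Account("bob", date(2020, 1, 15)),                      # idle for 138 days
        Account("carol", date(2019, 10, 1), date(2020, 3, 1)),  # retired 92 days ago
        Account("dave", date(2018, 1, 1), date(2019, 4, 1)),    # retired 427 days ago
    ]


def disable_inactive(accounts: List[Account], today: date) -> List[str]:
    """Disable active identifiers idle longer than INACTIVITY_DAYS (IA.3.086); return their names."""
    cutoff = today - timedelta(days=INACTIVITY_DAYS)
    disabled = []
    for acct in accounts:
        if acct.disabled_on is None and acct.last_activity < cutoff:
            acct.disabled_on = today  # disabling also starts the reuse hold (IA.3.085)
            disabled.append(acct.username)
    return sorted(disabled)


def identifier_available(username: str, accounts: List[Account], today: date) -> bool:
    """True only if no active or recently retired account holds the identifier (IA.3.085)."""
    for acct in accounts:
        if acct.username.lower() != username.lower():  # case-insensitive: 'Bob' matches 'bob'
            continue
        if acct.disabled_on is None:
            return False  # identifier is still in use
        if today - acct.disabled_on < timedelta(days=REUSE_HOLD_DAYS):
            return False  # retired too recently; still inside the reuse hold
    return True
```

Run the inactivity pass first and then check availability: after `disable_inactive` retires `bob`, `identifier_available("bob", ...)` stays False for the whole hold period, which is the linkage the article notes between IA.3.086 and IA.3.085.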
Level 3 Incident Response Practices
There are 2 new IR controls introduced at Level 3:
- IR.3.098 – Ensure that all incidents are tracked, documented, and reported on to all designated authorities and officials, both internal and external to the organization.
- IR.3.099 – Regularly test the organization’s incident response capabilities.
Level 3 Maintenance Practices
There are 2 new MA controls introduced at Level 3:
- MA.3.115 – Sanitize equipment transported off-site for maintenance, removing any and all CUI, traces thereof, and potential pathways to illegitimate access of CUI.
- MA.3.116 – Monitor all media that contains diagnostic or test programs to ensure it is free of all forms of malicious code prior to installing or using it on organizational systems.
Level 3 Media Protection Practices
There are 3 new MP controls introduced at Level 3:
- MP.3.122 – Mark (or code) any media containing CUI for limited distribution.
- MP.3.123 – Disallow use of any portable storage devices of unclear ownership or origin.
- MP.3.124 – Restrict access to media containing CUI; maintain accountability for such CUI-related media during transport outside of areas controlled by the organization.
- MP.3.125 – Utilize cryptography and/or physical safeguards to protect the confidentiality of CUI stored on digital media, especially during transportation thereof.
Level 3 Physical Protection Practice
There is just 1 new PE control introduced at Level 3:
- PE.3.136 – Expand physical safeguards for CUI to any and all alternative work sites.
Level 3 Recovery Practice
There is just 1 new RE control introduced at Level 3:
- RE.3.139 – Regularly perform robust and resilient data backups, following protocols and schedules defined according to organizational security needs and storage means.
Level 3 Risk Management Practices
There are 3 new RM controls introduced at Level 3:
- RM.3.144 – Perform periodic risk assessments, both identifying and prioritizing the risks to address according to organizationally defined categories, sources, and other criteria.
- RM.3.146 – Develop and implement plans to mitigate risks as they are identified.
- RM.3.147 – Manage products not supported by vendors separately; enforce access and use restrictions independently of other assets to reduce risks from these unique vectors.
Level 3 Security Assessment Practices
There are 2 new CA controls introduced at Level 3:
- CA.3.161 – Monitor security controls in practice to ensure ongoing efficacy and safety.
- CA.3.162 – Employ independent security assessment(s) specific to any and all software that is developed internally, for internal use, and has been identified as an area of risk.
Level 3 Situational Awareness Practice
The first SA control is introduced at Level 3:
- SA.3.169 – Collect, analyze, and share with stakeholders any and all relevant cyber threat intelligence from external sources, including reputable reports and forums.
Level 3 System and Communications Protection Practices
There are a whopping 15 new SC controls introduced at Level 3:
- SC.3.177 – Utilize cryptography up to FIPS standards to protect the confidentiality of CUI.
- SC.3.180 – Ensure that effective and efficient information security is optimized across all elements of information systems, including but not limited to:
  - Architectural and infrastructural designs
  - Software development techniques
  - System engineering principles
- SC.3.181 – Fully separate functionalities for user access and system management.
- SC.3.182 – Prevent unintended, unauthorized, and otherwise risky transfer of sensitive information via system resources being shared, internally or externally.
- SC.3.183 – Implement a “whitelist” approach to network communications traffic by denying all such traffic by default and allowing it only by special exception.
- SC.3.184 – Prevent the potentially dangerous phenomenon of “split tunneling,” in which remote devices simultaneously establish both non-remote connection(s) with the organization’s systems and one or more connections to resources in external networks.
- SC.3.185 – Use cryptography and/or physical safeguards to prevent unauthorized disclosure of CUI, especially during periods of transmission or transportation.
- SC.3.186 – Terminate network connections associated with communication sessions at the end of the session or after an organizationally defined period of inactivity.
- SC.3.187 – Maintain cryptographic keys for all cryptography used across all systems.
- SC.3.188 – Strictly monitor and control the use of mobile code(s).
- SC.3.189 – Strictly monitor the use of Voice over Internet Protocol (VoIP) technology.
- SC.3.190 – Protect the authenticity of communication sessions.
- SC.3.191 – Ensure protection of CUI “at rest” in storage or other passive capacity.
- SC.3.192 – Utilize robust Domain Name System (DNS) filtering services.
- SC.3.193 – Craft and enforce a policy restricting publication or “posting” of CUI on external, publicly accessible media and platforms (social media, forums, etc.).
Level 3 System and Information Integrity Practices
There are 3 new SI controls introduced at Level 3:
- SI.3.218 – Deploy mechanisms for detecting and protecting against spam at all entry, exit, and access points to organizational information systems.
- SI.3.219 – Utilize all available resources to detect and prevent document forgery.
- SI.3.220 – Implement “sandboxing” to detect, filter, block, and otherwise prevent malicious and suspicious email communications.
How to Meet CMMC Level 3 Requirements
At Level 3, there are 130 total practices you need to worry about — all 72 from Level 2, plus the 58 added in Level 3. Furthermore, institutionalization is also more challenging at this level, since you need to move from mere documentation to a more active management of processes.
That means demonstrating to your assessor that you have a plan and resources in place to keep these practices up and running over the long term. Speaking of assessors…
It takes a Certified Third Party Assessment Organization (C3PAO), qualified by the CMMC Accreditation Body, to grant certification. And the best C3PAOs, like RSI Security, do more than certify. We are also happy to walk you through all stages of implementation, documentation, and management of your processes. Our CMMC services are key to certification at all levels.
Robust, Professional CUI Protection
Here at RSI Security, we are ready and willing to help you with all of your cybersecurity needs. From CMMC certification across all levels, to compliance more broadly, to basic architecture implementation, we have you covered. Our team of experts has provided cybersecurity solutions to all kinds of companies for over a decade. We’re happy to help you serve the DoD.
Contact RSI Security today to see just how easy CMMC level 3 certification can be!