Overview of CMMC Level 3 Requirements

If your organization handles Controlled Unclassified Information (CUI) for the U.S. Department of Defense (DoD), understanding CMMC Level 3 requirements is essential.

Level 3 represents advanced cybersecurity maturity and focuses on protecting sensitive defense information from advanced persistent threats (APTs). In this guide, we break down:

• What CMMC Level 3 is

• The total number of practices required

• Domain-by-domain control breakdown

• How to meet Level 3 requirements

• What assessors look for

Let’s start with a quick framework overview.

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) framework was developed by the U.S. Department of Defense (DoD) to strengthen cybersecurity across the Defense Industrial Base (DIB).

It protects two primary data types:

• Federal Contract Information (FCI) – Non-public contract-related data

• Controlled Unclassified Information (CUI) – Sensitive but unclassified government data requiring safeguarding

CMMC builds upon:

• National Institute of Standards and Technology (NIST) SP 800-171

• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

• Federal Acquisition Regulation (FAR) 52.203-21

Overview of CMMC Level 3 Requirements

CMMC Level 3 requirements focus on achieving and managing full protection of CUI.

At this level, organizations must:

• Implement all Level 1 and Level 2 practices

• Implement 58 additional security practices

• Demonstrate managed and institutionalized cybersecurity processes

• Maintain documentation, policies, and resource planning

Total Practices at Level 3:

• 130 total practices

• 45 sourced from NIST SP 800-171

• 13 from additional federal cybersecurity frameworks

Level 3 represents “good cyber hygiene” plus advanced protection measures.

 

CMMC Level 3 Requirements by Domain

Below is a breakdown of the additional Level 3 controls by domain.

Access Control (AC) – 8 Additional Practices

Level 3 strengthens remote access, encryption, and privileged access management.

Key requirements include:

• Encrypt wireless access

• Protect remote sessions with cryptography

• Enforce separation of duties

• Prevent privileged actions from non-privileged accounts

• Automatically terminate sessions

• Encrypt CUI on mobile devices

Asset Management (AM) – 1 Additional Practice

• Define and document procedures for handling CUI across systems and environments

Audit & Accountability (AU) – 7 Additional Practices

Level 3 requires centralized and protected audit logging.

Organizations must:

• Review logs regularly

• Alert when logging fails

• Protect audit records from modification

• Restrict audit functionality access

• Enable rapid analysis and reporting

Awareness & Training (AT) – 1 Additional Practice

• Provide insider threat awareness training

Configuration Management (CM) – 3 Additional Practices

• Restrict system access based on configuration

• Disable unnecessary services

• Implement whitelist or blacklist controls

Identification & Authentication (IA) – 4 Additional Practices

• Enforce Multi-Factor Authentication (MFA)

• Use replay-resistant authentication methods

• Prevent credential reuse

• Disable inactive accounts

Incident Response (IR) – 2 Additional Practices

• Track and report incidents

• Regularly test response capabilities

Maintenance (MA) – 2 Additional Practices

• Sanitize equipment before offsite maintenance

• Ensure diagnostic tools are malware-free

Media Protection (MP) – 4 Additional Practices

• Mark CUI media for limited distribution

• Restrict unknown portable devices

• Protect CUI during transport

• Encrypt digital storage media

Physical Protection (PE) – 1 Additional Practice

• Extend physical safeguards to alternative work sites

Recovery (RE) – 1 Additional Practice

• Perform regular, resilient data backups

Risk Management (RM) – 3 Additional Practices

• Conduct periodic risk assessments

• Develop risk mitigation plans

• Restrict unsupported vendor products

Security Assessment (CA) – 2 Additional Practices

• Continuously monitor controls

• Perform independent software assessments

Situational Awareness (SA) – 1 Additional Practice

• Collect and share external threat intelligence

System & Communications Protection (SC) – 15 Additional Practices

This is one of the most extensive domains at Level 3.

Organizations must:

• Encrypt CUI to FIPS standards

• Prevent split tunneling

• Use DNS filtering

• Protect CUI at rest and in transit

• Control VoIP and mobile code

• Enforce network traffic whitelisting

System & Information Integrity (SI) – 3 Additional Practices

• Implement anti-spam protections

• Detect document forgery

• Use sandboxing for suspicious email activity

How to Meet CMMC Level 3 Requirements

Meeting CMMC Level 3 requirements involves more than implementing controls. You must demonstrate:

• Formalized cybersecurity policies

• Active management oversight

• Budgeted security resources

• Continuous monitoring

• Evidence of long-term sustainability

Certification requires assessment by a Certified Third-Party Assessment Organization (C3PAO).

Working with experienced advisors significantly reduces audit risk and remediation costs.

Achieve CMMC Level 3 Certification with Confidence

CMMC Level 3 certification signals strong CUI protection and advanced cybersecurity maturity.

At RSI Security, we help defense contractors:

• Prepare for assessment

• Close compliance gaps

• Develop documentation

• Manage ongoing security programs

Contact RSI Security today to start preparing for CMMC Level 3 certification.

Download Our CMMC Checklist