CMMC Level 3 compliance requires implementing advanced controls beyond the baseline required at Levels 1 and 2. One of the most integral requirements at this level is threat intelligence, which shapes routine risk assessments and every other element of a Level 3 implementation.
Is your organization prepared for Level 3 risk assessments? Request a consultation to find out.
CMMC Level 3 Threat-Informed Risk Assessments
The Cybersecurity Maturity Model Certification (CMMC) is a framework that ensures sound cyberdefense and data protection among defense contractors. The Department of Defense (DoD) will require CMMC compliance at Level 1, 2, or 3 in its contracts as the program phases in, and contractors that handle sensitive data in programs at elevated risk from advanced persistent threats will need Level 3.
Threat-informed risk assessments are a critical part of Level 3 compliance, but they’re often misunderstood because of a dearth of directly related controls. To bridge the gap, you’ll need:
- Some structural context for how the CMMC requirements operate at each Level
- A deep dive into the single control requiring threat-informed risk assessments
- An overview of the other Level 3 risk assessment requirements that are impacted
- A consideration of assessment criteria for CMMC compliance at Level 3
Working with a dedicated strategy, implementation, and assessment partner helps organizations achieve and maintain their CMMC compliance, even at the challenging threshold of Level 3.
Context for CMMC Threat-Informed Risk Assessment
The CMMC framework is unusual among regulatory frameworks in that it is tiered, allowing a stepwise progression for organizations at different stages of maturity. The CMMC requirements at Level 3 are significantly more complex and numerous than those at Level 1, offering the strongest protection for the sensitive data contractors hold.
Protections ramp up so significantly because of the data and threat environment at Level 3.
CMMC was designed to protect two primary data types: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC Level 1 corresponds to FCI, while contractors who process CUI will need Level 2 at a minimum. Those who process CUI in an environment subject to Advanced Persistent Threats (APTs) need Level 3. In most cases, a contract will specify the level of CMMC compliance needed, both immediately and in the long term.
Threat-informed risk assessments are warranted in large part because of APTs. CMMC Level 2 comprises the 110 security requirements of the National Institute of Standards and Technology (NIST) Special Publication 800-171, and the Level 1 requirements are a subset of those 110. Level 3 adds 24 controls drawn from NIST's supplementary SP 800-172.
In practice, the CMMC Level 3 requirements only make sense once all 110 requirements from Levels 1 and 2 are already implemented. So, below, we'll look at the control that requires threat-informed risk assessments, the other Level 3 Risk Assessment (RA) controls that accompany it, and their Level 2 prerequisites.
Control RA.L3-3.11.1e: Threat-Informed Risk Assessment
Incorporating threat intelligence into risk assessments is a best practice for any organization, irrespective of its compliance burden. However, it is not an explicit requirement in the CMMC framework until Level 3. At this level, a single control carries the name "threat-informed risk assessment." As we'll cover below, though, all other Level 3 RA controls and their Level 2 prerequisites can and should incorporate the same principle.
With respect to the actual control, RA.L3-3.11.1e requires organizations to employ threat intelligence as a central part of cyber risk assessments, making them "threat-informed." More specifically, the requirement calls for threat intelligence from open and/or commercial sources at a minimum, together with any DoD-provided sources.
The control also stipulates that this threat intelligence should inform much more than threat reports. It should guide the development of organizational systems and security architectures, the selection of security solutions, and the operation of monitoring, threat hunting, and response and recovery activities.
In other words, this control requires deep, system-wide integration of threat intelligence.
The most direct application of threat intelligence outside of RA.L3-3.11.1e is in the other Risk Assessment controls, both at Level 3 and at Level 2. But the same considerations can and should shape all other CMMC controls across all systems.
Other Risk Assessment Requirements at CMMC Level 3
There is only one requirement that explicitly mentions “threat-informed risk assessments” in the CMMC framework, and it’s the first RA requirement of Level 3. However, its position and its specifications indicate that all RA controls are, in effect, threat-informed RA requirements.
All Risk Assessment controls at CMMC Level 3 require some aspect of threat intelligence, per the stipulations above. To that effect, the full complement of RA controls at Level 3 includes:
- RA.L3-3.11.2e: Threat Hunting – Conduct cyber threat hunting on an ongoing, aperiodic basis and whenever indications warrant, to search for indicators of compromise and detect, track, and disrupt threats that evade existing controls.
- RA.L3-3.11.3e: Advanced Risk Identification – Employ advanced automation and analytics capabilities, in support of analysts, to predict and identify risks to the organization, its systems, and the system components that process CUI.
- RA.L3-3.11.4e: Security Solution Rationale – Document (or reference in the system security plan) each security solution selected, the rationale for selecting it, and the associated risk determination.
- RA.L3-3.11.5e: Security Solution Effectiveness – Assess the effectiveness of security solutions at least annually, upon receipt of relevant cyber threat information, and in response to a relevant cyber incident.
- RA.L3-3.11.6e: Supply Chain Risk Response – Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
- RA.L3-3.11.7e: Supply Chain Risk Plan – Develop a plan for managing identified supply chain risks, and update it at least annually, upon receipt of relevant cyber threat information, and in response to a relevant cyber incident.
As noted above, threat intelligence is essential to the functioning of all these controls. Without an existing system for collecting, analyzing, and acting on threat intelligence, compliance simply isn't possible. The same consideration extends to the RA controls carried over from Level 2.
Prerequisites to Risk Assessment at CMMC Level 3
As a precursor to CMMC Level 3 compliance, organizations need to have all Level 1 and Level 2 requirements in place. Level 3 then builds on these with additional, advanced protections.
Risk Assessment is back-loaded with controls at CMMC Level 3, and it is one of the few domains that sees most of its controls added at the highest level of compliance. However, several impactful RA controls are added at CMMC Level 2. These break down as follows:
- RA.L2-3.11.1: Risk Assessments – Periodically assess the risk to organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals that results from operating organizational systems and processing, storing, or transmitting CUI.
- RA.L2-3.11.2: Vulnerability Scan – Scan organizational systems and applications for vulnerabilities periodically and whenever new vulnerabilities affecting those systems are identified.
- RA.L2-3.11.3: Vulnerability Remediation – Remediate identified vulnerabilities in accordance with risk assessments (at Level 3, risk assessments that are themselves threat-informed).
There are no Level 1 RA controls, as risk assessment as a methodology is more impactful at Level 2 for protecting CUI. But these controls apply to both CUI and FCI at Levels 2 and 3.
And, like their Level 3 counterparts, the Level 2 RA controls all need to be informed by threat intelligence at Level 3, even if they were not when the organization achieved Level 2. This means organizations leveling up after years of certification may need to rework these controls.
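What "threat-informed" adds to the Level 2 vulnerability controls above is easiest to see in code. The following is an added example written for this article, not code from the original page, from RSI Security, or from any CMMC or NIST publication. It takes constructed scanner output (placeholder CVE identifiers, not real vulnerabilities) and a constructed threat-intelligence feed, folds the intelligence into a risk score, derives a remediation priority in line with RA.L2-3.11.3, and then re-assesses when an updated feed arrives, the trigger RA.L3-3.11.5e describes. The feed schema, the scoring weights, the tier thresholds, and the remediation timelines are all assumptions chosen for illustration; an organization would document its own in its risk assessment methodology.

```python
"""Threat-informed vulnerability prioritization (added example; all inputs constructed)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed scanner output. CVE ids are placeholders, not real vulnerabilities.
SCAN_RESULTS_JSON = """
[
  {"asset": "cui-fileserver-01", "cve": "CVE-0000-0001", "cvss": 9.8, "handles_cui": true},
  {"asset": "cui-fileserver-01", "cve": "CVE-0000-0002", "cvss": 5.0, "handles_cui": true},
  {"asset": "guest-wifi-ap",     "cve": "CVE-0000-0003", "cvss": 7.5, "handles_cui": false},
  {"asset": "hr-portal",         "cve": "CVE-0000-0004", "cvss": 6.5, "handles_cui": false}
]
"""

# Constructed threat-intel feed. Real open, commercial, or DoD-provided feeds differ
# in format; this flat "exploited / attributed / targets the DIB" schema is an assumption.
INTEL_FEED_JSON = """
[
  {"cve": "CVE-0000-0003", "exploited_in_wild": true, "actors": ["APT-EXAMPLE"], "targets_dib": true},
  {"cve": "CVE-0000-0004", "exploited_in_wild": true, "actors": [],              "targets_dib": false}
]
"""

# A later feed update: the medium-CVSS CVE on the CUI file server is now attributed
# to an actor targeting the defense industrial base (DIB). Also constructed.
INTEL_FEED_UPDATE_JSON = """
[
  {"cve": "CVE-0000-0003", "exploited_in_wild": true, "actors": ["APT-EXAMPLE"], "targets_dib": true},
  {"cve": "CVE-0000-0004", "exploited_in_wild": true, "actors": [],              "targets_dib": false},
  {"cve": "CVE-0000-0002", "exploited_in_wild": true, "actors": ["APT-EXAMPLE"], "targets_dib": true}
]
"""


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    handles_cui: bool


@dataclass(frozen=True)
class Intel:
    exploited_in_wild: bool
    actors: Tuple[str, ...]
    targets_dib: bool


# Illustrative weights (assumptions). The rationale for whatever an organization
# chooses belongs in its risk assessment methodology and SSP.
EXPLOITED_BONUS = 3.0   # known exploitation raises likelihood
DIB_ACTOR_BONUS = 2.0   # attribution to an actor that targets the DIB raises it further
CUI_MULTIPLIER = 1.5    # impact is higher on assets that store or process CUI
TIER_THRESHOLDS = (("Critical", 12.0), ("High", 8.0), ("Medium", 4.0))
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def load_findings(json_text: str) -> List[Finding]:
    return [Finding(r["asset"], r["cve"], float(r["cvss"]), bool(r["handles_cui"]))
            for r in json.loads(json_text)]


def load_intel(json_text: str) -> Dict[str, Intel]:
    return {r["cve"]: Intel(bool(r["exploited_in_wild"]), tuple(r["actors"]), bool(r["targets_dib"]))
            for r in json.loads(json_text)}


def risk_score(f: Finding, intel: Dict[str, Intel]) -> float:
    """CVSS alone is threat-agnostic; fold in what the feed says about this CVE and asset."""
    score = f.cvss
    ti = intel.get(f.cve)
    if ti is not None:
        if ti.exploited_in_wild:
            score += EXPLOITED_BONUS
        if ti.targets_dib and ti.actors:
            score += DIB_ACTOR_BONUS
    if f.handles_cui:
        score *= CUI_MULTIPLIER
    return round(score, 1)


def tier(score: float) -> str:
    for name, threshold in TIER_THRESHOLDS:
        if score >= threshold:
            return name
    return "Low"


def prioritize(findings: List[Finding], intel: Dict[str, Intel]):
    """Return (finding, score, tier, remediation_days) rows, highest risk first."""
    rows = []
    for f in findings:
        s = risk_score(f, intel)
        t = tier(s)
        rows.append((f, s, t, REMEDIATION_DAYS[t]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def reassess(findings: List[Finding], old_intel: Dict[str, Intel], new_intel: Dict[str, Intel]):
    """Findings whose tier moved because of new intelligence: the re-assessment trigger."""
    changed = []
    for f in findings:
        before, after = tier(risk_score(f, old_intel)), tier(risk_score(f, new_intel))
        if before != after:
            changed.append((f.asset, f.cve, before, after))
    return changed


if __name__ == "__main__":
    findings = load_findings(SCAN_RESULTS_JSON)
    for f, s, t, days in prioritize(findings, load_intel(INTEL_FEED_JSON)):
        print(f"{t:<8} {s:>5}  remediate within {days:>3}d  {f.asset} {f.cve}")
    for asset, cve, before, after in reassess(findings, load_intel(INTEL_FEED_JSON),
                                              load_intel(INTEL_FEED_UPDATE_JSON)):
        print(f"re-assess: {asset} {cve} moved {before} -> {after}")
```

Two things stand out in the output. The guest Wi-Fi finding (CVSS 7.5, no CUI) outranks the HR portal's and sits in the Critical tier only because the feed says it is exploited by an actor targeting the DIB; on CVSS alone it would be Medium. And the second feed lifts the CUI file server's CVSS 5.0 finding from Medium to Critical without any new scan, which is exactly the situation in which RA.L3-3.11.5e and RA.L2-3.11.2 expect a re-assessment and a fresh scan rather than waiting for the next scheduled cycle.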
Assessment and Certification Requirements at CMMC Level 3
Implementing controls does not automatically grant CMMC compliance. Organizations need to have them assessed for efficacy, with a different assurance threshold at each Level. CMMC Level 3 actually requires two formal rounds of assessment, as organizations must first certify at Level 2 before they qualify for a Level 3 assessment. And once the threat-informed risk assessment controls are in place, all other Level 3 controls need to be implemented before audit preparation can begin.
CMMC Level 3 compliance requires a government-led assessment. In particular, organizations need to work with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a branch of the Defense Contract Management Agency (DCMA). A successful audit certifies the organization’s compliance for a period of three years, with annual affirmations in the interim.
However, to even qualify for these assessments, DoD contractors must first complete a Level 2 certification assessment with a Certified Third-Party Assessment Organization (C3PAO). The Cyber AB accredits C3PAOs for these assessments. Some Level 2 contracts permit self-assessment instead, where the DoD has determined that the CUI involved does not warrant a third-party assessment, but a self-assessed Level 2 does not qualify an organization for Level 3.
Only Level 1 is self-assessed in all cases, and this level applies strictly to contractors that handle only Federal Contract Information (FCI). Any organization that will handle CUI under a DoD contract will need to pursue Level 2 or 3 certification.
Although Level 3 requires a DIBCAC-led assessment, organizations must first work with a C3PAO for Level 2. Working with a compliance advisor can also help, regardless of CMMC Level.
Streamline Your CMMC Level 3 Compliance Today
On the surface, threat-informed risk assessments may seem like a minor component of CMMC Level 3 compliance. But even though the phrase appears explicitly in only one of the 134 total controls, its impact is felt throughout the rest of the Risk Assessment domain and the overall cybersecurity deployment. CMMC Level 3 certification is difficult, but it is necessary for some Department of Defense contracts.
The best way to prepare for threat-informed risk assessment requirements at CMMC Level 3 is to integrate threat intelligence into all of your security systems. Working with a compliance partner will help you strategize, implement, assess, and maintain these controls efficiently in the long term.
RSI Security has helped DoD contractors meet their regulatory needs since the earliest stages of the CMMC rollout—and beforehand. RSI Security is a certified C3PAO specializing in CMMC compliance. We support defense contractors in meeting the cybersecurity requirements essential to U.S. military operations. Protecting sensitive data the right way is the only way to safeguard DoD and national security. We’ll help you achieve that—efficiently and confidently.
To learn more about our CMMC certification services, contact RSI Security today!