CMMC Level 3 Requirements

The Cybersecurity Maturity Model Certification (CMMC) sets forth stringent cybersecurity standards for defense contractors working with the Department of Defense (DoD) to safeguard Controlled Unclassified Information (CUI). CMMC 2.0 Level 3, often called the “Expert” level, ensures the highest level of protection for CUI, particularly for defense missions. This level incorporates advanced and detailed practices, requiring companies to have well-documented and sophisticated processes in place to meet stringent security standards.

CMMC Level 3 Objectives

CMMC 2.0 Level 3 is designed to provide the highest level of protection against advanced persistent threats (APTs) targeting the defense industrial base. The standards set forth in Level 3 are essential for maintaining the security of critical defense supply chains and supporting key defense programs. Meeting these standards will soon be a regulatory requirement. It is also a critical step in safeguarding national security.

Why is it Important to Government Contractors?

CMMC 2.0 Level 3 will soon be essential for eligibility to bid on DoD contracts. Without CMMC Level 3 certification, contractors may be ineligible to bid on contracts involving sensitive information, making it a necessary qualification for participating in high-priority defense-related projects.

What is Cybersecurity Maturity Model Certification

CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). The framework includes multiple levels of maturity, with Level 3 representing the highest standard necessary for protecting sensitive information in DoD contracts. It aims to enhance cybersecurity practices and reduce risks from threats.

Controlled Unclassified Information (CUI)

CUI requires safeguarding or dissemination controls and includes technical information, operational details, financial data, and personal information.

Federal Contract Information (FCI)

FCI, provided or generated under government contracts, includes procurement details, contract data, and performance reports. These data types are crucial for national security and defense operations.

Key Requirements and Compliance for CMMC Level 3

CMMC 2.0 Level 3 aligns with the security requirements of NIST SP 800-171 Rev. 3 and adds 24 additional controls from NIST SP 800-172. These practices are crucial for protecting CUI and ensuring the integrity and security of the defense supply chain.

Security Practices

The security practices for CMMC Level 3 are extensive and categorized into several key areas:

• Access Control (AC): Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. Employ secure information transfer solutions to control information flows between security domains on connected systems. Example: Implement multi-factor authentication (MFA) to enhance security for system access.
• Awareness and Training (AT): Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors. Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, aligned with current threat scenarios.
• Audit and Accountability (AU): Maintain records of system activities to detect and respond to security incidents. Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove or quarantine the components to facilitate patching, re-configuration, or other mitigations.
• Configuration Management (CM): Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
• Identification and Authentication (IA): Verify identities of users, devices, and systems before granting access.
• Incident Response (IR): Prepare for and mitigate the impact of cybersecurity incidents.
• Maintenance (MA): Ensure secure system maintenance procedures.
• Media Protection (MP): Protect digital and physical media containing CUI. Example: Encrypt data at rest and in transit to prevent unauthorized access.
• Physical Protection (PE): Secure physical access to systems and data.
• Risk Assessment (RA): Identify and assess risks to organizational operations and assets.
• Security Assessment (CA): Evaluate the effectiveness of security controls.
• System and Communications Protection (SC): Protect the confidentiality and integrity of transmitted information.
• System and Information Integrity (SI): Ensure systems and data remain secure from unauthorized modifications.

Assessment and Certification

Compliance with these practices is verified through various assessments:

• Triannual Government-Led Assessments: Mandatory for the most critical roles within the defense supply chain, conducted by the Department of Defense (DoD).
• Annual Affirmations: Required for contractors to continually monitor and affirm their compliance with CMMC guidelines through the Supplier Performance Risk System (SPRS).

System Security Plan

A key part of meeting CMMC Level 3 requirements is the development and maintenance of a System Security Plan (SSP). This document outlines the security practices and policies in place to protect CUI and demonstrates how the organization adheres to CMMC guidelines.

Steps to Achieve CMMC Level 3 Certification

1. Initial Self-Assessment: Contractors start with a self-assessment against the NIST SP 800-171 standards, which include 110 security practices. This self-check is crucial for identifying gaps in cybersecurity practices and planning how to address them.
2. Remediation and Plan of Action & Milestones (POA&M): Following the self-assessment, contractors need to address any security issues identified. This step may include developing a Plan of Action & Milestones (POA&M) that outlines specific measures and timelines to fully meet the security standards.
3. Third-Party Assessment: For Level 3, a third-party assessment conducted by an accredited CMMC Third Party Assessment Organization (C3PAO) is required. This assessment confirms that the necessary security measures and controls are in place. The results of the assessment are documented in the Supplier Performance Risk System (SPRS) to enable contracting officers to verify the offeror’s certification level and its currency.
4. Government Validation: For contracts with highly sensitive CUI, a government-led validation may be required. This additional assessment ensures that the highest standards of cybersecurity are maintained. The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts the validation assessment. All objectives defined in NIST SP 800-172A for the corresponding CMMC Level 3 security requirements must be met for successful implementation.

Continuous Monitoring and Annual Affirmations

Once certified, contractors must submit annual affirmations of continued compliance through the Supplier Performance Risk System (SPRS). This includes updating any necessary action plans and demonstrating ongoing adherence to the security requirements. The affirmation process ensures that contractors maintain their certification status and remain eligible for contracts involving CUI.

Detailed Implementation Guidance for CMMC Level 3

Scoping and Preparation for CMMC Level 3

The first crucial step in preparing for CMMC 2.0 Level 3 is to thoroughly understand the assessment scope. According to the CMMC Assessment Scope guidelines, this involves identifying all relevant systems, processes, and information to be evaluated. This step includes a detailed analysis of where Controlled Unclassified Information (CUI) is stored, processed, and transmitted within the organization’s network.

System and Process Identification: Organizations need to map out every system and process that handles CUI. This encompasses both digital environments and physical storage locations, ensuring that all potential security risks are identified and addressed.

Information Flow Analysis: Understanding the movement of CUI within and outside the organization is essential. This involves analyzing how information flows between systems, which is critical for implementing effective security measures.

Implementing Required Security Controls

Once the scope is defined, the next step is to implement specific security controls as outlined in NIST SP 800 171 and NIST SP 800-172. These controls are designed to protect the confidentiality, integrity, and availability of CUI across various domains.

Access Control Measures: Robust access control measures must be established to ensure that only authorized personnel can access CUI. This includes employing least privilege principles, multi-factor authentication, and careful management of user identities.

Media Protection Strategies: It is crucial to protect digital and physical media containing CUI. Strategies should include encryption, secure storage, and proper disposal methods to prevent unauthorized access and data breaches.

Incident Response Plans: Organizations must develop and test incident response plans to quickly respond to and recover from security incidents. These plans should outline roles, responsibilities, and procedures for addressing potential security breaches.

Continuous Monitoring and Improvement

Achieving CMMC 2.0 Level 3 certification is only the beginning. Ongoing efforts are necessary to maintain compliance and enhance cybersecurity measures. Continuous monitoring of implemented security controls and regular updates are crucial to keeping pace with evolving cybersecurity threats.

Regular Security Assessments: Regular security assessments help identify weaknesses and gaps in the security framework. These assessments should be both internal and external, including periodic third-party audits to ensure continued compliance.

Updating Security Measures: As technology and cyber threats evolve, security measures must also be updated. Staying informed about the latest security technologies and practices is essential to protect against advanced threats and other emerging risks.

Training and Awareness Programs: Ongoing education and training for all employees on cybersecurity best practices and threat awareness are fundamental. Regular training reduces the likelihood of security incidents caused by human error.

Future Outlook

The future of CMMC 2.0 and Level 3 compliance involves adapting to new cybersecurity challenges and evolving threats. Organizations must stay informed about changes in regulations and emerging best practices to maintain their competitive edge and ensure the security of critical defense information.

Please see the Further Research section on this page for links to official documentation and other information.

Conclusion

Achieving CMMC 2.0 Level 3 compliance is essential for contractors aiming to bid on Department of Defense contracts that handle Controlled Unclassified Information (CUI), Controlled Technical Information (CTI), and ITAR or export-controlled data. Compliance not only enhances security controls but also provides better business opportunities and a competitive edge in the defense sector. It ensures that contractors meet current regulatory requirements and are prepared for future growth and digital transformation challenges. By adhering to CMMC 2.0 Level 3 standards, contractors can demonstrate their commitment to security and support national security objectives.