
    CMMC Level 3 Explained: How It Differs from Level 2

    Learn about CMMC Level 3 certification, its requirements, and why it's crucial for organizations handling CUI.


    As you likely know, Cybersecurity Maturity Model Certification (CMMC), the program responsible for the protection of Controlled Unclassified Information (CUI), is broken into three levels.

    An estimate from the Department of War (DoW) predicts about 1% of the Defense Industrial Base (DIB) will need CMMC Level 3. But what makes CMMC Level 3 expert level? How does pursuing Level 3 differ from the process of Level 2? Let’s talk about it.

    CMMC Level 2 is a prerequisite.

    To qualify for a CMMC Level 3 assessment, you must already have a final CMMC Level 2 Certification assessed by a CMMC Third-Party Assessment Organization (C3PAO).

    For CMMC Level 2, you must meet the 110 controls laid out in National Institute of Standards and Technology (NIST) SP 800-171. In some cases, self-attestation is sufficient for Level 2, but a C3PAO-assessed certification at Level 2 is a prerequisite for Level 3.

    If your CMMC Level 2 certification was conditionally approved under a Plan of Action & Milestones (POAM or POA&M), those items must be resolved before qualifying for Level 3.

    What makes CMMC Level 3 more secure?

    The primary difference between CMMC Levels 2 and 3 is the need for 24 additional controls spread across 10 control families.

    Access Control (AC)

    1. AC.L3-3.1.3e – Employ attribute-based access control (ABAC) where feasible
    2. AC.L3-3.1.18e – Restrict access to privileged accounts and functions
    3. AC.L3-3.1.20e – Prevent non-privileged users from executing privileged functions

    Audit & Accountability (AU) 

    4. AU.L3-3.3.1e – Generate audit records for high-value events
    5. AU.L3-3.3.2e – Correlate audit logs across multiple sources
    6. AU.L3-3.3.8e – Protect audit information from unauthorized access/modification

    Configuration Management (CM)  

    7. CM.L3-3.4.6e – Employ automated mechanisms to enforce configuration settings
    8. CM.L3-3.4.7e – Track and control changes to system configurations in real time

    Identification & Authentication (IA)  

    9. IA.L3-3.5.1e – Use phishing-resistant Multi-Factor Authentication (MFA) for privileged and non-privileged users
    10. IA.L3-3.5.2e – Implement adaptive authentication based on risk/context

    Incident Response (IR)  

    11. IR.L3-3.6.1e – Establish a cyber-threat hunting capability
    12. IR.L3-3.6.2e – Incorporate lessons learned into incident response improvements

    Maintenance (MA)

    13. MA.L3-3.7.3e – Monitor and control remote maintenance sessions

    Risk Assessment (RA)  

    14. RA.L3-3.11.1e – Perform advanced threat-informed risk assessments
    15. RA.L3-3.11.2e – Use threat intelligence to inform risk decisions

    System & Communications Protection (SC)

    16. SC.L3-3.13.2e – Isolate critical system components
    17. SC.L3-3.13.5e – Employ encryption for data in use (where applicable)
    18. SC.L3-3.13.16e – Detect and prevent lateral movement
    19. SC.L3-3.13.17e – Route communications through managed interfaces

    System & Information Integrity (SI)  

    20. SI.L3-3.14.1e – Identify and manage malicious code with advanced detection
    21. SI.L3-3.14.2e – Monitor system behavior for anomalies
    22. SI.L3-3.14.4e – Analyze network traffic for adversarial activity

    Situational Awareness (SA)

    23. SA.L3-3.15.1e – Establish organization-wide SA capability
    24. SA.L3-3.15.2e – Share threat intelligence internally and externally

    These 24 enhancements live in NIST SP 800-172, making for a total of 134 controls; as with Level 2, a conditional status is possible with a POAM, which must still be remediated within 180 days. Like CMMC Level 2, Level 3 must be reassessed every three years and self-attested annually.

    Your C3PAO cannot assess you at Level 3.

    Unlike CMMC Level 2, the DoW doesn’t outsource assessment for CMMC Level 3.

    Once these enhancements are in place, the organization seeking certification (OSC) must be assessed by the DIB Cybersecurity Assessment Center (DIBCAC), an organization within the DoW.  

    Do I need CMMC Level 3?

    As we mentioned earlier, the DoW estimated that ~1% of the DIB will need a Level 3 CMMC Certification, though this estimate may climb as more indicators and outliers are identified.

    For example, the Defense Logistics Agency expects 10% of its service contracts that require CMMC to require it at Level 3, and the Golden Dome of America program will almost certainly carry CMMC Level 3 requirements.

    You’ll know which CMMC level you need by looking at a contract solicitation. It specifies what minimum CMMC level is required for information systems processing or transmitting CUI.

    The solicitation will say, “The CMMC level required by this solicitation is ____.” The contracting officer fills in one of these options: 

    • CMMC Level 1 self-attestation 
    • CMMC Level 2 self-attestation 
    • CMMC Level 2 C3PAO 
    • CMMC Level 3 assessed by the government 

    To Close

    CMMC Level 2 is the result of an outstanding level of commitment to protecting CUI, but Level 3 is the gold standard. While the implementation of CMMC Level 3 is more expansive, the process parallels that of Level 2: implementation, assessment, a POAM if needed, annual self-attestation, and reassessment every three years.

    Reach out to an expert at Summit 7 to start your journey to CMMC Level 3 today.

    Author: Summit 7 Leadership