As you likely know, Cybersecurity Maturity Model Certification (CMMC), the program responsible for the protection of Controlled Unclassified Information (CUI), is broken into 3 levels:
An estimate from the Department of War (DoW) predicts about 1% of the Defense Industrial Base (DIB) will need CMMC Level 3. But what makes CMMC Level 3 expert level? How does pursuing Level 3 differ from the process of Level 2? Let’s talk about it.
To qualify for a CMMC Level 3 assessment, you must already have a final CMMC Level 2 Certification assessed by a CMMC Third-Party Assessment Organization (C3PAO).
For CMMC Level 2, you must meet the 110 controls laid out in National Institute of Standards and Technology (NIST) SP 800-171; in some cases, self-attestation is sufficient for Level 2, but a C3PAO-assessed certification at Level 2 is a prerequisite for Level 3.
If your CMMC Level 2 certification was conditionally approved under a Plan of Action & Milestones (POAM or POA&M), those items must be resolved before qualifying for Level 3.
The primary difference between CMMC Levels 2 and 3 is the need for 24 additional controls spread across 10 control families.
Access Control (AC)
1. AC.L3-3.1.3e – Employ attribute-based access control (ABAC) where feasible
2. AC.L3-3.1.18e – Restrict access to privileged accounts and functions
3. AC.L3-3.1.20e – Prevent non-privileged users from executing privileged functions
Audit & Accountability (AU)
4. AU.L3-3.3.1e – Generate audit records for high-value events
5. AU.L3-3.3.2e – Correlate audit logs across multiple sources
6. AU.L3-3.3.8e – Protect audit information from unauthorized access/modification
Configuration Management (CM)
7. CM.L3-3.4.6e – Employ automated mechanisms to enforce configuration settings
8. CM.L3-3.4.7e – Track and control changes to system configurations in real time
Identification & Authentication (IA)
9. IA.L3-3.5.1e – Use phishing-resistant Multi-Factor Authentication (MFA) for privileged and non-privileged users
10. IA.L3-3.5.2e – Implement adaptive authentication based on risk/context
Incident Response (IR)
11. IR.L3-3.6.1e – Establish a cyber-threat hunting capability
12. IR.L3-3.6.2e – Incorporate lessons learned into incident response improvements
Maintenance (MA)
13. MA.L3-3.7.3e – Monitor and control remote maintenance sessions
Risk Assessment (RA)
14. RA.L3-3.11.1e – Perform advanced threat-informed risk assessments
15. RA.L3-3.11.2e – Use threat intelligence to inform risk decisions
System & Communications Protection (SC)
16. SC.L3-3.13.2e – Isolate critical system components
17. SC.L3-3.13.5e – Employ encryption for data in use (where applicable)
18. SC.L3-3.13.16e – Detect and prevent lateral movement
19. SC.L3-3.13.17e – Route communications through managed interfaces
System & Information Integrity (SI)
20. SI.L3-3.14.1e – Identify and manage malicious code with advanced detection
21. SI.L3-3.14.2e – Monitor system behavior for anomalies
22. SI.L3-3.14.4e – Analyze network traffic for adversarial activity
Situational Awareness (SA)
23. SA.L3-3.15.1e – Establish organization-wide SA capability
24. SA.L3-3.15.2e – Share threat intelligence internally and externally
These 24 enhancements live in NIST SP 800-172, making for a total of 134 controls; as with Level 2, a conditional status is possible with a POAM, which must still be remediated within 180 days. Like CMMC Level 2, Level 3 must be reassessed every three years and self-attested annually.
Unlike CMMC Level 2, the DoW doesn’t outsource assessment for CMMC Level 3.
Once these enhancements are in place, the organization seeking certification (OSC) must be assessed by the DIB Cybersecurity Assessment Center (DIBCAC), an organization within the DoW.
As we mentioned earlier, the DoW estimated that ~1% of the DIB will need a Level 3 CMMC Certification, though this estimate may climb as more indicators and outliers are identified.
For example, the Defense Logistics Agency expects 10% of its service contracts that require CMMC to require it at Level 3, and the Golden Dome of America will almost certainly carry CMMC Level 3 requirements.
You’ll know which CMMC level you need by looking at a contract solicitation. It specifies what minimum CMMC level is required for information systems processing or transmitting CUI.
The solicitation will say, “The CMMC level required by this solicitation is ____.” The contracting officer fills in one of these options:
CMMC Level 2 is the result of an outstanding level of commitment to protecting CUI, but Level 3 is the gold standard. While the implementation of CMMC Level 3 is more expansive, the process parallels that of Level 2: implementation, assessment, POAM if needed, annual self-attestation, and reassessment every 3 years.
Reach out to an expert at Summit 7 to start your journey to CMMC Level 3 today.