CMMC Level 3 Controls & Requirements

The Cybersecurity Maturity Model Certification (CMMC) is a framework for cybersecurity that all companies contracting with the US Department of Defense (DoD) must comply with. Version one of the CMMC model was released in January 2020, and all defense contractors will eventually need to achieve the required CMMC maturity level to continue working on existing contracts or bidding on new ones.

There are five CMMC levels with a hierarchical structure, meaning each level has the requirements of the level below it in addition to requirements that are new to that level. The levels range from 1 to 5, with CMMC Level 1 indicating basic cyber hygiene.

Each DoD contract will specify the minimum CMMC level that contractors will need before they can bid on it. The DoD determines the CMMC level for each contract based on the type of Controlled Unclassified Information (CUI) that contractors will need to handle. Many contracts will require CMMC Level 3 because this is the lowest level that fully achieves the goal of CUI protection by incorporating all the requirements of NIST SP 800-171 in addition to requirements from other sources.

Cuick trac™ educates users and helps organizations take ownership over their cybersecurity. Our is a solution for meeting CMMC Level 3 requirements and other government security standards. Contact us to request a free security consultation and demo.

Get DFARS/NIST 800-171 Compliant With cuick trac™ — a private hosted, virtual enclave

Learn More

An Overview of Cybersecurity Maturity Model Certification (CMMC)

DoD contractors have been required to maintain specific cybersecurity protocols since the passage of Defense Acquisition Federal Regulation Supplement (DFARS) in 2015. CMMC is a tool that helps contractors achieve compliance with these regulations, and it also helps auditors assess the security posture of contractors. Its overall purpose is to improve cybersecurity across the network of DoD contractors, especially the DoD’s supply chain known as the Defense Industrial Base (DIB).

These contractors handle two types of sensitive information, including Federal Contract Information (FCI) and CUI. FCI is information related to contracts generated by federal organizations or otherwise related to them that aren’t intended for public access or use. CUI is information that’s legally required to be confidential but isn’t currently classified. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) worked with Federally Funded Research and Development Centers (FFRDs) and University Affiliated Research Centers (UARCs) to develop the CMMC.

The major elements of the CMMC framework include 17 domains and five levels. Domains are categories of cybersecurity practices based on Federal Information Processing Standards (FIPS) Publication 200, which lists 43 capabilities governing these practices. CMMC Levels are progressive measures of an organization’s increasing security maturity that consist of practices and processes. Practices are the individual security behaviors, controls and protocols required to achieve the given maturity level, while processes indicate the extent of institutionalization of those practices within the organization.

CMMC requires DoD contractors to implement these practices according to the standards specified by National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171. The CMMC framework works with NIST SP 800-171 to ensure contractors have the controls in place that are appropriate for the CUI they will handle for their contracts.

CMMC also combines elements of other frameworks such as Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252- 204-7012 to protect CUI and Federal Acquisition Regulation (FAR) Clause 52.203-21 to protect FCI.

What is CMMC Level 3?

CMMC Level 3 is classified as Good Cyber Hygiene and should be the minimum CMMC level for any contractor that generates or has access to CUI. A contractor certified at this level has implemented all the security controls required by NIST SP 800-171, meaning that it’s able to meet most threats in keeping information secure.

However, contractors at Level 3 may find it difficult to fend off advanced persistent threats (APTs). Furthermore, they must document and report such cybersecurity incidents if they need to meet DFARS clause 252.204-7012 standards.

CMMC Level 3 has a total of 130 practices that contractors must implement to achieve this maturity level, including the 58 that are new to Level 3. Institutionalizing these practices is more challenging at this level because it requires organizations to transition from merely documenting processes to actively managing them.

A Certified Third Party Assessment Organization (C3PAO) qualified by the CMMC Accreditation Body (CMMC-AB) grants CMMC certification after an audit that establishes a baseline of the contractor's security posture. C3PAOs should also walk contractors through all stages of implementing, documenting and managing their processes, which involves demonstrating that you have the planning and resources needed to maintain CMMC compliance

Updated Audit Requirements CMMC Level 3

CMMC Volume 1.02, published in March 2020, shows that CMMC Level 2 requires an organization to implement 72 practices. Level 3 adds another 58 practices, bringing the total number of practices for Level 3 to 130.

Forty-five of the new practices come from NIST SP 800-171, while the remaining 13 come from other sources. The 58 practices that are new for Level 3 fall into the following 16 domains:

Access Control
Asset Management
Audit and Accountability
Awareness and Training
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Physical Protection
Recovery
Risk Management
Security Assessment
Situational Awareness
System and Communications
System and Information Integrity

Access Control

CMMC Level 3 introduces the following eight Access Control practices.

AC.3.012 – Authentication and encryption measures for safeguarding wireless access.
AC.3.014 – Cryptography to safeguard the confidentiality of remote sessions.
AC.3.017 – Separate the duties of individuals to reduce the risk of malicious actions. These actions are distinct from collusion, which doesn’t require the identification of specific threats.
AC.3.018 – Prevent execution of privileged functions from non-privileged accounts. Audit logs must document and analyze all privileged functions.
AC.3.019 – Automatically terminate user sessions that meet defined conditions.
AC.3.020 – Monitor and control all access via mobile devices.
AC.3.021 – Require authorization for remote execution of functions and access to security-related information.
AC.3.022 – Encrypt CUI on all computing platforms.

Asset Management

Level 3 introduces the first Asset Management practice as follows:

AM.3.036 – Define specific practices and procedures for handling CUI and related data.

Audit and Accountability

CMMC Level 3 introduces the following seven Audit and Accountability practices:

AU.3.045 – Regularly review all logged events and update or correct when necessary.
AU.3.046 – Necessitate an alert in the event that the audit and/or logging process fails.
AU.3.048 – Collect all information pertaining to audits into one or multiple central repositories to facilitate review, analysis, and strategizing regarding audit information.
AU.3.049 – Protect information pertaining to audits and audit logs, from all forms of unauthorized access, including especially use, modification, and deletion thereof.
AU.3.050 – Restrict access to auditing functionalities to a subset of privileged users.
AU.3.051 – Correlate review and analysis of audit records with reporting relative to investigation and response to unlawful, unauthorized, or otherwise irregular activities.
AU.3.052 – Facilitate immediate, on-demand analysis and reporting with efficient procedures for audit record reduction and generation of audit reports.

Awareness and Training

Level 3 introduces the first Awareness and Training practice as follows:

AT.3.058 – Provide training on security awareness that includes best practices for monitoring, identifying and reporting insider threats from other staff.

Configuration Management

CMMC Level 3 introduces the following three Configuration Management practices:

CM.3.067 – Define, document, approve access to all systems, both physical and virtual. System access must be based on the current security configuration.
CM.3.068 – Minimize access through restriction, disablement and prevention. These systems include hardware, software, functions and services.
CM.3.069 – Deny access by exception, commonly known as blacklisting, to prohibit unauthorized access. Enable authorized access by permitting by exception, also known as whitelisting.

Identification and Authentication

CMMC Level 3 introduces the following four Identification and Authentication practices:

IA.3.083 – Utilize multi-factor authentication (MFA) for local and network access to privileged accounts. Network access to non-privileged accounts also requires MFA.
IA.3.084 – Employ authentication mechanisms for access to privileged and non-privileged accounts that are “replay resistant.” These measures include cryptographic nonces, one-time authenticators and Transport Level Security (TLS).
IA.3.085 – Prevent reuse of identification credentials like user names by the same user or others for a defined period after changes to the account, including termination.
IA.3.086 – Disable identification credentials after an organizationally defined period of inactivity in the account. This action must also prevent reuse, per IA.3.085.

Incident Response

CMMC Level 3 introduces the following two Incident Response practices:

IR.3.098 – Ensure that all incidents are tracked, documented and reported to all designated authorities, whether they’re internal and external to the organization.
IR.3.099 – Regularly test the organization’s incident response capabilities.

Maintenance

CMMC Level 3 introduces the following two Maintenance practices:

MA.3.115 – Sanitize equipment transported off-site for maintenance by removing all CUI, including traces and other potential pathways to unauthorized access to CUI.
MA.3.116 – Monitor all media containing diagnostic or test programs to ensure it’s free of all forms of malicious code prior to installing or using it on organizational systems.

Media Protection

CMMC Level 3 introduces the following four Media Protection practices:

MP.3.122 – Mark or code any media containing CUI intended for limited distribution.
MP.3.123 – Disallow the use of any portable storage devices with unclear ownership or origin.
MP.3.124 – Restrict access to media containing CUI. Maintain accountability for this media during transport to areas not controlled by the organization.
MP.3.125 – Use cryptography or physical safeguards to protect the confidentiality of CUI stored on digital media, especially during transport.

Physical Protection

Level 3 introduces the first Physical Protection practice as follows:

PE.3.136 – Expand physical safeguards for CUI to all alternative work sites.

Recovery Practice

Level 3 introduces the first Recovery practice as follows:

RE.3.139 – Regularly perform robust and resilient data backups according to protocols and schedules defined by the organization’s security needs and storage media.

Risk Management

CMMC Level 3 introduces the following three Risk Management practices:

RM.3.144 – Perform periodic risk assessments that identify and prioritize risks according to criteria defined by the organization, including categories and sources.
RM.3.146 – Develop and implement plans to mitigate those risks as they’re identified.
RM.3.147 – Manage products separately if they’re unsupported by vendors. Enforce access restrictions to these products and use them independently of other assets to reduce the spread of malware.

Security Assessment

CMMC Level 3 introduces the following two Security Assessment practices:

CA.3.161 – Monitor existing security controls to ensure ongoing efficacy and safety.
CA.3.162 – Employ independent security assessments specific to software developed internally for internal use if it has been identified as a risk.

Situational Awareness

Level 3 introduces the first Situational Awareness practice as follows:

SA.3.169 – Collect, analyze and share relevant cyber threat intelligence from external sources with stakeholders, including reputable reports and forums.

Systems and Communications

Level 3 introduces 15 new controls for System and Communications, the most of any domain. These include the following:

SC.3.177 – Use cryptography up to FIPS for protecting CUI.
SC.3.180 – Ensure that effective and efficient information security is optimized across all information system elements, including the following:

Architectural designs
Infrastructural designs
Software development techniques
System engineering principles

SC.3.181 – Fully separate user functionalities access and system management.
SC.3.182 – Prevent insecure transfers of sensitive information with shared internal and external system resources, including unintentional and unauthorized transfers.
SC.3.183 – Implement a whitelist approach to network communications traffic, meaning such traffic is denied by default and allowed only by exception.
SC.3.184 – Prevent the potentially dangerous occurrence of “split tunneling,” in which remote devices simultaneously establish a non-remote connection with the organization’s systems and a connection to resources in external networks.
SC.3.185 – Use cryptography or physical safeguards to prevent unauthorized disclosure of CUI, especially during transmission or transportation.
SC.3.186 – Terminate network connections related to communication immediately upon the end of the session or after a period of inactivity defined by the organization.
SC.3.187 – Maintain cryptographic keys for all cryptography used across all systems.
SC.3.188 – Strictly monitor and control the use of mobile codes.
SC.3.189 – Strictly monitor the use of Voice over Internet Protocol (VoIP) technology.
SC.3.190 – Ensure authenticity of communications across sessions.
SC.3.191 – Ensure protection of CUI while in storage or some other passive capacity.
SC.3.192 – Use robust Domain Name System (DNS) filtering services.
SC.3.193 – Develop and enforce a policy restricting the publication of CUI on external, publicly accessible media and platforms such as forums and social media.

System and Information Integrity

CMMC Level 3 introduces the following three System and Information Integrity practices:

SI.3.218 – Deploy mechanisms for detecting spam and protecting against it at all entry, exit and access points to the organization’s information systems.
SI.3.219 – Use all available resources to detect and prevent document forgery.
SI.3.220 – Implement sandboxing techniques to detect, filter, block or otherwise prevent malicious and suspicious email communications.

Position yourself for CMMC Level 3 success with cuick trac™

Cuick trac™ is a pre-configured, secure virtual enclave that allows government contractors to handle, store, and process CUI, along with the supporting documentation you need to meet NIST SP 800-171 requirements.

Learn how cuick trac™ can help your organization prepare for CMMC Level 3 compliance. Request a free cuick trac™ demo today to speak with one of our security experts about your cybersecurity needs.

Get DFARS/NIST 800-171 Compliant With cuick trac™ — a private hosted, virtual enclave

Get a Free Demo

Sources:

https://www.acq.osd.mil ‍

https://www.acq.osd.mil/

https://nvlpubs.nist.gov

https://www.nist.gov/