Under the Cybersecurity Maturity Model Certification (CMMC), all DoD contractors are required to be evaluated on the maturity and reliability of their cybersecurity infrastructure, earning certifications ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced security). The five CMMC certification levels are tiered, so the requirements and processes for each level builds upon the previous. Future DoD contracts will indicate the certification level required to bid, and only companies certified to the level specified or higher will be allowed to submit a proposal for those contracts.

When the CMMC was created, the central goal was to improve the protection of controlled unclassified information (CUI) within the DoD supply chain. Building upon the requirements of the two preceding levels, CMMC Level 3 certifies “good cyber hygiene” and is the first certification level to focus on the protection of CUI. At a minimum, companies that create or access CUI will need to earn the Level 3 certification, which adequately demonstrates an organization’s basic ability to protect CUI and any sensitive assets they handle. Since CMMC Level 3 is expected to be the most common level requirement in future contracts, it is an important achievement for organizations hoping to continue to work with the DoD.

In the third installment of our five-part series, Exploring the Five Certification Levels of the CMMC, we’ll take a closer look at the CMMC Level 3 certification and the various requirements necessary for achieving compliance.

Need a quick refresher on the requirements of the CMMC Level 1 and Level 2 certification?

Check out these two blogs for a closer look.

CMMC Level 1                     CMMC Level 2


CMMC Level 3 Certification

As discussed previously in our CMMC certification series, both CMMC Level 1 and Level 2 are primarily focused on safeguarding Federal Contract Information (FCI), or contract information necessary for delivering a product or service to the government, but not intended for public release (e.g., shipping and billing information, invoices, etc.). CMMC Level 3 is the first of the five levels designed for the protection of CUI, or government-created or owned information that requires safeguarding (e.g., personally identifiable information, legal documents, technical drawings, blueprints, etc.).

Since the security requirements specified in NIST SP 800-171 are aimed at protecting the confidentiality of CUI, CMMC Level 3 encompasses all 110 practices found within this framework (38 requirements added to those found at Level 2). In addition, there are 20 security practices from other standards and references required at Level 3 (13 from Level 3 and 7 from Level 2) to help mitigate threats and support cyber hygiene – a total of 130 practices. Level 3 also has 29 capabilities and 17 domains with Asset Management and Situational Awareness making their first appearance.

CMMC Level 3 Process Guidelines

The CMMC framework is a cumulative model, with each of the five levels building upon the other’s technical requirements. In order to achieve compliance with Level 3, all of the practices and processes defined in Level 1, Level 2, and Level 3 must be met. Therefore, defense contractors need to establish and document practices and policies for guiding the implementation of their CMMC efforts (i.e., the two Level 2 processes), and also create and document a “managed” plan (i.e., the Level 3 process). Let’s take a closer look at the CMMC Level 3 process:

Process 1: Establish, maintain, and resource a plan that includes [DOMAIN NAME]

At Level 3 companies are expected to establish and maintain security activities, review policies and processes, and demonstrate a plan for performing and managing practice implementation. Each domain should have one of these plans, which can be a stand-alone document, part of a larger document, or distributed among numerous documents, depending on how an organization maintains domain activities and practices. The plan should inform senior management on the status of domain activities and illustrate how they are being managed.

Typically, the plan includes the following information:

  • Mission and/or vision statement
  • Strategic goals/objectives, preferably in SMART format (i.e., Specific, Measurable, Attainable, Result-focused, Time-bound)
  • Relevant standards and procedures
  • A project plan to record activities, due dates, and organizational resources (e.g., funding, people, tools)
  • Required training necessary for performing the domain activities
  • Involvement of relevant stakeholders

Within the project plan, organizations must define the resources that are assigned to the management of the specific domain activities, which includes funding, people, and tools.

Process Plan Resources


Funding resources are the financial support necessary to fully execute the activities in the various domains. For each domain, financial needs should be identified, a budget should be established, and any gaps in funding should be resolved. Funding for the different domain activities can also help indicate the level of support needed from senior management and executives.


People resources represent the staff members assigned to support the different domain activities. Staff members should have the appropriate knowledge, skills, and abilities of the information systems to perform the various domain activities.


Tools refer to the specific technology necessary to guarantee domain activities can be carried out as documented in the resource plan. The tools required to execute the resource plan and the funds available to procure and manage the tools should be identified. The people resources should also be adequately trained in the use of these tools.

The Level 3 process also requires a detailed review of these policies and practices in order to assess adherence. If a company seeking a CMMC Level 3 certification only adheres to the process maturity of Level 2, only a certification at Level 2 will be possible, even if all 130 practices are in place.

The 20 Practices Beyond NIST SP 800-171

Certification at CMMC Level 3 ensures good cyber hygiene and the effective implementation of all 110 requirements of NIST SP 800-171. Companies that have already configured their security environment to align with the requirements of the NIST SP 800-171 framework should have a solid start for successfully achieving the CMMC Level 3 certification. However, there are an additional 20 practices beyond NIST SP 800-171 that must also be implemented.

Domain: Asset Management

AM.3.036 - Define procedures for the handling of CUI data.

Procedures for handling CUI should be defined and should include how to categorize data as CUI. These procedures should also include guidance on how to receive, transmit, store, and destroy CUI.

Domain: Audit and Accountability

AU.3.048 – Collect audit information (e.g., logs) into one or more central repositories.

Storing audit logs in a centralized location allows for a full picture of the audit logs and can support automated analysis capabilities. The central repository will need to have the appropriate infrastructure and the ability to meet the logging requirements of the organization.

AU.2.044 – Review audit logs.

Audit logs will need to be regularly checked in order to identify potential malicious activity.

Domain: Incident Response

IR.2.093 - Detect and report events.

The purpose of this practice is to detect events (any observable occurrence) on an organization’s network. These events can be detected through observations such as loss of productivity, alarms, or through the results of an audit or assessment.

IR.2.094 – Analyze and triage events to support event resolution and incident declaration.

To achieve compliance with this practice, events must be analyzed in order to determine how to handle the events. In the event of an incident, various responses can be taken including:  

  1. Declare an incident from the event
  2. Escalate it to someone outside of the organization
  3. Close the event because it does not have a large consequence on the organization

IR.2.096 – Develop and implement responses to declared incidents according to pre-defined procedures.

The procedures for responding to an incident should be written beforehand to help guide the development and implementation of the processes during an incident. These responses should either prevent or contain the impact of the incident and will vary depending on the incident.

IR.2.097 - Perform root cause analysis on incidents to determine underlying causes.

Organizations are expected to understand what happened during an incident and why. The causes of an event or incident should be examined as well as how it was responded to in order to help prevent future similar incidents.

Domain: Recovery

RE.2.137 - Regularly perform and test data backups.

Organizational data should be backed up to ensure it can be recovered from hardware failure, software failure, malware infections, or any other event. Backups can be scheduled to run automatically or manually.

RE.3.139 - Regularly perform complete, comprehensive, and resilient data backups as organizationally defined. 

Systems and data should be backed up at a regular interval to allow an organization to restore the system or data in accordance with business requirements. Backups should be scheduled to satisfy the needs of the organization.

Domain: Risk Management

RM.3.144 – Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

This practice expands upon the related Level 2 practice by requiring that defined risk categories, identified sources of risks, and specific risk measurement criteria are included in the risk assessment. Risk assessments should be performed periodically to identify potential risks and mitigate the recurrence of an incident.

RM.3.146 – Develop and implement risk mitigation plans.

Organizations should not only be aware of their organizational risks, but also have a risk mitigation plan for responding to them when they occur. Risk mitigation plans should include:

  • How the vulnerability or threat will be reduced
  • The actions that will limit risk exposure
  • Controls to be implemented
  • Staff responsible for the mitigation plan
  • The resources required for the plan
  • The implementation specifics (e.g., when, where, how)
  • How the plan implementation will be measured or tracked

RM.3.147 – Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

Sometimes it is necessary to continue using end-of-life technologies that extends beyond the support offered by the vendor (i.e., the vendor no longer provides software updates). In order to mitigate the risk of these end of life technologies present, unsupported products should be managed separately.

Domain: Security Assessment

CA.3.162 - Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.

Organizational code should undergo sufficient testing to identify and mitigate errors and vulnerabilities.

Domain: Situational Awareness

SA.3.169 – Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

To enhance situational awareness, external sources should be leveraged to gather cyber threat information and ensure up-to-date threat information is being received.

Domain: System and Communications Protection

SC.2.179 – Use encrypted sessions for the management of network devices.

Encrypted sessions should be used when connecting to and managing a network device. The most common encryption method is Secure Shell (SSH).

SC.3.192 – Implement Domain Name System (DNS) filtering services.

This practice is a common practice in IT security. Organizations should use DNS filtering to help prevent access to known malicious websites or IP addresses.

SC.3.193 – Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).

A defined and communicated policy should be established and signed off on to prohibit employees from posting CUI on public websites, which includes social media outlets.

Domain: System and Information Integrity

SI.3.218 - Employ spam protection mechanisms at information system access entry and exit points.

Spam filters should be applied on all inbound and outbound emails to protect an organization from having its email server blacklisted for sending spam emails.

SI.3.219 - Implement email forgery protections.

This practice is used to reduce the effectiveness of phishing, spear phishing, and whaling attacks by requiring the implementation of email protections in addition to basic spam protections.

SI.3.220 - Utilize sandboxing to detect or block potentially malicious email.

This practice requires that sandboxing be used to quarantine emails that are suspected of having malicious attachments or links. Emails should be opened within the sandbox to detect malicious activity before it can be exposed on the internal network.

As the minimum level necessary to handle CUI, Level 3 is likely to be a common requirement on future DoD contracts. Although compliance with the NIST SP 800-171 framework will make earning the Level 3 certification an easier process, you will have to go a few steps farther to meet all the practices and processes for Level 3. However, taking the necessary steps now to meet the CMMC Level 3 compliance requirements will make all the difference when the certification process for Level 3 contracts begin.

Want more cybersecurity insights in your inbox?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.