While CMMC levels one and two encompass the transitional work required to get your cyber hygiene up to scratch, the third level is the one that most organizations will be aiming for. This level is currently the most common certification to aim for, as it is a requirement for businesses that handle controlled unclassified information (CUI) on behalf of the Department of Defense. You generally won’t be able to work with the DoD as a contractor or subcontractor unless you meet the CMMC level 3 requirements.
CMMC level 3 requirements require you to incorporate all the controls specified in the NIST SP 800-171 framework, along with several measures from other sources. Specifically, level 3 adds a further 58 controls for a total of 130 when we include the controls of previous levels. 45 of these new controls come from the NIST SP 800-171 framework, while 13 come from various other sources selected by the DoD. These new controls span 16 of the 17 domains outlined by the CMMC framework.
Here are the main areas you need to focus on to achieve a CMMC level 3 certification:
#1. Establish and maintain security activities
Only at the most basic level are cybersecurity measures something you implement once and then leave them to do their work. However, for these measures to be truly effective, especially in today’s constantly changing technology environment, it is vital to review them regularly and update them as necessary.
To meet the demands of CMMC level 3, organizations are expected to establish and maintain operational security measures, such as security information and event management (SIEM) and external vulnerability scanning. Rather than approaching cybersecurity as a list of tasks to be done and forgotten about, it is important to view it as an ongoing journey.
#2. Review policies and processes regularly
CMMC compliance is not just about technology, but also about people and processes, hence the commonly used acronym PPT, or people, process, and technology. People are often the weakest link in any cybersecurity strategy due to the proliferation of social engineering scams and other threats that exploit human ignorance and unpreparedness.
CMMC level 3-compliant organizations are expected to have up-to-date security policies that are regularly reviewed and rigidly enforced. There should also be a clear employee awareness training program and documented processes for what people should do in the event of unusual or suspicious behavior.
#3. Document security plans and priorities
While CMMC level 2 introduces the need for documenting all security plans and priorities, the third level builds upon this by focusing on long-term strategy and adaptability. To meet these demands, organizations must establish, maintain, and support a plan that demonstrates the management of security-related activities and projects.
Documenting your security plans and priorities does not only help you prioritize remediation strategies and provide the necessary resources – it serves as evidence of your compliance efforts as well. If, for example, your organization still suffers a data breach despite your best efforts, your documentation could save you from litigation.
What is the difference between CMMC level 3 and DFARS?
If you currently do business with the DoD in the capacity of a contractor or subcontractor, then your contracts will almost certainly already contain the DFARS 252.204-7012 clause. The key difference between the DFARS clause and CMMC is that, in the case of the latter, you cannot self-certify.
That being said, if you are already DFARS-compliant, which is mandatory if you handle CUI, you should be ready, or very nearly ready, to earn a CMMC level 3 certification. However, you may still need to implement additional security controls, because CMMC expands significantly upon the NIST SP 800-171 framework that DFARS refers to. In total, there are 20 new controls included in CMMC level 3, none of which are specified by the current NIST framework. You will also need to implement these before engaging with a CMMC auditor.
Charles IT can help prepare your organization for earning a CMMC level 3 certification starting with a thorough assessment of your existing IT environment. Book your assessment today!