Building a CMMC Compliance Checklist for Level 3 Certification


Most organizations wanting to contract or subcontract with the Department of Defense should aim for CMMC level 3. This is the minimum required level for handling controlled unclassified information (CUI), and compliance will be fully enforced from October 2025.

While the enforcement date might sound like a long way off, implementing all the controls and practices required to achieve a level 3 CMMC certification takes time. However, if you currently follow the NIST SP 800-171 security framework, you should already be well on the way.

What is a level 3 CMMC certification?

While the previous two CMMC levels are foundational, CMMC level 3 represents a moderate level of cybersecurity maturity. This encompasses the safeguards necessary to protect against most common threats and to offer some resilience against more advanced threats.

By earning a level 3 CMMC certification, you will be able to demonstrate adequate security for protecting CUI in accordance with the standards mandated by the US Department of Defense. This means that your organization will be able to bid on high-value requests for proposals.

#1. Managing user access rights

Access controls govern who has access to which information. By far the most robust access controls follow the principle of zero trust, in which logins are never assumed to be legitimate and must always be verified and logged. One of the most important preparatory steps to take is to implement multifactor authentication for verifying user identities.

In line with the principles of zero-trust security, there should be a clear distinction between privileged and non-privileged user access. In other words, no individual should have access to data they do not need to do their job, just as no individual system should be able to access data it does not need to perform its role.

#2. Protecting mobile devices

Cryptographic measures are essential, especially for mobile devices and other endpoints that lie outside the main perimeter. All communications must also be encrypted to protect against unauthorized access, such as wireless eavesdropping or man-in-the-middle attacks. This is essential for protecting remote workforces.

Today, many organizations have a bring your own device (BYOD) policy allowing employees to use their own devices for work. While ideal from a convenience and cost-saving perspective, this presents additional security challenges. These can be mitigated by having a clear BYOD policy, applying account-based security controls, and avoiding storing sensitive data on the device itself.

#3. Security awareness training

When it comes to cybersecurity, the weakest link is usually people rather than technology. A huge percentage of attacks include a phishing element, which targets human ignorance and unpreparedness rather than vulnerabilities in technology itself. As such, the only effective way to guard against phishing is by building a security-aware workforce.

Security awareness training is a central requirement for meeting the demands of CMMC level 3. Your training program should focus on accountability and creating a security-first workforce in which everyone acquires at least a basic level of cybersecurity knowledge. There are many ways to achieve this, such as simulated phishing attacks and hands-on training.

#4. Protecting against malware

While antimalware software is an essential component of any robust cybersecurity strategy, it is also one of the most elementary. Protection against malware goes far beyond the primarily reactive measures of antivirus software to include things like SIEM (security information and event management) and MDR (managed detection and response).

Security should primarily be proactive in nature. In other words, malware should never end up on your network in the first place. This also requires blacklisting and whitelisting applications and implementing physical and logical access restrictions. For example, you should restrict the usage of removable storage devices, since they can contain malicious code.

How long does it take to reach CMMC level 3?

If you have contracts with the DoD, then your existing security posture should already align with the NIST SP 800-171 framework, which is required under the DFARS clause. CMMC also includes practices and processes that fall outside the original framework, some of which may be difficult to implement for smaller organizations. Fortunately, you still have time before the new rules are fully enforced in October 2025. Moreover, working with a managed security services provider and consultancy firm can greatly accelerate your compliance efforts.  

As a Registered Provider Organization, Charles IT can make sure you have everything in place to earn your level-3 CMMC certification. Get in touch today to get started!
