Contractors and subcontractors for the United States Department of Defense (DoD) should have a working knowledge of the Cybersecurity Maturity Model Certification (CMMC) framework. It’s the set of guidelines set by the DoD in implementing cybersecurity protocols for contractors. These guidelines augment, and overlap with, the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) compliance.
What Is CMMC Level 3?
There are five CMMC maturity levels under the framework, but let’s focus on the third level. Under a CMMC Level 3 certification, organizations must follow protocols on protecting controlled unclassified information (CUI). Compared to prior levels, a Level 3 certification entails handling more confidential data sets.
To achieve Level 3 certification, companies must have Good Cyber Hygiene and actively manage cybersecurity processes. This means complying with Level 1–Basic Cyber Hygiene (comprising 17 basic safeguarding requirements specified in FAR 48 CFR 52.204-21) and Level 2–Intermediate Cyber Hygiene (an additional 55 cybersecurity practices) requirements.
How CMMC Level 3 Certification Requirements Overlap with DFARS Requirements
Some CMMC Level 3 requirements overlap with DFARS requirements, which is why organizations aiming for Level 3 must enforce security controls implemented by both NIST 800-171 (110 security controls) and CMMC (additional 20 controls). In fact, complying with NIST 800-171 makes it easier to meet the CMMC Level 3 requirements.
These certification requirements trickle down to subcontractors, meaning contractors must work with subcontractors who meet DFARS and CMMC requirements. And in case of a security incident, contractors must notify the DoD and allow access to their systems handling CUI, all of which should be done according to DFARS’ prescribed reporting protocols.
What Are the CMMC Level 3 Requirements?
Refer to this checklist to understand the CMMC Level 3 controls:
✓ Wireless access protection
- This involves implementing authentication and encryption methods that safeguard access to wireless networks.
✓ Remote access protocols
- This entails cryptographic mechanisms to protect the confidentiality of users’ remote access sessions, whether they’re accessing systems via a home workstation or any alternative workspace.
✓ Separation of employees’ duties and responsibilities
- Tasks must be properly divided among employees to avoid the risk of malicious activities. Employees may commit errors and/or fraud if critical duties are not clearly defined, and only one person is tasked to perform them from start to finish.
✓ Privileged and nonprivileged user access
- Prevent nonprivileged users from executing privileged functions. Only privileged users must be given permissions to privileged functions, especially those involving security functions, and the execution of security functions must be captured in audit logs.
- Only a small subset of privileged users should modify audit logs, audit settings, and perform other audit management tasks.
✓ Automatic termination of user sessions
- Users’ sessions must be terminated based on an organization’s policy. This policy should indicate circumstances and particular triggers that will necessitate automatically ending a user’s session to avoid attackers from abusing unattended sessions.
✓ Control connection of mobile devices
- This requires organizations to establish guidelines on the proper use and configuration of mobile devices. All devices must be identified, authenticated, and running the proper software versions for their corresponding operating systems. They must also have antivirus software installed and hardware settings configured so that unauthorized features are disabled.
✓ Remote execution for privileged users
- Privileged users need to be able to execute privileged commands and be allowed remote access to security-relevant information, with important restrictions. These users and the changes they make must be identified and documented.
✓ CUI Encryption on mobile devices
- CUI on all mobile devices (laptops, smartphones, tablets, etcal.) and mobile platforms must be encrypted using container-based encryption mechanisms.
- This also includes enabling an encryption scheme that protect CUI transported in various media devices.
✓ Establish procedures for handling CUI data
- These must include guidance on how to categorize, implement access, receive, transmit, and destroy physical and digital CUI.
✓ Security awareness training on identifying insider threats
- Training sessions must cover how to identify staff behavior that indicates the risk for insider threats, and processes on reporting such behavior.
✓ Review and update logged events
- Regularly reviewing logged events will allow organizations to recognize potential security events. When logging non-security events, on the other hand, include installed software and attempts to connect to a virtual private network (VPN) server.
✓ Audit logging process failure alerts
- Security officers and system administrators must automatically be notified of audit log failures, so they’ll always be aware of any suspicious activity.
✓ Audit information collected/stored in centralized locations
- This is to provide the organization with complete information on audit logs.
✓ Audit information protection
- Organizations must protect audit information from unauthorized access, modification, and deletion by enabling proper configuration of logs or audit logging tools.
✓ Audit record review and analysis
- This involves the review, analysis, and reporting of audit records to identify and report security incidents so that they may be investigated on time.
✓ Audit record reduction
- This includes removing unnecessary information pertaining to audit files such as details on nightly backups, to avoid irrelevant information on audit record reports.
✓ Ongoing monitoring of security controls
- This process lets you assess your organization’s overall security posture.
✓ Deployment of security assessment of enterprise software
- This is another step to identify and mitigate security risks and vulnerabilities.
✓ Physical and logical access restrictions
- Only qualified, authorized individuals must be able to make physical and logical changes to hardware, software, software libraries, and other relevant components.
✓ Restriction of nonessential programs
- Create a policy on disabling or removing nonessential programs, functions, ports, protocols, and services from servers.
✓ Blacklisting/Whitelisting policies to prevent the use of unauthorized software
- This can be done by creating an unauthorized software list.
✓ Multifactor authentication (MFA)
- MFA should be enabled for privileged accounts’ local and network access and nonprivileged accounts’ network access.
✓ Replay-resistant authentication mechanisms
- These mechanisms apply to privileged and nonprivileged accounts’ network access, aimed at preventing man-in-the-middle attacks.
✓ Do not reuse identifiers for a certain period
- This is to avoid reusing identifiers within the organization’s specified time period.
✓ Disable inactive identifiers
- Remove unnecessary user accounts.
✓ Testing incident response
- This should address and document everything that has to do with an incident.
✓ Media checks
- This involves checking media for malicious codes and controlling access to media containing CUI.
✓ Prohibiting the use of portable storage
- Particularly, portable storage devices (such as small hard drives) that have no identifiable owner.
✓ Physical protections
- This pertains to physical protective measures such as file drawers not just for the organization’s premises but also to alternate work sites.
✓ Resilient and comprehensive data backups
- Systems and data essential to business continuity should be backed up regularly.
✓ Risk assessments and protection plans
- This applies to identifying risks to an organization’s functions and assets including IT systems, people, data, and facilities. An organization must develop a mitigation plan for every identified risk.
✓ End-of-life technologies management and support
- Some end-of-life technologies may be used for an extended period to support a business, but others will need to be removed to reduce security risks.
✓ External cyberthreat information
- Leverage information sharing forums to enhance situational awareness, and these must be communicated to the organization’s stakeholders.
✓ Effective information security systems
- Use a resource like the NIST SP 800-160 System Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems to develop a guideline for your organization’s security engineering and design principles.
✓ Shared system resources restrictions
- Hard disks and other shared system resources must not transmit information from user to user to protect confidentiality of information.
✓ Network communications traffic restrictions
- Deny all incoming and outgoing traffic in the network, but permit specific ones per your organization’s set policies.
✓ Controlled use of mobile codes
- Unauthorized mobile codes, whether they’re Java, Flash, or other codes, should not be allowed to execute on the network.
✓ Controlled use of Voice over Internet Protocol (VoIP) technologies
- Set guidelines for using VoIP technologies to avoid threats such as eavesdropping on calls and caller ID spoofing.
✓ Protection for the authenticity of communication sessions
- Authenticating a session requires users to enter their login credentials to establish communication.
✓ Protection for CUI at rest
- Implement security controls for CUI stored in drives and does not move through the network.
✓ Domain Name System (DNS) filtering
- Implement a DNS filter to block access to malicious websites and IP addresses.
✓ CUI publication restrictions
- Prohibit staff from publishing CUI and CUI-related information to externally owned, publicly accessible websites such as forums and social media platforms like LinkedIn, Facebook, and Twitter.
✓ Spam protections
- Enable spam filters on inbound and outbound emails.
✓ Email forgery protections
- These augment your spam filters and other email protections. Some of these tools’s functions include displaying servers allowed to send email for a given domain and authenticating email messages.
- Implementing an email sandbox entails developing an isolated environment where file attachments and linked URLs can be executed, and allows you to detect suspicious activity before such files enter your network.
Take the first step to achieving a CMMC Level 3 certification with the help of Charles IT’s CMMC compliance experts. Call us to start your gap assessment now — we promise you’ll get a call in one hour.