What Are the CMMC Level 3 Controls?

While the controls introduced in CMMC levels 1 and 2 present the bare minimum of adequate security, the third level is where things culminate. This is also the level that most organizations should be aiming for, not least because it presents the minimum baseline security standards required for an organization to legally handle controlled unclassified information (CUI).

CMMC level 3 is especially important to organizations that already have contracts with the US Department of Defense. These organizations already have to adhere to the DFARS 252.204-7012 clause, which is an interim solution based on the NIST SP 800-171 framework. However, CMMC level 3 also introduces some additional controls that are not covered in NIST’s scope.

What is good cyber hygiene?

Good cyber hygiene is the minimum standard organizations must meet before they can take on high-value contracts with the DoD. To that end, it also serves as a springboard for higher levels, which will become mandatory once CMMC is fully implemented in October 2025. Level 3 includes full coverage of all NIST SP 800-171 rev. 1 controls, as well as 13 additional security practices from other sources.

Meeting the demands of CMMC level 3 is a lofty goal, but it can also be a highly lucrative one for any would-be defense contractor or subcontractor. However, implementing all CMMC controls from this level isn’t something you can expect to achieve in a few weeks or months. After all, it includes a grand total of 130 controls, including 58 new ones as well as all those from the previous two levels.

Here are some of the new practices introduced in CMMC level 3:

Audit and accountability (AU)

Before organizations can evolve their security measures to the point of becoming proactive, they need to first implement comprehensive auditing and accountability processes. Auditing and accountability are first introduced in CMMC level 2, but level 3 introduces 7 new controls governing more advanced auditing practices. For example, compliance now requires setting up automated alerts when an auditing or logging process fails. It also requires the collection of all audit information into centralized repositories for in-depth review and analysis. Insights collected during these auditing processes will help fuel a cycle of continuous improvement of security routines, thus forming a foundational element of CMMC level 4.
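As an added illustration (not from the original article or any CMMC tooling), the Python sketch below shows one way an alert on audit logging failure can be derived from a central repository: it flags hosts that report an explicit failure, have gone silent, or have never reported. The record format, host inventory, failure strings and five-minute threshold are all assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of centrally collected records: "<UTC timestamp> <host> <message>"
SAMPLE = """\
2024-05-01T10:00:05Z web01 user login succeeded
2024-05-01T10:00:40Z db01 user login succeeded
2024-05-01T10:01:10Z web01 file opened
2024-05-01T10:02:00Z fw01 connection accepted
2024-05-01T10:09:30Z web01 user logout
2024-05-01T10:09:45Z fw01 audit forwarding failed: queue full
"""

EXPECTED_HOSTS = {"web01", "db01", "fw01", "app02"}  # hypothetical inventory
FAILURE_MARKERS = ("forwarding failed", "audit daemon stopped")  # assumed strings


def parse_records(text):
    """Return (timestamp, host, message) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # a bad line must not abort the whole review
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        records.append((ts.replace(tzinfo=timezone.utc), parts[1], parts[2]))
    return records


def find_logging_failures(records, now, max_silence=timedelta(minutes=5)):
    """Return sorted (host, reason) alerts for hosts whose audit feed looks broken."""
    last_seen, alerts = {}, set()
    for ts, host, msg in records:
        last_seen[host] = max(ts, last_seen.get(host, ts))
        if any(marker in msg.lower() for marker in FAILURE_MARKERS):
            alerts.add((host, "explicit failure event"))
    for host in EXPECTED_HOSTS:
        if host not in last_seen:
            alerts.add((host, "never reported"))  # source was never onboarded
        elif now - last_seen[host] > max_silence:
            alerts.add((host, "silent"))  # feed stopped without an error
    return sorted(alerts)


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)
    for host, reason in find_logging_failures(parse_records(SAMPLE), now):
        print(f"ALERT {host}: {reason}")
```

The silence check matters because a stopped agent or a broken forwarder produces no error record at all; only comparison against an expected inventory reveals it.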

Asset management (AM)

Asset management is one of two new domains introduced under CMMC level 3. There is only one control included in this level, which is to document specific practices and procedures for handling CUI. This is a foundational element of the domain that eventually encompasses the ability to detect, classify, inventory, and monitor all hardware and software assets and their various dependencies, which are involved in the storage or transmission of CUI. Achieving a robust asset management routine is vital for protecting sensitive data at scale.

Situational awareness (SA)

The second of two new domains introduced under CMMC level 3, situational awareness builds upon the closely related awareness and training domain introduced in CMMC level 2. There is only one control required to achieve a level 3 certification, which is to collect, analyze, and share with stakeholders all relevant cyberthreat intelligence. This is far more technical in scope than regular security awareness training, since it involves information used by security experts to proactively hunt down threats. Cyberthreat intelligence can come from internal sources like system logs, as well as external sources like reputable cybersecurity blogs and forums.

System and communications protection (SC)

CMMC levels 1 and 2 introduced just four systems and communications protection practices, while level 3 adds a whopping 15 new controls. These controls govern the protection of data at rest or in transit, and they revolve around technical measures and procedures. Compliance requires measures to be applied across system architectures, software development routines, and system engineering principles. Many of the new controls center around data encryption, monitoring, and network connection session controls. Fortunately, many security information and event management (SIEM) solutions encompass a large number of these controls.

Charles IT offers expert guidance and cybersecurity services to get your organization ready for your first CMMC audit. Call today to schedule your first consultation!
