Steps and Domains for Achieving CMMC Level 3 Compliance

For companies and entities pursuing certification within the Cybersecurity Maturity Model Certification realm, or CMMC, there are several levels of the program to be aware of depending on the sort of controls and information you have access to. And while each of these levels is important, likely the most significant, especially in comparison to the levels below it, is CMMC Level 3.

At Rimstorm, we’re proud to offer robust CMMC compliance and other forms of government security compliance services, including NIST 800-171 and HIPAA as well. We’ve assisted numerous clients with obtaining CMMC Level 3 compliance, plus the significant efforts that are generally required to attain this level. What exactly is CMMC Level 3, how does it compare to Level 2 below it, and what are the numerous different control domains that will differ from previous levels? We’ll go over these, plus some basic steps for preparing for a CMMC audit and passing Level 3 certification.

CMMC Level 3

CMMC Level 3 is the third of five levels within this program, and it builds on the concepts found in Level 2. This means it includes the full range of FAR (Federal Acquisition Regulation) practices, plus the NIST 800-171 Rev 1 controls. On top of these, however, it also includes an additional 20 separate practices that support cyber hygiene, with a specific emphasis on planning and maintaining cybersecurity programs.

One of the key factors in Level 3 is the requirements for defense contractors who are creating or accessing Controlled Unclassified Information (CUI). Level 3, which is also termed “Good Cyber Hygiene” for simplicity, involves a number of protocols and requirements that speak specifically to CUI.

And as you may have guessed, Level 3 certification is still limited compared to Levels 4 and 5 – although the leaps here generally aren’t quite as large as the jump from Level 2 to Level 3. That said, certain advanced persistent threats (APTs) may remain a problem for organizations certified only to Level 3 and not above.

Comparisons to Level 2

The biggest difference between these two levels, for those who are wondering, is the process maturity of each, also known as ongoing security management. Level 2 is already fairly detailed here, requiring contractors to establish policies and practices while laying out a comprehensive plan for required security elements – but Level 3 goes much further.

It does this by requiring a detailed review of all these practices, plus specific resources dedicated to meeting practice goals. If Level 2 is the “set” in a volleyball game, Level 3 is the “spike,” if you will. It confirms that all the proper solutions have been implemented and are being actively and regularly monitored.

Level 3 Control Domains

As we noted above, progression to Level 3 involves all the same controls as Levels 1 and 2 – but also many more, with 130 separate controls comprising Level 3 in total. These controls can be grouped into 17 separate domains, each of which we’ll take a quick look at here to help you understand all the requirements that come with Level 3:

  • Domain AC: Access Control: Identifying and limiting people and entities allowed access to systems, plus the functions and transactions that authorized users can perform.
  • Domain AM: Asset Management: Requirements for managing services that store or interact with data, including cloud services.
  • Domain AT: Awareness and Training: Requires maintaining a training program for staff, contractors, and vendors so they can recognize and handle security threats.
  • Domain AU: Audit and Accountability: Creating and maintaining audit trails that allow for tracking of user and system activity.
  • Domain IA: Identification and Authentication: Similar to Domain AC, but with an emphasis on confirming that the person using an account is the proper individual.
  • Domain CA: Security Assessment: Assessment and testing of the system to confirm the working order of security plans.
  • Domain CM: Configuration Management: Lists all the requirements for creating baseline configurations and inventories, plus making changes to those systems.
  • Domain IR: Incident Response: Creating a plan that anticipates security incidents and specifies how to respond to them.
  • Domain MP: Media Protection: Covering the use of removable media for data storage, including both paper and electronic storage devices.
  • Domain MA: Maintenance: Protecting critical computing devices and their data against vulnerabilities in the event of a system failure.
  • Domain RE: Recovery: Covering data backups to prevent permanent data loss.
  • Domain PE: Physical Protection: Involves protecting the data facility itself, plus its various equipment, from unauthorized access that could introduce threats.
  • Domain PS: Personnel Security: Involves requirements for screening people before they are given access to any system, including those containing CUI. This area also covers handling data access for personnel who are transferred or terminated.
  • Domain RM: Risk Management: Conducting regular risk assessments of both data and the system itself.
  • Domain SC: Systems and Communications Protection: A long, detailed list of controls for the secure transmission of information within your system, including the prohibition of sharing CUI on any public forum.
  • Domain SA: Situational Awareness: Requires organizations to take intelligence regarding cyber threats seriously, plus respond to them in the proper ways.
  • Domain SI: System and Information Integrity: Monitoring for issues and promptly applying security patches as they are released, so the system is always kept up to date.

Preparing for Audit and Passing Level 3

To move to CMMC Level 3, your organization will have to pass a detailed Level 3 audit. This audit covers all the controls and requirements of this level, and the better you understand them, the more prepared you will be. This is an area where our CMMC compliance professionals play a huge role, helping entities understand areas they aren’t familiar with so they can achieve comprehensive compliance ahead of their audit.

For more on achieving CMMC Level 3 compliance and the steps that will get you there, or to learn about any of our government security compliance services, speak to the staff at Rimstorm today.