
Introduction
The Cybersecurity Maturity Model Certification (CMMC) is a set of cybersecurity standards developed by the United States Department of Defense (DoD) to ensure that companies that work with the government have adequate cybersecurity measures in place. CMMC Level 3 is the third level of certification in the CMMC model and is designed for companies that handle Controlled Unclassified Information (CUI) that is critical to the mission of the DoD. In this article, we will discuss the basics of CMMC Level 3 and what you need to know to achieve compliance.
What is CMMC Level 3
CMMC Level 3 is the third level of certification in the CMMC model. It is designed for companies that handle Controlled Unclassified Information (CUI) that is critical to the mission of the DoD. CMMC Level 3 requires the implementation of 130 cybersecurity practices. These practices are based on the requirements of the National Institute of Standards and Technology (NIST) Special Publication 800-171.
What are the 130 cybersecurity practices?
The 130 cybersecurity practices are divided into 17 domains as follows:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (CA)
- Situational Awareness (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
Each domain has six to nine practices that must be implemented for a total of 130 cybersecurity practices.
How to achieve compliance with CMMC Level 3?
To achieve compliance with CMMC Level 3, companies must implement the 130 cybersecurity practices mentioned above. The following are the steps that companies can take to achieve compliance:
- Identify the scope of the system that requires compliance with CMMC Level 3.
- Perform a self-assessment to determine the company's compliance with the 130 cybersecurity practices.
- Identify any gaps and deficiencies and develop a plan to address them.
- Implement the plan and ensure that all 130 cybersecurity practices are in place.
- Obtain a third-party assessment to verify compliance with CMMC Level 3.
- Upload the assessment results to the DoD's Supplier Performance Risk System (SPRS).
Conclusion
CMMC Level 3 is a higher level of certification than Level 2, and it is designed for companies that handle Controlled Unclassified Information (CUI) that is critical to the mission of the DoD. Compliance with CMMC Level 3 requires the implementation of 130 cybersecurity practices. Companies can achieve compliance by identifying the scope of the system that requires compliance, performing a self-assessment, identifying any gaps and deficiencies, developing a plan to address them, implementing the plan, obtaining a third-party assessment, and uploading the assessment results to the DoD's SPRS. Achieving compliance with CMMC Level 3 is a significant step towards ensuring the security of the nation's critical infrastructure and protecting sensitive government information.
Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
Carl B. Johnson, https://clearedsystems.com/author/cs-man/