Level 3: Good cyber hygiene
CMMC level 3 increases the number of security practices required at level 1 and level 2 by 58 practices (45 from NIST 800-171r2 and 13 from other sources). Bringing the total number of practices to maintain Level 3 compliance to 138, this includes the practices defined at Level 1 (17) and Level 2 (55). Level 3 compliance will require an organisation to apply the compliance processes identified at Level 1 and Level 2 (practised and documented) to Level 3 practices. In addition, the organisation will have to establish, maintaining and resource a plan to demonstrate that it is managing the activities for practice implementation.
By demonstrating that Level 3 practices are being performed, documented and managed the organisation will develop its cybersecurity maturity, for the protection of Controlled Unclassified Information (CUI).
Processes : Managed Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices : Good Cyber Hygiene Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171  as well as additional practices from other standards and references to mitigate threats.
It is noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”)  specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.
CMMC Level 3 consist of 16 security domains addressing 27 capabilities with an additional 58 security practices.
Domain Capability Practice reference Practice decription
Access Control (AC) C002 Control internal system access AC.3.012 Protect wireless access using authentication and encryption.
AC.3.017 Separate the duties of individuals to reduce the risk of malevolent activity
AC.3.018 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.3.019 Terminate (automatically) user sessions after a defined condition.
AC.3.020 Control connection of mobile devices.
C003 Control remote system access AC.3.014 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.3.021 Authorize remote execution of privileged commands and remote access to security-relevant information.
C004 Limit data access to authorized users and processes AC.3.022 Encrypt CUI on mobile devices and mobile computing platforms.
Asset Management (AM) C005 Identify and document assets AM.3.036 Define procedures for the handling of CUI data.
Audit & Accountability (AU) C007 Define Audit requirements AU.3.045 Review and update logged events.
AU.3.046 Alert in the event of an audit logging process failure.
C008 Perform Audit AU.3.048 Collect audit information (e.g., logs) into one or more central repositories.
C009 Identify and protect audit information AU.3.049 Protect audit information and audit logging tools from unauthorized access, modification and deletion.
AU.3.050 Limit management of audit logging functionality to a subset of privileged users.
C010 Review and manage audit logs AU.3.051 Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.
AU.3.052 Provide audit record reduction and report generation to support on-demand analysis and reporting.
Awareness & Training (AT) C011
Conduct security awareness activities
AT.3.058 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Configuration Management (CM) C014 Perform configuration and change management CM.3.067 Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems.
CM.3.068 Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
CM.3.069 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Identification & Authentication (IA) C015
Grant access to authenticated entities
IA.3.083 Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
IA.3.084 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
IA.3.085 Prevent the reuse of identifiers for a defined period.
IA.3.086 Disable identifiers after a defined period of inactivity.
Incident Response (IR) C018 Develop and implement a response to a declared incident IR.3.098 Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.
C020 Test incident response IR.3.099 Test the organizational incident response capability.
Maintenance (MA) C021 Manage maintenance MA.3.115 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
MA.3.116 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Media Protection (MP) C022 Identify and mark media MP.3.122 Mark media with necessary CUI markings and distribution limitations.
MP.3.123 Prohibit the use of portable storage devices when such devices have no identifiable owner.
C025 Protect media during transport MP.3.124 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
MP.3.125 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Physical Protection (PE) C028 Limit physical access PE.3.136 Enforce safeguarding measures for CUI at alternate work sites.
Recovery (RE) C029 Manage back-ups RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined.
Risk Management (RM) C031 Identify and evaluate risk RM.3.144 Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.
C032 Manage risk RM.3.146 Develop and implement risk mitigation plans.
RM.3.147 Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
Security Assessment (CA) C035 Define and manage controls CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
C036 Perform code reviews CA.3.162 Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally-defined as an area of risk.
Situational Awareness (SA) C037 Implement threat monitoring SA.3.169 Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
System & Communications Protection (SC) C038 Define security requirements for systems and communications SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
SC.3.180 Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.
SC.3.181 Separate user functionality from system management functionality.
SC.3.182 Prevent unauthorized and unintended information transfer via shared system resources.
SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (e.g., deny all, permit by exception).
SC.3.184 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (e.g., split tunneling).
SC.3.185 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
SC.3.186 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
SC.3.187 Establish and manage cryptographic keys for cryptography employed in organizational systems.
SC.3.188 Control and monitor the use of mobile code.
SC.3.189 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
SC.3.190 Protect the authenticity of communications sessions.
SC.3.191 Protect the confidentiality of CUI at rest.
C039 Control communications at system boundaries SC.3.192 Implement Domain Name System (DNS) filtering services.
SC.3.193 Implement a policy restricting the publication of CUI on externally-owned, publicly-accessible websites (e.g., forums, LinkedIn, Facebook, Twitter, etc.).
System & Information Integrity (SI) C042 Perform network and system monitoring SI.3.218 Employ spam protection mechanisms at information system access entry and exit points.
C043 Implement advanced email protections SI.3.219 Implement email forgery protections
SI.3.220 Utilize email sandboxing to detect or block potentially malicious email.
Table: CMMC Level 3 domains, capabilities and practices