Level 3: Good cyber hygiene

CMMC level 3 increases the number of security practices required at level 1 and level 2 by 58 practices (45 from NIST 800-171r2 and 13 from other sources).  Bringing the total number of practices to maintain Level 3 compliance to 138, this includes the practices defined at Level 1 (17) and Level 2 (55).  Level 3 compliance will require an organisation to apply the compliance processes identified at Level 1 and Level 2 (practised and documented) to Level 3 practices.  In addition, the organisation will have to establish, maintaining and resource a plan to demonstrate that it is managing the activities for practice implementation.

By demonstrating that Level 3 practices are being performed, documented and managed the organisation will develop its cybersecurity maturity, for the protection of Controlled Unclassified Information (CUI).

Processes : ManagedLevel 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices : Good Cyber HygieneLevel 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 [4] as well as additional practices from other standards and references to mitigate threats.
It is noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) [5] specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 3 consist of 16 security domains addressing 27 capabilities with an additional 58 security practices.

DomainCapabilityPractice referencePractice decription
Access Control (AC)C002 Control internal system accessAC.3.012Protect wireless access using authentication and encryption.
AC.3.017Separate the duties of individuals to reduce the risk of malevolent activity
without collusion.
AC.3.018Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.3.019Terminate (automatically) user sessions after a defined condition.
AC.3.020Control connection of mobile devices.
C003 Control remote system accessAC.3.014Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.3.021Authorize remote execution of privileged commands and remote access to security-relevant information.
C004 Limit data access to authorized users and processesAC.3.022Encrypt CUI on mobile devices and mobile computing platforms.
Asset Management (AM)C005 Identify and document assetsAM.3.036Define procedures for the handling of CUI data.
Audit & Accountability (AU)C007 Define Audit requirementsAU.3.045Review and update logged events.
AU.3.046Alert in the event of an audit logging process failure.
C008 Perform AuditAU.3.048Collect audit information (e.g., logs) into one or more central repositories.
C009 Identify and protect audit informationAU.3.049Protect audit information and audit logging tools from unauthorized access, modification and deletion.
AU.3.050Limit management of audit logging functionality to a subset of privileged users.
C010 Review and manage audit logsAU.3.051Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.
AU.3.052Provide audit record reduction and report generation to support on-demand analysis and reporting.
Awareness & Training (AT)C011
Conduct security awareness activities
AT.3.058Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Configuration Management (CM)C014 Perform configuration and change managementCM.3.067Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems.
CM.3.068Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
CM.3.069Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Identification & Authentication (IA)C015
Grant access to authenticated entities
IA.3.083Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
IA.3.084Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
IA.3.085Prevent the reuse of identifiers for a defined period.
IA.3.086Disable identifiers after a defined period of inactivity.
Incident Response (IR)C018 Develop and implement a response to a declared incidentIR.3.098Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.
C020 Test incident responseIR.3.099Test the organizational incident response capability.
Maintenance (MA)C021 Manage maintenanceMA.3.115Ensure equipment removed for off-site maintenance is sanitized of any CUI.
MA.3.116Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Media Protection (MP)C022 Identify and mark mediaMP.3.122Mark media with necessary CUI markings and distribution limitations.
MP.3.123Prohibit the use of portable storage devices when such devices have no identifiable owner.
C025 Protect media during transportMP.3.124Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
MP.3.125Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Physical Protection (PE)C028 Limit physical accessPE.3.136Enforce safeguarding measures for CUI at alternate work sites.
Recovery (RE)C029 Manage back-upsRE.3.139Regularly perform complete, comprehensive and resilient data backups as organizationally-defined.
Risk Management (RM)C031 Identify and evaluate riskRM.3.144Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.
C032 Manage riskRM.3.146Develop and implement risk mitigation plans.
RM.3.147Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
Security Assessment (CA)C035 Define and manage controlsCA.3.161Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
C036 Perform code reviewsCA.3.162Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally-defined as an area of risk.
Situational Awareness (SA)C037 Implement threat monitoringSA.3.169Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
System & Communications Protection (SC)C038 Define security requirements for systems and communicationsSC.3.177Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
SC.3.180Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.
SC.3.181Separate user functionality from system management functionality.
SC.3.182Prevent unauthorized and unintended information transfer via shared system resources.
SC.3.183Deny network communications traffic by default and allow network communications traffic by exception (e.g., deny all, permit by exception).
SC.3.184Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (e.g., split tunneling).
SC.3.185Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
SC.3.186Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
SC.3.187Establish and manage cryptographic keys for cryptography employed in organizational systems.
SC.3.188Control and monitor the use of mobile code.
SC.3.189Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
SC.3.190Protect the authenticity of communications sessions.
SC.3.191Protect the confidentiality of CUI at rest.
C039 Control communications at system boundariesSC.3.192Implement Domain Name System (DNS) filtering services.
SC.3.193Implement a policy restricting the publication of CUI on externally-owned, publicly-accessible websites (e.g., forums, LinkedIn, Facebook, Twitter, etc.).
System & Information Integrity (SI)C042 Perform network and system monitoringSI.3.218Employ spam protection mechanisms at information system access entry and exit points.
C043 Implement advanced email protectionsSI.3.219Implement email forgery protections
SI.3.220Utilize email sandboxing to detect or block potentially malicious email.

Table:  CMMC Level 3 domains, capabilities and practices