CMMC Level 3
Cybersecurity Maturity Model Certification (CMMC) Level 3 builds on Level 2, which means it includes Federal Acquisition Regulation (FAR) practices and NIST SP 800-171 Rev 1 controls. It also includes 20 other important practices to support cyber hygiene. This CMMC level emphasizes the importance of planning and maintaining cybersecurity efforts.
What Is CMMC Level 3?
CMMC Level 3 is the third certification for defense contractors out of five possible levels. Specifically, these requirements apply to defense contractors who create or access Controlled Unclassified Information (CUI). The levels range from “Basic Cyber Hygiene” to “Advanced/Progressive.” Level 3 is known as “Good Cyber Hygiene.” It includes all the same requirements you’d find in Levels 1 and 2, plus some additional requirements focused on planning, sourcing and reviewing your security policies and procedures.
While CMMC Level 3 indicates good cyber hygiene overall, it is still limited compared to higher levels. An organization that is CMMC Level 3 certified may still struggle to effectively defend against advanced persistent threats (APTs).
How Does Level 3 Compare With Level 2?
The most significant differences between CMMC Level 2 and Level 3 come from the process maturity of each level, which can also be referred to as ongoing security management. Level 2 requires defense contractors to establish policies, practices and a plan to implement the required security elements.
Level 3 takes that a significant step further by also requiring a detailed review of those policies and practices, along with dedicated resources to meet the plan and activities as stated. These extra measures help ensure that security solutions are implemented correctly and can be fully effective. Achieving Level 3 certification means your organization has implemented the appropriate solutions and is actively monitoring them.