Level 3 Requirements

What does it take to achieve Level 3 compliance?

Practices found in CMMC Levels 1-3 most closely align to the 110 controls found in NIST 800-171 for handling Controlled Unclassified Information, but 20 practices and 52 maturity processes go beyond NIST. 

Level 3 CMMC Practices

Here are the most significant areas of CMMC to consider if you are already meeting DFARS 7012 and NIST 800-171.

  • Logging, monitoring, incident response, and reporting capabilities with a SIEM or similar technical solution - Domain Reference: Incident Response (IR) and Audit and Accountability (AU)
  • The ability to backup and restore data through tested, comprehensive, and resilient in backup efforts
  • Logically and technically separate management of unsupported products with network restrictions and regular risk assessments to identify vulnerabilities - Domain Reference: Risk Management (RM)
  • DNS filtering, spam protection, and email sandboxing to protect agains malicious traffic - Domain Reference: System and Communication Protection (SC) and System and Information Integrity (SI)

To pass a Level 3 audit, companies will be assessed on their ability to meet and demonstrate all practices (130 broken down below) to address Levels 1, 2, and 3. This will include technical architecture and solutions, along with written policies.


DFARS Overlap

How do DFARS and CMMC Level 3 overlap?

CMMC and DFARS 7012 collectively consists of three basic requirements:

  1. Adequate Security: NIST 800-171's 110 distinct security controls (DFARS) plus the additional 20 practices (CMMC) as mentioned in the previous section
  2. Contractual Flowdown: If the prime contractor has to meet DFARS and CMMC requirements, so do their subcontractors or vendors - though CMMC may require a lesser level
  3. Event and Incident Reporting: In response to an incident or cyber event, DFARS requires your organization to notify DoD through formal reporting mechanisms and DoD will need access to your environment - including cloud tenants and other cloud systems handling CUI

As Scott Edwards, President of Summit 7, stated in a previous presentation on CMMC Level 3 "If you're NOT NIST 800-171 compliant, go back and do that. You can't tackle CMMC if you are not NIST compliant; it's also just practicing basic cyber hygiene".



Next Steps

What technical and procedural practices do you need to implement?

Upon NIST 800-171 compliance, there are an additional 10 technical and 10 procedural practices to implement to achieve CMMC Level 3 compliance.

A few examples:

  • Define procedures for the handling of CUI data
  • Analyze and triage events to support event resolutions and incident declaration
  • Regularly perform complete and comprehensive and resilient data backups as organizationally defined
  • Manage non-vendor support products separately and restrict as necessary to reduce risk
  • Implement DNS filtering services
  • Employ spam protection mechanisms at information system access entry and exit

To start with a proper understanding of L3, watch this 20 min excerpt from the most watched CMMC Level 3 discussion on YouTube.


Potential Technical Solutions

What solution sets can get you to Level 3 CMMC compliance?

SIEM solutions to meet incident response requirements:

  • LogRhythm
  • LogVault
  • AlientVault
  • Splunk
  • Others

Summit 7 Preferred: Microsoft Azure Government Sentinel


Resilient data backup and restoration solutions meeting FedRAMP Moderate standards and able to backup Office 365 GCC High:

  • Veeam
  • AvePoint (US based)

Summit 7 Preferred: AvePoint and Azure Backup


DNS Filtering:

  • Webroot
  • Cisco Umbrella
  • TitanHQ
  • PaloAlto DNS Security service

Summit 7 Preferred: OpenDNS


SPAM and Email protections:

  • Cisco Email
  • Proofpoint
  • Barracuda
  • Fireeye

Summit 7 Preferred: Office 365 GCC High Exchange Online Protection and ATP

Summit 7 has architected a complete solution set to help organizations achieve CMMC Level 3 compliance. The set is developed within Office 365 GCC High and Azure Government as part of the initiative to protect the warfighter and keep the Defense Industrial Base secured.

You can learn more about it here.

Related Pages:

The Foundation and Levels

As the image below represents, meeting Level 3 requires organizations to practice "Good Cyber Hygiene", while actively "managing" security processes. CMMC officials, including Katie Arrington of the Office of the Under Secretary of Defense (OUSD), have publicly stated the majority of defense contractors will need to certify at Level 1 on the outset. Nevertheless, most prime contractors and many of their subs in the DIB will need to meet Level 3, as it most closely aligns to the preexisting requirements of DFARS 7012. This is especially true for organizations that more regularly handle Controlled Unclassified Information (CUI) or interact with more sensitive data sets. Access a more detailed explanation and overview of CMMC, as well as history and background here.

CMMC Level Model

Still Have Questions?

If you still have questions about CMMC Level 3, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.

Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance:

Start The Conversation