Cybersecurity Maturity Model Certification Level 3
The Cybersecurity Maturity Model Certification Level 1 is designed to help organizations establish the framework for cybersecurity maturity. This certification level requires that an organization have a documented risk management plan with defined roles and responsibilities, along with written policies on data classification and protection. The goal of this certification is not only to protect against cyber threats but also to maintain compliance with standards set by legislation such as HIPAA, PCI DSS, or GDPR.
The Cybersecurity Maturity Model Certification levels form an ascending scale from level one (least mature) to level five (most mature).
The CMMC is designed to certify and measure the levels of maturity in an organization’s Cybersecurity Program.
The ultimate goal of the Cybersecurity Maturity Model Certification is to provide protection for two types of information:
- Confidential digital information such as private emails, financial records, and data collected through work.
- Non-digital assets that are physically present at your site or elsewhere (e.g., research files).
The CMMC provides a systematic evaluation of the organization’s cybersecurity program based on best practices and current standards.
You can use this certification to measure progress toward your goals, identify gaps in your defense posture, and make informed decisions about investments or outsourcing relationships for security services.
The Cybersecurity Maturity Model Certification is centered around ascending levels of preparedness, from level 1 through level 5.
The goal of CMMC is to protect two types of data from unauthorized access.
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
- Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public.
CMMC Level 3 Processes and Practices
Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats. It is noted that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.
CMMC Level 3 Access Control Processes
- IA.3.997 – Establish, maintain, and resource a plan that includes Identification and Authentication.
CMMC Level 3 Access Control Practices
Practices are presented in the order in which they appear in the CMMC Model Matrix from top to bottom, not in numerical order.
- AC.3.017 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- AC.3.018 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- AC.3.019 – Terminate (automatically) a user session after a defined condition.
- AC.3.012 – Protect wireless access using authentication and encryption.
- AC.3.020 – Control connection of mobile devices.
- AC.3.014 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- AC.3.021 – Authorize remote execution of privileged commands and remote access to security-relevant information.
- AC.3.022 – Encrypt CUI on mobile devices and mobile computing platforms.
CMMC Level 3 Asset Management (AM)
Level 2 Maturity Processes will be addressed at Level 3 for Asset Management because there are no Level 2 Practices.
- AM.3.997 – Establish, maintain, and resource a plan that includes Asset Management.
CMMC Level 3 Asset Management Practices
- AM.3.036 – Define procedures for the handling of controlled unclassified information (CUI) data.
CMMC Level 3 Audit and Accountability Process
- AU.3.997 – Establish, maintain, and resource a plan that includes Audit and Accountability.
CMMC Level 3 Audit and Accountability Practices
- AU.3.045 – Review and update logged events.
- AU.3.046 – Alert in the event of an audit logging process failure.
- AU.3.048 – Collect audit information (e.g., logs) into one or more central repositories.
- AU.3.049 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- AU.3.050 – Limit management of audit logging functionality to a subset of privileged users.
- AU.3.051 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
- AU.3.052 – Provide audit record reduction and report generation to support on-demand analysis and reporting.
CMMC Level 3 Awareness and Training Process
- AT.3.997 – Establish, maintain, and resource a plan that includes Awareness and Training.
CMMC Level 3 Awareness and Training Practices
- AT.3.058 – Provide security awareness training on recognizing and reporting potential indicators of insider threat.
CMMC Framework Level 3 Configuration Management Practices
- CM.3.067 – Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- CM.3.068 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- CM.3.069 – Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
CMMC Level 3 Identification and Authentication (IA) Process
- IA.3.997 – Establish, maintain, and resource a plan that includes Identification and Authentication.
CMMC Level 3 Identification and Authentication (IA) Practices
- IA.3.083 – Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- IA.3.084 – Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
- IA.3.085 – Prevent reuse of identifiers for a defined period.
- IA.3.086 – Disable identifiers after a defined period of inactivity.
CMMC Level 3 Incident Response (IR) Process
- IR.3.997 – Establish, maintain, and resource a plan that includes Incident Response.
CMMC Level 3 Incident Response (IR) Practices
- IR.3.098 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
- IR.3.099 – Test the organizational incident response capability.
CMMC Certification Level 3 Maintenance Process
- MA.3.997 – Establish, maintain, and resource a plan that includes Maintenance.
Maturity Model Certification CMMC Level 3 Maintenance Practices
- MA.3.115 – Ensure equipment removed for off-site maintenance is sanitized of any CUI.
- MA.3.116 – Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
CMMC Certification Level 3 Media Protection Process
- MP.3.997 – Establish, maintain, and resource a plan that includes Media Protection.
CMMC Certification Level 3 Media Protection Practices
- MP.3.122 – Mark media with necessary CUI markings and distribution limitations.
- MP.3.123 – Prohibit the use of portable storage devices when such devices have no identifiable owner.
- MP.3.124 – Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
- MP.3.125 – Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
CMMC Certification Level 3 Physical Protection Process
- PE.3.997 – Establish, maintain, and resource a plan that includes Physical Protection.
CMMC Framework Level 3 Physical Protection Practices
- PE.3.136 – Enforce safeguarding measures for CUI at alternate work sites.
CMMC Framework level 3 Recovery Process
- RE.3.997 – Establish, maintain, and resource a plan that includes Recovery.
CMMC Framework Level 3 Recovery Practices
- RE.3.139 – Regularly perform complete, comprehensive, and resilient data backups as organizationally defined.
CMMC Framework Level 3 Risk Management Process
- RM.3.997 – Establish, maintain, and resource a plan that includes Risk Management.
CMMC Framework Level 3 Risk Management Practices
- RM.3.144 – Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.
- RM.3.146 – Develop and implement risk mitigation plans.
- RM.3.147 – Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
CMMC Framework Level 3 Security Assessment Process
- CA.3.997 – Establish, maintain, and resource a plan that includes Security Assessment.
CMMC Framework Level 3 Security Assessment Practices
- CA.3.161 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- CA.3.162 – Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.
Cybersecurity Maturity Level 3 Situational Awareness Process
Level 2 Maturity Processes will be addressed at Level 3 for Situational Awareness because there are no Level 2 Practices.
- SA.3.997 – Establish, maintain, and resource a plan that includes Situational Awareness.
Cybersecurity Maturity Level 3 Situational Awareness Practices
- SA.3.169 – Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.
Cybersecurity Maturity Model Certification CMMC System and Communications Protection Process
- SC.3.997 – Establish, maintain, and resource a plan that includes System and Communications Protection.
Cybersecurity Maturity Model Certification CMMC System and Communications Protection Practices
- SC.3.177 – Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
- SC.3.180 – Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
- SC.3.181 – Separate user functionality from system management functionality.
- SC.3.182 – Prevent unauthorized and unintended information transfer via shared system resources.
- SC.3.183 – Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
- SC.3.184 – Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
- SC.3.185 – Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
- SC.3.186 – Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
- SC.3.187 – Establish and manage cryptographic keys for cryptography employed in organizational systems.
- SC.3.188 – Control and monitor the use of mobile code.
- SC.3.189 – Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
- SC.3.190 – Protect the authenticity of communications sessions.
- SC.3.191 – Protect the confidentiality of CUI at rest.
- SC.3.192 – Implement Domain Name System (DNS) filtering services.
- SC.3.193 – Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
Cybersecurity Maturity Model Certification CMMC System and Information Process
- SI.3.997 – Establish, maintain, and resource a plan that includes System and Information Integrity.
Cybersecurity Maturity Model Certification CMMC System and Information Practices
- SI.3.218 – Employ spam protection mechanisms at information system access entry and exit points.
- SI.3.219 – Implement email forgery protections.
- SI.3.220 – Utilize sandboxing to detect or block potentially malicious email.
Are you worried that your company is vulnerable to cybercriminals?
The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture.
Cybersecurity Maturity Model Certification (CMMC) Free Resources:
- Understanding CMMC Level 1 Requirements
- Understanding CMMC Level 2 Requirements
- Understanding CMMC Level 3 Requirements
- Understanding CMMC Level 4 Requirements
- Understanding CMMC Level 5 Requirements
Want to implement CMMC faster and easier?
Who is ChatFortress
ChatFortress is a leading cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs, and virtual security analysts. Our goal is to help you create a cybersecurity-aware culture.