CMMC Level 3 Checklist and Guide

Good cybersecurity practices are created through long-term efforts and dedication to digital maturity. Knowing what needs to be done to reach stated goals is only the first step in an ongoing process.

Improving existing processes and establishing goals and expectations for others to follow makes strategic management of digital resources much more accessible. This approach means abiding by standards and ensuring network users are held accountable for their actions.

Such diligence is especially important for those within the Defense Industrial Base (DIB).

What Is CMMC?

The United States Department of Defense (DoD) has strict expectations for contractors working with controlled unclassified information (CUI). Those expectations are laid out in the three-level schema of the Cybersecurity Maturity Model Certification (CMMC).

CMMC Level 3 compliance is essential for IT directors and security professionals who want to work with CUI. Maturity levels are reached by meeting a wide set of controls distributed across specified cybersecurity domains.

CMMC Level 3

CMMC Level 3 represents the highest level of digital hygiene that a company can attain. Level 3 adds 58 control practices across 17 domains.

At Level 3, best practices should be integrated across the organization as a foundational part of day-to-day operations.

Access Control (AC)

CMMC Level 3 compliance requires eight controls for the AC domain.

  • AC.3.012: Wireless access is secured with proper authentication and encryption practices
  • AC.3.014: Remote access sessions are protected with a cryptographic key
  • AC.3.017: Isolate individual responsibilities to mitigate malicious behavior and prevent collusion
  • AC.3.018: Control access to privileged accounts and prevent non-privileged users from performing privileged operations
  • AC.3.019: Automatically deactivate user sessions when certain conditions are met
  • AC.3.020: Manage user-level devices used to access privileged systems
  • AC.3.021: Running remote security-related functions and accessing security-related information requires authorization
  • AC.3.022: CUI on user devices is properly encrypted

These clearly defined rules highlight who can and can’t access the system.

Asset Management (AM)

The AM domain contains a single control for dealing with digital information.

  • AM.3.036: Clear procedures are in place for dealing with CUI and digital information

Defining best practices and having support systems in place for those who need them is essential for improving cybersecurity hygiene.

Awareness and Training (AT)

CMMC Level 3 compliance adds a control for dealing with human resources.

  • AT.3.058: Staff is properly trained in tracking, discovering, and dealing with internal threats

Recognizing key security practices and providing support to staff increases trust and improves processes.

Audit and Accountability (AU)

AU adds seven controls for attaining CMMC Level 3 compliance.

  • AU.3.045: Do regular log audits and make necessary updates to the system
  • AU.3.046: Alert users when the auditing process fails
  • AU.3.048: Have a centralized repository for storing log data
  • AU.3.049: Audit logs are protected from unauthorized access
  • AU.3.050: Only authorized users have access to auditing capabilities
  • AU.3.051: Keep records of any investigations into illicit activities or events
  • AU.3.052: Maintain efficient policies and practices for ongoing analysis and reporting

Contractors should maintain records of their auditing process so requested information can be verified when needed.

Configuration Management (CM)

For CMMC Level 3 compliance, the CM domain adds three controls for defining and improving systems throughout the organization.

  • CM.3.067: Use up-to-date security practices to control and monitor system access
  • CM.3.068: Remove all non-essential software and services from the system
  • CM.3.069: Use blacklisting and whitelisting to prohibit or permit access to systems

IT directors and security professionals should know when changes to protected systems occur and who made them.

Identification and Authentication (IA)

CMMC Level 3 compliance adds four additional controls to the IA domain.

  • IA.3.083: Require multi-factor authentication for all privileged accounts and for non-privileged accounts requesting network access
  • IA.3.084: Have “replay resistant” systems in place for access to any account
  • IA.3.085: Disallow reuse of terminated account credentials for a set period
  • IA.3.086: Disable credentials for inactive accounts after a set period

These security measures help ensure that those accessing accounts are who they claim to be.

Incident Response (IR)

The IR domain provides two additional controls for CMMC Level 3 compliance.

  • IR.3.098: Security incidents are continuously monitored and documented for proper incident reporting
  • IR.3.099: Incident response capabilities are regularly tested

Anticipating potential issues and putting policies in place to deal with them is essential for attaining the highest level of cybersecurity readiness.

Media Protection (MP)

Four additional controls are needed to maintain CMMC Level 3 compliance in the MP domain.

  • MP.3.122: Restrict the distribution of media storage used for CUI
  • MP.3.123: Unauthorized media storage devices with no clear owner aren’t used
  • MP.3.124: Restrict access to media storage devices containing CUI that has left the controlled environment
  • MP.3.125: Storage media containing CUI is secured using cryptography and other available means during storage and transport

Storing and maintaining CUI presents many hazards. The MP domain provides controls for safeguarding that data.

Physical Protection (PE)

Those seeking CMMC Level 3 compliance have an additional control associated with the PE domain.

  • PE.3.136: CUI protection policies are used in every location

Good data security practices require equipment to be protected from unauthorized access at all times.

Recovery (RE)

At Level 3, CMMC guidelines offer one control for improving protection in the RE domain.

  • RE.3.139: Have internal policies in place for maintaining data backups according to a set schedule

Regularly backing up data and doing security audits will ensure recoveries go as expected in the unfortunate event that they’re needed.

Risk Management (RM)

The RM domain adds three controls for CMMC Level 3 compliance.

  • RM.3.144: Do regular risk assessments of targeted systems and data management practices
  • RM.3.146: Have a risk-mitigation strategy in place
  • RM.3.147: Isolate products from different vendors to reduce exposure to unforeseen threat vectors

Regularly monitoring and maintaining core systems will ensure they remain secure while operating with CUI.

Security Assessment (CA)

CMMC Level 3 compliance adds two new controls to the CA domain.

  • CA.3.161: Continuously monitor security services to maintain good working order
  • CA.3.162: All internally developed software used for CUI or related purposes is subject to security audits

The CA domain is primarily concerned with improving the resilience of internal cybersecurity practices by assessing their capabilities and improving deficiencies.

Situational Awareness (SA)

CMMC Level 3 compliance provides the only control in the SA domain.

  • SA.3.169: Share any and all relevant information related to cyber activities and cyber threats with internal and external stakeholders

Having a clear picture of potential threats and taking them seriously is a core part of good cybersecurity hygiene.

System and Communications (SC)

There are 15 controls that expand the SC domain for CMMC Level 3 compliance.

  • SC.3.177: Protect CUI with cryptography that meets FIPS standards
  • SC.3.180: Architectural and infrastructure designs, software development techniques, and systems engineering practices are optimized across the entire IT stack
  • SC.3.181: User-level access and system management capabilities are separated from each other
  • SC.3.182: Restrict unmonitored internal and external transfers of sensitive data
  • SC.3.183: Block all incoming network communications except those deemed necessary by authorized personnel
  • SC.3.184: Prevent unauthorized users from using “split tunneling” to connect internal systems to an external network
  • SC.3.185: Protect CUI with cryptography and other digital or physical defenses while being used or transported
  • SC.3.186: Network-connected sessions are terminated immediately or after a specified amount of time when done being used or inactive
  • SC.3.187: Cryptographic keys are properly managed across the entire organization
  • SC.3.188: Use of mobile code is tightly controlled and monitored by management
  • SC.3.189: The adoption of Voice over Internet Protocol (VoIP) is controlled
  • SC.3.190: All communications are properly authenticated
  • SC.3.191: Stored CUI is well secured
  • SC.3.192: Effective Domain Name System (DNS) filtering is used
  • SC.3.193: Posting or sharing of CUI on public platforms is strictly prohibited

SC involves the use of cryptography and digital best practices to prevent unauthorized dissemination of CUI to external sources.

Systems and Information Integrity (SI)

The SI domain includes three controls geared toward finding vulnerabilities and making the needed changes before issues occur.

  • SI.3.218: IT systems are properly protected from spam at all points
  • SI.3.219: All available assets are leveraged to find and prevent document forgeries
  • SI.3.220: Email is “sandboxed” to find and assess suspicious messages

IT directors and security professionals should maintain their systems and follow best practices when doing updates.

Achieve CMMC Level 3 Compliance with Touchstone Security

Do you want to improve your CMMC domain compliance but aren’t sure where to start? At Touchstone Security, we offer trusted cybersecurity support so that our partners can operate without fear of liability.

Touchstone’s fully managed security solutions were designed to give you peace of mind when dealing with all forms of data. Our military-trained staff offers deep experience backed by decades of cybersecurity operations. We’re here to support your critical operations.

Don’t wait to achieve CMMC Level 3 compliance. Contact Touchstone for a CMMC assessment!