CMMC 2.0 and Level 3 Maturity

CMMC 2.0 Level 3 builds on the foundational (Level 1) and advanced (Level 2) cyber hygiene practices and focuses on mitigating Advanced Persistent Threats (APTs).

This article will cover CMMC Maturity Level 3 and the controls mandated by the framework, specifically those outlined in NIST Special Publication 800-172.

 

What Is CMMC Level 3?

CMMC Maturity Level 3, titled “Expert,” aims to reduce a system’s vulnerability to advanced persistent threats (APTs). This is achieved by mandating organizations to establish, maintain, and resource a plan for managing the activities necessary to implement cybersecurity practices. The plan can encompass specific topics like goals, missions, projects, resourcing, training, and stakeholder involvement. 

The cybersecurity practices at this level are considered good cyber hygiene practices, focusing on protecting Controlled Unclassified Information (CUI). They also include all the security requirements specified by NIST SP 800-171 and roughly 20 additional controls from NIST SP 800-172.

As the replacement for the original Level 5 included in the first version of CMMC, this maturity level is considered the highest in the standard. It is reserved for data whose disclosure would pose a significant risk, and for the organizations that handle it, which consequently often face the most severe security threats.

 

What are the Differences Between Maturity Levels 2 and 3?


The differences between CMMC 2.0 Level 2 (Advanced) and Level 3 are significant as they pertain to the cyber hygiene practices, documentation requirements, and the data they are designed to protect.

  • Expectations and Capabilities: Level 2 is characterized by advanced cyber practices that support handling CUI. Level 3, on the other hand, focuses on protecting CUI from advanced threats, so implementing the Level 2 controls alone is not enough. Organizations at Level 3 must implement additional controls, which include requirements for advanced monitoring and risk management.
  • Documentation and Process Requirements: Level 2 requires organizations to document their processes to guide their efforts toward achieving maturity. This documentation should allow users to repeat these processes, ensuring consistency in cybersecurity practices. Level 3 necessitates organizations to establish, maintain, and resource a plan to manage the activities needed to implement cybersecurity practices. This plan can encompass various topics, including goals, missions, projects, resourcing, training, and stakeholder involvement.
  • Security Controls and Domains: Level 3 encompasses all the security requirements of NIST SP 800-171 (110 controls in total) and includes an additional 20+ controls from NIST SP 800-172 to address advanced threats.
  • Assessment Requirements: For Level 2, assessment requirements vary based on whether the CUI data handled is critical or non-critical to national security. Typically, a Level 2 organization will undergo a triennial third-party assessment, while a Level 3 organization will undergo a triennial government-guided assessment. 

 

Assessment Requirements at CMMC Level 3

The assessment requirements between CMMC 2.0 Level 2 (Advanced) and Level 3 (Expert) reflect the differing levels of cybersecurity maturity and the types of data being handled at each level.

Level 2 organizations generally fall into one of two categories. The first and most common group will undergo third-party assessments via a C3PAO once every three years. The second, less common group may be able to self-assess once every three years (similar to Level 1 maturity) if the data that the organization controls is deemed a sufficiently low risk.

Assessment details for Level 3 organizations are still not fully defined. The official CMMC 2.0 program page notes that organizations will undergo a government-led assessment once every three years, which reflects the increased scrutiny applied at the highest level of security.

 

What Controls Will Be Required from NIST SP 800-172?

The controls outlined for CMMC Level 3 span several domains and strengthen cybersecurity measures within an organization. Here is a breakdown of these controls, grouped by domain:

 

Access Control

  • Organizationally Controlled Assets (3.1.2e): Restrict access to system assets to authorized users in the organization.
  • Secured Information Transfer (3.1.3e): Employ secure information transfer solutions to control information flows between security domains on connected systems.

 

Awareness and Training

  • Advanced Threat Awareness (3.2.1e): Employees should receive training on advanced threats upon hire, annually, and whenever major security events occur.
  • Practical Training Exercises (3.2.2e): Include practical exercises in awareness training for all users aligned with current threat scenarios.

 

Security Assessment

  • Penetration Testing (3.12.1e): Conduct penetration testing at least annually or after a significant threat event. 

 

Configuration Management

  • Authoritative Repository (3.4.1e): Establish an authoritative source and repository to provide accountability for implemented security controls.
  • Automated Detection & Remediation (3.4.2e): Employ automated mechanisms to detect misconfigured or unauthorized system components. Components that are detected must be removed, quarantined, or remediated.
  • Automated Inventory (3.5.1e): Maintain an accurate and automated inventory of all controls and control statuses.

 

Identification and Authentication

  • Bidirectional Authentication (3.5.1e): Identify and authenticate systems and system components before establishing network connections using bidirectional authentication that is cryptographically based and replay resistant.
  • Block Untrusted Assets (3.5.3e): Block any access to or from critical system assets to untrusted assets or users. Controls should be maintained with configuration settings or trust profiles.
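The bidirectional authentication called for by 3.5.1e (cryptographically based, replay resistant, performed before a network connection is established) is easier to reason about with a concrete exchange. The following is an added example written for this article; it is not code from CMMC, NIST, or Continuum GRC. It assumes a pre-shared key provisioned to both devices (a stand-in for whatever credential scheme the organization actually uses) and shows a mutual HMAC-SHA256 challenge-response in which each side issues a fresh nonce, each proof binds both nonces and the responder's identity, and any challenge is accepted at most once.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer is one side of the handshake. The shared key is an assumption made
// for this example: it stands in for the credential the organization
// provisions to the device (a certificate-based scheme would satisfy the
// same requirement).
type Peer struct {
	ID       string
	key      []byte
	answered map[string]bool // challenges we issued that were already accepted
}

func NewPeer(id string, key []byte) *Peer {
	return &Peer{ID: id, key: key, answered: make(map[string]bool)}
}

// Challenge issues a fresh 128-bit random nonce for the remote side to answer.
func (p *Peer) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// proof is HMAC-SHA256 over the responder's identity and both nonces.
// Binding both nonces means a captured response is valid only for this
// one handshake, which is what makes the exchange replay resistant.
func (p *Peer) proof(responder string, verifierNonce, responderNonce []byte) []byte {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(responder))
	mac.Write([]byte{0})
	mac.Write(verifierNonce)
	mac.Write([]byte{0})
	mac.Write(responderNonce)
	return mac.Sum(nil)
}

// Respond answers the nonce the remote side issued to us (theirNonce) while
// also committing to the nonce we issued to them (ourNonce).
func (p *Peer) Respond(theirNonce, ourNonce []byte) []byte {
	return p.proof(p.ID, theirNonce, ourNonce)
}

// Verify checks the remote side's answer to a challenge we issued. A
// challenge may be accepted once only; a replayed answer is rejected even
// though its MAC is valid.
func (p *Peer) Verify(responder string, issued, theirNonce, got []byte) error {
	key := string(issued)
	if p.answered[key] {
		return errors.New("challenge already answered: replay rejected")
	}
	if !hmac.Equal(p.proof(responder, issued, theirNonce), got) {
		return errors.New("proof mismatch: peer not authenticated")
	}
	p.answered[key] = true
	return nil
}

// MutualAuth runs the exchange between a and b and reports whether each
// side accepted the other. Both must succeed before a connection is opened.
func MutualAuth(a, b *Peer) (bool, bool, error) {
	na, err := a.Challenge()
	if err != nil {
		return false, false, err
	}
	nb, err := b.Challenge()
	if err != nil {
		return false, false, err
	}
	proofB := b.Respond(na, nb) // b answers a's challenge
	proofA := a.Respond(nb, na) // a answers b's challenge
	aAcceptsB := a.Verify(b.ID, na, nb, proofB) == nil
	bAcceptsA := b.Verify(a.ID, nb, na, proofA) == nil
	return aAcceptsB, bAcceptsA, nil
}

func main() {
	key := []byte("constructed-demo-key-not-for-production")
	gw, sensor := NewPeer("gateway", key), NewPeer("sensor-17", key)
	okA, okB, err := MutualAuth(gw, sensor)
	fmt.Println("gateway accepts sensor:", okA, "sensor accepts gateway:", okB, "err:", err)
	rogue := NewPeer("sensor-17", []byte("wrong-key")) // claims the same ID, lacks the key
	okA, okB, _ = MutualAuth(gw, rogue)
	fmt.Println("gateway accepts rogue:", okA, "rogue accepts gateway:", okB)
}
```

The point to check when assessing a real implementation against 3.5.1e is the same as in the example: the proof must depend on a nonce the verifier chose for this connection, and the verifier must refuse to accept the same challenge twice.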

 

Incident Response

  • Security Operations Center (3.6.1e): Establish and maintain a security operations center capability. The SOC must always be operational with access to emergency services for on-site and off-site teams.
  • Cyber Incident Response Team (3.6.2e): Establish and maintain a cyber incident response team. This team must be able to respond to security threats within 24 hours. 

 

Personnel Security

  • Adverse Information (3.9.2e): Ensure that organizational systems are protected if unfavorable information about individuals with access to CUI develops or is obtained.

 

Risk Assessment

  • Threat-Informed Risk Assessment (3.11.1e): Employ threat intelligence, at a minimum, from open or commercial sources and any DoD-provided sources.
  • Threat Hunting (3.11.2e): Conduct cyber threat hunting activities on an ongoing aperiodic basis or when indications warrant to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
  • Advanced Risk Identification (3.11.3e): Employ advanced automation and analytics capabilities to support analysts in predicting and identifying risks to organizations, systems, and system components.
  • Security Solution Rationale (3.11.4e): Document or reference the security solution selected and provide the reasoning for deploying that solution.
  • Security Solution Effectiveness (3.11.5e): Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information or in response to a relevant cyber incident to address the anticipated risk to organizational systems based on current and accumulated threat intelligence.
  • Supply Chain Risk Response (3.11.6e): Assess and address supply chain risks for security gaps. 
  • Supply Chain Risk Plan (3.11.7e): Have a plan for managing risk introduced via supply chain products, services, or vendors.
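Threat hunting under 3.11.2e, guided by indicator feeds as 3.11.1e requires, comes down to a repeatable search of organizational telemetry for known indicators of compromise. The block below is an added example for this article, not code from CMMC, NIST, or Continuum GRC. The log lines and the indicator list are constructed for the example (RFC 5737 documentation addresses and the reserved .test TLD); the hunt indexes indicators by type, scans each event once, and keeps the feed source on every hit so that DoD-provided, commercial, and open-source indicators can be triaged and their value assessed separately.

```go
package main

import (
	"fmt"
	"strings"
)

// Indicator is one threat indicator taken from a feed. Source records where
// it came from (open, commercial, or DoD-provided) so hits can be prioritised.
type Indicator struct {
	Kind   string // "domain", "ip", or "sha256"
	Value  string
	Source string
}

// Hit records one log event that matched an indicator.
type Hit struct {
	Line      int
	Host      string
	Indicator Indicator
}

// sampleLogs are constructed for this example and are not real telemetry.
var sampleLogs = []string{
	"2024-03-01T10:00:01Z host=ws12 dst=198.51.100.20 domain=intranet.corp.test sha256=-",
	"2024-03-01T10:00:07Z host=ws12 dst=203.0.113.7 domain=cdn.stage-drop.test sha256=-",
	"2024-03-01T10:02:15Z host=fs01 dst=198.51.100.44 domain=- sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
	"2024-03-01T10:05:42Z host=ws07 dst=192.0.2.99 domain=- sha256=-",
}

// sampleIndicators stand in for a merged threat feed; all values are constructed.
var sampleIndicators = []Indicator{
	{Kind: "domain", Value: "cdn.stage-drop.test", Source: "commercial"},
	{Kind: "ip", Value: "192.0.2.99", Source: "dod-provided"},
	{Kind: "sha256", Value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", Source: "open"},
	{Kind: "ip", Value: "203.0.113.250", Source: "open"}, // no match in the sample
}

// parseFields turns "<ts> k=v k=v ..." into a map keyed by field name.
func parseFields(line string) map[string]string {
	out := map[string]string{}
	for i, tok := range strings.Fields(line) {
		if i == 0 {
			out["ts"] = tok
			continue
		}
		if k, v, ok := strings.Cut(tok, "="); ok {
			out[k] = strings.ToLower(v)
		}
	}
	return out
}

// Hunt scans each log line for indicator matches. Indicators are indexed by
// kind so the cost is proportional to the number of events, not events times
// indicators. Hits are returned in log order.
func Hunt(lines []string, indicators []Indicator) []Hit {
	index := map[string]map[string]Indicator{}
	for _, ind := range indicators {
		if index[ind.Kind] == nil {
			index[ind.Kind] = map[string]Indicator{}
		}
		index[ind.Kind][strings.ToLower(ind.Value)] = ind
	}
	// Which log field each indicator kind is compared against.
	fieldFor := [][2]string{{"domain", "domain"}, {"ip", "dst"}, {"sha256", "sha256"}}
	var hits []Hit
	for n, line := range lines {
		f := parseFields(line)
		for _, kf := range fieldFor {
			if ind, ok := index[kf[0]][f[kf[1]]]; ok {
				hits = append(hits, Hit{Line: n + 1, Host: f["host"], Indicator: ind})
			}
		}
	}
	return hits
}

func main() {
	for _, h := range Hunt(sampleLogs, sampleIndicators) {
		fmt.Printf("line %d host=%s %s=%s (source: %s)\n",
			h.Line, h.Host, h.Indicator.Kind, h.Indicator.Value, h.Indicator.Source)
	}
}
```

Running the example against the constructed data yields three hits (a domain, a file hash, and a destination IP) and no hit for the fourth indicator; in practice the same loop would be scheduled against fresh telemetry whenever a feed updates, which is the "ongoing, aperiodic" cadence the control describes.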

 

System and Communications Protection

  • Isolation (3.13.4e): Employ physical or logical isolation to separate mission-critical or sensitive data from unnecessary exposure. 

 

System and Information Integrity

  • Integrity Verification (3.14.1e): Verify the integrity of security-critical and essential software using root-of-trust mechanisms or cryptographic signatures.
  • Specialized Asset Security (3.14.3e): Ensure that specialized assets, including Internet of Things (IoT) technologies and testing tools, are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.
  • Threat-Guided Intrusion Detection (3.14.6e): Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources and any DoD-provided sources to guide and inform intrusion detection and threat hunting.
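For 3.14.1e, the mechanism behind "cryptographic signatures" and "root of trust" is a signed manifest checked against a key the verifier already trusts. The block below is an added example written for this article, not code from CMMC, NIST, or Continuum GRC. It assumes a publisher Ed25519 key pair whose public half is embedded in the verifier as the root of trust, and a release held in memory as a map of path to contents (constructed stand-ins for real binaries). Verification checks the manifest signature before trusting any digest, then rejects a modified file, a missing file, or an extra file that the signed manifest never listed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each security-critical file path to its SHA-256 digest.
// The publisher produces and signs it at build time; the verifier trusts
// only the publisher key it was provisioned with.
type Manifest struct {
	Digests map[string]string
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every file in the release.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{Digests: make(map[string]string, len(files))}
	for p, data := range files {
		m.Digests[p] = digest(data)
	}
	return m
}

// Encode renders the manifest canonically (paths sorted) so the signature
// always covers one exact byte sequence regardless of map iteration order.
func (m Manifest) Encode() []byte {
	paths := make([]string, 0, len(m.Digests))
	for p := range m.Digests {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s %s\n", p, m.Digests[p])
	}
	return []byte(sb.String())
}

// NewPublisherKey generates the publisher's Ed25519 key pair (assumed for
// this example). The public half is what the verifier embeds as its root of trust.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the publisher's signature over the canonical manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyRelease checks the signature first (is this manifest really from the
// trusted publisher?) and only then compares every file's digest. Files not
// listed in the manifest are rejected too, so nothing can be slipped in
// beside the signed set.
func VerifyRelease(trusted ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(trusted, m.Encode(), sig) {
		return errors.New("manifest signature invalid: not from trusted publisher")
	}
	for p, want := range m.Digests {
		data, ok := files[p]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing", p)
		}
		if got := digest(data); got != want {
			return fmt.Errorf("%s digest mismatch: expected %s.. got %s..", p, want[:12], got[:12])
		}
	}
	for p := range files {
		if _, ok := m.Digests[p]; !ok {
			return fmt.Errorf("%s present but not in signed manifest", p)
		}
	}
	return nil
}

func main() {
	pub, priv, err := NewPublisherKey()
	if err != nil {
		panic(err)
	}
	// Constructed release contents; stand-ins for real binaries and config.
	release := map[string][]byte{
		"bin/agent":        []byte("agent binary v1.4"),
		"etc/agent.policy": []byte("deny-by-default"),
	}
	m := BuildManifest(release)
	sig := Sign(priv, m)
	fmt.Println("clean release:", VerifyRelease(pub, m, sig, release))
	release["bin/agent"] = []byte("agent binary v1.4 + unexpected change")
	fmt.Println("tampered release:", VerifyRelease(pub, m, sig, release))
}
```

The ordering matters for assessment: a verifier that compares digests before checking the signature, or that trusts a public key shipped alongside the release rather than one provisioned out of band, does not provide the root of trust the control asks for.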

CMMC 2.0 is still being reviewed, and these controls may change. 

 

Stay on Top of CMMC Compliance with Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • GDPR
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2
  • HIPAA
  • PCI DSS 4.0
  • IRS 1075
  • COSO SOX
  • ISO 27000 Series
  • ISO 9000 Series
  • ISO Assessment and Audit Standards

And more. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cybersecurity® platform and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
