CMMC Level 3

Processes: Managed
Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

Level 3 Required Process:
ML.3.997: Establish, maintain, and resource a plan that includes [DOMAIN NAME].
o Reference: CERT RMM v1.2 GG2.GP2
o Publicly Available Resources (Templates/Guides/Examples/etc.)

Practices: Good Cyber Hygiene
Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171, as well as additional practices from other standards and references to mitigate threats. Note that DFARS clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting.

Achieving CMMC Level 3 requires the implementation of the practices listed below plus CMMC Level 1 Practices and CMMC Level 2 Practices.