CMMC Level 3 Requirements

What does it take to achieve Level 3 compliance?

Practices found in CMMC Levels 1-3 most closely align to the 110 controls found in NIST 800-171 for handling Controlled Unclassified Information, but 20 practices and 52 maturity processes go beyond NIST. 

Level 3 CMMC Practices

Here are the most significant areas of CMMC to consider if you are already meeting DFARS 7012 and NIST 800-171.

  • Logging, monitoring, incident response, and reporting capabilities with a SIEM or similar technical solution - Domain Reference: Incident Response (IR) and Audit and Accountability (AU)
  • The ability to back up and restore data through tested, comprehensive, and resilient backup efforts
  • Logically and technically separate management of unsupported products, with network restrictions and regular risk assessments to identify vulnerabilities - Domain Reference: Risk Management (RM)
  • DNS filtering, spam protection, and email sandboxing to protect against malicious traffic - Domain Reference: System and Communication Protection (SC) and System and Information Integrity (SI)

To pass a Level 3 audit, companies will be assessed on their ability to meet and demonstrate all 130 practices spanning Levels 1, 2, and 3. This includes technical architecture and solutions, along with written policies.


DFARS Overlap

How do DFARS and CMMC Level 3 overlap?

CMMC and DFARS 7012 collectively consist of three basic requirements:

  1. Adequate Security: NIST 800-171's 110 distinct security controls (DFARS) plus the additional 20 practices (CMMC) as mentioned in the previous section
  2. Contractual Flowdown: If the prime contractor has to meet DFARS and CMMC requirements, so do its subcontractors and vendors - though CMMC may require a lower level for them
  3. Event and Incident Reporting: In response to an incident or cyber event, DFARS requires your organization to notify DoD through formal reporting mechanisms, and DoD will need access to your environment - including cloud tenants and other cloud systems handling CUI



As Scott Edwards, President of Summit 7, stated in a previous presentation on CMMC Level 3: "If you're NOT NIST 800-171 compliant, go back and do that. You can't tackle CMMC if you are not NIST compliant; it's also just practicing basic cyber hygiene."




Next Steps

What technical and procedural practices do you need to implement?

Once NIST 800-171 compliance is in place, there are an additional 10 technical and 10 procedural practices to implement to achieve CMMC Level 3 compliance.

A few examples:

  • Define procedures for the handling of CUI data
  • Analyze and triage events to support event resolutions and incident declaration
  • Regularly perform complete, comprehensive, and resilient data backups as organizationally defined
  • Manage products no longer supported by the vendor separately and restrict them as necessary to reduce risk
  • Implement DNS filtering services
  • Employ spam protection mechanisms at information system access entry and exit



Potential Technical Solutions

What solution sets can get you to Level 3 CMMC compliance?

SIEM solutions to meet incident response requirements:

  • LogRhythm
  • LogVault
  • AlienVault
  • Splunk
  • Others

Summit 7 Preferred: Microsoft Azure Government Sentinel


Resilient data backup and restoration solutions that meet FedRAMP Moderate standards and can back up Office 365 GCC High or GCC:

  • Veeam
  • AvePoint (US based)

Summit 7 Preferred: AvePoint and Azure Backup


DNS Filtering:

  • Webroot
  • Cisco Umbrella
  • TitanHQ
  • Palo Alto DNS Security service

Summit 7 Preferred: OpenDNS


SPAM and Email protections:

  • Cisco Email
  • Proofpoint
  • Barracuda
  • Fireeye

Summit 7 Preferred: Microsoft (Office) 365 GCC High Exchange Online Protection and Defender for Office 365 

Summit 7 has architected a complete solution set to help organizations achieve CMMC Level 3 compliance. The set is developed within Microsoft (Office) 365 GCC High (or GCC) and Azure Government as part of the initiative to protect the warfighter and keep the Defense Industrial Base secured.

The Foundation and Levels

Meeting Level 3 requires organizations to practice "Good Cyber Hygiene" while actively "managing" security processes. CMMC officials, including Katie Arrington of the Office of the Under Secretary of Defense (OUSD), have publicly stated that the majority of defense contractors will need to certify at Level 1 at the outset. Nevertheless, most prime contractors and many of their subcontractors in the DIB will need to meet Level 3, as it most closely aligns to the preexisting requirements of DFARS 7012; this will also hold true for higher education institutions and research organizations handling sensitive information for the DoD. This is especially true for organizations that regularly handle Controlled Unclassified Information (CUI) or interact with more sensitive data sets.

Note: The DFARS Interim Rule requires CMMC certification at the time of contract award or option year award if included in the acquisition/solicitation, and the certification must have been acquired within the previous three years (similar to the DFARS 7019 and 7020 reporting requirements). Therefore, DFARS 7021 will be included as a guiding requirement for use in solicitations and contracts until September 30, 2025.

On November 25, 2020, OUSD A&S and the CMMC Accreditation Body solidified their partnership by signing a no-cost contract to support this mission for cybersecurity, information security, and thus national security.

Still Have Questions?

If you still have questions about CMMC Level 3, or about understanding the Cybersecurity Maturity Model Certification as a whole, please do not hesitate to reach out to us.
