CMMC Level 3 CMMC: Description and Tips for Fast Tracking

By Amy Williams, PhD, CISSP, CMMC-RP - Director of Proactive Services

Welcome back to the BlueVoyant CMMC Blog. If you have been following along, you may recall that the first post included an overview on what CMMC is and the differences in the five levels of possible compliance. We also unpacked a bit about why CMMC is here and how it will all work within the ecosystem. The second blog provided a deeper dive into the first two levels of compliance as well as an introduction to the COTS exception.

In this post we will take the next logical step and explore some of the practicalities of achieving Level 3 compliance, the most commonly requested level from BlueVoyant clients. We will talk about what it is, who needs to comply at this level and provide some tips for fast tracking to compliance with Level 3.

What Is Level 3?

CMMC Level 3 is required of any company handling Controlled Unclassified information (CUI). CUI is Federal Contract Information (FCI) that has been marked for special safeguarding, meaning that despite the fact that the information is not classified, it is sensitive enough that it could potentially be damaging to our national security if it fell into the wrong hands. Level 3 is also the level that will seem most familiar to companies that have recently held DoD contracts as it is essentially NIST 800-171 with the addition of 20 more controls.

Beyond the required controls, however, companies are also expected to have more mature processes at Level 3 than with lower levels of compliance. The specific expectation is that the processes should be well managed and the practices well documented. This is a significant step up from level 1 where ad hoc implementation of 17 basic security measures is acceptable.

Another practical point worth mentioning – a common misconception is that CMMC levels follow organizational size, but some very large companies may only need to be level 1 and some very small companies may need to be level 3. For the DoD in particular, smaller suppliers are often the creative engine in the design process, holding some of the highest levels of creativity within our nation’s defense system. Technical drawings, design specifications, product formulas and even information such as delivery destinations are all examples of CUI that are valuable to our nation’s competitors and may be managed by smaller engineering firms.

Is CUI the Only Reason To Comply at Level 3?

In a word, no. Most of the defense industrial base is made up of subcontractors, or even subcontractors to subcontractors, and the vast majority of those companies are expected to only need Level 1 certification. However, we work with a number of companies who will likely only need to be certified at Level 1 but are choosing Level 3 for a couple of different reasons.

First, the higher your level of certification, the more opportunities your company will have to bid on contracts. A second subtler reason is that CMMC puts cyber security at the forefront and some company leaders who have been concerned about security are using the compliance requirement as an opportunity to up their game and to become more proactive. These leaders believe that if they are going to put time and resources into compliance, they want to aim higher in hopes of being more secure as well as opening up new opportunities.

Tips for Fast Tracking Compliance

To achieve Level 3, companies must document their compliance with 130 controls within 15 domains. While all of these controls are important and time consuming to put into place, some of the L3 controls are more daunting than others to companies just getting started. Most notably, some of the requirements under the Audit and Accountability, Configuration Management, and Incident Response CMMC domains are larger hurdles for many companies. Detect and Report Events, Document and Report Incidents, Ensure Users Can Be Uniquely Traced are all examples of some of the L3 compliance security requirements that commonly present challenges for clients.

Finding and retaining the talent to properly manage events, alerts and logs, and then respond in a timely manner is an even greater challenge than building out the complex technology stack needed to meet these requirements. For SMBs especially, outsourcing the managed security requirements tends to be both more effective and less expensive than developing and managing these capabilities in-house.

The number of BlueVoyant’s CMMC consulting clients interested in our Managed Security as a way to fast track CMMC compliance has been trending up. Accordingly, we have responded with a discounted offering for clients looking for Managed Security and Compliance Consulting Services together. Layering in MSS has provided a quicker, easier and highly effective approach to meeting 40 of the more challenging 130 L3 requirements for many of our clients.

Time To Get Moving. Need Help?

The DoD is taking a crawl walk run approach to rolling out CMMC requirements, but the first proposals will come out in the next couple of months. Given that it takes time to line up a C3PAO, receive and negotiate services for consulting, remediate everything on your POAM, mature your practices to the point that they are in fact practices, line up an assessor, get an assessment, get the assessment validated by the C3PAO and get your certificate from the CMMC-AB, you are really looking at the better part of a year to complete the process, at minimum. Accordingly, companies wishing to comply at Level 3 should really get started right now if they want to be certified in time to bid on 2022 contracts. Let us know how we can help you.