Level 3

CMMC Level 3 is considered “good cybersecurity hygiene” and builds on CMMC Levels 1 and 2 by adding 58 additional practices (controls), for a total of 130 practices, and one additional process. The additional process is a cybersecurity plan that describes your cybersecurity program. The plan may contain your mission, goals, project plan, resourcing, training program, and the involvement of relevant stakeholders.

It is estimated that 30% of the Defense Industrial Base (DIB) will need to be certified to CMMC Level 3. The requirement to be certified to Level 3 is based on the assumption that a contractor will process, store or create controlled unclassified information (CUI). The 130 practices in CMMC Level 3 are designed to protect CUI. For more information about CUI, go to the FCI/CUI tab.

The CMMC Level 3 Assessment Guide provides guidance to assessors for conducting a CMMC Level 3 assessment.


  1. Unless your company has a strong cyber/IT department or your Managed Service Provider is familiar with and compliant with CMMC Level 3, you will need to engage a cybersecurity consultant to assist with compliance. Click here for the list of cybersecurity consulting companies that have registered with the NCMBC. (NOTE: the NCMBC does not vet the companies that sign up on our website.)
  2. CMMC Level 1 in a Box provides a framework that can be followed to help you work toward CMMC Level 3 compliance.
  3. If you are pursuing compliance with CMMC Level 3, it is likely that you have already achieved compliance with the DFARS clause that requires compliance with the 110 controls in NIST SP 800-171. CMMC Level 3 adds 20 additional controls to the 110 in NIST SP 800-171. See below:
    • AM3.036 Define procedures for the handling of CUI data.
    • AU3.048 Collect audit information (e.g. logs) into one or more central repositories.
    • AU2.044 Review audit logs.
    • IR2.093 Detect & report events.
    • IR2.094 Analyze & triage events to support event resolution & incident declaration.
    • IR2.096 Develop & implement responses to declared incidents according to pre-defined procedures.
    • IR2.097 Perform root cause analysis on incidents to determine underlying causes.
    • RE2.137 Regularly perform & test data back-ups.
    • RE3.139 Regularly perform complete, comprehensive & resilient data backups as organizationally defined.
    • RM3.144 Periodically perform risk assessments to identify & prioritize risks according to the defined risk categories, risk sources & risk measurement criteria.
    • RM3.146 Develop & implement risk mitigation plans.
    • RM3.147 Manage non-vendor supported products (e.g. end of life) separately & restrict as necessary to reduce risk.
    • CA3.162 Employ a security assessment of enterprise software that has been developed internally, for internal use, & that has been organizationally defined as an area of risk.
    • SA3.169 Receive & respond to cyber threat intelligence from information sharing forums/sources & communicate to stakeholders.
    • SC2.179 Use encrypted sessions for the management of network devices.
    • SC3.192 Implement Domain Name System (DNS) filtering services.
    • SC3.193 Implement a policy restricting the publication of CUI on externally owned, publicly accessible websites (FB, LinkedIn, Twitter, etc.).
    • SI3.218 Employ spam protection mechanisms at information system access & entry points.
    • SI3.219 Implement email forgery protections.
    • SI3.220 Utilize email sandboxing to detect or block potentially malicious email.