The DoD Contractor's Guide to CMMC Level 3


Our cost-effective, simplified CMMC and DFARS compliance solutions will allow your business to become and stay compliant:

First Step to Compliance

Our no-cost tool will help you learn if your company is subject to CMMC Level 3 requirements, obtain a gap analysis, and track your NIST SPRS score.
Free CMMC NIST 800 171 Tool Compliance Checklist

Most Cost-effective Remediation Method

CyberSecure 360 Comprehensive Cyber Security Program

All-in-One Cyber Security Program

CMMC compliance at a fraction of the cost of building your own cyber security program. Pay 2-3x less for an all-in-one security and compliance program with our experts, process, and technology.

Call 972-922-3100 or contact us below for CMMC help specific to your company's needs.

The Need for the Cybersecurity Maturity Model Certification

In a recent report, the Identity Theft Resource Center estimates that the United States government and military suffered more than 80 data breaches in 2019, exposing over 3.5 million sensitive records. With cyber threats posing a greater hazard to the defense supply chain than ever before, alongside physical threats from rival nation states, now is the time to reinforce cybersecurity priorities across the board.

DFARS, NIST, and CMMC

The U.S. government's initial approach to introducing baseline security controls into the defense supply chain required compliance with NIST SP 800-171 through DFARS 252.204-7012, but because that compliance was self-attested, the measure was not enough. The Cybersecurity Maturity Model Certification (CMMC) was released in early 2020 to reduce unauthorized disclosure of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Unlike NIST SP 800-171, which contractors self-attest against, CMMC offers no option to self-certify: certification requires an assessment by a Certified Third-Party Assessor Organization (C3PAO). The certification process will begin as C3PAOs become available (estimated late 2021). A contractor that fails to meet every practice and process required for a level is certified only at the lower level it fully meets, and loses eligibility for DoD contracts that require the higher level.

CMMC does not replace NIST SP 800-171 itself; it builds on it (CMMC Level 3 includes all 110 NIST SP 800-171 requirements) and replaces self-attestation with third-party certification. As a precursor to CMMC, the DFARS Interim Rule (clauses 252.204-7019 and 252.204-7020), effective November 30, 2020, requires contractors to score their NIST SP 800-171 implementation using the DoD Assessment Methodology, post that score in the Supplier Performance Risk System (SPRS), and remediate open items.

Find your NIST SPRS score with our free self-assessment tool.

Understanding CUI

The CUI Registry currently lists 20 organizational index groupings and 125 categories of data that are considered controlled unclassified information. Each category is either CUI Specified (handling requirements set by its own law, regulation or policy) or CUI Basic, and some of the more common Specified categories include:

Many defense contractors also create, store or process CUI Basic categories such as:

> Request our CMMC Level 3 Self-Assessment Tool for a complete list of CUI categories

CMMC Compliance Requirements

The CMMC framework features five levels of cybersecurity maturity. Organizations that handle CUI must be certified at CMMC Level 3, whereas those that handle FCI only need to be certified at CMMC Level 1. Under DFARS 252.204-7019 through -7021, CMMC is phased into contracts through September 2025, after which all new DoD contracts are expected to require the applicable level. Of the 300,000+ companies in the DoD supply chain, the large majority handle CUI and must therefore become CMMC Level 3 certified to remain eligible for DoD contracts.

To avoid exclusion from contracts as CMMC is implemented, a contractor must determine whether it is subject to CMMC requirements and which level it needs, assess its compliance against that level's requirements, obtain a gap analysis, remediate the gaps, and then be assessed by a Certified Third-Party Assessor Organization (C3PAO) in a certification assessment.

* InfoDefense is a C3PAO candidate.

Level 01

BASIC CYBER HYGIENE

Basic Safeguarding of FCI

17 Cybersecurity Practices

PERFORMED

  • Applies to companies handling Federal Contract Information (FCI)
  • 17 Cybersecurity Practices
  • Company must comply and perform all practices

Level 02

INTERMEDIATE CYBER HYGIENE

Transition Step to Protect CUI

+ 55 Cybersecurity Practices

DOCUMENTED

  • Applies to companies transitioning towards the handling of Controlled Unclassified Information (CUI)
  • 72 Cybersecurity Practices
  • Company must perform and document practices 

Level 03

GOOD CYBER HYGIENE

Increasing Protection of CUI

+ 58 Cybersecurity Practices

MANAGED

  • Applies to companies handling Controlled Unclassified Information (CUI)
  • 130 Cybersecurity Practices
  • Must perform, document, and manage practices

Level 04

PROACTIVE

Reducing Risk of APTs

+ 26 Cybersecurity Practices

REVIEWED

  • Applies to companies requiring increased protection of Controlled Unclassified Information (CUI) against advanced persistent threats (APTs)
  • 156 Cyber Practices 
  • Companies must perform, document, manage, and review practices to determine their effectiveness

Level 05

ADVANCED/PROGRESSIVE

+ 15 Cybersecurity Practices

OPTIMIZING

  • Applies to companies requiring the highest level of protection of Controlled Unclassified Information (CUI) against advanced persistent threats (APTs)
  • 171 Cybersecurity Practices
  • Companies must perform, document, manage, and review practices, and standardize and optimize their implementation across the organization

Steps to CMMC Compliance

1. Determine Your CMMC Requirements

First, determine which CMMC level your business requires. Organizations that handle CUI must be certified at CMMC Level 3, whereas those that handle FCI only need to be certified at CMMC Level 1. Well over 90% of DoD contractors require CMMC Level 3 compliance. Along with our no-cost self-assessment tool, our CMMC experts can help you determine whether your business is subject to CMMC requirements and which level you require.

2. Get Your Gap Analysis

Now that you know which CMMC level your business requires, the next step is a CMMC Gap Analysis that determines your state of compliance for each requirement at that level. This can be accomplished with our CMMC Level 3 Self-Assessment Tool or through a CMMC Gap Analysis performed by our compliance experts. Once complete, the analysis lists each requirement and states whether your organization currently meets it.


3. Implement Your Remediation

Once the assessment is complete and you have your gap analysis in hand, create a detailed Plan of Action and Milestones (POA&M) so that the measures required for certification can be implemented and tracked to closure. Your existing IT team(s) can accomplish this, or you can partner with InfoDefense and we will help you achieve 100% compliance through our Standalone Services or CyberSecure 360, our comprehensive security and compliance managed services program.


4. Complete a C3PAO Certification Assessment

Unlike NIST SP 800-171 self-attestation, CMMC certification requires an audit by a Certified Third-Party Assessor Organization (C3PAO)*. The certification process will begin as C3PAOs become available. Note that a C3PAO that helps a contractor with CMMC remediation cannot perform that same contractor's certification assessment, to avoid a conflict of interest.

Failure to meet every practice and process required for a level results in certification at a lower level and loss of eligibility for DoD contracts requiring the higher one; unlike NIST SP 800-171 self-assessment, open POA&M items do not count toward CMMC certification. Our CMMC Pre-Audit Assessment therefore verifies that you have remediated every outstanding practice or process found in your Gap Analysis, confirming 100% compliance before the certification assessment takes place.

*InfoDefense is a C3PAO candidate.

CMMC is as simple as that with InfoDefense.

Call 972-922-3100 or contact us below for more information and guidance for your compliance needs.


Schedule a Call with our CMMC Experts