Level 3 Assessment Guide

From CMMC Toolkit Wiki

Source of Reference: The official CMMC Level 3 Assessment Guide Version 2.13, September 2024 from the Department of Defense Chief Information Officer (DoD CIO).


NOTICES

The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing CMMC requirements under the law or departmental policies.

DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

Introduction

This document provides guidance in the preparation for and conduct of a Level 3 certification assessment under the Cybersecurity Maturity Model Certification (CMMC) Program as set forth in section 170.18 of title 32, Code of Federal Regulations (CFR). Certification at each CMMC level occurs independently. Guidance for conducting a Level 1 self-assessment can be found in CMMC Assessment Guide – Level 1. Guidance for conducting both a Level 2 self-assessment and Level 2 certification assessment, can be found in CMMC Assessment Guide – Level 2. More details on the model can be found in the CMMC Model Overview document.

An Assessment as defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system, or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18. A Level 3 certification assessment as defined in 32 CFR § 170.4 is the activity performed by the Department of Defense (DoD) to evaluate the CMMC level of an Organization Seeking Certification (OSC). For Level 3, assessments are conducted exclusively by the DCMA DIBCAC.

An OSC seeking a Level 3 certification assessment must have first achieved a CMMC Status of Final Level 2 (C3PAO), as set forth in 32 CFR § 170.18(a), for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR § 170.14(c)(4). This is followed by the Level 3 certification assessment conducted by the DCMA DIBCAC.

OSCs may also use this guide to perform Level 3 self-assessments (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a Level 3 certification assessment. Only the results from an assessment by DCMA DIBCAC are considered for award of the CMMC Statuses Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC). Level 3 reporting and affirmation requirements can be found in 32 CFR § 170.18 and 32 CFR § 170.22.

Level 3 Description

Level 3 consists of selected security requirements derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, with DoD-approved parameters where applicable. Level 3 only applies to systems that have already achieved a Final Level 2 (C3PAO) CMMC Status. Level 2 consists of the security requirements specified in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Like Level 2, Level 3 addresses the protection of Controlled Unclassified Information (CUI), as defined in 32 CFR § 2002.4(h):

Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Level 3 provides additional protections against advanced persistent threats (APTs), and increased assurance to the DoD that an OSC can adequately protect CUI at a level commensurate with the adversarial risk, to include protecting information flow with the government and with subcontractors in a multitier supply chain.

Purpose and Audience

This guide is intended for assessors, OSCs, cybersecurity professionals, and individuals and companies that support CMMC efforts. This document can be used as part of preparation for and conducting a Level 3 certification assessment.

Document Organization

This document is organized into the following sections:

  • Assessment and Certification: provides an overview of the Level 3 assessment processes set forth in 32 CFR § 170.18. It provides guidance regarding the scope requirements set forth in 32 CFR § 170.19(d).
  • CMMC-Custom Terms: incorporates definitions from 32 CFR § 170.4, definitions included by reference from 32 CFR § 170.2, and provides clarification of the intent and scope of specific terms as used in the context of CMMC.
  • Assessment Criteria and Methodology: provides guidance on the criteria and methodology (i.e., interview, examine, and test) to be employed during a Level 3 assessment, as well as on assessment findings.
  • Requirement Descriptions: Provides guidance specific to each Level 3 security requirement.

Assessment and Certification

The DCMA DIBCAC will use the assessment methods defined in NIST SP 800-172A[1], Assessing Enhanced Security Requirements for Controlled Unclassified Information, along with the supplemental information in this guide to conduct Level 3 certification assessments. Assessors will review information and evidence to verify that an OSC meets the stated assessment objectives for all of the requirements.

An OSC can obtain a Level 3 certification assessment for an entire enterprise network or for specific enclave(s), depending on how the CMMC Assessment Scope is defined in accordance with 32 CFR § 170.19(d).

Assessment Scope

Prior to conducting a CMMC Level 3 certification assessment, the Level 3 CMMC Assessment Scope must be defined as addressed in 32 CFR § 170.19(d) and the CMMC Scoping Guide – Level 3 document[2]. The CMMC Assessment Scope informs which assets within the OSC’s environment will be assessed and the details of the assessment. The OSC must have achieved a CMMC Status of Final Level 2 (C3PAO) for all systems included within the Level 3 CMMC Assessment Scope prior to requesting the Level 3 assessment, as set forth in 32 CFR § 170.18.

The Level 3 assessment scoping is based on the requirements defined in 32 CFR § 170.19(d) and supported by the CMMC Scoping Guide – Level 3 document. The CMMC Scoping Guide – Level 3 document is available on the official CMMC documentation site at https://dodcio.defense.gov/CMMC/Documentation/. If a Final Level 2 (C3PAO) CMMC Status has not already been achieved for the desired CMMC Assessment Scope, the OSC may not proceed with the Level 3 assessment.

CMMC-Custom Terms

The CMMC Program has custom terms that align with program requirements. Although some terms may have other definitions in open forums, it is important to understand these terms as they apply to the CMMC Program.

The custom terms associated with Level 3 are:

  • Assessment: As defined in 32 CFR § 170.4, means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR § 170.15 to 32 CFR § 170.18.
    • Level 3 certification assessment is the term for the activity performed by the DCMA DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of Level 3 (DIBCAC).
    • POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
  • Assessment Objective: Means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800-171A or NIST SP 800-172A.
  • Asset: Means an item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns. Understanding assets is critical to identifying the CMMC Assessment Scope; for more information see CMMC Scoping Guide – Level 3.
  • CMMC Assessment Scope: As defined in 32 CFR § 170.4 means the set of all assets in the OSC’s environment that will be assessed against CMMC security requirements.
  • CMMC Status: The result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally presented on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
    • Conditional Level 3 (DIBCAC): Defined in 32 CFR § 170.18(a)(1)(ii). The OSC will achieve CMMC Status of Conditional Level 3 (DIBCAC) if a POA&M exists upon completion of the assessment and the POA&M meets all Level 3 POA&M requirements listed in 32 CFR § 170.21(a)(3).
    • Final Level 3 (DIBCAC): Defined in 32 CFR § 170.18(a)(1)(iii). The OSC will achieve Final Level 3 (DIBCAC) CMMC Status for the information systems within the CMMC Assessment Scope upon implementation of all security requirements and, if applicable, a POA&M closeout assessment within 180 days. Additional guidance can be found in 32 CFR § 170.21.
  • Enduring Exception: As defined in 32 CFR § 170.4, means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required, but the circumstance must be documented within a system security plan. Specialized Assets and Government Furnished Equipment (GFE) may be Enduring Exceptions.
  • Event: Any observable occurrence in a system[3]. As described in NIST SP 800-171A[4], the terms “information system” and “system” can be used interchangeably. Events sometimes provide indication that an incident is occurring.
  • Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.[5]
  • Monitoring: The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an organization-defined frequency and rate.[6]
  • Operational plan of action: As used in security requirement CA.L2-3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements and documents how and when they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action is not the same as a POA&M associated with an assessment.
  • Organization-defined: As determined by the OSC being assessed, except as defined in the case of an Organization-Defined Parameter (ODP). This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of an OSC’s solution.
  • Organization-Defined Parameters (ODPs): Selected enhanced security requirements contain selection and assignment operations to give organizations[7] flexibility in defining variable parts of those requirements, as defined in NIST SP 800-172A. ODPs are used in NIST SP 800-172 and NIST SP 800-172A to allow Federal agencies, in this case the DoD, to customize security requirements. Once specified, the values for the assignment and selection operations become part of the requirement and objectives, where applicable.
    The assignments and selections chosen for Level 3 are underlined in the requirement statement and objectives. In some cases, further specificity of the assignment or selection will need to be made by the OSC. In those cases, the term and abbreviation ODPs is used in the assessment objectives to denote where additional definition is required.
  • Periodically: Means occurring at a regular interval as determined by the OSA that may not exceed one year. As used in many requirements within CMMC, the interval length is organization-defined to provide OSC flexibility, with an interval length of no more than one year.
  • Security Protection Data: As defined in 32 CFR § 170.4, means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. Security Protection Data is security relevant information and includes, but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
  • System Security Plan (SSP): Means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems.
  • Temporary deficiency: As defined in 32 CFR § 170.4, means a condition where remediation of a discovered deficiency is feasible and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment are discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch, where the patched version is no longer the validated version, may be a temporary deficiency.

Assessment Criteria and Methodology

The CMMC Assessment Guide – Level 3 leverages the assessment procedure described in NIST SP 800-172A Section 2.1:

An assessment procedure consists of an assessment objective and a set of potential assessment methods and objects that can be used to conduct the assessment. Each assessment objective includes a set of determination statements related to the CUI enhanced security requirement that is the subject of the assessment. Organization-defined parameters (ODP) that are part of selected enhanced security requirements are included in the initial determination statements for the assessment procedure. ODPs are included since the specified parameter values are used in subsequent determination statements. ODPs are numbered sequentially and noted in bold italics.
Determination statements reflect the content of the enhanced security requirements to ensure traceability of the assessment results to the requirements. The application of an assessment procedure to an enhanced security requirement produces assessment findings. The findings are used to determine if the enhanced security requirement has been satisfied.
Assessment objects are associated with the specific items being assessed. These objects can include specifications, mechanisms, activities, and individuals.
  • Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system.
  • Mechanisms are the specific hardware, software, or firmware safeguards employed within a system.
  • Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic).
  • Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.
Assessment methods define the nature and the extent of the assessor’s actions. The methods include examine, interview, and test.
  • The examine method is the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specifications, mechanisms, activities).
  • The interview method is the process of holding discussions with individuals or groups of individuals to facilitate understanding, achieve clarification, or obtain evidence.
  • The test method is the process of exercising assessment objects (i.e., activities, mechanisms) under specified conditions to compare actual with expected behavior.
The purpose of the assessment methods is to facilitate understanding, achieve clarification, and obtain evidence. The results obtained from applying the methods are used for making the specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

Criteria

Assessment objectives are provided for each requirement and are based on existing criteria from NIST SP 800-172A. The criteria are authoritative and provide a basis for the assessor to conduct an assessment of a requirement.

Methodology

During the CMMC certification assessment, the assessor will verify and validate that the OSC has met the requirements. Because an OSC can meet the assessment objectives in different ways (e.g., through documentation, computer configuration, network configuration, or training), the assessor may use a variety of techniques, including one or more of the three assessment methods described above from NIST SP 800-172A, to determine if the OSC meets the intent of the requirements.

The assessor will follow the guidance in NIST SP 800-172A when determining which assessment methods to use:

Organizations [DoD] are not expected to use all of the assessment methods and objects contained within the assessment procedures identified in this publication. Rather, organizations have the flexibility to establish the level of effort needed and the assurance required for an assessment (e.g., which assessment methods and objects are deemed to be the most useful in obtaining the desired results). The decision on level of effort is made based on how the organization can accomplish the assessment objectives in the most cost-effective and efficient manner and with sufficient confidence to support the determination that the CUI enhanced security requirements have been satisfied.

The primary deliverable of an assessment is a compliance score and accompanying report that contains the findings associated with each requirement. For more detailed information on assessment methods, see Appendix C of NIST SP 800-172A.

Figure 1 illustrates an example of an assessment procedure for requirement AC.L3-3.1.3e.


Who Is Interviewed

The assessor has discussions with OSC staff to understand if a requirement has been addressed. Interviews with applicable staff (possibly at different organizational levels) determine if CMMC security requirements are implemented and if adequate resourcing, training, and planning have occurred for individuals to perform the requirements.

What Is Examined

Examination includes reviewing, inspecting, observing, studying, or analyzing assessment objects. The objects can be documents, mechanisms, or activities. The primary focus will be to examine through demonstrations during interviews.

For some requirements, the assessor reviews documentation to determine if assessment objectives are met. Interviews with OSC staff may identify the documents used. Documents need to be in their final forms; working papers (e.g., drafts) of documentation are not eligible to be submitted as evidence because they are not yet official and are still subject to change.

Common types of documents that can be used as evidence include:

  • policy, process, and procedure documents;
  • training materials;
  • plans and planning documents; and
  • system-level, network, and data flow diagrams.

This list of documents is not exhaustive or prescriptive. An OSC may not have these specific documents, and other documents may be used to provide evidence of compliance.

In other cases, the requirement is best assessed by observing that safeguards are in place, either by viewing hardware or associated configuration information or by observing staff exercising a process.

What Is Tested

Testing is an important part of the assessment process. Interviews tell the assessor what the OSC staff believe to be true, documentation provides evidence of intent, and testing demonstrates what has or has not been done and is the preferred assessment method when possible. For example, staff may talk about how users are identified and documentation may provide details on how users are identified, but seeing a demonstration of user identification provides evidence that the requirement is met. The assessor will determine which requirements or objectives within a requirement need demonstration or testing. Most objectives will require testing.

Assessment Findings

The assessment of a CMMC security requirement results in one of three possible findings: MET, NOT MET, or NOT APPLICABLE as defined in 32 CFR § 170.24. To achieve CMMC Status of Final Level 3 (DIBCAC) as described in 32 CFR § 170.18, the OSC will need a finding of MET or NOT APPLICABLE on all Level 3 security requirements.

  • MET: All applicable assessment objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and not a draft. Unacceptable forms of evidence include working papers, drafts, and unofficial or unapproved policies. For each security requirement marked MET, it is best practice to record statements that indicate the response conforms to all objectives and document the appropriate evidence to support the response.
    • Enduring Exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
    • Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews, milestones, and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
  • NOT MET: One or more objectives for the security requirement are not satisfied. During a Level 3 certification assessment, for each requirement objective marked NOT MET, the assessor will document why the evidence provided by the OSC does not conform.
  • NOT APPLICABLE (N/A): A security requirement and/or objective does not apply at the time of the assessment. For example, SI.L3-3.14.3e might be N/A if there are no Internet of Things (IoT), Industrial Internet of Things (IIoT), Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, or test equipment included in the Level 3 CMMC Assessment Scope.

If an OSC previously received a favorable adjudication from the DoD CIO indicating that a requirement is not applicable or that an alternative security measure is equally effective, the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. Implemented security measures adjudicated by the DoD CIO as equally effective are assessed as MET if there have been no changes in the environment.

Each assessment objective in NIST SP 800-171A and NIST SP 800-172A must yield a finding of MET or NOT APPLICABLE in order for the overall security requirement to be scored as MET. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding.

CMMC certification assessments are conducted and results are captured at the assessment objective level. One NOT MET assessment objective results in a failure of the entire security requirement.

A security requirement can be applicable even when assessment objectives included in the security requirements are scored as N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET.

Satisfaction of security requirements may be accomplished by other parts of the enterprise or an External Service Provider (ESP), as defined in 32 CFR § 170.4. A security requirement is considered MET if adequate evidence is provided that the enterprise or ESP implements the requirement objectives. An ESP may be external people, technology, or facilities that the OSC uses, including cloud service providers, managed service providers, managed security service providers, or cybersecurity-as-a-service providers.

Requirement Descriptions

This section provides detailed information and guidance for assessing each Level 3 security requirement. The section is organized first by domain and then by individual security requirement. Each security requirement description contains the following elements as described in 32 CFR § 170.14(c):

  • Requirement Number, Name, and Statement: Headed by the requirement identification number in the format DD.L#-REQ (e.g., AC.L3-3.1.2e); followed by the requirement short name identifier, meant to be used for quick reference only; and finally followed by the complete CMMC security requirement statement. In the case where the original NIST SP 800-172 requirement requires an assignment and/or selection statement, the Level 3 assignment (and any necessary selection) text is emphasized using underlining. See Section 2.2 in NIST SP 800-172 for the discussion on assignments and selections.
  • Assessment Objectives [NIST SP 800-172A]: Identifies the specific list of objectives that must be met to receive MET for the requirement as defined in NIST SP 800-172A and includes the Level 3 assignment/selection text (as appropriate). In cases where a Level 3 assignment fully satisfies the definition(s) required in an organization-defined parameter (ODP) in NIST SP 800-172A, the ODP statement is not included as an objective, since that objective has been met by the assignment itself. However, when the assignment does not fully contain all required aspects of a NIST SP 800-172A ODP, the ODP is included as its own objective, using the original NIST SP 800-172A ODP number (e.g., “[ODP4]”). See the breakout box ORGANIZATION-DEFINED PARAMETERS in Section 2.1 of NIST SP 800-172A for additional details on an ODP. In all cases where an assignment is used within an objective, it is also emphasized using underlining.
  • Potential Assessment Methods and Objects [NIST SP 800-172A]: Defines the nature and extent of the assessor’s actions. Potential assessment methods and objects are as defined in NIST SP 800-172A. The methods include examine, interview, and test. Assessment objects identify the items being assessed and can include specifications, mechanisms, activities, and individuals.
  • Discussion [NIST SP 800-172]: Contains discussion from the associated NIST SP 800-172 security requirement.
  • Further Discussion:
    • Expands upon the NIST content to provide supplemental information on the requirement intent.
    • Contains examples illustrating how the OSC might apply the requirement. These examples provide insight but are not intended to be prescriptive of how the requirement must be implemented, nor comprehensive of all assessment objectives necessary to achieve the requirement. The assessment objectives met within the example are referenced by letter in brackets (e.g., [a,d] for objectives “a” and “d”) within the text. Note that some of the examples contain company names; all company names used in this document are fictitious.
    • Provides potential assessment considerations. These may include common considerations for assessing the requirement and potential questions the assessor may ask when assessing the objectives.
  • Key References: Lists the security requirement from NIST SP 800-172.

Access Control (AC)

AC.L3-3.1.2e – Organizationally Controlled Assets

SECURITY REQUIREMENT

Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

ASSESSMENT OBJECTIVES
[a] Information resources that are owned, provisioned, or issued by the organization are identified; and
[b] Access to systems and system components is restricted to only those information resources that are owned, provisioned, or issued by the organization.

AC.L3-3.1.3e – Secured Information Transfer

SECURITY REQUIREMENT

Employ secure information transfer solutions to control information flows between security domains on connected systems.

ASSESSMENT OBJECTIVES
[ODP1] Secure information transfer solutions are defined;
[a] Information flows between security domains on connected systems are identified; and
[b] Secure information transfer solutions are employed to control information flows between security domains on connected systems.

Awareness and Training (AT)

AT.L3-3.2.1e – Advanced Threat Awareness

SECURITY REQUIREMENT

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

ASSESSMENT OBJECTIVES

Determine if:

[a] Threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors are identified;
[b] Awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors is provided upon initial hire, following a significant cyber event, and at least annually;
[c] Significant changes to the threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors are identified; and
[d] Awareness training is updated at least annually or when there are significant changes to the threat.
More Practice Details...

AT.L3-3.2.2e – Practical Training Exercises

SECURITY REQUIREMENT

Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

ASSESSMENT OBJECTIVES

Determine if:

[a] Practical exercises are identified;
[b] Current threat scenarios are identified;
[c] Individuals involved in training and their supervisors are identified;
[d] Practical exercises that are aligned with current threat scenarios are included in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users; and
[e] Feedback is provided to individuals involved in the training and their supervisors.
More Practice Details...

Configuration Management (CM)

CM.L3-3.4.1e – Authoritative Repository

SECURITY REQUIREMENT

Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.

ASSESSMENT OBJECTIVES

Determine if:

[a] Approved system components are identified;
[b] Implemented system components are identified;
[c] An authoritative source and repository are established to provide a trusted source and accountability for approved and implemented system components; and
[d] An authoritative source and repository are maintained to provide a trusted source and accountability for approved and implemented system components.
More Practice Details...

CM.L3-3.4.2e – Automated Detection & Remediation

SECURITY REQUIREMENT

Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.

ASSESSMENT OBJECTIVES

Determine if:

[a] Automated mechanisms to detect misconfigured or unauthorized system components are identified;
[b] Automated mechanisms are employed to detect misconfigured or unauthorized system components;
[c] Misconfigured or unauthorized system components are detected; and
[d] After detection, system components are removed or placed in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.
More Practice Details...

CM.L3-3.4.3e – Automated Inventory

SECURITY REQUIREMENT

Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

ASSESSMENT OBJECTIVES

Determine if:

[a] Automated discovery and management tools for the inventory of system components are identified;
[b] An up-to-date, complete, accurate, and readily available inventory of system components exists; and
[c] Automated discovery and management tools are employed to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
More Practice Details...
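The three Configuration Management requirements above fit together: CM.L3-3.4.1e supplies the authoritative repository of approved components and their baselines, CM.L3-3.4.3e supplies the automatically discovered inventory, and CM.L3-3.4.2e is the automated comparison that sends anything unknown or drifted to a quarantine or remediation network. The Go program below is an added illustration of that comparison, written for this wiki page; it is not code from the CMMC guide or from any DoD tool. The component fields, the configuration digest, the network names and the sample inventory are all constructed assumptions; a real deployment would feed it from its discovery tool and act on the findings through NAC or switch configuration.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is one system component as reported by an automated discovery
// tool. The field set is an assumption of this example; real tools report
// far more, but an identifier, a type and a configuration digest are enough
// to decide whether a component is approved, drifted or unknown.
type Component struct {
	ID        string // stable identifier, e.g. serial number or agent ID
	Kind      string // e.g. "workstation", "switch", "plc"
	ConfigSum string // digest of the effective configuration, as reported
}

// Approved is one record of the authoritative repository: the component is
// allowed to exist and this is the configuration baseline it was approved with.
type Approved struct {
	Kind      string
	ConfigSum string
}

// Disposition is the automated decision taken for a discovered component.
type Disposition string

const (
	Production  Disposition = "production"          // matches the approved baseline
	Remediation Disposition = "remediation-network" // known but misconfigured: patch or reconfigure
	Quarantine  Disposition = "quarantine-network"  // unknown or mismatched: isolate until reviewed
)

// Finding pairs a component with its disposition and the reason for it.
type Finding struct {
	ID     string
	Action Disposition
	Reason string
}

// Reconcile compares the discovered inventory against the authoritative
// repository. It returns one Finding per discovered component, in discovery
// order, and the sorted IDs of approved components that were not discovered
// (stale repository entries or assets that have gone dark), so the inventory
// can be kept complete and accurate in both directions.
func Reconcile(repo map[string]Approved, discovered []Component) ([]Finding, []string) {
	findings := make([]Finding, 0, len(discovered))
	seen := make(map[string]bool, len(discovered))
	for _, c := range discovered {
		seen[c.ID] = true
		a, ok := repo[c.ID]
		switch {
		case !ok:
			findings = append(findings, Finding{c.ID, Quarantine, "not in authoritative repository"})
		case a.Kind != c.Kind:
			findings = append(findings, Finding{c.ID, Quarantine,
				fmt.Sprintf("reported kind %q differs from approved %q", c.Kind, a.Kind)})
		case a.ConfigSum != c.ConfigSum:
			findings = append(findings, Finding{c.ID, Remediation, "configuration drift from approved baseline"})
		default:
			findings = append(findings, Finding{c.ID, Production, "matches approved baseline"})
		}
	}
	var missing []string
	for id := range repo {
		if !seen[id] {
			missing = append(missing, id)
		}
	}
	sort.Strings(missing)
	return findings, missing
}

func main() {
	// Constructed sample data: three approved components and a discovery run
	// that sees a clean one, a drifted one, an unknown one, and misses one.
	repo := map[string]Approved{
		"WS-0001":  {Kind: "workstation", ConfigSum: "cfg-a1"},
		"SW-0007":  {Kind: "switch", ConfigSum: "cfg-b2"},
		"PLC-0003": {Kind: "plc", ConfigSum: "cfg-c3"},
	}
	discovered := []Component{
		{ID: "WS-0001", Kind: "workstation", ConfigSum: "cfg-a1"},
		{ID: "SW-0007", Kind: "switch", ConfigSum: "cfg-b9"},
		{ID: "USB-NIC-42", Kind: "network-adapter", ConfigSum: "cfg-zz"},
	}
	findings, missing := Reconcile(repo, discovered)
	for _, f := range findings {
		fmt.Printf("%-12s -> %-20s %s\n", f.ID, f.Action, f.Reason)
	}
	fmt.Println("approved but not discovered:", missing)
}
```

A component whose identifier is known but whose reported kind differs from the repository is treated as unknown rather than merely drifted, because an identifier attached to the wrong kind of device is exactly the case an assessor would expect the mechanism to catch; only configuration drift on an otherwise matching component earns the gentler remediation path.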

Identification and Authentication (IA)

IA.L3-3.5.1e – Bidirectional Authentication

SECURITY REQUIREMENT

Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.

ASSESSMENT OBJECTIVES

Determine if:

[ODP1] Systems and system components to identify and authenticate are defined;
[a] Bidirectional authentication that is cryptographically-based is implemented;
[b] Bidirectional authentication that is replay-resistant is implemented; and
[c] Systems and system components, where possible, are identified and authenticated before establishing a network connection using bidirectional authentication that is cryptographically-based and replay-resistant.
More Practice Details...
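The requirement above names three properties an assessor will look for: the authentication is bidirectional (each side proves its identity to the other), it is cryptographically based (a key, not a shared secret sent in the clear), and it is replay resistant (a captured response cannot be presented again). The Go program below is an added example written for this wiki page, not code from the CMMC guide or any referenced NIST publication, showing one way those three properties combine in a challenge-response handshake. Peer names, the transcript format and the in-memory trust list are assumptions; a deployed system would typically get the same properties from mutually authenticated TLS with certificates, which this example models at a smaller scale.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// nonceLen: 32 random bytes per challenge, so an attacker cannot guess or
// collide a challenge in practice.
const nonceLen = 32

type Nonce [nonceLen]byte

// Peer models one system component: it holds an identity key pair, the
// public keys of the peers it trusts, and the set of challenges it has
// issued but not yet seen answered. All names here are constructed.
type Peer struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	trusted map[string]ed25519.PublicKey
	pending map[Nonce]bool
}

func NewPeer(name string) (*Peer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, Pub: pub, priv: priv,
		trusted: map[string]ed25519.PublicKey{}, pending: map[Nonce]bool{}}, nil
}

// Trust enrols a peer's public key out of band, for example from the
// authoritative component repository kept under CM.L3-3.4.1e.
func (p *Peer) Trust(name string, pub ed25519.PublicKey) { p.trusted[name] = pub }

// Challenge issues a fresh random nonce and remembers it as outstanding.
func (p *Peer) Challenge() (Nonce, error) {
	var n Nonce
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	p.pending[n] = true
	return n, nil
}

// transcript binds the nonce to both identities and to the direction of the
// exchange, so a signature produced for one challenger is useless to another.
func transcript(responder, challenger string, n Nonce) []byte {
	msg := []byte("auth-response|" + responder + "->" + challenger + "|")
	return append(msg, n[:]...)
}

// Respond answers a challenge from challenger by signing the bound transcript.
func (p *Peer) Respond(challenger string, n Nonce) []byte {
	return ed25519.Sign(p.priv, transcript(p.Name, challenger, n))
}

// Verify accepts a response only if the claimed peer is trusted, the nonce is
// one this peer issued and has not yet consumed, and the signature is valid
// over the expected transcript. Consuming the nonce is what defeats replay.
func (p *Peer) Verify(from string, n Nonce, sig []byte) error {
	pub, ok := p.trusted[from]
	if !ok {
		return fmt.Errorf("%s: unknown peer %q", p.Name, from)
	}
	if !p.pending[n] {
		return errors.New(p.Name + ": challenge not outstanding (replayed or never issued)")
	}
	if !ed25519.Verify(pub, transcript(from, p.Name, n), sig) {
		return errors.New(p.Name + ": bad signature from " + from)
	}
	delete(p.pending, n) // exactly one answer per challenge
	return nil
}

// MutualAuth runs the handshake in both directions; a connection is allowed
// only when each side has authenticated the other.
func MutualAuth(a, b *Peer) error {
	na, err := a.Challenge()
	if err != nil {
		return err
	}
	nb, err := b.Challenge()
	if err != nil {
		return err
	}
	if err := a.Verify(b.Name, na, b.Respond(a.Name, na)); err != nil {
		return err
	}
	return b.Verify(a.Name, nb, a.Respond(b.Name, nb))
}

func main() {
	ws, _ := NewPeer("workstation-01")
	fs, _ := NewPeer("file-server")
	ws.Trust(fs.Name, fs.Pub)
	fs.Trust(ws.Name, ws.Pub)
	fmt.Println("mutual auth:", MutualAuth(ws, fs))

	// A replayed response fails: the nonce has already been consumed.
	n, _ := fs.Challenge()
	sig := ws.Respond(fs.Name, n)
	fmt.Println("first use:", fs.Verify(ws.Name, n, sig))
	fmt.Println("replay:   ", fs.Verify(ws.Name, n, sig))
}
```

Two details carry the security properties. The challenger never accepts a signature over bytes it did not itself randomise, which is why a recording of an earlier exchange is rejected, and the signed transcript names both parties and the direction, so a response that one peer produced for a different challenger does not verify even if the nonce were somehow reused.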

IA.L3-3.5.3e – Block Untrusted Assets

SECURITY REQUIREMENT

Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

ASSESSMENT OBJECTIVES

Determine if:

[a] System components that are known, authenticated, in a properly configured state, or in a trust profile are identified;
[b] Automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified; and
[c] Automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
More Practice Details...

Incident Response (IR)

IR.L3-3.6.1e – Security Operations Center

SECURITY REQUIREMENT

Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-call staff.

ASSESSMENT OBJECTIVES

Determine if:

[a] A security operations center capability is established;
[b] The security operations center capability operates 24/7, with allowance for remote/on-call staff; and
[c] The security operations center capability is maintained.
More Practice Details...

IR.L3-3.6.2e – Cyber Incident Response Team

SECURITY REQUIREMENT

Establish and maintain a cyber incident response team that can be deployed by the organization within 24 hours.

ASSESSMENT OBJECTIVES

Determine if:

[a] A cyber incident response team is established;
[b] The cyber incident response team can be deployed by the organization within 24 hours; and
[c] The cyber incident response team is maintained.
More Practice Details...

Personnel Security (PS)

PS.L3-3.9.2e – Adverse Information

SECURITY REQUIREMENT

Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.

ASSESSMENT OBJECTIVES

Determine if:

[a] Individuals with access to CUI are identified;
[b] Adverse information about individuals with access to CUI is defined;
[c] Organizational systems to which individuals have access are identified; and
[d] Mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to CUI.
More Practice Details...

Risk Assessment (RA)

RA.L3-3.11.1e – Threat-Informed Risk Assessment

SECURITY REQUIREMENT

Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

ASSESSMENT OBJECTIVES

Determine if:

[ODP1] Sources of threat intelligence are defined;
[a] A risk assessment methodology is identified;
[b] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures;
[c] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform the selection of security solutions;
[d] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform system monitoring activities;
[e] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform threat hunting activities; and
[f] Threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, are employed as part of a risk assessment to guide and inform response and recovery activities.
More Practice Details...

RA.L3-3.11.2e – Threat Hunting

SECURITY REQUIREMENT

Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.

ASSESSMENT OBJECTIVES

Determine if:

[ODP4] Organizational systems to search for indicators of compromise are defined;
[a] Indicators of compromise are identified;
[b] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems; and
[c] Cyber threat hunting activities are conducted on an on-going aperiodic basis or when indications warrant, to detect, track, and disrupt threats that evade existing controls.
More Practice Details...

RA.L3-3.11.3e – Advanced Risk Identification

SECURITY REQUIREMENT

Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.

ASSESSMENT OBJECTIVES

Determine if:

[a] Advanced automation and analytics capabilities to predict and identify risks to organizations, systems, and system components are identified;
[b] Analysts to predict and identify risks to organizations, systems, and system components are identified; and
[c] Advanced automation and analytics capabilities are employed in support of analysts to predict and identify risks to organizations, systems, and system components.
More Practice Details...

RA.L3-3.11.4e – Security Solution Rationale

SECURITY REQUIREMENT

Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

ASSESSMENT OBJECTIVES

Determine if:

[a] The system security plan documents or references the security solution selected;
[b] The system security plan documents or references the rationale for the security solution; and
[c] The system security plan documents or references the risk determination.
More Practice Details...

RA.L3-3.11.5e – Security Solution Effectiveness

SECURITY REQUIREMENT

Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

ASSESSMENT OBJECTIVES

Determine if:

[a] Security solutions are identified;
[b] Current and accumulated threat intelligence is identified;
[c] Anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence is identified; and
[d] The effectiveness of security solutions is assessed at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.
More Practice Details...

RA.L3-3.11.6e – Supply Chain Risk Response

SECURITY REQUIREMENT

Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.

ASSESSMENT OBJECTIVES

Determine if:

[a] Supply chain risks associated with organizational systems and system components are identified;
[b] Supply chain risks associated with organizational systems and system components are assessed;
[c] Supply chain risks associated with organizational systems and system components are responded to; and
[d] Supply chain risks associated with organizational systems and system components are monitored.
More Practice Details...

RA.L3-3.11.7e – Supply Chain Risk Plan

SECURITY REQUIREMENT

Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident.

ASSESSMENT OBJECTIVES

Determine if:

[a] Supply chain risks associated with organizational systems and system components are identified;
[b] Organizational systems and system components to include in a supply chain risk management plan are identified;
[c] A plan for managing supply chain risks associated with organizational systems and system components is developed; and
[d] The plan for managing supply chain risks is updated at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident.
More Practice Details...

Security Assessment (CA)

CA.L3-3.12.1e – Penetration Testing

SECURITY REQUIREMENT

Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts.

ASSESSMENT OBJECTIVES

Determine if:

[a] Automated scanning tools are identified;
[b] Ad hoc tests using subject matter experts are identified; and
[c] Penetration testing is conducted at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts.
More Practice Details...

System and Communications Protection (SC)

SC.L3-3.13.4e – Isolation

SECURITY REQUIREMENT

Employ physical isolation techniques or logical isolation techniques or both in organizational systems and system components.

ASSESSMENT OBJECTIVES

Determine if:

[ODP1] One or more of the following is/are selected: physical isolation techniques; logical isolation techniques;
[ODP2] Physical isolation techniques are defined (if selected);
[ODP3] Logical isolation techniques are defined (if selected);
[a] Physical isolation techniques or logical isolation techniques or both are employed in organizational systems and system components.
More Practice Details...

System and Information Integrity (SI)

SI.L3-3.14.1e – Integrity Verification

SECURITY REQUIREMENT

Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic signatures.

ASSESSMENT OBJECTIVES

Determine if:

[ODP1] Security critical or essential software is defined;
[a] Root of trust mechanisms or cryptographic signatures are identified; and
[b] The integrity of security critical and essential software is verified using root of trust mechanisms or cryptographic signatures.
More Practice Details...
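The requirement above allows either a root of trust mechanism (for example measured boot anchored in a TPM) or cryptographic signatures. The Go program below is an added example for this wiki page, not code from the CMMC guide or from any NIST publication, showing the signature route end to end: the publisher signs a manifest of file digests, and the system that installs or launches the software refuses it unless the manifest signature verifies and every file matches its digest. The manifest format (modelled on sha256sum output), the file names and the in-memory file contents are constructed assumptions; a production verifier would read real files and obtain the publisher's public key from a trusted store rather than generating a key pair in the same process.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// GenerateReleaseKey creates the publisher's signing key pair. In practice
// the private half lives in the build pipeline or an HSM; only the public
// half is distributed to the systems that verify software.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest lists every file of a software package as "<sha256>  <path>",
// sorted by path so the manifest bytes are deterministic. The format is an
// assumption of this example, modelled on sha256sum output.
func BuildManifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&buf, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return buf.Bytes()
}

// SignManifest is the release step: one signature covers every digest.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifySoftware checks the signature first and does not act on any digest
// until the manifest itself is trusted. It then requires every listed file to
// be present and unchanged, and every present file to be listed, so neither
// modification, removal nor insertion of a file goes unnoticed.
func VerifySoftware(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: software not trusted")
	}
	listed := map[string]bool{}
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		fields := strings.SplitN(line, "  ", 2)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want, path := fields[0], fields[1]
		data, ok := files[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing", path)
		}
		got := sha256.Sum256(data)
		if hex.EncodeToString(got[:]) != want {
			return fmt.Errorf("%s: digest mismatch (file modified)", path)
		}
		listed[path] = true
	}
	if err := sc.Err(); err != nil {
		return err
	}
	for p := range files {
		if !listed[p] {
			return fmt.Errorf("%s: present but not in signed manifest", p)
		}
	}
	return nil
}

func main() {
	pub, priv, err := GenerateReleaseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample package: an agent binary and its configuration.
	release := map[string][]byte{
		"bin/edr-agent":     []byte("constructed agent binary contents"),
		"etc/edr-agent.yml": []byte("tamper_protection: on\n"),
	}
	manifest := BuildManifest(release)
	sig := SignManifest(priv, manifest)
	fmt.Println("pristine:", VerifySoftware(pub, manifest, sig, release))

	// Simulated modification after signing: the binary on disk no longer matches.
	tampered := map[string][]byte{
		"bin/edr-agent":     []byte("modified agent binary contents"),
		"etc/edr-agent.yml": release["etc/edr-agent.yml"],
	}
	fmt.Println("modified binary:", VerifySoftware(pub, manifest, sig, tampered))
}
```

The ordering inside VerifySoftware is deliberate: parsing an unsigned or mis-signed manifest before checking its signature would let the verifier be steered by attacker-controlled input, so the signature check comes first and everything after it operates only on bytes the publisher's key vouched for.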

SI.L3-3.14.3e – Specialized Asset Security

SECURITY REQUIREMENT

Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test equipment are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.

ASSESSMENT OBJECTIVES

Determine if:

[a] Specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test equipment are included in the scope of the specified enhanced security requirements; and
[b] Systems and system components that are not included in specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test equipment are segregated in purpose-specific networks.
More Practice Details...

SI.L3-3.14.6e – Threat-Guided Intrusion Detection

SECURITY REQUIREMENT

Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.

ASSESSMENT OBJECTIVES

Determine if:

[ODP1] External organizations from which to obtain threat indicator information and effective mitigations are defined;
[a] Threat indicator information is identified;
[b] Effective mitigations are identified;
[c] Intrusion detection approaches are identified;
[d] Threat hunting activities are identified; and
[e] Threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources and any DoD-provided sources, are used to guide and inform intrusion detection and threat hunting.
More Practice Details...

Appendix A – Acronyms and Abbreviations

AC Access Control
ACL Access Control List
ACM Automated Configuration Management
ACMS Automated Configuration Management System
APT Advanced Persistent Threat
AT Awareness and Training
C3PAO CMMC Third-Party Assessment Organization
CA Certification Authority
CA Security Assessment
CERT Computer Emergency Response Team
CFR Code of Federal Regulations
CIO Chief Information Officer
CIRT Computer Incident Response Team; Cyber Incident Response Team
CISO Chief Information Security Officer
CM Configuration Management
CMMC Cybersecurity Maturity Model Certification
CUI Controlled Unclassified Information
DCSA Defense Counterintelligence and Security Agency
DFARS Defense Federal Acquisition Regulation Supplement
DIB Defense Industrial Base
DLP Data Loss Prevention
DMZ Demilitarized Zone
DoD Department of Defense
DRM Digital Rights Management
ESP External Service Provider
FIPS Federal Information Processing Standard
GFE Government Furnished Equipment
GPO Group Policy Object
HR Human Resources
IA Identification and Authentication
ICS Industrial Control System
IIoT Industrial Internet of Things
IOC Indicators of Compromise
IoT Internet of Things
IP Internet Protocol
IR Incident Response
ISAC Information Sharing and Analysis Center
ISAO Information Sharing and Analysis Organization
IT Information Technology
MLS Multi-Level Secure
N/A Not Applicable
NAC Network Access Control
NIST National Institute of Standards and Technology
ODP Organization-Defined Parameters
OS Operating System
OT Operational Technology
PKI Public Key Infrastructure
PS Personnel Security
RA Risk Assessment
SC System and Communications Protection
SCADA Supervisory Control and Data Acquisition
SCRM Supply Chain Risk Management
SI System and Information Integrity
SIEM Security Information and Event Management
SOAR Security Orchestration, Automation, and Response
SOC Security Operations Center
SP Special Publication
SSP System Security Plan
TEE Trusted Execution Environment
TLS Transport Layer Security
TPM Trusted Platform Module
TTP Tactics, Techniques, and Procedures
UEFI Unified Extensible Firmware Interface
USB Universal Serial Bus
VLAN Virtual Local Area Network
VPN Virtual Private Network
XDR Extended Detection and Response

1. NIST SP 800-172A, March 2022
2. Note that an OSC ought to be mindful of their full Level 3 scoping in their request for a Level 2 assessment.
3. NIST SP 800-53 Rev. 5, p. 402
4. NIST SP 800-171A, June 2018, p. v
5. NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)
6. NIST SP 800-160 Vol. 1 Rev. 1, Engineering Trustworthy Secure Systems, 2022, Appendix B, p. 55
7. The organization defining the parameters is the DoD.