Processes: Managed (i.e. “Describe in detail how you’ll follow them”)
At level 3, process documentation gets serious. Unlike level 2, where you’re supposed to create documentation around your processes but there’s no standardized way to determine if it measures up, level 3 forces you to create a plan for managing your practices across all relevant domains. That includes written documentation on who’s responsible for what, how you’ll pay for it, and what tools you’ll use to execute the practices.
Practices: Good Cyber Hygiene
The number of practices almost doubles at level 3, with level 2’s 72 practices getting augmented by 58 more for a total of 130, now spread over all 17 domains. One big advantage of level 3 is proving you can protect CUI, or controlled unclassified information, something that levels 1 and 2 can only dream of! Level 3 is expected to be the most common maturity requirement for contracts once CMMC is fully phased in. Aside from the new opportunities you’ll have with level 3 maturity, you also get the exhilaration of having your cyber hygiene officially designated as . . . “good.”
At level 3, the Office of the Under Secretary of Defense for Acquisition & Sustainment once again offers an assessment guide for Cybersecurity Maturity Model Certification.