What If I Am A Level 3 and I Don’t Know?

The reason we say this is because, even on the U.S. Department of Defense's official website, it states that Level 3 is still under development. When you click the link, found on this page, it leads nowhere. A key indicator that you’re at Level 3 is if you need to protect against Advanced Persistent Threat (APT) actors that typically target the DoD supply chain1.

As long as you are establishing and maintaining security activities, reviewing your business’ policies and procedures regularly, and thoroughly documenting security plans and priorities, you’ll be in good shape at fulfilling the CMMC Level 3 requirements2.

Pro Tip: According to official guidance, level 3 requirements include all NIST SP 800-171 controls and a subset of controls of NIST SP 800-172. It is evident that level 3 requirements are still being worked out, however, you can get a head start toward what is likely going to be required by complying with all controls found in NIST SP 800-171 and the controls found in NIST SP 800-172. There isn’t much to lose by implementing additional security controls in your organization and doing so greatly benefits your organization’s security posture.

- Kloud9 IT