For any Department of Defense (DoD) contractor or supplier that has access to controlled unclassified information (CUI), compliance with Cybersecurity Maturity Model Certification (CMMC) 2.0 is essential. CMMC 2.0 compliance allows private sector contractors to demonstrate the highest possible level of cybersecurity, and continue doing business with the DoD. CMMC 2.0 Level 3, also called Expert, focuses on the effectiveness of cybersecurity controls and practices around protecting CUI from advanced persistent threats (APTs). It replaces the previous CMMC 1.0 Level 5 and brings with it a number of significant changes. CMMC 2.0 Level 3 applies to companies that handle CUI for DoD programs with the highest priority.

For any contractor or organization that has access to CUI, compliance with CMMC 2.0 Level 3 is essential for maintaining the highest possible level of cybersecurity. This article will provide a comprehensive overview of the compliance requirements for CMMC 2.0 Level 3 and will help ensure that your organization starts the journey to compliance with the latest security regulations.

CMMC 2.0 Level 3 Compliance: A Definitive Guide

CMMC Level 3 Compliance: Business Benefits

The primary benefit of adhering to CMMC Level 3 requirements is that it provides the DoD needed assurance that the CUI contractors process, collect, send, receive, and store is secure and protected from unauthorized access. Ultimately, CMMC Level 3 compliance instills confidence in an organization’s ability to protect CUI and demonstrate a commitment to cybersecurity. Compliance with CMMC Level 3 requirements can also provide an organization with opportunities for increased access to government contracts and make them a more attractive potential partner for companies in the defense industry, and with potential private sector customers.

Is CMMC 2.0 Level 3 Compliance Mandatory?

No, CMMC 2.0 Level 3 compliance is not mandatory. Organizations that do business with the DoD are required to meet a minimum security posture as outlined by the CMMC, but the specific level of certification required depends on the required services of the organization. Organizations can achieve different levels of CMMC certification, namely Level 1, 2, or 3, depending on the security requirements of their contracts.

CMMC Level 3 Domains and Requirements

For CMMC 2.0 Level 3, there are 130 required controls. These controls are a means of managing risk that includes policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature, and are specified by NIST SP 800-171 and FAR 52.204-21. CMMC 2.0 Level 3 also contains 58 practices, or technical activities, that are required and performed to achieve a specific level of cybersecurity maturity for a given capability in a domain. These practices sit under 16 different domains, listed below, that are a subset of NIST SP 800-172. CMMC 2.0 requires the contractor to go beyond mere documentation of processes and instead have an active role in the management and implementation of the controls in order to provide the highest level of security possible. The 16 domains include:

Access Control

The Access Control domain introduces eight additional requirements under CMMC Level 3. They include:

  • Authentication and encryption measures for safeguarding wireless access
  • Cryptography to safeguard the confidentiality of remote sessions
  • Automatically terminate user sessions that meet defined conditions
  • Monitor and control all access via mobile devices
  • Require authorization for remote execution of functions and access to security-related information
  • Separate the duties of individuals to reduce the risk of malicious actions. These actions are distinct from collusion, which doesn’t require the identification of specific threats.
  • Prevent execution of privileged functions from non-privileged accounts. Audit logs must document and analyze all privileged functions.
  • Encrypt CUI on all computing platforms

Asset Management

The Asset Management domain is a new domain that has one practice: 

  • Define specific practices and procedures for handling CUI and related data

Audit and Accountability

The Audit and Accountability domain introduces seven additional requirements under CMMC 2.0 Level 3, including:

  • Regularly review all logged events and update or correct them when necessary
  • Protect information pertaining to audits and audit logs, from all forms of unauthorized access, including especially the use, modification, and deletion thereof
  • Restrict access to auditing functionalities to a subset of privileged users
  • Correlate review and analysis of audit records with reporting relative to investigation and response to unlawful, unauthorized, or otherwise irregular activities
  • Necessitate an alert in the event that the audit and/or logging process fails
  • Collect all information pertaining to audits into one or multiple central repositories to facilitate the review, analysis, and strategic decision-making regarding audit information
  • Facilitate immediate, on-demand analysis and reporting with efficient procedures for audit record reduction and generation of audit reports

Awareness and Training

There is only one practice introduced under the Awareness and Training domain in CMMC 2.0 Level 3:

  • Provide training on security awareness that includes best practices for monitoring, identifying, and reporting insider threats from other staff

Configuration Management

Under the Configuration Management domain, CMMC 2.0 Level 3 introduces three additional practices that include:

  • Define, document, and approve access to all physical and virtual systems. System access must be based on the current security configuration.
  • Minimize access through restriction, disablement, and prevention. These systems include hardware, software, functions, and services.
  • Deny access by exception, commonly known as blacklisting, to prohibit unauthorized access. Enable authorized access with permission by exception, also known as whitelisting.

Identification and Authentication

There are four additional requirements in the Identification and Authentication domain under CMMC 2.0 Level 3:

  • Utilize multi-factor authentication (MFA) for local and network access to privileged accounts. Network access to non-privileged accounts also requires MFA.
  • Prevent reuse of identification credentials like usernames by the same user or others for a defined period after changes to the account, including termination
  • Employ authentication mechanisms for access to privileged and non-privileged accounts that are “replay resistant.” These measures include cryptography, one-time authenticators, and Transport Level Security (TLS).
  • Disable identification credentials after an organizationally defined period of inactivity in the account. This action must also prevent reuse, per IA.3.085.

Incident Response

Under Incident Response, CMMC 2.0 Level 3 introduces two additional practices:

  • Ensure that all incidents are tracked, documented, and reported to all designated authorities, whether internal or external to the organization
  • Regularly test the organization’s incident response capabilities


The Maintenance domain has two additional requirements under CMMC 2.0 Level 3:

  • Sanitize equipment transported off-site for maintenance by removing all CUI, including traces and other potential pathways to unauthorized access to CUI
  • Monitor all media containing diagnostic or test programs to ensure it is free of all forms of malicious code prior to installing or using it on organizational systems

Media Protection

There are four additions to Media Protection under CMMC 2.0 Level 3:

  • Mark or code any media containing CUI intended for limited distribution
  • Disallow the use of any portable storage devices with unclear ownership or origin
  • Use cryptography or physical safeguards to protect the confidentiality of CUI stored on digital media, especially during transport
  • Restrict access to media containing CUI. Maintain accountability for this media during transport to areas not controlled by the organization.

Physical Protection

There is one practice under Physical Protection in CMMC 2.0 Level 3:

  • Expand physical safeguards for CUI to all alternative work sites


The Recovery domain has one practice under CMMC 2.0 Level 3:

  • Regularly perform robust and resilient data backups according to protocols and schedules defined by the organization’s security needs and storage media

Risk Management

There are three additions to Risk Management under CMMC 2.0 Level 3:

  • Perform periodic risk assessments that identify and prioritize risks according to criteria defined by the organization, including categories and sources
  • Develop and implement plans to mitigate those risks as they’re identified
  • Manage products separately if they’re unsupported by vendors. Enforce access restrictions to these products and use them independently of other assets to reduce the spread of malware.

Security Assessment

There are two additions to Security Assessment under CMMC 2.0 Level 3:

  • Monitor existing security controls to ensure ongoing efficacy and safety
  • Employ independent security assessments specific to software developed internally for internal use if identified as a risk

Situational Awareness

The Situational Awareness domain is introduced under CMMC 2.0 Level 3 and has one practice:

  • Collect, analyze, and share relevant cyber threat intelligence from external sources with stakeholders, including reputable reports and forums

System and Communications

For System and Communications, additional requirements under CMMC 2.0 Level 3 include:

  • Use cryptography up to the Federal Information Processing Standards (FIPS) for protecting CUI
  • Ensure that effective and efficient information security is optimized across all information system elements
  • Fully separate user functionalities access and system management
  • Prevent insecure transfers of sensitive information with shared internal and external system resources, including unintentional and unauthorized transfers
  • Implement a whitelist approach to network communications traffic, meaning such traffic is denied by default and allowed only by exception
  • Terminate network connections related to communication immediately upon the end of the session or after a period of inactivity defined by the organization
  • Maintain cryptographic keys for all cryptography used across all systems
  • Strictly monitor and control the use of mobile codes
  • Strictly monitor the use of Voice over Internet Protocol (VoIP) technology
  • Prevent the potentially dangerous occurrence of “split tunneling,” in which remote devices simultaneously establish a non-remote connection with the organization’s systems and a connection to resources in external networks
  • Use cryptography or physical safeguards to prevent unauthorized disclosure of CUI, especially during transmission or transportation
  • Ensure the authenticity of communications across sessions
  • Ensure protection of CUI while in storage or some other passive capacity
  • Use robust Domain Name System (DNS) filtering services
  • Develop and enforce a policy restricting the publication of CUI on external, publicly accessible media and platforms such as forums and social media

System and Information Integrity

This is a domain introduced under CMMC 2.0 Level 3 and has three practices:

  • Deploy mechanisms for detecting spam and protecting against it at all entry, exit, and access points to the organization’s information systems
  • Use all available resources to detect and prevent document forgery
  • Implement sandboxing techniques to detect, filter, block, or otherwise prevent malicious and suspicious email communications

CMMC Level 3 Compliance Challenges

Common challenges in implementing CMMC Level 3 requirements include an insufficient understanding of security processes, difficulty in assessing specific security controls, difficulty implementing technical controls, and difficulty obtaining or keeping personnel trained in the required areas. Additionally, organizations may face challenges in developing policies, procedures, and processes that are compliant with CMMC Level 3 requirements, and ensuring that all stakeholders understand their roles and responsibilities in ensuring the organization’s security posture.

Overcoming CMMC 2.0 Level 3 Challenges

Organizations can overcome the challenges associated with implementing CMMC Level 3 requirements by developing a comprehensive security plan, investing in security training and education for personnel, leveraging outside resources, leveraging automated solutions and/or outsourcing service providers to assist with implementation, and keeping stakeholders informed. Additionally, organizations should regularly monitor the security posture of the organization to ensure compliance and address any areas that may require additional attention. Organizations should also take a proactive approach to security and should prioritize responding to threats and vulnerabilities identified during their security assessment process.

CMMC 2.0 Level 3 Noncompliance Risks

If an organization fails to comply with CMMC 2.0 Level 3 requirements, it may lead to a loss of access to government contracts, and the organization may be subject to penalties and fines. Additionally, failure to comply with the requirements may lead to reputational damage and a loss of trust in the organization’s ability to secure CUI and other sensitive content.

Kiteworks Accelerates Time to Achieve CMMC 2.0 Compliance for DoD Suppliers

The Kiteworks Private Content Network (PCN) is FedRAMP Authorized for Moderate Level Impact. As a result, the Kiteworks PCN helps DoD contractors and subcontractors demonstrate CMMC 2.0 compliance. In fact, Kiteworks satisfies nearly 90 of CMMC Level 2 practice requirements. Other compliance vendors without FedRAMP Authorized certification are unable to achieve this level of compliance. Kiteworks, therefore, accelerates the time it takes DoD suppliers to achieve CMMC Level 2 compliance.

Using a content-defined zero-trust approach, supported by a FedRAMP-authorized platform featuring a hardened virtual appliance, Kiteworks protects sensitive communications involving CUI and FCI content across numerous channels—including email, file sharing, managed file transfer, web forms, and application programming interfaces (APIs). 

Schedule a custom demo today to see how the Kiteworks Private Content Network enables DoD contractors and subcontractors to accelerate and simplify their CMMC certification process.

Back to Risk & Compliance Glossary

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.


Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Get A Demo