The Department of Defense (DoD) continues to roll out Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0). CMMC is a set of standards designed to protect the Controlled Unclassified Information (CUI) shared by the DoD and its contractors. By October 2025, all contractors working with the DoD must comply with these security standards and pass through government-enhanced security controls for all CUI.

The primary purpose of the CMMC framework is to give organizations a structured approach for safeguarding their sensitive data and to help them demonstrate compliance with security best practices, reducing their risk of cyberattacks. CMMC 2.0 is organized into three compliance levels: Foundational, Advanced, and Expert. Certification is an expensive process, so most contractors will comply with the minimum level required for their industry. In this post, we’ll explore what it means to move a company to Level 3: Expert. A company must first certify to Level 1, which includes demonstrating that it has implemented 15 cybersecurity practices to protect against primary cyber threats, before it can embark on higher levels of certification. Obtaining Level 1 includes developing a security policy and conducting risk assessments to identify potential vulnerabilities.

Obtaining Level 2, Advanced, which builds upon the foundational practices of Level 1, is next. At Level 2, organizations must demonstrate over 100 additional security practices based on the NIST SP 800-171 and SP 800-172 standards. This includes establishing an incident response plan and implementing encryption for sensitive data. The Expert level, Level 3, requires organizations to demonstrate over 300 more cybersecurity practices, including additional measures to protect against advanced persistent threats (APTs). Organizations at Level 3 must also have an institutionalized management plan and demonstrate the ability to manage and respond to cybersecurity incidents effectively. Here are the top 10 cybersecurity practices within Level 3, chosen from the list of over 300 practices:

  1. Threat Intelligence: Establish and maintain a formal process to collect, analyze, and share threat intelligence information from internal and external sources. This includes continuously monitoring for emerging threats, conducting threat assessments, and using threat intelligence to inform security strategies and decision-making.
  2. Continuous Monitoring: Implement continuous monitoring practices to detect and respond to real-time security events and incidents. This includes using security information and event management (SIEM) tools, security analytics, and other monitoring technologies to identify and respond to potential cybersecurity threats promptly.
  3. Security Operations Center (SOC): Establish and operate a Security Operations Center (SOC) to centralize and coordinate cybersecurity operations. This includes monitoring, detecting, analyzing, and responding to cybersecurity events and incidents across the organization and managing security incidents in a coordinated and efficient manner.
  4. Advanced Authentication: Implement advanced authentication methods, such as smart cards, biometrics, or multi-factor authentication (MFA), for all users accessing sensitive information systems. This includes using strong authentication methods to ensure only authorized personnel can access critical systems and data.
  5. Advanced Network Security: Implement advanced network security controls to protect against APTs and other sophisticated cyber-attacks. This includes using next-generation firewalls, intrusion prevention systems (IPS), and other advanced security technologies to detect and block malicious activities in the network.
  6. Advanced Malware Protection: Implement advanced malware protection measures to detect and respond to sophisticated malware, including ransomware, zero-day exploits, and other advanced threats. This includes using advanced antivirus software, sandboxing, and threat intelligence to identify and mitigate malware attacks.
  7. Security Incident Response Plan: Establish and maintain a comprehensive security incident response plan that outlines the roles, responsibilities, and processes for responding to cybersecurity incidents. This includes conducting regular drills and exercises to test the effectiveness of the incident response plan and ensure that personnel are prepared to respond to security incidents effectively.
  8. Supply Chain Risk Management: Implement supply chain risk management practices to identify, assess, and mitigate risks associated with third-party suppliers and contractors. This includes conducting thorough risk assessments, vetting suppliers’ cybersecurity practices, and establishing controls to manage supply chain risks effectively.
  9. Insider Threat Detection: Implement measures to detect and respond to insider threats, including privileged users who may misuse their access to sensitive information systems. This includes monitoring and analyzing user behavior, conducting background checks, and implementing access controls to prevent unauthorized access and data breaches by insiders.
  10. Cybersecurity Governance: Establish a formal cybersecurity governance structure to ensure cybersecurity is integrated into the organization’s overall management and decision-making processes. This includes defining roles and responsibilities, establishing cybersecurity policies and procedures, and conducting regular cybersecurity reviews to assess the effectiveness of the cybersecurity program.

Summary of Level 3:

These are the top 10 cybersecurity practices within Level 3 of CMMC 2.0; there are many more practices that organizations need to implement to achieve this high level of certification. Level 3 requires organizations to have a comprehensive and mature cybersecurity program to protect against advanced threats and respond to cybersecurity incidents effectively.
By implementing these practices, organizations can enhance their cybersecurity posture and demonstrate their ability to manage and mitigate sophisticated cyber threats effectively. That said, it is essential to note that to become CMMC-certified, organizations must meet the requirements of all previous levels. Certification can be costly, with estimates ranging from $75,000 for initial certification to an average of $50,000 for annual renewals and re-certifications. It can take an organization over a year to properly prepare for and implement Level 3 certification. Taking the necessary steps to become CMMC 2.0 certified may seem daunting. Still, the US government contends it will be worth the time and effort to protect your organization from cyber threats and build customer trust. Investing money and time into achieving Level 3 certification for your business demonstrates an industry-leading commitment to cybersecurity best practices.

If you missed our CMMC Level 1 post, you can access it here.
If you missed our CMMC Level 2 post, you can access it here.
If you are looking for training provided by the DoD on Controlled Unclassified Information (CUI), it is free of charge here.