Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the
management of activities for practice implementation. The plan may include information on missions,
goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
As a good cyber hygiene level, Level 3 focuses on the protection of CUI and encompasses all of the
security requirements specified in NIST SP 800-171 as well as additional practices from other
standards and references to mitigate threats.
It is noted that DFARS clause 252.204-7012 ("Safeguarding of Covered Defense Information and Cyber
Incident Reporting") specifies additional requirements beyond the NIST SP 800-171 security
requirements such as incident reporting.
The CMMC model consists of 17 domains. The majority of these domains originate from the security-related
areas in Federal Information Processing Standards (FIPS) Publication 200 and the related security
requirement families from NIST SP 800-171. Level 3 consists of the following CMMC domains.
Click each domain to review the practices specified for level 3 accreditation.