Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the
management of activities for practice implementation. The plan may include information on missions,
goals, project plans, resourcing, required training, and involvement of relevant stakeholders.
As a good cyber hygiene level, Level 3 was designed for the protection of CUI in government contracts.
It encompasses all of the security requirements specified in NIST SP 800-171 as well as additional
practices from other standards and references to mitigate threats.
Government contractors that are required to comply with practices up to Level 3 should also be aware
of the incident reporting requirements listed in DFARS clause 252.204-7012 ("Safeguarding of Covered
Defense Information and Cyber Incident Reporting").