MSU SBDC CyberSecurity

Level 3 Header

Overview

level 3 graphic image Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

As a good cyber hygiene level, Level 3 was designed for the protection of CUI in government contracts. It encompasses all of the security requirements specified in NIST SP 800-171 as well as additional practices from other standards and references to mitigate threats.

Government contractors that are required to comply with practices up to Level 3 should also be aware of the incident reporting requirements listed in DFARS clause 252.204-7012 ("Safeguarding of Covered Defense Information and Cyber Incident Reporting").