This document provides assessment guidance for Level 3 of the Cybersecurity Maturity Model Certification (CMMC).
Level 3 of CMMC addresses the protection of Federal Contract Information (FCI) and encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation (FAR) Clause 52.204-21, which defines FCI as:
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. Assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs) and Certified Assessors.
DoD contracts that specify the need for a contractor to process, store, or transmit FCI require the company to comply with CMMC Level 1 practices. There is no CMMC process maturity assessed at Level 3.