Module 10: Level 3 Enhancements and Advanced Threat Protection

Step 1 – Where Level 3 Fits in the Current CMMC Landscape

Context: CMMC 2.0 and Level 3 (as of late 2025)

Before diving into advanced protections, you need a precise picture of where CMMC Level 3 sits today.

• CMMC 2.0 structure (DoD)
• Level 1 – Foundational: FAR 52.204-21 basic safeguarding (17 practices)
• Level 2 – Advanced: NIST SP 800-171 Rev. 2 (110 requirements) for most Controlled Unclassified Information (CUI)
• Level 3 – Expert: A selected subset of NIST SP 800-172 (Enhanced Security Requirements for Protecting CUI from Advanced Persistent Threats)

• Status as of December 2025
• CMMC 2.0 rulemaking for DFARS 252.204-7021 has substantially matured; DoD’s public materials consistently describe Level 3 as NIST 800-171 + prioritized 800-172 controls for the most critical programs.
• Level 3 is not for routine CUI. It is reserved for:
• High value programs (HVPs)
• Programs with enhanced CUI or CUI closely related to critical warfighting capabilities
• Environments where DoD expects targeting by Advanced Persistent Threats (APTs)

• Key distinction from Level 2
• Level 2 = “keep CUI reasonably safe from capable but not state‑level adversaries”
• Level 3 = “assume a state‑sponsored, persistent, well‑resourced adversary already has footholds and insider‑like visibility”

> Anchor idea for this module: Level 3 is not just ‘more controls’; it is a different threat model (APT) and a different design philosophy (resilience, deception, and active defense).

Step 2 – From 800-171 to 800-172: What Actually Changes?

Conceptual jump from Level 2 to Level 3

NIST SP 800-171 Rev. 2 (used at CMMC Level 2) assumes:

• Adversaries may be sophisticated, but
• You mainly need strong basic hygiene: access control, encryption, logging, incident response, etc.

NIST SP 800-172 (selectively applied at Level 3) assumes:

• The adversary will bypass or subvert many of your basic controls.
• You must:

1. Harden critical paths (e.g., admin access, build pipelines, CUI enclaves).
2. Detect subtle anomalies and lateral movement.
3. Contain and recover even when the attacker is entrenched.

In practice, this means enhancements in three big buckets:

1. Advanced Analytics & Monitoring

• Behavior‑based analytics, UEBA (User and Entity Behavior Analytics)
• Threat hunting playbooks and continuous hypothesis‑driven search
• Fusion of logs from endpoints, network, identity, and cloud

1. Stronger Isolation & Segmentation

• Highly segmented networks and CUI enclaves
• Privileged access workstations (PAWs) and just‑in‑time admin
• Protection of critical data flows (e.g., code repos, build systems, OT/ICS where relevant)

1. Enhanced Logging, Response, and Resilience

• High‑fidelity logging with integrity protection (e.g., write‑once or cryptographic signing)
• Formal threat‑hunting and red‑team programs
• Deception (honeypots/honeytokens) and rapid reconstitution of compromised assets

> Mental model: If Level 2 is like installing strong locks and alarms on your house, Level 3 is assuming a professional burglar team is already inside and designing the house so they cannot easily find, exfiltrate, or corrupt the valuables—and so you can spot, mislead, and eject them.

Step 3 – Subset of NIST 800-172 Used at Level 3 (Conceptual Map)

How Level 3 selects from 800-172

DoD has not simply adopted all 800‑172 requirements wholesale. Instead, Level 3 focuses on a subset that most directly addresses APT tactics. While the exact selection is contract‑ and program‑specific, the themes are consistent:

1. Enhanced Identity & Privilege Protections

• Risk‑adaptive access control (context‑aware decisions)
• Stronger admin isolation, PAWs, and tiered admin models
• Continuous verification of identity and device health (zero‑trust‑inspired)

1. Critical Data & Service Protection

• Stronger protection of keys, credentials, and security tooling (e.g., protecting the SIEM, EDR, and backup infrastructure)
• Hardening of code repositories, CI/CD pipelines, and critical OT/ICS if CUI is processed there
• Data‑centric protections: tagging, encryption, and strict policy enforcement on high‑value CUI subsets

1. Advanced Detection & Response

• Advanced monitoring (deep packet inspection where appropriate, EDR/XDR everywhere CUI lives)
• Anomaly detection using baselines and behavioral analytics
• Threat hunting and continuous improvement of detection logic

1. Cyber Resilience & Deception

• Architectures that assume compromise and still preserve mission
• Rapid reconstitution strategies for key services (e.g., re‑image, re‑key, re‑deploy)
• Deception mechanisms (honeynets, honeytokens, canary accounts)

> You should be able to look at any 800‑172 control and ask: “Does this help against an APT that already has a foothold?” If the answer is yes, it is a good candidate for Level 3.

Step 4 – Concrete Technical Enhancements: From Level 2 to Level 3

Side‑by‑side comparison

Below is a practical comparison of typical Level 2 vs. Level 3 implementations for selected domains. This is not exhaustive but illustrates the qualitative jump.

#### 1. Identity & Access Management

• Level 2 (800‑171)
• MFA for remote and privileged access
• Role‑based access control (RBAC) for CUI
• Periodic account review
• Level 3 (800‑172‑style)
• Risk‑adaptive access: login decisions factor device posture, geolocation, behavior history
• Just‑in‑time (JIT) admin: privileged roles granted temporarily via workflow approval
• Privileged Access Workstations (PAWs): hardened, isolated devices used only for admin tasks

#### 2. Network & Workload Isolation

• Level 2
• Basic VLAN segmentation between user, server, and DMZ networks
• Firewall rules restricting inbound/outbound traffic
• Level 3
• Micro‑segmentation: per‑application or per‑workload segmentation (e.g., via SDN or host‑based firewalls)
• Dedicated CUI enclaves with tightly controlled egress and deep inspection
• Separate management networks for infrastructure and security tools

#### 3. Logging & Monitoring

• Level 2
• Centralized log collection (SIEM or log management)
• Alerts for failed logins, malware detections, and critical changes
• Level 3
• EDR/XDR on all CUI endpoints and servers with behavior‑based detection
• Log integrity protection (e.g., write‑once storage, cryptographic signing, or immutable cloud storage tiers)
• Correlation of identity, endpoint, network, and cloud events to detect subtle lateral movement

#### 4. Incident Response & Threat Hunting

• Level 2
• Documented IR plan and playbooks
• Periodic tabletop exercises
• Level 3
• Dedicated threat hunting function with recurring hunts (e.g., monthly) based on current intel
• Regular purple‑team exercises (red + blue) to tune detections
• Pre‑approved rapid containment actions (e.g., auto‑isolate endpoint, auto‑disable account) for high‑confidence detections

> Notice how Level 3 repeatedly emphasizes: “What if the attacker is already inside and skilled?” This drives the design of each enhancement.

Step 5 – Thought Exercise: Is This Level 2 or Level 3?

Activity: Classify the control intention

For each scenario below, decide whether it sounds more like Level 2 (800‑171) or Level 3 (800‑172‑style), and justify your reasoning in one sentence.

1. Scenario A

The organization requires MFA for all remote access to systems containing CUI. Logs of successful and failed logins are stored centrally and reviewed weekly.

1. Scenario B

The organization maintains a baseline of normal admin account behavior (login times, accessed systems, commands used). A threat hunter reviews deviations from this baseline weekly and creates new detection rules in the SIEM.

1. Scenario C

Build servers for mission‑critical software are placed in a separate enclave. Only PAWs with hardware‑backed attestation can connect, and all build artifacts are cryptographically signed with keys stored in an HSM.

1. Scenario D

The organization runs quarterly phishing simulations and provides security awareness training to all staff handling CUI.

Your task:

• Write down for each scenario: `Level 2` or `Level 3`, and a one‑sentence explanation focusing on the threat model.
• Then check your reasoning against the sample solution below.

<details>

<summary>Sample reasoning (click to reveal)</summary>

• Scenario A – Level 2: Strong but standard access control and logging; assumes preventing and retrospectively reviewing compromise, not active hunting for APTs.
• Scenario B – Level 3: Behavior baselining and proactive hunting target subtle APT actions, not just obvious alerts.
• Scenario C – Level 3: High‑assurance enclave, PAWs, and HSM‑protected keys are classic 800‑172 themes for protecting critical build pipelines from APTs.
• Scenario D – Level 2: Security awareness and phishing tests are fundamental hygiene; they are necessary at Level 3 but not distinctive of 800‑172.

</details>

Step 6 – When Is Level 3 Likely Required?

Understanding the business and program context

Level 3 is not a marketing badge; it is an expensive posture aimed at a specific threat profile. You should understand when DoD is likely to demand it.

Typical indicators that a program may require Level 3:

1. High‑value program designation

• Program is labeled High Value Asset (HVA) or equivalent in DoD risk frameworks.
• CUI relates to weapons systems, advanced sensors, critical comms, or emerging tech with strategic advantage.

1. Enhanced CUI or mission‑critical data

• CUI that, if compromised, would materially degrade warfighter capability or give adversaries a long‑term strategic edge.
• CUI tightly coupled to operational plans, targeting data, or advanced R&D.

1. Adversary interest and intelligence community assessments

• Intelligence or threat reports indicating active targeting by state‑sponsored groups.
• Programs associated with critical supply chains (e.g., microelectronics, hypersonics, AI‑enabled systems).

1. DoD direction in the contract

• DFARS clauses and solicitation documents (RFP/RFQ) explicitly reference CMMC Level 3 and may specify additional program‑unique requirements beyond the generic Level 3 baseline.

> For your future role: You should be able to read a program description and threat intel summary and argue whether Level 2 is sufficient or Level 3‑style protections are warranted.

Step 7 – Designing Advanced Monitoring and Threat Hunting

Building a credible Level 3 monitoring stack

To credibly pursue Level 3, monitoring cannot be an afterthought. It must be architected.

Core design elements:

1. Data sources (telemetry)

• Endpoints: EDR/XDR agents capturing process creation, module loads, registry changes, script execution.
• Identity: Authentication logs, conditional access decisions, privilege elevation events.
• Network: NetFlow, DNS logs, proxy logs, and where feasible, full packet capture for high‑value segments.
• Cloud/SaaS: Audit logs for M365, AWS/Azure/GCP, code repos (Git), CI/CD, ticketing systems.

1. Analytics & detection

• Rule‑based detections: Known bad indicators (IOCs), suspicious sequences (e.g., PowerShell + credential dumping tool).
• Behavioral analytics: UEBA for rare or out‑of‑pattern actions (e.g., admin logging in from new country at odd hours).
• Threat intel integration: Automated ingestion of DoD and commercial threat feeds; mapping to your environment.

1. Threat hunting program

• Hypothesis‑driven: e.g., “If an APT is exfiltrating via DNS, what would we see?”
• Tooling: Query languages (KQL/SPL), hunt workbooks, graph views of identity and lateral movement paths.
• Feedback loop: Successful hunts become new detections; false positives refine rules.

1. Operationalization

• Runbooks for triage and escalation (who does what in the first 15, 60, 240 minutes?).
• 24×7 coverage: In‑house SOC or vetted MSSP with clear SLAs and playbooks tuned to Level 3 requirements.
• Metrics: Mean Time to Detect (MTTD), Mean Time to Contain (MTTC), coverage of high‑value assets.

> Rule of thumb: If your monitoring cannot reconstruct who did what, where, when, and how across your high‑value CUI environment, you are not yet at a realistic Level 3 posture.

Step 8 – Practical Analytics Example: Detecting Suspicious Lateral Movement

Example: Simple query logic for lateral movement

Below is a pseudo‑KQL (Kusto‑like) query you might run in a SIEM to hunt for suspicious lateral movement using remote management tools. This is illustrative, not vendor‑specific.

Step 9 – Check Understanding: Distinguishing Level 3 Capabilities

Answer the following question to test your understanding of Level 3 enhancements.

Step 10 – Key Term Review

Flip these cards to reinforce critical Level 3 concepts.