Under the Cybersecurity Maturity Model Certification (CMMC), all DoD contractors are required to be evaluated on the maturity and reliability of their cybersecurity infrastructure, earning certifications ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced security). The five CMMC certification levels are tiered, so the requirements and processes for each level build upon those of the previous level. Future DoD contracts will indicate the certification level required to bid, and only companies certified to the level specified or higher will be allowed to submit a proposal for those contracts.

CMMC Level 4 focuses on the proactive activities an organization can take to protect against, detect, and respond to threats. Organizations certified at CMMC Level 4 should have a robust cybersecurity program and an understanding of the security processes and methods necessary to protect and defend controlled unclassified information (CUI) against Advanced Persistent Threats (APTs). Similar to CMMC Level 2, the Department of Defense (DoD) considers Level 4 a transitional step, as it expects most organizations at this level to continue on to a Level 5 certification. But even though CMMC Level 4 will appear less often in RFPs than CMMC Level 3, earning a certification at Level 4 can offer a significant competitive advantage when bidding on future DoD contracts.

In the fourth installment of our five-part series, Exploring the Five Certification Levels of the CMMC, we’ll take a closer look at the CMMC Level 4 certification, guidelines for complying with its process, and the 26 new practices required for certification.

CMMC Level 4 Certification

The main purpose of CMMC Level 4 is to enhance the detection and response capabilities of an organization in order to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs. An APT is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive information over an extended period of time. APTs are deliberate and carefully planned in order to infiltrate a specific organization, evading existing security measures. Common goals of an APT attack include:

  • Theft of intellectual property
  • Theft of classified data
  • Theft of Personally Identifiable Information (PII) or other sensitive data
  • Sabotage (e.g., database deletion)
  • Complete site takeover
  • Obtaining data on infrastructure for reconnaissance purposes
  • Obtaining credentials to critical systems
  • Access to sensitive or incriminating communications

At CMMC Level 4, organizations are expected to review and evaluate their practices for effectiveness against these types of threats, taking corrective action when necessary and regularly informing senior management and executives of any issues. Level 4 encompasses a subset of the security requirements from Draft NIST 800-171B, along with additional cybersecurity best practices, including ISO 27002, NIST 800-53, and CERT RMM v1.2. Continuing to build on the controls specified in the three previous levels, Level 4 includes a total of 156 hygiene practices. There are also 16 capabilities across 11 different domains at Level 4.

CMMC Level 4 Process Guidelines

CMMC Level 4 is considered an intermediate step for obtaining a Level 5 certification. At this level, organizations must demonstrate they can create and document a managed plan (a Level 3 requirement), and, more importantly, use that plan to defend against ongoing, dynamic cyberattacks. The proper processes must also be implemented to adequately review and measure the efficacy of the practices deployed. We take a more in-depth look at the required Level 4 process below.


Process 1: Review and Measure [DOMAIN NAME] activities for effectiveness.

The Level 4 process is designed to directly review and measure the various domain activities against the resource plan created at Level 3. An organization certified at Level 4 should be able to define their measurement criteria, periodically measure their domain activities, evaluate these results, and take corrective action where needed to detect and defeat threats. Establishing the appropriate metrics and measuring effectiveness ensures activities can be maintained and corrective action can be taken, if necessary.

A few examples of domain activities that should be periodically reviewed and evaluated for effectiveness include:

  • The measurement of actual performance against the plan for performing the process
  • A review of the activities’ accomplishments and results of the process against the plan for performing the process
  • A review of the activities, status, and results of the process with the immediate level of managers responsible for the process
  • Identification and evaluation of the effects of significant deviations from the plan for performing the process

Since Level 4 is intended to work in coordination with leadership, senior management and executives should be provided regular status updates and visibility into the various domain activities. This allows them to provide guidance for corrective actions, resolve issues requiring remediation, and ensure the policies implemented are being properly enforced. The risks associated with the domain activities, recommendations for improvement, the status of these improvements, and the schedules for achieving these milestones should also be communicated to senior management and executives.

CMMC Level 4 Practices

Access Control (AC)

Control internal system access

  • AC.4.023: Control information flows between security domains on connected systems
  • AC.4.025: Periodically review and update CUI program access permissions

Control remote system access

  • AC.4.032: Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role

Asset Management (AM)

Manage asset inventory

  • Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory

Audit and Accountability (AU)

Review and manage audit logs

  • AU.4.053: Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity
  • AU.4.054: Review audit information for broad activity in addition to per-machine activity

Awareness and Training (AT)

Conduct security awareness activities

  • AT.4.059: Provide awareness training focused on recognizing and responding to threats from social engineering, APT actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat
  • AT.4.060: Include practical exercises in awareness and training that are aligned with current threat scenarios and provide feedback to individuals involved in the training

Configuration Management (CM)

Perform configuration and change management

  • Employ application whitelisting and an application vetting process for systems identified by the organization

Incident Response (IR)

Plan incident response

  • IR.4.100: Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution

Develop and implement a response to a declared incident

  • IR.4.101: Establish and maintain a security operations center capability that facilitates a 24/7 response capability

Risk Management (RM)

Identify and evaluate risk

  • RM.4.149: Catalog and periodically update threat profiles and adversary TTPs
  • RM.4.150: Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities
  • RM.4.151: Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries

Manage supply chain risk

  • RM.4.148: Develop and update, as required, a plan for managing supply chain risks associated with the IT supply chain

Security Assessment (CA)

Develop and manage a system security plan

  • CA.4.163: Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvements

Define and manage controls

  • CA.4.164: Conduct penetration testing periodically, leveraging automation scanning tools and ad hoc tests using human experts
  • CA.4.227: Periodically perform red teaming against organizational assets in order to validate defensive capabilities

Situational Awareness (SA)

Implement threat monitoring

  • SA.4.171: Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, attack, and disrupt threats that evade existing controls
  • SA.4.173: Design network and system security capabilities to leverage, integrate, and share indicators of compromise

System and Communications Protections (SC)

Define security requirements for systems and communications

  • SC.4.197: Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization
  • SC.4.228: Isolate administration of organizationally defined high-value critical network infrastructure components and servers

Control communications at system boundaries

  • SC.4.199: Utilize threat intelligence to proactively block DNS requests from reaching malicious domains
  • SC.4.202: Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing internet network boundaries or other organizationally defined boundaries
  • SC.4.229: Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization

System and Information Integrity (SI)

Identify and manage information system flaws

  • Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting


Designed to increase the protection of CUI, CMMC Level 4 goes one step further by requiring that security processes that reduce the risk of APT attacks be in place. While Level 4 is considered a preliminary step for a Level 5 certification and won’t be a common requirement in DoD RFPs, companies compliant with Level 4 will have an advantage when bidding on contracts requiring a Level 3 certification. Whether you’re preparing for Level 5 or want an advantage on future contracts, ensuring the proper controls are in place now will help you obtain a CMMC Level 4 certification with ease.
