Under the Cybersecurity Maturity Model Certification (CMMC), all DoD contractors are required to be evaluated on the maturity and reliability of their cybersecurity infrastructure, earning certifications ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced security). The five CMMC certification levels are tiered, so the requirements and processes for each level build upon those of the previous one. Future DoD contracts will indicate the certification level required to bid, and only companies certified to the level specified or higher will be allowed to submit a proposal for those contracts.
CMMC Level 4 focuses on the proactive activities an organization can take to protect against, detect, and respond to threats. Organizations certified at CMMC Level 4 should have a robust cybersecurity program, along with an understanding of the security processes and methods necessary to protect and defend controlled unclassified information (CUI) against Advanced Persistent Threats (APTs). Similar to CMMC Level 2, the Department of Defense (DoD) considers Level 4 a transitional step, as it expects most organizations at this level to continue on to a Level 5 certification. Even though CMMC Level 4 will appear less often in RFPs than CMMC Level 3, earning a certification at Level 4 can offer a significant competitive advantage when bidding on future DoD contracts.
In the fourth installment of our five-part series, Exploring the Five Certification Levels of the CMMC, we’ll take a closer look at the CMMC Level 4 certification, guidelines for complying with its process, and the 26 new practices required for certification.
Need a quick refresher on the requirements of CMMC Level 3? Check out this blog for a closer look.
The main purpose of CMMC Level 4 is to enhance the detection and response capabilities of an organization in order to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs. An APT is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive information over an extended period of time. APTs are deliberate and carefully planned in order to infiltrate a specific organization, evading existing security measures. Common goals of an APT attack include:
At CMMC Level 4, organizations are expected to review and evaluate their practices for effectiveness against these types of threats, taking corrective action when necessary and regularly informing senior management and executives of any issues. Level 4 encompasses a subset of the security requirements from Draft NIST 800-171B, along with additional cybersecurity best practices, including ISO 27002, NIST 800-53, and CERT RMM v1.2. Continuing to build on the controls specified in the three previous levels, Level 4 includes a total of 156 hygiene practices. There are also 16 capabilities across 11 different domains at Level 4.
CMMC Level 4 is considered an intermediate step for obtaining a Level 5 certification. At this level, organizations must demonstrate they can create and document a managed plan (a Level 3 requirement), and, more importantly, use that plan to defend against ongoing, dynamic cyberattacks. The proper processes must also be implemented to adequately review and measure the efficacy of the practices deployed. We take a more in-depth look at the required Level 4 process below.
The Level 4 process is designed to directly review and measure the various domain activities against the resource plan created at Level 3. An organization certified at Level 4 should be able to define their measurement criteria, periodically measure their domain activities, evaluate these results, and take corrective action where needed to detect and defeat threats. Establishing the appropriate metrics and measuring effectiveness ensures activities can be maintained and corrective action can be taken, if necessary.
A few examples of domain activities that should be periodically reviewed and evaluated for effectiveness include:
Since Level 4 is intended to work in coordination with leadership, senior management and executives should be provided regular status updates and visibility into the various domain activities. This allows them to provide guidance for corrective actions, resolve issues requiring remediation, and ensure the policies implemented are being properly enforced. The risks associated with the domain activities, recommendations for improvement, the status of these improvements, and the schedules for achieving these milestones should also be communicated to senior management and executives.
| Domain | Capability | Practice | Practice Description |
|---|---|---|---|
| Access Control (AC) | Control internal system access | AC.4.023 | Control information flows between security domains on connected systems |
| | | AC.4.025 | Periodically review and update CUI program access permissions |
| | Control remote system access | AC.4.032 | Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role |
| Asset Management (AM) | Manage asset inventory | AM.4.226 | Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory |
| Audit and Accountability (AU) | Review and manage audit logs | AU.4.053 | Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity |
| | | AU.4.054 | Review audit information for broad activity in addition to per-machine activity |
| Awareness and Training (AT) | Conduct security awareness activities | AT.4.059 | Provide awareness training focused on recognizing and responding to threats from social engineering, APT actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat |
| | | AT.4.060 | Include practical exercises in awareness and training that are aligned with current threat scenarios and provide feedback to individuals involved in the training |
| Configuration Management (CM) | Perform configuration and change management | CM.4.073 | Employ application whitelisting and an application vetting process for systems identified by the organization |
| Incident Response (IR) | Plan incident response | IR.4.100 | Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution |
| | Develop and implement a response to a declared incident | IR.4.101 | Establish and maintain a security operations center capability that facilitates a 24/7 response capability |
| Risk Management (RM) | Identify and evaluate risk | RM.4.149 | Catalog and periodically update threat profiles and adversary TTPs |
| | | RM.4.150 | Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities |
| | | RM.4.151 | Perform scans for unauthorized ports available across perimeter network boundaries over the organization's Internet network boundaries and other organizationally defined boundaries |
| | Manage supply chain risk | RM.4.148 | Develop and update, as required, a plan for managing supply chain risks associated with the IT supply chain |
| Security Assessment (CA) | Develop and manage a system security plan | CA.4.163 | Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvements |
| | Define and manage controls | CA.4.164 | Conduct penetration testing periodically, leveraging automation scanning tools and ad hoc tests using human experts |
| | | CA.4.227 | Periodically perform red teaming against organizational assets in order to validate defensive capabilities |
| Situational Awareness (SA) | Implement threat monitoring | SA.4.171 | Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, attack, and disrupt threats that evade existing controls |
| | | SA.4.173 | Design network and system security capabilities to leverage, integrate, and share indicators of compromise |
| System and Communications Protections (SC) | Define security requirements for systems and communications | SC.4.197 | Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization |
| | | SC.4.228 | Isolate administration of organizationally defined high-value critical network infrastructure components and servers |
| | Control communications at system boundaries | SC.4.199 | Utilize threat intelligence to proactively block DNS requests from reaching malicious domains |
| | | SC.4.202 | Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing internet network boundaries or other organizationally defined boundaries |
| | | SC.4.229 | Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization |
| System and Information Integrity (SI) | Identify and manage information system flaws | SI.4.221 | Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting |
Designed to increase the protection of CUI, CMMC Level 4 goes one step further by requiring that security processes which reduce the risk of APT attacks be in place. While Level 4 is considered a preliminary step toward a Level 5 certification and won't be a common requirement in DoD RFPs, companies compliant with Level 4 will have an advantage when bidding on contracts requiring a Level 3 certification. Whether you're preparing for CMMC Level 5 or want an advantage on future contracts, ensuring the proper controls are in place now will help you obtain a CMMC Level 4 certification with ease.