Under the Cybersecurity Maturity Model Certification (CMMC), all DoD contractors are required to be evaluated on the maturity and reliability of their cybersecurity infrastructure, earning certifications ranging from Level 1 (basic cyber hygiene) to Level 5 (advanced security). The five CMMC certification levels are tiered, so the requirements and processes for each level builds upon the previous. Future DoD contracts will indicate the certification level required to bid, and only companies certified to the level specified or higher will be allowed to submit a proposal for those contracts.

While similar to Level 4 in its focus on protecting controlled unclassified information (CUI) from advanced persistent threats (APTs), CMMC Level 5 requires that organizations have a mechanism in place to ensure their practices are standardized across the organization and then continuously optimized for improvement. Organizations certified at CMMC Level 5 should have an advanced, or proactive, cybersecurity program and uniform processes to achieve consistency for all domain practices. The CMMC Level 5 certification might be the hardest of the levels to achieve due to its advanced requirements but obtaining this certification will give organizations the opportunity to bid on all future DoD contacts.

In the final installment of our five-part series, Exploring the Five Certification Levels of the CMMC, we’ll take a closer look at the CMMC Level 5 certification, guidelines for complying with its process, and the 15 final practices required for certification.

Need a quick refresher on the requirements of the CMMC Level 4 certification?

Check out this blog for a closer look.

CMMC Level 4


CMMC Level 5 Certification

CMMC Level 5 requires that certified organizations have standardized documentation for the various domain practices, their implementation, and any related incidents. All practices, whether from Level 1 or Level 5, will be required to follow (at a minimum) a standard approach, providing consistency across the organization and the flexibility to tailor individual practices to meet unique business needs. CMMC Level 5 also requires the ongoing management and optimization of these processes in order to improve implementation, respond to opportunity and change, and protect against continually evolving cyber threats.

Since organizations certified at Level 5 have the most advanced cybersecurity programs, the security controls required are more extensive. Organizations should be able to demonstrate sophisticated cybersecurity capabilities to repel APTs and ensure the proper defenses are in place to protect CUI.

With a total of 171 required practices (and 12 capabilities), CMMC Level 5 encompasses all the requirements from the previous four levels and ensures organizations can meet even the most robust practices for protecting CUI. This level includes 15 more practices beyond the first four levels from Draft NIST SP 800-171 among others. These practices are spread across 8 different domains at Level 5. A few of these practices include:

  • Establishing a cyber incident response team that is available 24/7
  • Conducting unannounced incident response exercises to test the capabilities of the incident response team
  • Performing annual assessments using the latest threat intelligence to ensure the effectiveness of protection capabilities
  • Identifying improper log management

CMMC Level 5 Process Guidelines

CMMC Level 5 builds upon the foundational security controls found in the four previous levels. Not only do organizations have to demonstrate that Level 5 practices are being performed (Level 1), documented (Level 2), managed (Level 3), and reviewed (Level 4), but they must now also ensure each practice is being standardized and optimized across the organization.

Let’s take a closer look at the CMMC Level 5 process:

Process 1: Standardize and optimize a documented approach for [DOMAIN NAME] across all applicable organizational units.

The Level 5 process is focused on ensuring consistency in all activities across an enterprise to prevent ad hoc or conflicting practices. Organizations certified at Level 5 should have a mechanism that maintains and certifies that implementation of practices are standardized and continually optimized for improvement. These standard processes define the specific operational resilience management capability, along with the enterprise-level guidelines for tailoring these processes to meet the needs of the business.

Since organizations with a Level 5 certification must have an advanced cybersecurity program, each of the 17 domains of the CMMC model should have a standardized approach. This provides consistency because all business units are meeting a minimum standard established by the highest level of the organization. Organizations then have the flexibility to tailor their standard approach for each practice to meet their unique business operations, so long as the minimum standards defined are being achieved.

A standard practice can include:

  • Practice description
  • Practice activities to be performed
  • Process flow, including diagrams
  • Performance measures for improvement
  • Inputs and expected outputs
  • Procedures for process improvement

Since each process can be customized, the successes and lessons learned from planning and performing should be documented to continually optimize each domain. Improvements should be submitted to the organization's process asset library, which should also contain the procedures for each domain activity. This asset library should remain available to those in the organization who are planning and performing the same domain practices. This sets the stage for continual improvement for activities across the enterprise.

The 15 CMMC Level 5 Practices

Domain: Access Control

AC.5.024  Identify and mitigate risk associated with unidentified wireless access points connected to the network.

This practice is focused on regulating who and what is able to gain access to an organization's systems. Organizations will need to detect the unidentified and unauthorized wireless access points to their network and address any potential vulnerabilities. This practice can be implemented through the use of a Wireless Intrusion Detection System (WIDS), turning off unused RJ45 jacks, or by creating access controls limiting the connections of authorized devices.


Domain: Audit and Accountability

AU.5.055  Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.

Audit logs are essential to cybersecurity awareness and incident response, so organizations will need ensure that all the appropriate systems are generating the required logs. Cyber criminals will attempt to disrupt logging at the start of an attack, which is necessary to maintain a secure cyber posture. Identifying assets that are reporting logs and comparing them against the inventory of assets expected to provide audit logs allows for discrepancies to be detected and the remediation process to begin.


Domain: Configuration Management

CM.5.074  Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).

Modified from NIST SP 800-171, this practice requires that organizations verify the integrity and correctness of the software they consider to be essential or critical as these can be used as a primary attack vector for infiltrating an organization's systems. Root-of-trust mechanisms (e.g., secure boot) guarantee that only trusted code is executed during boot processes. Formal verification certifies that a software program has satisfied a set of properties, but this is often time consuming and not used by most commercial operating systems. To ensure the authenticity of software that stores, processes, transmits, and protects CUI, cryptographic signatures can be used.


Domain: Incident Response

IR.5.106  In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.

Organizations will need to have the ability to gather attack forensics when responding to security incidents. Since many attackers may hide their tactics for gaining access or erase logs to avoid detection, an organization's security operations center (SOC) should be able to collect forensic evidence to develop situational awareness across the infrastructure. Individual system security tools (i.e., anti-virus, endpoint detection and response) can help a SOC create logs for beginning an investigation.

IR.5.102 – Use a combination of manual and automated, real-time response to anomalous activities that match incident patterns.

Organizations should use a combination of authentication and encryption methods to protect access to wireless networks. Special attention should be placed on devices that are part of the Internet of Things (IoT). Open authentication should not be used since it can authenticate any user, which can be easily spoofed by a cyber attacker.

IR.5.108 – Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.

Drafted from NIST 800-171, organizations certified at Level 5 will need to have a team of individuals that are able to respond to a cyber incident within a 24-hour timeframe. Response teams should have access to the organization's networks and be able to perform the investigation virtually until local personnel can assist. Teams should also be able to coordinate with IT, system administrators, and physical security when responding to and investigating an incident.

IR.5.110 – Perform unannounced operational exercises to demonstrate technical and procedural responses.

Companies should be able to plan and initiate an unannounced incident response exercise in order to ensure response teams are qualified to handle an actual event. By performing this practice, organizations can identify procedural gaps and technical shortcomings in the current processes and help prioritize changes for future modifications.


Domain: Recovery

RE.5.140  Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.

This process requires that organizations take the necessary actions to ensure information security components operate effectively in order to achieve business success and protect CUI. Cybersecurity operations and solutions will need to operate without fail, even under an attack. Redundancies can add an extra layer of security (e.g., if a firewall fails, another firewall can take its place), along with proper planning and implementation.


Domain: Risk Management

RM.5.152  Utilize an exception process for non-whitelisted software that includes mitigation techniques.

Whitelisted technologies allow an organization to isolate their environment to only permit approved software from running on endpoint and server systems. This practice defines a risk reduction process for the software that is an exception to this whitelist. Trusted software can be whitelisted based on risk and need, but the organization will need to create a process for inspecting the software. If the risk of using the software is high, the organization can use mitigation strategies (e.g., running software on standalone systems or virtual machines) when installing or using the software.

RM.5.155  Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.

Regular assessments should be performed to ensure the effectiveness of an organization's cybersecurity capabilities to protect CUI against APTs, as specified in NIST 800-171. These assessments will help identify shortcomings of security controls and changes in the design, architecture, and configurations of the solutions used to protect against potential threats and attacks.


Domain: Systems and Communications Protection

SC.5.198  Configure monitoring systems to record packets passing through the organization's internet network boundaries and other organizationally defined boundaries.

Organizations will need to be able to configure a monitoring system that captures and saves all packets passing through the network boundary for a time period determined by the organization. The monitoring system should provide a detailed analysis listing which packets were received and transferred and be able to determine the content that was transmitted within a specific timeframe.

SC.5.230  Enforce port and protocol compliance.

Cyber criminals can capture sensitive data by running their own protocols over prominent ports. This practice ensures that organizations have established proper port policies to block unknown traffic or traffic that has not been approved by the organization's security policy.

SC.5.208  Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.

Organizations will need to tailor the configuration and function of their boundary protection systems in order to protect against and detect cyberattacks that would go undiscovered by commercial security solutions. This can include internally developed security solutions to custom configurations and signatures.


Domain: Systems and Information Integrity

SI.5.222 – Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.

Organizations will need to use endpoint detection and response (EDR) to record the system activities and events that occur. These EDR records can detect a current exploit by identifying scripts that are operating outside of normal parameters. User and Entity Behavior Analytics solutions can also be used to identify malicious activity.


SI.5.223 – Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.


Drafted from NIST 800-171, this practice requires that organizations monitor internal systems and individuals for suspicious behavior on a regular basis. This can be achieved with signatures, statistical analysis, or analytics or machine learning.


Although it's the last and most difficult level to achieve, CMMC Level 5 is the ultimate goal for select defense contractors looking to bid on future DoD contracts that require such certification. Not only must all 171 practices be implemented, but they must also meet a minimum standard for implementation and continually monitored and enhanced for improvement. Although compliance at CMMC Level 5 will be a difficult process, the competitive advantage this certification provides will be worth all the effort.

Want more CMMC updates in your inbox?

Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.