Welcome to the fourth installment of our series on the Cybersecurity Maturity Model Certification (CMMC), a framework required for companies contracting with the US Department of Defense (DoD). In this guide, we’ll break down everything you need to know about CMMC Level 4. For information about the other CMMC levels, see our guides to levels 1, 2, 3, and 5.
Overview of CMMC Level 4 Requirements
The key to complying with CMMC requirements at all levels is understanding exactly what is required. To that end, this blog (and the whole series) is built around descriptions of all practices for each given level, sourced directly from CMMC Volume 1.02 from March 2020.
Like all articles in the series, we’ll begin with an overview (or recap) of the CMMC Framework, including baseline definitions and concepts that apply across all levels. Then, like the past few installments, the structure below breaks down as follows:
- Synopsis of CMMC Level 4
- Guide to Level 4 compliance
Let’s get started!
Overall CMMC Framework at a Glance
The CMMC is a robust system of interlocking cybersecurity controls, spread across various categories, that track the ongoing growth of an organization’s cybersecurity. In particular, the main structural elements of the framework are:
- Maturity levels – 5 in total, indexing advancement of cyberdefense by way of:
  - The institutionalization of processes (“performed” to “optimizing”)
  - The implementation of practices (171 total), distributed across…
- Cybersecurity Domains – 17 in total, indicating general areas of concern, as well as:
  - Capabilities (43 total), or approaches that inform practices
This scheme is intended to increase a company’s overall cyberdefense posture. But it is also intended to safeguard two particular categories of information. Namely:
- Federal Contract Information (FCI) – Data related to federal contracts and contractors that are critical to the safety and privacy of employees and other stakeholders.
- Controlled Unclassified Information (CUI) – Information that does not have formal classified status, but that is nonetheless protected by laws and other statutes.
These forms of information are relatively unique to a certain sector, the Defense Industrial Base sector (DIB), which comprises the vast network of DoD contractors that make up its supply chain. Given the importance of this information to the DoD, and how critical the DoD is to the security of all Americans, the stakes of safeguarding FCI and CUI are incredibly high.
That’s why the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) worked together with University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs) to develop the CMMC.
Importantly, the CMMC also incorporates controls from a variety of other sources, and Level 4 involves the addition of new sources not present at earlier levels. Let’s take a quick look.
Breakdown of Control Sources at Level 4
As we’ve touched on in earlier installments, the CMMC framework is not a completely new set of controls with no precedents. Instead, much of its substance is a patchwork of various other cybersecurity frameworks; the CMMC collects and integrates them into one cohesive whole.
In particular, the other frameworks include, but are not limited to:
- Federal Acquisition Regulation (FAR) Clause 52.203-21, which designates FCI as a protected class of data and informs the various requirements for its protection.
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which designates CUI as protected and specifies requirements for its protection.
- The National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171), which realizes the requirements for CUI set forth in DFARS.
- NIST’s Federal Information Processing Standards Publication 200 (FIPS 200), which provides the basic structure on which the 17 cybersecurity domains are loosely based.
The primary focus of the first three levels is protecting FCI and CUI, which culminates at Level 3 with the implementation of all of NIST SP 800-171. But at Level 4, a key new source text is introduced: Draft NIST SP 800-171B, recently superseded by NIST SP 800-172.
This new draft builds on CUI protections detailed in SP 800-171, modernizing those controls in response to the increasing prevalence of Advanced Persistent Threats (APT). The focus at Level 4 shifts to prioritize APT, which necessitates advanced controls from this novel source.
Synopsis of CMMC Level 4 Controls
Level 4 of the CMMC adds just 26 new practices, for a total of 156 — this is a drastic change from the previous 2 levels, each of which added over 50 new controls. However, the lower number of new practices is offset by their relative depth and breadth, as well as the cumulative challenge of balancing all 156. Of the 26 new Level 4 practices, 11 come from SP 800-172.
Another major challenge in Level 4 is the advancement in the institutionalization of processes. Whereas Level 3 brought the challenge of management to its 130 practices, Level 4 adds another layer, “reviewed,” to its 156. This involves the systematic assessment of implementation and management, as well as regular and prompt corrective actions taken when issues arise.
This dimension of review is meant to counteract APTs. By definition, these adversaries “possess sophisticated levels of expertise” and leverage “multiple attack vectors.” So, enhanced visibility and transparency, in real-time, is needed to combat them. That’s what Level 4 accomplishes.
Let’s take a look at the practices, broken down by domain.
Level 4 Access Control Practices
There are 3 new AC controls introduced at Level 4:
- AC.4.023 – Control the flow of information between different domains of security, even within the same individual systems or connected systems in-network.
- AC.4.025 – Review and update permissions for CUI access regularly and periodically.
- AC.4.032 – Restrict capabilities for remote access to networks and systems according to risk factors defined by the organization, including but not limited to:
  - Properties of the user requesting access
  - Day, date, and time of day during access
  - Physical location and/or location of access
  - State of network and/or connectivity during access
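The following is an added example, not code from the CMMC document or from RSI Security, of what a risk-based remote-access decision in the spirit of AC.4.032 can look like: each of the four factors above contributes to a score, and the score selects between full access, restricted access (for instance, no CUI), and denial. The factor weights, business hours, allowed countries and thresholds are assumed organization-defined values, chosen here only for illustration.

```python
"""Added example (not from the CMMC text or RSI Security): a risk-based
remote-access decision reflecting the AC.4.032 factors. Weights, hours,
countries and thresholds are assumed organization-defined values."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class RemoteAccessRequest:
    user: str
    role: str               # property of the requesting user
    mfa: bool               # property of the requesting user
    when: datetime          # day, date and time of access
    country: str            # physical location of access
    network_trusted: bool   # state of the network: managed VPN vs. unknown


# Assumed organization-defined parameters.
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local time
ALLOWED_COUNTRIES = {"US"}
PRIVILEGED_ROLES = {"admin"}
MAX_RISK = 3                       # above this the request is denied
RESTRICTED_ABOVE = 1               # above this, access is allowed but limited


def risk_score(req):
    """Sum the risk contributions of each factor and record why."""
    score = 0
    reasons = []
    if not req.mfa:
        score += 2
        reasons.append("no MFA")
    if req.when.hour not in BUSINESS_HOURS or req.when.weekday() >= 5:
        score += 1
        reasons.append("outside business hours")
    if req.country not in ALLOWED_COUNTRIES:
        score += 2
        reasons.append(f"location {req.country} not allowed")
    if not req.network_trusted:
        score += 1
        reasons.append("untrusted network")
    if req.role in PRIVILEGED_ROLES:
        score += 1
        reasons.append("privileged role carries extra risk")
    return score, reasons


def decide(req):
    """Return (verdict, score, reasons); verdicts are allow,
    allow-restricted (e.g. no CUI, read-only) or deny."""
    score, reasons = risk_score(req)
    if score > MAX_RISK:
        return ("deny", score, reasons)
    if score > RESTRICTED_ABOVE:
        return ("allow-restricted", score, reasons)
    return ("allow", score, reasons)


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        RemoteAccessRequest("alice", "user", True, datetime(2024, 3, 5, 10, 0), "US", True),
        RemoteAccessRequest("bob", "admin", False, datetime(2024, 3, 9, 23, 0), "XX", False),
        RemoteAccessRequest("carol", "user", True, datetime(2024, 3, 6, 21, 0), "US", False),
    ]
    for s in samples:
        verdict, score, why = decide(s)
        print(f"{s.user}: {verdict} (score {score}) {', '.join(why) or 'no risk factors'}")
```

The verdicts, not the score itself, are what an access gateway would enforce; keeping the reasons list alongside them gives the audit trail that the review processes at this level expect.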
Level 4 Asset Management Practice
There is just 1 new AM control introduced at Level 4:
- AM.4.226 – Employ some capability for discovery and identification of systems by component attribute within an inventory (such as “type of OS,” “firmware level,” etc.).
Level 4 Audit and Accountability Practices
There are 2 new AU controls introduced at Level 4:
- AU.4.053 – Automate the analysis of audit logs; facilitate immediate identification of and response to critical indicators and any suspicious activity, as defined by the organization.
- AU.4.054 – Review audit information for both broad trends and activity per-machine, per-user, per-asset, etc. Analyze activities at both levels in relation to each other.
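As an added example (not code from the CMMC document or from RSI Security) of the two AU practices working together, the script below parses a handful of constructed authentication log lines, flags per-user indicators (one account failing repeatedly) and per-source indicators (one address failing against many accounts), and reports the broad trend alongside them. The log format, the thresholds and the indicator names are assumptions; the point is that the per-source view catches a pattern the per-user view alone would miss, which is the "in relation to each other" requirement of AU.4.054.

```python
"""Added example (not from the CMMC text or RSI Security): automated
audit-log analysis in the spirit of AU.4.053 and AU.4.054. The log
lines, format and thresholds are constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit records: timestamp, event, user, source address.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:12Z LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:15Z LOGIN_OK   user=alice src=10.0.0.5
2024-03-01T09:01:00Z LOGIN_FAIL user=bob   src=198.51.100.7
2024-03-01T09:01:02Z LOGIN_FAIL user=carol src=198.51.100.7
2024-03-01T09:01:03Z LOGIN_FAIL user=dave  src=198.51.100.7
2024-03-01T09:01:05Z LOGIN_FAIL user=erin  src=198.51.100.7
2024-03-01T09:01:06Z LOGIN_FAIL user=frank src=198.51.100.7
2024-03-01T09:01:08Z LOGIN_FAIL user=grace src=198.51.100.7
2024-03-01T10:30:00Z LOGIN_OK   user=bob   src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Organization-defined critical indicators (assumed values).
PER_USER_FAIL_THRESHOLD = 5      # one account failing this often
PER_SOURCE_USER_THRESHOLD = 5    # one source failing against this many accounts


def parse_log(text):
    """Parse lines matching the assumed format; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events


def per_user_failures(events):
    """Per-user view: failed logins counted by account."""
    return Counter(e["user"] for e in events if e["event"] == "LOGIN_FAIL")


def per_source_targets(events):
    """Per-source view: the set of accounts each address failed against."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            targets[e["src"]].add(e["user"])
    return targets


def analyze(text):
    """Combine the views: each finding is a dict an analyst or SOAR
    pipeline could act on; total_failures is the broad trend figure."""
    events = parse_log(text)
    user_fail = per_user_failures(events)
    src_targets = per_source_targets(events)
    findings = []
    for user, n in user_fail.items():
        if n >= PER_USER_FAIL_THRESHOLD:
            findings.append({"indicator": "repeated_failures", "user": user, "count": n})
    for src, users in src_targets.items():
        if len(users) >= PER_SOURCE_USER_THRESHOLD:
            findings.append({"indicator": "many_accounts_one_source",
                             "src": src, "count": len(users)})
    return {"total_failures": sum(user_fail.values()), "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"failed logins in window: {result['total_failures']}")
    for f in result["findings"]:
        print(f)
```

Note that bob, carol, dave, erin, frank and grace each fail only once, so no per-user rule fires for them; only the per-source aggregation surfaces that one address is working through the user list.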
Level 4 Awareness and Training Practices
There are 2 new AT controls introduced at Level 4:
- AT.4.059 – Provide awareness training that focuses on recognizing and responding to specific targeted and advanced persistent threats (APT); and update training when new information becomes available on threats, including but not limited to:
  - Social engineering (phishing, etc.)
  - APT actors, internal and/or external
  - Data breaches and suspicious behaviors
- AT.4.060 – Optimize security awareness training with practical exercises and modules related to actual threats currently or recently faced by the organization.
Level 4 Configuration Management Practices
There is just 1 new CM control introduced at Level 4:
- CM.4.073 – Employ application vetting, along with “whitelisting” (permit by exception), for any and all applications used by the organization, by anyone, and for any reason.
Level 4 Incident Response Practices
There are 2 new IR controls introduced at Level 4:
- IR.4.100 – Ensure robust and up-to-date information on relevant cyber attacks shapes the entire process of planning and implementing incident response management.
- IR.4.101 – Establish and maintain a permanent and centralized security operations center that facilitates 24/7 incident management, including reporting and response.
Level 4 Risk Management Practices
There are 4 new RM controls introduced at Level 4:
- RM.4.148 – Develop a plan for managing risks associated with supply chain(s), independent of broader risk management; update the plan regularly and as necessary.
- RM.4.149 – Catalog and update threat profiles as necessary, especially related to new, incoming information about evolving attacker practices or procedures.
- RM.4.150 – Use all available threat intelligence to inform:
  - Development of security architectures for risk management
  - Selection of appropriate security measures in response to risk
  - Implementation of monitoring, threat hunting, response, and recovery
- RM.4.151 – Scan regularly for unauthorized ports across all organizationally defined boundaries, including but not limited to physical (perimeter) and digital (internet).
Level 4 Security Assessment Practices
There are 3 new CA controls introduced at Level 4:
- CA.4.163 – Develop and leverage security strategies and a “roadmap” for organizational cybersecurity improvement across all systems, especially those identified as weak(er).
- CA.4.164 – Conduct regular penetration testing, utilizing both automated scanning tools and ad hoc “ethical hacking” via internal or external human experts.
- CA.4.227 – Perform periodic “red team” testing against organizational assets, leveraging both internal and external resources to verify defenses and uncover weaknesses.
Level 4 Situational Awareness Practices
There are 2 new SA controls introduced at Level 4:
- SA.4.171 – Develop one or more cyber threat “hunting” capabilities, including methods for seeking out compromise indicators, as well as detecting and disrupting APT that evade existing threat, risk, and vulnerability scanning controls.
- SA.4.173 – Design capabilities to identify, act upon, and report on compromise indicators, both to responsible internal resources and external stakeholders.
Level 4 System and Communications Protection Practices
There are 5 new SC controls introduced at Level 4:
- SC.4.197 – Utilize logical, physical, and other techniques for isolation of information in security architecture and in any and all contexts deemed necessary by the organization.
- SC.4.199 – Mobilize threat intelligence to prevent illegitimate DNS requests, including but not limited to those originating from or related to malicious domains.
- SC.4.202 – Utilize all available capabilities to analyze executable scripts and code that traverse boundaries on the internet or internal to and defined by the organization.
- SC.4.228 – Isolate controls for and administration of the most valuable and critical network infrastructure components and servers, as defined by the organization.
- SC.4.229 – Implement URL categorization and filter out websites not allowed by the organization, disallowing visits to such “blacklisted” (denied by exception) sites.
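The following is an added example, not code from the CMMC document or from RSI Security, that puts SC.4.199 and SC.4.229 side by side in one small filter: a DNS check driven by a threat-intelligence indicator list, followed by URL categorization with a deny-by-exception category policy. The indicator list, the category map, the category names and the policy are all constructed for the example (a real deployment loads the feed and categories from vetted services); the `.test` domains are reserved names that never resolve on the public internet.

```python
"""Added example (not from the CMMC text or RSI Security): DNS blocking
from threat intelligence (SC.4.199) plus URL categorization with a
deny-by-exception policy (SC.4.229). All data below is constructed."""
from urllib.parse import urlsplit

# Constructed threat-intelligence indicators (domains reported malicious).
THREAT_INTEL_DOMAINS = {"evil-example.test", "c2-example.test"}

# Constructed result of an assumed URL-categorization service.
URL_CATEGORIES = {
    "intranet.example.test": "business",
    "news.example.test": "news",
    "gamble.example.test": "gambling",
    "share.example.test": "file-sharing",
}

# Organization-defined policy (assumed): categories denied by exception;
# everything else, including uncategorized hosts, is allowed.
DENIED_CATEGORIES = {"gambling", "file-sharing"}
DEFAULT_CATEGORY = "uncategorized"


def parent_chain(hostname):
    """Yield the hostname and each parent domain (excluding the bare
    TLD) so that an indicator for an apex domain also covers its
    subdomains, e.g. cdn.evil-example.test -> evil-example.test."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def check_dns(qname):
    """SC.4.199: refuse to resolve names matching threat intelligence."""
    for candidate in parent_chain(qname):
        if candidate in THREAT_INTEL_DOMAINS:
            return ("deny", f"threat-intel match: {candidate}")
    return ("allow", "no indicator")


def check_url(url):
    """SC.4.229: categorize the host and deny disallowed categories.
    The DNS check runs first so a known-malicious host is blocked even
    if its category would otherwise be allowed."""
    host = urlsplit(url).hostname or ""
    verdict, reason = check_dns(host)
    if verdict == "deny":
        return (verdict, reason)
    category = URL_CATEGORIES.get(host.lower(), DEFAULT_CATEGORY)
    if category in DENIED_CATEGORIES:
        return ("deny", f"category denied: {category}")
    return ("allow", f"category allowed: {category}")


if __name__ == "__main__":
    for u in ("https://intranet.example.test/portal",
              "https://gamble.example.test/bet",
              "https://cdn.evil-example.test/update.bin",
              "https://unknown.example.test/"):
        print(u, "->", check_url(u))
```

Whether uncategorized hosts default to allow or deny is a policy choice the organization makes; the example follows the deny-by-exception wording of SC.4.229, and switching the default is a one-line change to `check_url`.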
Level 4 System and Information Integrity Practice
There is just 1 new SI control introduced at Level 4:
- SI.4.221 – Utilize all available data sources to inform the processes of “hunting” (detecting and addressing) intrusions and threats, including but not limited to:
  - Internal threat intelligence related to protected systems
  - Reports on peer organizations’ effective mitigation techniques
How to Meet CMMC Level 4 Requirements
As we went over above, Level 4 adds relatively few new practices. However, the challenge of certification comes with the need to manage and review all 156 current practices, cumulatively.
Like all prior levels, the only way to achieve certification at Level 4 is through a Certified Third Party Assessment Organization (C3PAO). Assessors qualified by the CMMC Accreditation Body are your ticket to proving to the OUSD(A&S) and DoD that your organization is safe enough to work with. But that’s not all; a C3PAO can also help you build everything you need to pass.
For instance, RSI Security is a C3PAO. Our suite of CMMC services goes way beyond just certifying your company; we’re also fully equipped to build up your cyberdefenses from the ground up. We can help you perform, document, manage, and review all the practices listed above as well as all 130 from lower levels, assuring full process institutionalization for Level 4.
Protect CUI and Reduce APT Threats
Plus, RSI Security isn’t just happy to help you comply with everything CMMC requires, at Level 4 and beyond. We’re also happy to help with any and all elements of your infrastructure, from niche areas like cloud security to more holistic elements, like managed IT. Need a cybersecurity technical writer or even a virtual CISO? No matter what you need, we have you covered.
For CMMC Level 4 made simple and robust overall cyberdefense, contact RSI Security today!