Welcome to the fifth and final installment of our series on the Cybersecurity Maturity Model Certification (CMMC), a framework required for companies contracting with the US Department of Defense (DoD). In this guide, we’ll break down everything you need to know about CMMC Level 5. For information about the other levels of the CMMC, see our guides to levels 1, 2, 3, and 4.
Overview of CMMC Level 5 Requirements
The key to complying with CMMC requirements at all levels is understanding exactly what is required. To that end, this blog (and the whole series) is built around descriptions of all practices for each given level, sourced directly from CMMC Version 1.02, published in March 2020.
Since this is the final level, we’ll begin with a more robust overview (or recap) of the CMMC Framework that touches on all its levels in detail, harkening back to our 101 from the very first installment. As a whole, the structure below breaks down as follows:
- A final review of the CMMC framework
- A detailed overview of CMMC Level 5
- A guide to CMMC Level 5 compliance
Let’s get started!
Final Review of CMMC Framework
The primary function of the CMMC is protecting the supply chain of the DoD. This umbrella term covers companies across a wide range of industries, all of which make up the Defense Industrial Base (DIB) sector. If you contract with the DoD, your company is part of the DIB.
Likewise, you also likely transmit, harbor, and process two critical forms of information:
- Federal Contract Information (FCI) – Data pertaining to contracts with and for federal agencies (and their contractors), which is not intended for public access.
- Controlled Unclassified Information (CUI) – Data that is not technically “classified,” but which is protected from public access by other laws, statutes, and regulations.
Clause 52.204-21 of the Federal Acquisition Regulation (FAR) details requirements for the protection of FCI. Likewise, Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 specifies security requirements for CUI. These requirements are met in the CMMC by incorporating National Institute of Standards and Technology (NIST) Special Publication 800-171 in its entirety, among other source texts (NIST SP 800-172, etc.).
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is responsible for publishing the CMMC Framework. To build it, the office worked together with various DoD stakeholders and industry experts, including University Affiliated Research Centers (UARCs) and Federally Funded Research and Development Centers (FFRDCs).
The various controls of the CMMC are distributed across domains, each of which has various controls added across the 5 maturity levels. Let’s take a closer look at the latter first.
Levels, Their Focuses, and Processes
Maturity levels of the CMMC exist to accommodate an organization’s gradual evolution in cybersecurity posture. Rather than expecting institutions to immediately implement all of the CMMC’s controls at once, the framework enables a tiered approach.
At each level, the change in an organization’s cybersecurity maturity is measured by its implementation of practices and its institutionalization of processes.
The level breakdown is as follows:
- Maturity Level 1 – Focusing on Federal Contract Information (FCI) and its safety.
  - Processes are performed, at least, even if ad hoc and not documented.
  - Practices (17 total) constitute “Basic Cyber Hygiene.”
- Maturity Level 2 – Preparing for protection of Controlled Unclassified Information (CUI).
  - Processes are not just performed, but also documented.
  - Practices (55 new, 72 total) constitute “Intermediate Cyber Hygiene.”
- Maturity Level 3 – Establishing cybersecurity safeguards for CUI.
  - Processes are performed, documented, and managed.
  - Practices (58 added, 130 total) constitute “Good Cyber Hygiene.”
- Maturity Level 4 – Protecting CUI; preparing for Advanced Persistent Threats (APT).
  - Processes are performed, documented, managed, and reviewed.
  - Practices (26 added, 156 total) constitute “Proactive” cyberdefenses.
- Maturity Level 5 – Maximizing cyberdefenses relative to CUI and APT.
  - Processes are performed, documented, managed, reviewed, and optimized.
  - Practices (15 added, 171 total) constitute “Advanced/Progressive” cyberdefense.
These levels may apply to the posture of the entire organization, or they may reflect only one part thereof. For example, a company might be at maturity level 1 overall, whereas a subdivision within the company may have advanced to level 3 or higher.
The 17 Domains of CMMC Security
The practices an organization needs to implement in order to ascend to Level 5 are distributed across 17 domains of cybersecurity. These domains, based on NIST’s Federal Information Processing Standards Publication 200 (FIPS 200), divide the overall scope of cybersecurity into areas of concern, each of which contains capabilities (43 total) to address it.
The domain and capability scheme breaks down as follows:
- AC: Access Control – Comprising 4 capabilities that govern identification and authentication practices related to access:
  - Establish requirements for system access
  - Control and restrict internal system access
  - Control and restrict remote system access
  - Limit access based on authorization
- AM: Asset Management – Just 2 main capabilities governing the maintenance of resources across organizational systems:
  - Identify and document all physical and digital assets
  - Manage inventory of identified and documented assets
- AU: Audit and Accountability – Including 4 capabilities requiring and specifying parameters for periodic audits:
  - Define requirements for audits
  - Perform rigorous auditing and tests
  - Protect any and all audit information
  - Manage and regularly review audit logs
- AT: Awareness and Training – Including just 2 main capabilities requiring protocols for training and cultivating awareness across personnel:
  - Conduct activities to foster security awareness
  - Conduct regular and rigorous security training
- CM: Configuration Management – Including 2 main capabilities governing specific protocols for configurations and settings, with respect to security:
  - Establish baseline configurations across devices and software
  - Manage the maintenance of and changes to configurations
- IA: Identification and Authentication – Just 1 main capability further governing (with AC) the ways in which identification and authentication grant access to resources:
  - Grant access only to authenticated users
- IR: Incident Response – Comprising 5 capabilities governing all stages of an institution’s approach to incidents, from planning through execution:
  - Plan detailed incident response protocols
  - Monitor for, detect, and report security events
  - Respond to incidents as they occur, per plans
  - Review the efficacy of response post-incident
  - Test incident response system regularly
- MA: Maintenance – Just 1 capability governing standards for security maintenance:
  - Manage the maintenance of systems and security
- MP: Media Protection – Including 4 capabilities governing the approach to the privacy of media, especially resources containing CUI:
  - Identify media and mark for control level
  - Protect all media marked for control
  - Sanitize media regularly and after use
  - Protect media during transportation
- PS: Personnel Security – Just 2 capabilities governing protections against internal threats amongst staff and other stakeholders:
  - Screen personnel thoroughly and carefully
  - Protect CUI during all interactions with personnel
- PE: Physical Protection – Just 1 capability governing physical safeguards for sensitive information across systems:
  - Restrict physical access to sensitive assets
- RE: Recovery – Just 2 capabilities defining processes for data recovery post-attack:
  - Establish and maintain back-ups across systems
  - Manage continuity of information security
- RM: Risk Management – Comprising 3 capabilities governing the approach to risk management and resolution, from planning through execution:
  - Identify risks through monitoring and analysis
  - Manage and proactively mitigate identified risks
  - Manage risks specific to the supply chain
- CA: Security Assessment – Including 3 capabilities governing processes for organizational assessment, distinct from (but compounding with) AU:
  - Manage a security plan encompassing all systems
  - Define particular controls to implement, per plan
  - Perform regular code reviews and audits
- SA: Situational Awareness – Just 1 capability, governing the use of internal and external information to heighten awareness company-wide:
  - Implement a threat monitoring system
- SC: Systems and Communications Protection – Comprising 2 capabilities that govern the security of information, especially in transit:
  - Define requirements for security across all systems and communications
  - Monitor, restrict, and control communications at boundaries of the system
- SI: System and Information Integrity – Finally, 4 capabilities that govern the overall integrity and privacy of information and systems:
  - Monitor and manage any and all flaws in information systems
  - Identify and manage malware and other harmful content
  - Perform regular system- and network-wide monitoring
  - Safeguard email using advanced protections
Not every level contains practices in each domain, but the sum total of practices is cumulative. For example, level 5 does not add any IA controls. Nor does Level 4. Nevertheless, all prior IA practices from levels 1-3 are part of level 5 and thus must be performed, documented, managed, reviewed, and optimized, along with all other new and existing controls at this level.
With that in mind, let’s take a look at the practices that are added at Level 5.
The Final Stage: CMMC Level 5 Controls
As noted above, Level 5 adds the fewest practices (just 15) of any level, fewer even than Level 1 (17). However, the controls added at this final stage are significantly more complex and burdensome than those at prior levels, and at Level 5 an organization is responsible for the complete implementation and institutionalization of every practice in the CMMC.
Level 4 marked a shift away from “cyber hygiene” concerns toward protection against Advanced Persistent Threats (APT). That focus carries over into Level 5, where the process goal, “optimizing,” requires continued, ongoing improvement. The CMMC’s notes on process institutionalization highlight the increasing “depth and sophistication” of defenses at this level.
Let’s take a look at the 15 practices introduced, across the 8 domains they pertain to.
Level 5 Access Control Practice
There is just 1 final AC control introduced at Level 5:
- AC.5.024 – Identify any and all risks associated with unidentified wireless access points connected or attempting to connect to the network; mitigate according to RM protocols.
Level 5 Audit and Accountability Practice
There is just 1 final AU control introduced at Level 5:
- AU.5.055 – Identify any and all assets with a lapse in reporting of audit logs; act immediately to resolve non-reporting and assure all systems are always reporting.
Level 5 Configuration Management Practice
There is just 1 final CM control introduced at Level 5:
- CM.5.074 – Verify the accuracy and integrity of software critical to security or essential business practices, as determined by the organization, by way of:
  - Direct or indirect verification via “roots of trust”
  - Formal verification via organization-defined procedures
  - Authenticating measures, such as cryptographic signatures
Level 5 Incident Response Practices
There are 4 final IR controls introduced at Level 5:
- IR.5.102 – Utilize both manual and automated responses, in real-time, to any and all suspicious activities, especially those that match relevant incident patterns.
- IR.5.106 – Utilize forensic data-gathering methods to maximize understanding of attacks’ impact(s) on systems, and ensure the secure transfer and protection of forensic data.
- IR.5.108 – Establish and maintain a dedicated incident response team capable of investigating any incident, physically and/or digitally, within 24 hours of the incident.
- IR.5.110 – Perform regular operational exercises, unannounced, to test and demonstrate technical and procedural responses to incidents related to existing and potential threats.
Level 5 Recovery Practice
There is just 1 final RE control introduced at Level 5:
- RE.5.140 – Ensure that any and all external information processing facilities used for recovery meet internally defined requirements for continuity, redundancy, availability, etc.
Level 5 Risk Management Practices
There are 2 final RM controls introduced at Level 5:
- RM.5.152 – Utilize exception processes to permit software that is not “whitelisted” (software that has not been approved under a permit-by-exception policy), provided it includes applicable mitigation techniques.
- RM.5.155 – Analyze the efficacy of risk management solutions at least once per year to address anticipated risks based on both current and cumulative threat intelligence.
Level 5 System and Communications Protection Practices
There are 3 final SC controls introduced at Level 5:
- SC.5.198 – Configure monitoring systems to record all packets that pass through the organization’s internet boundaries and other organizationally defined boundaries.
- SC.5.208 – Deploy boundary protections defined by and tailored to the organization’s specific needs, in conjunction with other publicly or commercially available solutions.
- SC.5.230 – Enforce compliance with security controls and protocols related to ports.
Level 5 System and Information Integrity Practices
There are 2 final SI controls introduced at Level 5:
- SI.5.222 – Analyze behavior across systems to detect and address any system commands indicative of existing or potential threats, such as malicious actions.
- SI.5.223 – Regularly monitor, document, and address any irregular or suspicious behavior, including authorized but anomalous actions, across all personnel and systems.
How to Meet CMMC Level 5 Requirements
Level 5 is the final stage of complete CMMC certification. But it’s less a plateau than a new beginning; the process goal of “optimizing” involves and requires an ongoing commitment to evolving maturity in cyberdefense. That means constantly building on your systems and incorporating new controls to combat new threats as (or before) they arise.
As we’ve touched on in previous installments, CMMC certification is granted by a Certified Third Party Assessment Organization (C3PAO), which itself must be certified by the CMMC Accreditation Body. And the absolute best way to ensure certification is to contract with a C3PAO who will not only grant certification, but also walk you through what it takes to get there.
That’s where RSI Security comes in. We aren’t just a C3PAO; our dedicated suite of CMMC services is both robust and flexible, meeting you where you are and guiding you to certification.
Achieve Total Cybersecurity Maturity
RSI Security isn’t just here for your CMMC certification. Our talented team of experts has over a decade of experience helping DoD contractors and other firms keep their stakeholders safe. Whether you need help completing CMMC level 5 certification, achieving compliance with other regulatory guidelines, or with any other element of managed IT, contact RSI Security today!