The Cybersecurity Maturity Model Certification (CMMC) is a revolutionary framework developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, also known as the OUSD (A&S). Unlike some other frameworks, the CMMC allows for the gradual adoption of its controls across five levels. As you progress toward full certification, there are differences between certain levels, such as between CMMC level 3 and CMMC level 4.
What’s the Difference Between CMMC Level 4 and Level 3?
The main differences between these CMMC levels have to do with how each level’s focus, practices, and processes impact the protection of federal contract information (FCI), per Federal Acquisition Regulation (FAR) Clause 52.203-21, and controlled unclassified information (CUI), per Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
These particular types of information are critical to the Defense Industrial Base (DIB) sector, and a supply chain made up of all companies contracting with the DoD, as yours might be one day.
In the sections that follow, we’ll break down the differences between CMMC level 3 and CMMC level 4 controls and requirements across three major categories:
- Differences in focus at each level
- Differences in practices at each level
- Differences in process maturity at each level
Then, we’ll discuss what it takes to get certified at CMMC level 4 — and how we can help.
Different Focuses: CMMC Level 4 Aims vs. Level 3
The first and most immediate difference between CMMC levels 3 and 4 is in their respective focuses. At each stage in a company’s gradual climb toward full cybersecurity maturity, the CMMC model has a particular goal or aim for the given level. The first two levels build a foundation for what is achieved at CMMC level 3, a culmination (see below). Then, CMMC level 4’s focus is grouped with the final stage, CMMC level 5.
Let’s take a closer look at the specific focus of each level.
CMMC Level 3 Focus: Controlled Unclassified Information
The basic function of CMMC level 3 in terms of focus is to achieve the protection of CUI. But to fully understand this focus, it’s essential to understand the context of its prior levels:
- CMMC level 1 focus – Basic safeguarding of FCI.
- CMMC level 2 focus – Transitional step into CUI protection.
- CMMC level 3 focus – Full protection of CUI, as well as FCI.
As you can see, the first two levels function as preparation for CMMC level 3, which is arguably the first significant threshold of maturity. This reflects the name given to the practice goal for each level, scaling from “basic” to “intermediate” to “good cyber hygiene” (see below).
At CMMC level 3, a company has implemented the entirety of NIST SP 800-171, a previous cybersecurity framework that lends much of its structure to CMMC. The level 4 and 5 controls introduced, move beyond NIST SP 800-171 into more advanced safeguards.
CMMC Level 4 Focus: Advanced Persistent Threats
The focus of CMMC level 4 is to move beyond the scope of basic FCI protections, emphasizing CUI and, significantly, the new category of “advanced persistent threats” (APT). It shares this focus with level 5, and there is no distinction between the two final levels in terms of purpose.
The CMMC defines APTs as adversaries with abundant resources and technological abilities. These most complex and capable hackers will leverage a wide variety of attack vectors to compromise your company’s resources, from physical to digital and virtual attacks, along with social engineering scams. Importantly, they will launch multi-pronged attacks simultaneously.
To best combat these foes, the practices introduced at CMMC level 4 (and 5) are significantly more advanced than those at any previous level. As we’ll touch on below, there are far fewer practices introduced at level 4, but the practice and process goals still provide challenges.
Advanced Practices: CMMC Level 4 Controls vs. Level 3
Perhaps the most significant difference between CMMC levels 3 and 4 has to do with the sheer number, depth, and complexity of new cybersecurity controls added at each respective level. CMMC level 3 is arguably the most challenging single step in the entire maturity process, as it adds the most practices of any level. CMMC level 4 adds comparatively few practices (less than half of level 3), but the practices compound, including all prior levels’ controls.
Let’s take a closer look at both levels’ practice requirements.
CMMC Level 3 Practices: Good Cyber Hygiene
More controls are added at CMMC level 3 than at any other level, with 58 new practices added across 16 of 17 domains, excluding personnel security (PS). These break down as follows:
- Level 3 Access Control – 8 new AC practices added, for a total of 22.
- Level 3 Asset Management – The first AM practice is introduced at level 3.
- Level 3 Audit and Accountability – 7 new AU practices added, for a total of 11.
- Level 3 Awareness and Training – 1 new AT practice added, for a total of 3.
- Level 3 Configuration Management – 3 new CM practices added, for a total of 9.
- Level 3 Identification and Authentication – 4 final IA practices added, for a total of 11.
- Level 3 Incident Response – 2 new IR practices added, for a total of 7.
- Level 3 Maintenance – 2 final MA practices added, for a total of 6.
- Level 3 Media Protection – 4 final MP practices added, for a total of 8.
- Level 3 Physical Protection – 1 final PE practice added, for a total of 6.
- Level 3 Recovery – 1 new RE practice added, for a total of 3.
- Level 3 Risk Management – 3 new RM practices added, for a total of 6.
- Level 3 Security Assessment – 2 new CA practices added, for a total of 5.
- Level 3 Situational Awareness – The first SA practice is introduced at level 3.
- Level 3 Systems Communications Protection – A whopping 15 new SC practices are added at level 3, the most practices added in any domain at any level, for a total of 19.
- Level 3 System and Information Integrity – 3 new SI practices added, for a total of 10.
Combined with all practices from the prior levels, level 3 includes 130 practices in total.
CMMC Level 4 Practices: Proactive Protections
In contrast, CMMC level 4 adds far fewer controls than level 3 — just 26, across only 11 of the 17 domains (excluding IA, MA, MP, PS, PE, and RE). These break down as follows:
- Level 4 AC – 3 new AC practices are added, for a running total of 25.
- Level 4 AM – The second and final AM practice is added at level 4.
- Level 4 AU – 2 new AU practices are added, for a running total of 13.
- Level 4 AT – 2 final AT practices are added, for a total of 5.
- Level 4 CM – 1 new CM practice is added, for a running total of 10.
- Level 4 IR – 2 new IR control practices are added, for a running total of 9.
- Level 4 RM – 4 new RM practices are added, for a running total of 10.
- Level 4 CA – 3 final CA practices are added, for a running total of 8.
- Level 4 SA – 2 final SA practices are added, for a total of 3.
- Level 4 SC – 5 new SC practices are added, for a running total of 24.
- Level 4 SI – 1 new SI protection is added, for a running total of 11.
While fewer practices are added than at level 3, CMMC level 4 includes 156 practices. Plus, another significant challenge to implementing all of them is the step-up in process maturity.
Deeper Processes: CMMC Level 4 Requirements vs. Level 3
Finally, the last significant difference between CMMC levels 3 and 4 involves the specific process maturity requirements at each respective level. As noted above, the CMMC framework scales upward in process maturity at every level, gradually developing the institutionalization, or depth and breadth of company-wide integration, of all practices. This ranges from practices being simply “performed” at CMMC level 1 to their progressive “optimizing” level 5.
Let’s take a closer look at what process maturity looks like at each level.
CMMC Level 3 Process Maturity: Managed
CMMC level 3 is a significant threshold in terms of practices and focus, as it culminates much of what began in the first two levels on those fronts. This is true to an extent for process maturity, but an arguably bigger threshold exists at level 2. As with focus, it’s essential to understand the process maturity goal for level 3 in the context of the prior levels’:
- Level 1 processes: implemented – Process maturity is not measured or assessed at this level; practices must simply be implemented, even if ad hoc or partially.
- Level 2 processes: documented – At this level, practices must be carefully documented, setting the stage for assessment, analysis, and long-term replicability.
- Level 3 processes: managed – Processes must be formally and thoroughly managed with a plan and allocated resources for long-term stability.
Level 2 is a significant step up from level 1’s simplicity; level 3’s management is an incremental increase in level 2’s documentation. Moving from simple implementation to documentation already lends itself to management, which leads to the goal at level 4.
CMMC Level 4 Process Maturity: Reviewed
Like at level 3, CMMC level 4’s process maturity is less a radical departure than a stepwise progression:
- Level 4 processes: reviewed – Adding to the management process detailed above, review requires regular self assessment and corrective action, when necessary.
- Level 5 processes: optimizing – Finally, this level requires full standardization and optimization across the company, including an open-ended commitment to perpetual work perfecting practice implementation, documentation, management, and review.
Rather than taking management in an entirely different direction or adding a new level of magnitude to institutionalization, level 4 simply requires an additional management element: regular review. This looks forward to the final stage, which drops the past tense in favor of the progressive. This is because, at level 5, the goal is to optimize continuously.
How to Ensure Certification at CMMC Level 4
The first step to compliance at CMMC level 4 is implementing all 156 practices to the extent of institution-wide “managed” status, as detailed above, to protect FCI and CUI and combat APTs.
To achieve certification at any CMMC level, it’s not enough to simply implement the practices to the process maturity requirements. You also need to contract the services of a qualified assessor, namely a Certified Third-Party Assessment Organization (C3PAO).
A C3PAO is certified by the CMMC Accreditation Body (CMMC-AB) to evaluate a company’s compliance at each level. And the best ones can also help companies move upward, building out the safeguards needed to eventually reach full certification at CMMC level 5.
RSI Security is just such a C3PAO. Our dedicated CMMC advisory services include certification, as well as custom-tailored support from the very beginning of your compliance process. If you’re at CMMC level 3 and trying to make the jump into level 4 and 5, or if you’re just beginning on your journey, contact RSI Security today to see how simple CMMC level 4 can be!