CMMC Level 4 Requirements

The Foundation and Levels

What is CMMC?

The Cybersecurity Maturity Model Certification, or CMMC, is the next stage in the Department of Defense's (DoD) efforts to properly secure the Defense Industrial Base (DIB) and its supply chain. The DoD announced in the middle of 2019 that it is creating a cybersecurity assessment model and certification program. Several versions of CMMC were publicly released since that time: 0.4. 0.6, 0.7, and CMMC 1.0 and 1.02.

As the image below details, Level 4 requires organizations to practice "Proactive Cyber Hygiene", while having "reviewed" security processes and methods for "reducing risk of Advanced Persistent Threats (APT)s and increasing protection of CUI". For contractors in the DoD, Level 4 compliance may be more uncommon than Level 3, as it will be contractually required far less in RFPs and is seen as more of a transitional step to Level 5. It is also an increase in responsibility and likely cost.

In prior years, contracting authorities and prime contractors would request a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) as self attestation for DFARS 252.204-7012 compliance. This request from contracting authorities was post award, and several companies received severe penalties through False Claims Act (FCA) settlements for misrepresenting their cybersecurity efforts. Defense Contract Management Agency (DCMA) has recently increased its efforts to audit companies as well.

CMMC contrasts DFARS 7012 by forcing the requirement before award, or at 'award-time'. Contractors will be evaluated based upon the implementation of actual technical controls in addition to their documentation and policies. These evaluations will lead to a Level certification of 1 to 5, 5 being the most secure. Levels are cumulative, meaning a Level 4 certified organization will need to meet the practices found in Levels 1, 2, 3, and 4.

FAQ: How far down the supply chain are the 3rd party audits required? Is this only for prime contractors or does it filter to lower level suppliers such as subcontracted machine shop work?

According to The Office of the Under Secretary of Defense (OUSD), the CMMC level requirement will flow down to all subcontractors regardless of size or function. It is likely that CMMC requirements will be broken apart by tier - i.e for RFP A1B2C3D44 Prime Contractors are required to be CMMC Level 5 upon proposal and all listed Subcontractors must meet CMMC Level 2. They also state all future RFPs will require a CMMC level regardless of handling Controlled Unclassified Information (CUI).

Access a more detailed explanation and overview of CMMC, as well as history and background here.

Level 4 Requirements

What's it going to take to achieve Level 4 compliance?

Practices found in CMMC Levels 1-3 called out an aggregated 130 Practices and 51 Processes that lead to Level 3 compliance. Level 4 specifically includes 26 additional technical practices derived from multiple sources such as NIST 800-171, CERT Resilience, CIS Controls v7.1, and more. See the Practices and Processes below:

Some of the most significant areas to consider in CMMC Level 4 are:

Building or having the infrastructure to support the enhanced CUI protections - Domain Reference: Access Control (AC)
Whitelisting and app vetting processes for systems identified in/by your organization - Domain Reference: Configuration Management (CM)
Logging, monitoring, incident response, and reporting capabilities with a SIEM or similar technical solution(s) - Domain Reference: Incident Response (IR) and Audit and Accountability (AU)
Establish and maintain a Security Operations Center (SOC) and a 24/7 response capability - Domain Reference: Incident Response (IR)

Scott Edwards, President of Summit 7 and national security/compliance speaker, spoke on the importance of the Incident Response (IR) Domain and stated "Incident Response is something that I almost want to call the core of CMMC Level 4".

Processes and Practices

What are the Level 4 Processes and Practices?

CMMC Level 4 is broken up into a total of 18 Technical Practices and 8 Procedural / Policy Practices. According to acq.osd.mil "Each practice is specified using the convention of [DOMAIN].[LEVEL].[PRACTICE] where:

DOMAIN is the two letter domain abbreviation
LEVEL is the level number
PRACTICE NUMBER is the identifier assigned to that practice"

Access Control (AC)

AC.4.023: Control Information Flows between security domains on connected systems

AC.4.025: Periodically review and update CUI program access permissions

AC.4.032: Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.

Asset Management (AM)

AM.4.226: Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

Audit and Accountability (AA)

AU.4.053: Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity

AU.4.054: Review audit information for broad activity in addition to per machine activity.

Awareness and Training (AT)

AT.4.059: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

AT.4.060: Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.

Configuration Management (CM)

CM.4.073: Employ application whitelisting and an application vetting process for systems identified by the organization.

Incident Response (IR)

IR.4.100: Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution

IR.4.101: Establish and maintain a security operations center capability that facilitates a 24/7 response capability

Risk Management (RM)

RM.4.149: Catalog and periodically update threat profiles and adversary TTPs.

RM.4.148: Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.

RM.4.150: Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

RM.4.151: Perform scans for unauthorized ports available across perimeter network boundaries over the organization's Internet network boundaries and other organizationally defined boundaries.

Security Assessment (CA)

CA.4.163: Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement.

CA.4.164: Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc using human experts

CA.4.227: Periodically perform red teaming against organizational assets in order to validate defensive capabilities

Situational Awareness (SA)

SA.4.171: Establish and maintain a cyber-threat hunting capability to search for indicators of compromise in organizational systems and detect, track and disrupt threats controls.

SA.4.173: Design network and system security capabilities to leverage, integrate, and share indicators of compromise.

System and Communication Protection (SC)

SC.4.197: Employ physical and logical isolation techniques in the system and security architecture and / or where deemed appropriate by the organization.

SC.4.199: Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.

SC.4.228: Isolate administration of organizationally defined high-value critical network components and servers.

SC.4.202: Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.

SC.4.229: Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.

System and Information Integrity (SI)

SI.4.221: Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting

Next Steps

What technical and procedural practices do you need to implement?

Upon CMMC Level 3 compliance, or the implementation of the appropriate 130 Practices, you'll need to implement the additional 26 shown in the accordion section above.

A few ways to meet new practices and additional resourcing requirements (software, hardware, personnel, outsourcing) are:

Leverage a SIEM and/or a Cloud Access Security Broker (CASB) solution for multiple requirements
Staff or contract individuals/organizations capable of monitoring, scanning, and running forensics via a SOC
Find a Managed Security Services Provider (MSSP) for ongoing policy and procedure support
Hire employees or outsource for the whitelisting and app vetting processes to meet specific CM practices
Build new networks or collaborative solutions using existing products to manage CUI

For more information on recommendations for remedying these technical practices, watch this clip from the CMMC Level 4 webinar from the Summit 7 Team.

Potential Technical Solutions

What solution sets can get you to Level 4 CMMC compliance?

SIEM solutions to meet Incident Response requirements:

LogRhythm
LogVaul
AlienVault
Splunk
Fireeye

Summit 7 Preferred: Microsoft Azure Government Sentinel

Solutions for meeting Incident Response requirements specific to a SOC:

In House service
Managed Service (MSSP)

Summit 7 Preferred: Microsoft Azure Sentinel for alerting and Microsoft Cloud Access Security (MCAS) broker for the CASB

Risk Management port scanning solutions:

Nmap
Unicornscan
Netcat
Solarwinds

Summit 7 Preferred: Qualys Vulnerability Management System

Threat indicator and threat hunting subscriptions to meet System and Information Integrity requirements:

Anomali ThreatStream
Palo Alto Minefield
ThreatConnect Platform

Summit 7 Preferred: Microsoft's Azure Sentinel supports input from MISP Project

Summit 7 has architected a solution set to help organizations achieve CMMC Level 4 compliance that is developed for Office 365 GCC High and Azure Government. To discuss with our team and develop your roadmap for Level 4, complete the form below.

Related Pages:

CMMC Level 3 Requirements Overview
CMMC Level 5 Requirements Overview

CMMC LEVEL 4 REQUIREMENTS