Level 4 Requirements

What's it going to take to achieve Level 4 compliance?

Practices found in CMMC Levels 1-3 called out an aggregated 130 Practices and 51 Processes that lead to Level 3 compliance. Level 4 specifically includes 26 additional technical practices derived from multiple sources such as NIST 800-171, CERT Resilience, CIS Controls v7.1, and more. See the Practices and Processes below:


Some of the most significant areas to consider in CMMC Level 4 are:

  • Building or having the infrastructure to support the enhanced CUI protections - Domain Reference: Access Control (AC)
  • Whitelisting and app vetting processes for systems identified in/by your organization - Domain Reference: Configuration Management (CM)
  • Logging, monitoring, incident response, and reporting capabilities with a SIEM or similar technical solution(s) - Domain Reference: Incident Response (IR) and Audit and Accountability (AU)
  • Establish and maintain a Security Operations Center (SOC) and a 24/7 response capability - Domain Reference: Incident Response (IR)

Scott Edwards, President of Summit 7 and national security/compliance speaker, spoke on the importance of the Incident Response (IR) Domain and stated "Incident Response is something that I almost want to call the core of CMMC Level 4".

Processes and Practices

What are the Level 4 Processes and Practices?

CMMC Level 4 is broken up into a total of 18 Technical Practices and 8 Procedural / Policy Practices. According to acq.osd.mil "Each practice is specified using the convention of [DOMAIN].[LEVEL].[PRACTICE] where:

  • DOMAIN is the two letter domain abbreviation
  • LEVEL is the level number
  • PRACTICE NUMBER is the identifier assigned to that practice"

Next Steps

What technical and procedural practices do you need to implement?

Upon CMMC Level 3 compliance, or the implementation of the appropriate 130 Practices, you'll need to implement the additional 26 shown in the accordion section above.

A few ways to meet new practices and additional resourcing requirements (software, hardware, personnel, outsourcing) are:

  • Leverage a SIEM and/or a Cloud Access Security Broker (CASB) solution for multiple requirements
  • Staff or contract individuals/organizations capable of monitoring, scanning, and running forensics via a SOC
  • Find a Managed Security Services Provider (MSSP) for ongoing policy and procedure support
  • Hire employees or outsource for the whitelisting and app vetting processes to meet specific CM practices
  • Build new networks or collaborative solutions using existing products to manage CUI

For more information on recommendations for remedying these technical practices, watch this clip from the CMMC Level 4 webinar from the Summit 7 Team.




Potential Technical Solutions

What solution sets can get you to Level 4 CMMC compliance?

SIEM solutions to meet Incident Response requirements:

  • LogRhythm
  • LogVaul
  • AlienVault
  • Splunk
  • Fireeye

Summit 7 Preferred: Microsoft Azure Government Sentinel

Solutions for meeting Incident Response requirements specific to a SOC:

  • In House service
  • Managed Service (MSSP)

Summit 7 Preferred: Microsoft Azure Sentinel for alerting and Microsoft Cloud Access Security (MCAS) broker for the CASB

Risk Management port scanning solutions:

  • Nmap
  • Unicornscan
  • Netcat
  • Solarwinds

Summit 7 Preferred: Qualys Vulnerability Management System

Threat indicator and threat hunting subscriptions to meet System and Information Integrity requirements:

  • Anomali ThreatStream
  • Palo Alto Minefield
  • ThreatConnect Platform

Summit 7 Preferred: Microsoft's Azure Sentinel supports input from MISP Project

Summit 7 has architected a solution set to help organizations achieve CMMC Level 4 compliance that is developed for Office 365 GCC High and Azure Government. To discuss with our team and develop your roadmap for Level 4, complete the form below.

Related Pages:


The Foundation and Levels

As the image below details, Level 4 requires organizations to practice "Proactive Cyber Hygiene", while having "reviewed" security processes and methods for "reducing risk of Advanced Persistent Threats (APT)s and increasing protection of CUI". For contractors in the DoD, Level 4 compliance may be more uncommon than Level 3, as it will be contractually required far less in RFPs and is seen as more of a transitional step to Level 5. It is also an increase in responsibility and likely cost. Levels are cumulative, meaning a Level 4 certified organization will need to meet the practices found in Levels 1, 2, 3, and 4. Access a more detailed explanation and overview of CMMC, as well as history and background here.

OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.

CMMC Level Model

Still Have Other Questions?

If you still have questions about CMMC Level 4, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.

Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance:

Start The Conversation