CMMC Level 5 is the highest achievable Level and adds 15 additional practices to Level 4. This Level requires organizations to practice "advanced" cyber hygiene and optimize security processes and methods. As with Level 4, Level 5 is focused on reducing the risk of Advanced Persistent Threats (APT)s and increasing the protection of CUI. CMMC Level 5 compliance will be less common in Requests for Proposal (RFP)s as compared to Level 1 or Level 3, but DIB suppliers focused on critical technologies and more sensitive programs may see this Level requirement in the future. Achieving Level 5 will require a significant investment of time, energy, and resources for any organization.
CMMC Level 5 includes 171 Practices (all Levels in aggregate) and 85 Processes derived from multiple sources such as NIST 800-171, CERT Resilience, CMMC Working Groups, CIS Controls v7.1, and more. See the Practices and Processes below:
Only eight (8) Domains contain Level 5 requirements, and the below list contains a few of the most significant requirements to address:
According to acq.osd.mil "Each practice is specified using the convention of [DOMAIN].[LEVEL].[PRACTICE] where:
DOMAIN is the two letter domain abbreviation
LEVEL is the level number
PRACTICE NUMBER is the identifier assigned to that practice"
Access Control (AC):
NOTES: This requirement builds off of Level 3 and Level 4 requirements by using existing SIEM or similar technologies to alert a security professional when an endpoint stops sending signals. Similarly, scan the environment for devices on the network that are not reporting fully.
Audit and Accountability (AU):
Configuration Management (CM):
NOTES: Much of this requirement may be met by deploying only machines (laptops, desktops, servers, etc.) with TPM 2.0 chips and enabling FIPS mode and encryption on systems.
Incident Response (IR):
NOTES: This requires hiring or outsourcing, as many organizations in the DIB do not staff for this requirement without a customer need. A combination of a SOC and/or NOC may be a suitable option.
NOTES: This can be achieved through manual checks, drills, or through technology like Microsoft Attack Simulator (currently not available in GCC High).
NOTES: This can be achieved with Runbooks and Playbooks via Azure Security Center and Azure Sentinel for example, or other products such as Cylance and Carbon Black. Through a combination of policy, manual actions and automated actions, your organization will need to have a thorough process for responding to different types of attacks at varying levels of severity.
NOTES: This requirement introduces the need for memory forensic tools in addition to endpoint scanning/protection technology like Microsoft Defender ATP and Office 365 ATP on devices. Your SOC will need to be able to pull forensic data to analyze in aggregate with other SIEM and EDR data.
NOTES: Organizations will need to create a detailed Continuity of Operations Plan addressing each information system in their greater environment. This will include details on how cloud providers are meeting their requirements (i.e. FedRAMP) and SLAs for Disaster Recovery and more. If a company has on-prem or hybrid systems, then documented and technically implemented resilliency is key. See other referenced standards NIST 800-53 r4 CP-10, CERT RMM v1.2 RRM:SG1.SP2, and NIST CSF v1.1 PR.IP-9.
Risk Management (RM):
NOTES: Procedures need to be in place for approval as well as documenting exceptions in your environment.
NOTES: This also is a procedural requirement to annually (or more frequent) assess security tools and solutions. Check to see what events or anomalies your team has responded to and the results, review software for patching and updates, review new systems since the last assessment for gaps or new vulnerabilities, etc.
System and Communication Protection (SC):
NOTES: Need to implement a network traffic packet capture capability on-prem (using Solarwinds, Wireshark, etc.) or in the cloud via Azure Firewall configurations or CheckPoint. Microsoft and other cloud providers provide coverage for Microsoft 365 datacenters and core services.
NOTES: Companies can implement an Intrusion Prevention System (IPS) to work towards meeting this requirement. Palo Alto, Barracuda, Entrust, and Cisco have solutions, along with many other suppliers.
System and Information Integrity (SI):
NOTES: This requirement can be met with an Endpoint Detection and Response (EDR) solution like Microsoft Defender ATP.
NOTES: Microsoft Cloud App Security (MCAS) is one tool in a set of tools tapping into the Microsoft Graph to detect and act on anomalous user behavior.
Upon achieving CMMC Level 4 compliance, or the implementation of the appropriate 156 Technical Practices, you'll need to implement the additional 15 shown in the section above. The following discussion provides a few ways to meet some of the new practices and additional resourcing requirements (software, hardware, personnel, outsourcing).
Summit 7 has begun the conversation for a solution set to help organizations achieve CMMC Level 5 compliance that is developed for Microsoft 365 GCC High, Azure Government, and hybrid scenarios. To start the conversation with our team for achieving Level 5, click the form below.
These evaluations will lead to a Level certification of 1 to 5, 5 being the most secure. Levels are cumulative, meaning a Level 5 certified organization will need to meet the practices found in Levels 1, 2, 3, 4, and 5. Access a more detailed explanation and overview of CMMC, as well as history, schedule for rollout, and its background here.
OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.
If you still have questions about CMMC Level 5, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.
Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance: