CMMC Level 5 Requirements

What is CMMC Level 5? What is required to reach Level 5?

CMMC Level 5 is the highest achievable Level and adds 15 additional practices to Level 4. This Level requires organizations to practice "advanced" cyber hygiene and optimize security processes and methods. As with Level 4, Level 5 is focused on reducing the risk of Advanced Persistent Threats (APT)s and increasing the protection of CUI. CMMC Level 5 compliance will be less common in Requests for Proposal (RFP)s as compared to Level 1 or Level 3, but DIB suppliers focused on critical technologies and more sensitive programs may see this Level requirement in the future. Achieving Level 5 will require a significant investment of time, energy, and resources for any organization.

CMMC Level 5 includes 171 Practices (all Levels in aggregate) and 85 Processes derived from multiple sources such as NIST 800-171, CERT Resilience, CMMC Working Groups, CIS Controls v7.1, and more. See the Practices and Processes below:



Only eight (8) Domains contain Level 5 requirements, and the below list contains a few of the most significant requirements to address:

  • Establishing and maintaining a cyber incident response team that can investigate an issue at any location physically or virtually within 24 hours of the occurring incident
  • Leveraging a SIEM and/or a Cloud Access Security Broker (CASB) solution for multiple requirements 
  • Staff or contract individuals/organizations capable of monitoring, scanning, and running data forensics
  • Implementing a Wireless Intrusion Detection Systems (WIDS) / Wireless Intrusion Prevention Systems (WIPS)
  • Analysis of your network traffic by implementing a Network Packet Capture solution to record organizationally defined network boundaries


Practices and Technical Starting Points

What are the Level 5 Practices? How do I address them?

According to "Each practice is specified using the convention of [DOMAIN].[LEVEL].[PRACTICE] where:

DOMAIN is the two letter domain abbreviation
LEVEL is the level number
PRACTICE NUMBER is the identifier assigned to that practice"

Access Control (AC):

  • AU.5.055: Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging

NOTES: This requirement builds off of Level 3 and Level 4 requirements by using existing SIEM or similar technologies to alert a security professional when an endpoint stops sending signals. Similarly, scan the environment for devices on the network that are not reporting fully.

Audit and Accountability (AU):

  • AM.4.226: Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

Configuration Management (CM):

  • CM.5.074: Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g. roots of trust, formal verification or cryptographic signatures)

NOTES: Much of this requirement may be met by deploying only machines (laptops, desktops, servers, etc.) with TPM 2.0 chips and enabling FIPS mode and encryption on systems.

Incident Response (IR):

  • IR.5.108: Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours

NOTES: This requires hiring or outsourcing, as many organizations in the DIB do not staff for this requirement without a customer need. A combination of a SOC and/or NOC may be a suitable option.

  • IR.5.110: Perform unannounced operational exercises to demonstrate technical and procedural responses

NOTES: This can be achieved through manual checks, drills, or through technology like Microsoft Attack Simulator (currently not available in GCC High).

  • IR.5.102: Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns 

NOTES: This can be achieved with Runbooks and Playbooks via Azure Security Center and Azure Sentinel for example, or other products such as Cylance and Carbon Black. Through a combination of policy, manual actions and automated actions, your organization will need to have a thorough process for responding to different types of attacks at varying levels of severity.

  • IR.5.106: In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data

NOTES: This requirement introduces the need for memory forensic tools in addition to endpoint scanning/protection technology like Microsoft Defender ATP and Office 365 ATP on devices. Your SOC will need to be able to pull forensic data to analyze in aggregate with other SIEM and EDR data.

Recovery (RE):

  • RE.5.140: Ensure information processing facilities meet organizationally defined information security, continuity, redundancy and availability requirements

NOTES: Organizations will need to create a detailed Continuity of Operations Plan addressing each information system in their greater environment. This will include details on how cloud providers are meeting their requirements (i.e. FedRAMP) and SLAs for Disaster Recovery and more. If a company has on-prem or hybrid systems, then documented and technically implemented resilliency is key. See other referenced standards NIST 800-53 r4 CP-10, CERT RMM v1.2 RRM:SG1.SP2, and NIST CSF v1.1 PR.IP-9.

Risk Management (RM):

  • RM.5.152: Utilize an exception process for non-allowlisted software that includes mitigation techniques

NOTES: Procedures need to be in place for approval as well as documenting exceptions in your environment.

  • RM.5.155: Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence

NOTES: This also is a procedural requirement to annually (or more frequent) assess security tools and solutions. Check to see what events or anomalies your team has responded to and the results, review software for patching and updates, review new systems since the last assessment for gaps or new vulnerabilities, etc.

System and Communication Protection (SC):

  • SC.5.198: Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizational-defined boundaries.

NOTES: Need to implement a network traffic packet capture capability on-prem (using Solarwinds, Wireshark, etc.) or in the cloud via Azure Firewall configurations or CheckPoint. Microsoft and other cloud providers provide coverage for Microsoft 365 datacenters and core services.

  • SC.5.230: Enforce port and protocol compliance

NOTES: Companies can implement an Intrusion Prevention System (IPS) to work towards meeting this requirement. Palo Alto, Barracuda, Entrust, and Cisco have solutions, along with many other suppliers.

  • SC.5.208: Employ organizationally defined and tailored boundary protections in addition to commercially available solutions

System and Information Integrity (SI):

  • SI.5.222: Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.

NOTES: This requirement can be met with an Endpoint Detection and Response (EDR) solution like Microsoft Defender ATP.

  • SI.5.223: Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.

NOTES: Microsoft Cloud App Security (MCAS) is one tool in a set of tools tapping into the Microsoft Graph to detect and act on anomalous user behavior.


Next Steps

What technical and procedural practices do you need to implement?

Upon achieving CMMC Level 4 compliance, or the implementation of the appropriate 156 Technical Practices, you'll need to implement the additional 15 shown in the section above. The following discussion provides a few ways to meet some of the new practices and additional resourcing requirements (software, hardware, personnel, outsourcing).



What solution sets can get you to Level 5 CMMC compliance?

Summit 7 has begun the conversation for a solution set to help organizations achieve CMMC Level 5 compliance that is developed for Microsoft 365 GCC High, Azure Government, and hybrid scenarios. To start the conversation with our team for achieving Level 5, click the form below.
CMMC Level 5 Solution
Related Pages:

The Foundation and Levels


CMMC Level Model

These evaluations will lead to a Level certification of 1 to 5, 5 being the most secure. Levels are cumulative, meaning a Level 5 certified organization will need to meet the practices found in Levels 1, 2, 3, 4, and 5. Access a more detailed explanation and overview of CMMC, as well as history, schedule for rollout, and its background here.

OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.

Still Have Other Questions?

If you still have questions about CMMC Level 5, or anything around understanding the Cybersecurity Maturity Model Certification as a whole please do not hesitate to reach out to us.

Here are some ways you can stay connect to the Summit 7 team and hear the latest and greatest on all things security and compliance:

Start The Conversation