CMMC level 4

Level 4: Proactive cyber

CMMC level 4 increases the number of security practices in scope by 26, 11 practices from NIST SP 800 – 171B and 15 from other sources. In addition to those practices identified at Level 1 (17), Level 2 (55) and Level 3 (58), a total of 156 practices at Level 4. Compliance will require an organisation to apply the compliance processes identified at Level 1, 2 and 3 (practised, documented and managed) to Level 4 practices. In addition the organisation will have to implement the necessary processes to review and measure practices to demonstrate their effectiveness, taking corrective action and informing senior management when practices fail to meet the required level of effectiveness.

By demonstrating that Level 4 practices are being performed, documented, managed, reviewed and measured the organisation will develop its cyber security maturity, for the protection of Controlled Unclassified Information (CUI).

Processes : Reviewed	Level 4 requires that an organisation review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organisations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Practices : Proactive	Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B [6] as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

CMMC Level 4 consist of 11 security domains addressing 16 capabilities with 26 security practices.

Domain	Capability	Practice reference	Practice decription
Access Control (AC)	C002 Control internal system access	AC.4.023	Control information flows between security domains on connected systems.
	C002 Control internal system access	AC.4.025	Periodically review and update CUI program access permissions.
	C003 Control remote system access	AC.4.032	Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.
Asset Management (AM)	C006 Manage asset inventory	AM.4.226	Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
Audit & Accountability (AU)	C010 Review and manage audit logs	AU.4.053	Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
Audit & Accountability (AU)	C010 Review and manage audit logs	AU.4.054	Review audit information for broad activity in addition to per-machine activity.
Awareness & Training (AT)	C011 Conduct security awareness activities	AT.4.059	Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Awareness & Training (AT)	C011 Conduct security awareness activities	AT.4.060	Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
Configuration Management (CM)	C014 Perform configuration and change management	CM.4.073	Employ application whitelisting and an application vetting process for systems identified by the organization.
Incident Response (IR)	C016 Plan incident response	IR.4.100	Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution.
Incident Response (IR)	C018 Develop and implement a response to a declared incident	IR.4.101	Establish and maintain a Security Operations Center (SOC) capability that facilitates a 24/7 response capability.
Risk Management (RM)	C031 Identify and evaluate risk	RM.4.149	Catalog and periodically update threat profiles and adversary Tactics, Techniques & Procedures (TTPs).
		RM.4.150	Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities.
		RM.4.151	Perform scans for unauthorized ports available across perimeter network boundaries, over the organization’s Internet boundaries and other organization-defined boundaries.
	C033 Manage supply chain risk	RM.4.148	Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
Security Assessment (CA)	C034 Develop and manage a system security plan	CA.4.163	Create, maintain and leverage a security strategy and roadmap for organizational cybersecurity improvement.
	C035 Define and manage controls	CA.4.164	Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
	C035 Define and manage controls	CA.4.227	Periodically perform red teaming against organizational assets in order to validate defensive capabilities
Situational Awareness (SA)	C037 Implement threat monitoring	SA.4.171	Establish and maintain a cyber threat hunting capability to search for Indicators of Compromise (IoC) in organizational systems and detect, track and disrupt threats that evade existing controls.
Situational Awareness (SA)	C037 Implement threat monitoring	SA.4.173	Design network and system security capabilities to leverage, integrate and share Indicators of Compromise (IoC).
System & Communications Protection (SC)	C038 Define security requirements for systems and communications	SC.4.197	Employ physical and logical isolation techniques in the system and security architecture and/or and where deemed appropriate by the organization.
		SC.4.228	Isolate administratrion of organizationally-defined high-value critical network infrastructure components and servers.
	C039 Control communications at system boundaries	SC.4.199	Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
		SC.4.202	Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally-defined boundaries.
		SC.4.229	Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
System & Information Integrity (SI)	C040 Identify and manage information system flaws	SI.4.221	Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.

Table: CMMC Level 4 domains, capabilities and practices