Level 5: Advanced cyber

CMMC level 5 is the final level of cyber security maturity.  The number of security practices added at level 5 is 15, 4 practices from NIST SP 800 – 171B and 11 from other sources.   In addition to those practices identified at Level 1(17), Level 2(55), Level 3(58) and Level 4(26), a total of 171 in scope practices at Level 5.  Compliance will require an organisation to apply the compliance processes identified at Level 1, 2, 3 and 4 (performed, documented, managed, reviewed and measured) to Level 5 practices.  In addition the organisation will have to implement the necessary processes to standardise and optimise practices to demonstrate their consistency, effectiveness and efficiency across the organisation. 

By demonstrating that Level 5 practices are being performed, documented, managed, reviewed, measured standardised and optimised the organisation will demonstrate that it is taking a practice approach to the development and maintain its cybersecurity maturity, for the protection of Controlled Unclassified Information (CUI).

Processes : OptimisingLevel 5 requires an organisation to standardise and optimise process implementation across the organisation.
Practices : Advanced/ ProactiveLevel 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

CMMC Level 1 consist of 8 security domains addressing 12 capabilities with 15 security practices.

DomainCapabilityPractice referencePractice description
Access Control (AC)C002 Control internal system accessAC.5.024Identify and mitigate risk associated with unidentified wireless access points connected to the network.
Audit & Accountability (AU)C008 Perform auditingAU.5.055Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
Configuration Management (CM)C014 Perform configuration and change managementCM.5.074Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification or cryptographic signatures).
Incident Response (IR)C016 Plan incident responseIR.5.106In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
C018 Develop and implement a response to a declared incidentIR.5.102Use a combination of manual and automated, real-time response to anomalous activities that match incident patterns.
IR.5.108Establish and maintain a Cyber Incident Response Team (CIRT) that can investigate an issue physically or virtually at any location within 24 hours.
C020 Test incident responseIR.5.110Perform unannounced operational exercises to demonstrate technical and procedural responses.
Recovery (RE)C030 Manage information security continuityRE.5.140Ensure information processing facilities meet organizationally-defined information security continuity, redundancy and availability requirements.
Risk Management (RM)C032 Manage riskRM.5.152Utilize an exception process for non-whitelisted software that includes mitigation techniques.
RM.5.155Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
System & Communications Protection (SC)C038 Define security requirements for systems and communicationsSC.5.198Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizational-defined boundaries.
SC.5.230Enforce port and protocol compliance.
C039 Control communications at system boundariesSC.5.208Employ organizationally-defined and tailored boundary protections in addition to commercially-available solutions.
System & Information Integrity (SI)C041 Identify malicious contentSI.5.222Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
C042 Perform network and system monitoringSI.5.223Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.

Table:  CMMC Level 5 domains, capabilities and practices

Chartered Security Professional (CSyP)Security Institute (MSyI)Worshipful Company of Security ProfessionalsAcademy of Experts