Level 4: Proactive cyber

CMMC level 4 increases the number of security practices in scope by 26, 11 practices from NIST SP 800 – 171B and 15 from other sources.  In addition to those practices identified at Level 1 (17), Level 2 (55) and Level 3 (58), a total of 156 practices at Level 4.  Compliance will require an organisation to apply the compliance processes identified at Level 1, 2 and 3 (practised, documented and managed) to Level 4 practices.  In addition the organisation will have to implement the necessary processes to review and measure practices to demonstrate their effectiveness, taking corrective action and informing senior management when practices fail to meet the required level of effectiveness.

By demonstrating that Level 4 practices are being performed, documented, managed, reviewed and measured the organisation will develop its cyber security maturity, for the protection of Controlled Unclassified Information (CUI).

Processes : ReviewedLevel 4 requires that an organisation review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organisations at this level are able to take corrective action when necessary and inform higher level management of status or issues on a recurring basis.
Practices : ProactiveLevel 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B [6] as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

CMMC Level 4 consist of 11 security domains addressing 16 capabilities with 26 security practices.

DomainCapabilityPractice referencePractice decription
Access Control (AC)C002 Control internal system accessAC.4.023Control information flows between security domains on connected systems.
AC.4.025Periodically review and update CUI program access permissions.
C003 Control remote system accessAC.4.032Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.
Asset Management (AM)C006 Manage asset inventoryAM.4.226Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
Audit & Accountability (AU)C010 Review and manage audit logsAU.4.053Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
AU.4.054Review audit information for broad activity in addition to per-machine activity.
Awareness & Training (AT)C011 Conduct security awareness activitiesAT.4.059Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
AT.4.060Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
Configuration Management (CM)C014 Perform configuration and change managementCM.4.073Employ application whitelisting and an application vetting process for systems identified by the organization.
Incident Response (IR)C016 Plan incident responseIR.4.100Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution.
C018 Develop and implement a response to a declared incidentIR.4.101Establish and maintain a Security Operations Center (SOC) capability that facilitates a 24/7 response capability.
Risk Management (RM)C031 Identify and evaluate riskRM.4.149Catalog and periodically update threat profiles and adversary Tactics, Techniques & Procedures (TTPs).
RM.4.150Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities.
RM.4.151Perform scans for unauthorized ports available across perimeter network boundaries, over the organization’s Internet boundaries and other organization-defined boundaries.
C033 Manage supply chain riskRM.4.148Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
Security Assessment (CA)C034 Develop and manage a system security planCA.4.163Create, maintain and leverage a security strategy and roadmap for organizational cybersecurity improvement.
C035 Define and manage controlsCA.4.164Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
CA.4.227Periodically perform red teaming against organizational assets in order to validate defensive capabilities
Situational Awareness (SA)C037 Implement threat monitoringSA.4.171Establish and maintain a cyber threat hunting capability to search for Indicators of Compromise (IoC) in organizational systems and detect, track and disrupt threats that evade existing controls.
SA.4.173Design network and system security capabilities to leverage, integrate and share Indicators of Compromise (IoC).
System & Communications Protection (SC)C038 Define security requirements for systems and communicationsSC.4.197Employ physical and logical isolation techniques in the system and security architecture and/or and where deemed appropriate by the organization.
SC.4.228Isolate administratrion of organizationally-defined high-value critical network infrastructure components and servers.
C039 Control communications at system boundariesSC.4.199Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
SC.4.202Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally-defined boundaries.
SC.4.229Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
System & Information Integrity (SI)C040 Identify and manage information system flawsSI.4.221Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.

Table:  CMMC Level 4 domains, capabilities and practices