CMMC Level 5 is the final level of cyber security maturity. Level 5 adds 15 security practices: 4 from NIST SP 800-171B and 11 from other sources. Together with the practices identified at Level 1 (17), Level 2 (55), Level 3 (58) and Level 4 (26), this gives a total of 171 in-scope practices at Level 5. Compliance will require an organisation to apply the compliance processes identified at Levels 1, 2, 3 and 4 (performed, documented, managed, reviewed and measured) to the Level 5 practices. In addition, the organisation will have to implement the processes necessary to standardise and optimise its practices, demonstrating their consistency, effectiveness and efficiency across the organisation.
By demonstrating that Level 5 practices are being performed, documented, managed, reviewed, measured, standardised and optimised, the organisation will demonstrate that it is taking a practice approach to developing and maintaining its cybersecurity maturity, for the protection of Controlled Unclassified Information (CUI).