CMMC level 5

Level 5: Advanced cyber

CMMC level 5 is the final level of cyber security maturity. The number of security practices added at level 5 is 15, 4 practices from NIST SP 800 – 171B and 11 from other sources. In addition to those practices identified at Level 1(17), Level 2(55), Level 3(58) and Level 4(26), a total of 171 in scope practices at Level 5. Compliance will require an organisation to apply the compliance processes identified at Level 1, 2, 3 and 4 (performed, documented, managed, reviewed and measured) to Level 5 practices. In addition the organisation will have to implement the necessary processes to standardise and optimise practices to demonstrate their consistency, effectiveness and efficiency across the organisation.

By demonstrating that Level 5 practices are being performed, documented, managed, reviewed, measured standardised and optimised the organisation will demonstrate that it is taking a practice approach to the development and maintain its cybersecurity maturity, for the protection of Controlled Unclassified Information (CUI).

Processes : Optimising	Level 5 requires an organisation to standardise and optimise process implementation across the organisation.
Practices : Advanced/ Proactive	Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

CMMC Level 1 consist of 8 security domains addressing 12 capabilities with 15 security practices.

Domain	Capability	Practice reference	Practice description
Access Control (AC)	C002 Control internal system access	AC.5.024	Identify and mitigate risk associated with unidentified wireless access points connected to the network.
Audit & Accountability (AU)	C008 Perform auditing	AU.5.055	Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
Configuration Management (CM)	C014 Perform configuration and change management	CM.5.074	Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification or cryptographic signatures).
Incident Response (IR)	C016 Plan incident response	IR.5.106	In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
	C018 Develop and implement a response to a declared incident	IR.5.102	Use a combination of manual and automated, real-time response to anomalous activities that match incident patterns.
		IR.5.108	Establish and maintain a Cyber Incident Response Team (CIRT) that can investigate an issue physically or virtually at any location within 24 hours.
	C020 Test incident response	IR.5.110	Perform unannounced operational exercises to demonstrate technical and procedural responses.
Recovery (RE)	C030 Manage information security continuity	RE.5.140	Ensure information processing facilities meet organizationally-defined information security continuity, redundancy and availability requirements.
Risk Management (RM)	C032 Manage risk	RM.5.152	Utilize an exception process for non-whitelisted software that includes mitigation techniques.
Risk Management (RM)	C032 Manage risk	RM.5.155	Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
System & Communications Protection (SC)	C038 Define security requirements for systems and communications	SC.5.198	Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizational-defined boundaries.
		SC.5.230	Enforce port and protocol compliance.
	C039 Control communications at system boundaries	SC.5.208	Employ organizationally-defined and tailored boundary protections in addition to commercially-available solutions.
System & Information Integrity (SI)	C041 Identify malicious content	SI.5.222	Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
System & Information Integrity (SI)	C042 Perform network and system monitoring	SI.5.223	Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.

Table: CMMC Level 5 domains, capabilities and practices