Technology Checklist for CMMC Level 5

Technology Checklist for CMMC Level 5

The Cybersecurity Maturity Model Certification (CMMC) is a unified security standard requiring contractors working for the US Department of Defense (DoD) to implement strong cybersecurity protocols to safeguard sensitive government information. The CMMC framework was developed with the help of federally funded research and development centers and university affiliated research centers. It takes compliance processes from NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, and AIA NAS9933, and combines them into a single framework. 

This new framework uses a maturity model that categorizes DoD contractors into five different levels based on the complexity of their cybersecurity defenses. This article will focus on CMMC Level 5 controls requirements.

What Is CMMC Level 5?

CMMC Level 5, also known as advanced or progressive cyber hygiene, is the highest level of the CMMC framework. At this level, contractors must be able to prevent or minimize the risk from advanced persistent threats (APTs). APTs are usually carried out by state-sponsored groups or nation-states that use various attack vectors to steal or expose private government data.

What Are the CMMC Level 5 Requirements?

To meet the CMMC Level 5 requirements, contractors must implement an additional 15 controls and 17 processes on top of those already implemented at the first four levels. Also, only 8 out of the 17 CMMC domains contain Level 5 requirements, and they are:

  1. Access Control

This domain requires contractors to identify and prevent all risks related to unidentified wireless access points connected to their network. Contractors may use a wireless intrusion detection system (WIDS), a network tool designed to scan the radio spectrum for any unauthorized access points. They can also turn off unused RJ45 network jacks to prevent illegal access. In addition, contractors can also create access controls that limit connections to authorized devices.

  1. Audit and Accountability

In this domain, contractors must identify assets that are not reporting audit logs. They should also ensure that all appropriate organizationally defined systems are logging properly. Audit logs are a critical component in a post-cyberattack investigation, as they help identify the potential signs of a cyberattack and protect against future attacks.

  1. Configuration Management

This domain requires contractors to verify the correctness and integrity of all essential and security-critical software used to generate and process controlled unclassified information (CUI).

  1. Incident Response

This domain states that DoD contractors must utilize a combination of automated and manual, real-time responses to suspicious activities related to past incident patterns. Contractors should implement predefined procedures outlining how to respond to various attacks with different levels of severity.

In the event of a cyber incident, an organization's security operations center (SOC) must be able to gather and analyze forensic data to create situational awareness across a contractor's infrastructure. All contractors should also have a cyber incident response team capable of responding to a cyberattack within 24 hours. 

Finally, contractors must conduct unannounced exercises to test the effectiveness of their incident response team. This will help identify any gaps or weaknesses in their incident response policy and allow them to make the appropriate changes.

  1. Recovery

This domain focuses on the need for contractors to have a contingency plan that will allow their cybersecurity processes to continue functioning even under stress or an attack. If one process fails, the remaining ones should fill the gap. A good way of doing this is by using redundant components. For example, if a firewall breaks down, there should be another one available to take its place.

  1. Risk Management

This domain requires all DoD contractors to conduct regular assessments of their cybersecurity defenses. These assessments are designed to identify vulnerabilities and misconfigurations in their cybersecurity protocols that hackers can exploit. 

  1. System and Communications Protection

In this domain, contractors are required to configure monitoring systems that record traffic passing through their internet network boundaries. Also, contractors must implement customized boundary protection on top of commercially available solutions to detect and prevent possible cyberattacks.

  1. System and Information Integrity

Lastly, this domain requires contractors to use endpoint detection and response (EDR) solutions to monitor and identify system commands and scripts operating outside of normal parameters, which show that an exploit is in progress. User activity should also be monitored for any suspicious behavior.


Once all CMMC Level 5 requirements are met, the next step is to partner with a trusted managed IT services provider like Charles IT for a gap assessment. We will identify gaps in your company's security posture and provide the appropriate solutions. If you want to pass your CMMC audit, start your gap assessment now.

New call-to-action