Your technology checklist for achieving CMMC level 4

The cybersecurity maturity model certification (CMMC) represents the federal government’s next step in the standardization of information security controls and processes throughout the entire DoD supply chain. It applies to the 300,000+ organizations that provide contracting services and products to the DoD.

There are five CMMC levels, each of which defines a set of practices and processes that must be adopted in order to achieve compliance. Third-party audits are also required, which is one of the most significant changes in the new legislation. Meeting all CMMC level 4 control standards will help organizations secure more lucrative contracts with the DoD.

Here’s a checklist of the CMMC level 4 requirements:

#1. Access control

Access control governs who has access to the systems that store or transmit controlled unclassified information (CUI), and the conditions under which those systems may be operated. It covers remote and internal access, and limitations on user roles.

CMMC level 4 controls govern the flow of information between connected systems, periodic review of access permissions, and restrictions on remote network access based on risk factors defined by the organization.

#2. Asset management

Asset management is about locating, identifying, and logging the inventory of all assets comprising your CUI environment, such as devices, operating systems, virtual machines and containers.

To reach CMMC level 4, you’ll need the automated capability to discover and identify systems based on specific attributes, such as firmware or operating system version.

#3. Auditing and accountability

Auditing and accountability covers the processes in place for tracking users who have access to your CUI systems and ensuring they can be held accountable for their actions.

CMMC level 4 requires organizations to automate the analysis of logs on a per-asset basis, and to have a defined process for acting on indicators of suspicious activity.

#4. Awareness and training

Since most cyberthreats target people rather than technology, this domain is one of the most important and also the broadest. It requires organizations to establish formal training programs for all personnel who come into contact with CUI.

CMMC level 4 compliance requires awareness training that draws attention to threats like advanced persistent threats (APTs), social engineering, and suspicious behavior. Training should align with current risk factors and threat scenarios and be provided at least annually.

#5. Configuration and management

Effective, exhaustive audits depend on documented configuration baselines being in place. Those baselines determine how consistently your security systems behave, and therefore how meaningful your audits are.

CMMC Level 4 requires the addition of application whitelisting and a documented vetting process for any systems to be added to the CUI environment.

#6. Incident response

This domain requires an incident response plan and the ability to detect and report events and carry out appropriate remediation efforts.

CMMC level 4 compliance demands that organizations implement and maintain a security operations center (SOC) that operates around the clock and is staffed by people who understand attacker techniques.

#7. Risk management

The risk management domain revolves around risk assessments, which identify risks across your organization and evaluate the potential threats facing it, along with their possible consequences.

To reach CMMC level 4 compliance, you’ll need to catalog and update threat profiles, have a way to manage supply chain risks, employ threat intelligence, and perform regular scans for any unauthorized connections to your network.

#8. Security assessment

This domain revolves around a formal security plan: documentation that defines and manages controls and reviews across the organization.

You’ll need a cybersecurity roadmap for the continuous improvement of your environment. It’s also necessary to conduct periodic penetration testing using automated scanning tools, and to test and validate proactive defense capabilities.

#9. Situational awareness

Situational awareness serves as an extension to the other domains to enable a fully proactive and continuously improving cybersecurity environment. This is meant to keep the organization safe in the event of an incident.

To reach CMMC level 4, you’ll need a cyberthreat hunting capability and a system that leverages, integrates, and shares any indicators of compromise.

#10. Systems and communication protection

To comply with CMMC, organizations need to provide evidence that they have full control over their communications at system boundaries. This means deploying physical and logical tactics to isolate systems, utilizing threat intelligence against potentially malicious DNS requests, and isolating network administration accordingly.

Organizations also need to implement a URL categorization system to enforce the filtering of websites and online services whose use hasn’t been approved.

#11. Systems and information integrity

Finally, you need a way to identify and manage flaws within your CUI environment. This should include ways to identify malicious code and network-wide monitoring.

CMMC level 4 requires organizations to participate in an Information Sharing and Analysis Center (ISAC) to share information about tactics, techniques, and procedures used in cyber-attacks to inform and educate.

With years of experience helping companies navigate the evolving regulatory landscape, we ensure your business is ready to meet all major industry standards. Talk to a member of our team today to schedule your GAP assessment.