Cybersecurity Maturity Model Certification Level 4
The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense framework for verifying that contractors who handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) have the required cybersecurity practices and processes in place. Level 4 is the fourth of five levels in the original (version 1.0) model and is aimed at protecting CUI against advanced persistent threats. Reaching it requires not only the technical practices listed below but documented and reviewed processes: a risk management plan with defined roles and responsibilities, and written policies on data classification and protection. CMMC is a contractual requirement that flows down through DFARS; it is not a substitute for other regimes such as HIPAA, PCI DSS or GDPR, which have their own scope and are assessed separately. The practice identifiers on this page (AC.4.023 and so on) belong to CMMC version 1.0; CMMC 2.0, announced in November 2021, reduced the model to three levels and removed Levels 4 and 5, so treat the list below as a reference for the 1.0 model.
CMMC levels run from Level 1 (least mature) to Level 5 (most mature), and each level is cumulative: certification at a given level requires all practices and processes of the levels below it.
The CMMC is designed to certify and measure the maturity of an organization's cybersecurity program.
The ultimate goal of the CMMC is to protect two types of information that contractors hold on the government's behalf: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Both are defined below, and both exist in digital form (email, files, databases) and in non-digital form (printed research files, drawings), so physical safeguards count alongside technical ones.
The CMMC provides a systematic evaluation of the organization's cybersecurity program against best practices and current standards.
You can use it to measure progress toward your goals, identify gaps in your defensive posture, and make informed decisions about security investments or outsourcing relationships for security services.
The two types of data the CMMC protects from unauthorized access are:
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
- Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public.
CMMC Level 4 Processes and Practices
At Level 4 the process maturity requirement is that practices are reviewed and measured for effectiveness. Beyond measuring, organizations at this level take corrective action when a practice is found wanting and report status and issues to higher-level management on a recurring basis.
Level 4 focuses on protecting CUI from advanced persistent threats (APTs). It encompasses all 110 security requirements of NIST SP 800-171 (already required at Level 3) plus additional practices drawn from other standards and references to mitigate such threats. Note that DFARS clause 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") imposes requirements beyond NIST SP 800-171, such as reporting cyber incidents to the DoD within 72 hours of discovery.
Achieving CMMC Level 4 requires the implementation of the practices listed below plus CMMC Level 1 Practices, CMMC Level 2 Practices, and CMMC Level 3 Practices.
CMMC Level 4 Access Control Practices
- AC.4.023 – Control information flows between security domains on connected systems.
- AC.4.025 – Periodically review and update CUI program access permissions.
- AC.4.032 – Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role.
CMMC Level 4 Asset Management Practices
(Practices are listed in the order in which they appear in the CMMC Model Matrix, top to bottom, not in numerical order.)
- AM.4.226 – Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
CMMC Level 4 Awareness and Training Practices
- AT.4.059 – Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
- AT.4.060 – Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
CMMC Level 4 Audit and Accountability Practices
- AU.4.053 – Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
- AU.4.054 – Review audit information for broad activity in addition to per-machine activity.
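AU.4.053 and AU.4.054 together ask for automated analysis that looks at the whole estate rather than one machine at a time. The following Python script is an added illustration, not part of the CMMC model or of this page's original content: it parses a handful of constructed sshd-style authentication lines from three hosts, flags a source address failing against many accounts across hosts (the password-spraying TTP, ATT&CK T1110.003), and shows why the "broad activity" requirement matters by counting the failures that precede a successful login both per host and fleet-wide. Hostnames, usernames and addresses are made up; the addresses come from documentation ranges that never route on the Internet.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (sshd-style, in syslog order). Hosts, users
# and addresses are made up; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are reserved for documentation.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z host-a sshd: Failed password for alice from 203.0.113.5 port 51000
2024-03-01T08:00:02Z host-a sshd: Failed password for bob from 203.0.113.5 port 51001
2024-03-01T08:00:03Z host-a sshd: Failed password for carol from 203.0.113.5 port 51002
2024-03-01T08:00:04Z host-b sshd: Failed password for dave from 203.0.113.5 port 51003
2024-03-01T08:00:05Z host-c sshd: Failed password for frank from 203.0.113.5 port 51004
2024-03-01T08:00:06Z host-b sshd: Accepted password for dave from 203.0.113.5 port 51005
2024-03-01T08:05:00Z host-a sshd: Failed password for eve from 198.51.100.7 port 40000
2024-03-01T08:05:03Z host-a sshd: Accepted password for eve from 198.51.100.7 port 40001
2024-03-01T08:06:00Z host-a sshd: Accepted password for alice from 192.0.2.10 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_password_spray(events, min_users=3, min_hosts=2):
    """One source address failing against many accounts on several hosts
    (ATT&CK T1110.003, Password Spraying). Only visible when logs from all
    hosts are analysed together."""
    users = defaultdict(set)
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            users[e["ip"]].add(e["user"])
            hosts[e["ip"]].add(e["host"])
    return [
        {"ttp": "T1110.003", "ip": ip, "users": sorted(users[ip]), "hosts": sorted(hosts[ip])}
        for ip in users
        if len(users[ip]) >= min_users and len(hosts[ip]) >= min_hosts
    ]


def find_success_after_failures(events, min_failures=3, scope="fleet"):
    """A successful login preceded by repeated failures from the same source
    (ATT&CK T1110, Brute Force). scope="host" counts only failures seen on the
    host that accepted the login; scope="fleet" counts that source's failures
    on any host, which is the AU.4.054 "broad activity" view."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        key = e["ip"] if scope == "fleet" else (e["ip"], e["host"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= min_failures:
            findings.append({"ttp": "T1110", "ip": e["ip"], "host": e["host"],
                             "user": e["user"], "prior_failures": failures[key]})
    return findings


def analyze(text):
    """Run every detector over one batch of log text and group the findings."""
    events = parse_events(text)
    return {
        "spray": find_password_spray(events),
        "per_host": find_success_after_failures(events, scope="host"),
        "fleet": find_success_after_failures(events, scope="fleet"),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On the sample data the per-host detector stays silent: host-b saw a single failure before dave's login was accepted. The fleet-wide detector sees the five failures the same source racked up across host-a, host-b and host-c and raises the alert, and the spray detector catches the same source trying five accounts on three machines. The thresholds are deliberately low for a nine-line sample; in production they are tuned per environment and the findings would feed a ticketing or SOAR pipeline rather than a print statement.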
CMMC Level 4 Security Assessment Practices
- CA.4.163 – Create, maintain, and leverage a security roadmap for improvement.
- CA.4.164 – Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
- CA.4.227 – Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
CMMC Level 4 Configuration Management (CM) Practices
- CM.4.073 – Employ application whitelisting and an application vetting process for systems identified by the organization.
CMMC Level 4 Incident Response Practices
- IR.4.100 – Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution.
- IR.4.101 – Establish and maintain a security operations center capability that facilitates a 24/7 response capability.
CMMC Level 4 Risk Management Practices
- RM.4.148 – Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.
- RM.4.149 – Catalog and periodically update threat profiles and adversary TTPs.
- RM.4.150 – Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
- RM.4.151 – Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.
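RM.4.151 is a reconciliation exercise: a scan result on its own is noise until it is compared with what the organization has authorized to be exposed. The Python script below is an added example, not tooling from the CMMC program or from this page, that parses output in nmap's grepable (-oG) format and diffs it against an authorized-exposure baseline, reporting open ports that are not approved, hosts that appear on the perimeter without any baseline entry, and approved services that were not observed. The scan text and the AUTHORIZED baseline are constructed for the example; the addresses are from the 203.0.113.0/24 documentation range.

```python
import re

# Constructed sample in the shape of nmap's grepable (-oG) output for a
# perimeter scan. Hosts and hostnames are made up; the address block is
# reserved for documentation. Tabs separate the fields, as nmap writes them.
SAMPLE_GNMAP = """\
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 203.0.113.11 (vpn.example.com)\tPorts: 443/open/tcp//https///, 1194/open/udp//openvpn///, 22/open/tcp//ssh///\tIgnored State: filtered (65532)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open|filtered/tcp//microsoft-ds///\tIgnored State: filtered (65533)
Host: 203.0.113.13 ()\tStatus: Up
# Nmap done at Fri Mar  1 08:12:41 2024 -- 16 IP addresses (4 hosts up) scanned in 761.02 seconds
"""

# Constructed baseline: what the organization has approved to be reachable
# from the Internet, keyed by address, as "port/protocol" strings.
AUTHORIZED = {
    "203.0.113.10": {"80/tcp", "443/tcp"},
    "203.0.113.11": {"443/tcp", "1194/udp"},
}

# -oG port entries are port/state/protocol/owner/service/rpc/version, comma separated.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: {"port/proto", ...}} for ports nmap reports as open.
    Hosts with no Ports: field (for example a bare 'Status: Up' line) are ignored."""
    exposed = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":  # "open|filtered" is not a confirmed exposure
                open_ports.add(f"{port}/{proto}")
        exposed[m.group("ip")] = open_ports
    return exposed


def _port_key(p):
    """Sort "443/tcp" numerically rather than lexically."""
    return (int(p.split("/")[0]), p)


def reconcile(exposed, authorized):
    """Diff observed exposure against the baseline and return a list of findings."""
    findings = []
    for ip, ports in exposed.items():
        allowed = authorized.get(ip)
        if allowed is None:
            # Anything open on a host the baseline does not know about is a finding.
            for p in sorted(ports, key=_port_key):
                findings.append({"ip": ip, "port": p, "issue": "host not in baseline"})
            continue
        for p in sorted(ports - allowed, key=_port_key):
            findings.append({"ip": ip, "port": p, "issue": "unauthorized open port"})
        for p in sorted(allowed - ports, key=_port_key):
            # Not a security exposure, but worth a ticket: a service is down or the scan missed it.
            findings.append({"ip": ip, "port": p, "issue": "authorized service not observed"})
    for ip in sorted(set(authorized) - set(exposed)):
        findings.append({"ip": ip, "port": None, "issue": "baselined host not seen in scan"})
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_gnmap(SAMPLE_GNMAP), AUTHORIZED):
        print(f"{f['ip']:<14} {str(f['port']):<10} {f['issue']}")
```

Run against the sample, the script flags 22/tcp on the VPN gateway (SSH was never approved for Internet exposure) and 3389/tcp on a host that has no baseline entry at all, while the 445 "open|filtered" result is left out because it is not a confirmed exposure. Keeping the baseline in version control next to the scan schedule turns this into the periodic, evidence-producing check the practice calls for.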
CMMC Level 4 Situational Awareness Practices
- SA.4.171 – Establish and maintain a cyber-threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.
- SA.4.173 – Design network and system security capabilities to leverage, integrate, and share indicators of compromise.
CMMC Level 4 System and Communications Protection Practices
- SC.4.197 – Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
- SC.4.199 – Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
- SC.4.202 – Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.
- SC.4.228 – Isolate administration of organizationally defined high-value critical network infrastructure components and servers.
- SC.4.229 – Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
CMMC Level 4 System and Information Integrity Practices
- SI.4.221 – Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
Are you worried that your company is vulnerable to cybercriminals?
The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture.
Cybersecurity Maturity Model Certification (CMMC) Free Resources:
- Understanding CMMC Level 1 Requirements
- Understanding CMMC Level 2 Requirements
- Understanding CMMC Level 3 Requirements
- Understanding CMMC Level 4 Requirements
- Understanding CMMC Level 5 Requirements
Implement CMMC Faster and Easier?
Who is ChatFortress?
ChatFortress is a leading cybersecurity company that helps small and medium-sized companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs and virtual security analysts. Our goal is to help you create a cybersecurity-aware culture.