Achieving the CMMC’s Highest Levels: 41 Practices for a Stronger Cyberdefense

Ali Pabrai
Author: Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, Security+
Date Published: 23 August 2021

The achievement of higher levels of the US Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC), specifically Maturity Levels 4 and 5, enhances an organization’s ability to protect Controlled Unclassified Information (CUI) and reduces the risk of advanced persistent threats (APTs).1, 2 So, what exactly is an APT? An APT is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to achieve its objectives by using multiple attack vectors such as cyberattacks, physical attacks and deception.

“Cyberattacks are conducted with silent weapons, and in some situations, those weapons are undetectable,” Ron Ross, a computer scientist and fellow of the US National Institute of Standards and Technology (NIST), said. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now…The adversaries are bringing their ‘A-game’ in these cyberattacks 24 hours a day, 7 days a week.”3

There are 26 specific additional practices required for Maturity Level 4 and 15 additional practices required for Maturity Level 5, which provide a valuable reference for every organization to evaluate and integrate within its security program to ensure a credible, advanced cyberdefense.

It is worth examining the enhanced capabilities that organizations must acquire to reduce the risk of being affected by APTs. There are 26 specific additional practices required for Maturity Level 4 and 15 additional practices required for Maturity Level 5, which provide a valuable reference for every organization to evaluate and integrate within its security program to ensure a credible, advanced cyberdefense.

CMMC Maturity Level 4: Measured Capabilities, Proactive Program

The CMMC’s maturity levels serve to measure an organization’s process maturity or process institutionalization. Maturity Level 3 requires 3 processes to be implemented. Process institutionalization provides additional assurance that the practices associated with each level are implemented effectively.

Maturity Level 4 requires that an organization review and measure practices for effectiveness. Organizations at this level are also able to inform senior management of the status of their security program on a recurring basis and take corrective action when necessary.

In addition, Maturity Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from NIST Special Publication (SP) 800-172 (which supersedes NIST SP 800-171B) and other cybersecurity best practices.4 These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.

The Practices Required for CMMC Maturity Level 4

Maturity Level 4 introduces 26 new practices in addition to the 130 practices required for Maturity Level 3. The following are the CMMC practices specific to Maturity Level 4:5

  1. Control information flows between security domains on connected systems (AC.4.023)
  2. Periodically review and update CUI program access permissions (AC.4.025)
  3. Restrict remote network access based on organizationally defined risk factors such as time of day, location of access, physical location, network connection state, and measured properties of the current user and role (AC.4.032)
  4. Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory (AM.4.226)
  5. Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity (AU.4.053)
  6. Review audit information for broad activity in addition to per-minute activity (AU.4.054)
  7. Provide awareness training focused on recognizing and responding to threats from social engineering, APT actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat (AT.4.059)
  8. Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training (AT.4.060)
  9. Employ application whitelisting and an application vetting process for systems identified by the organization (CM.4.073)
  10. Use knowledge of attacker tactics, techniques and procedures in incident response planning and execution (IR.4.100)
  11. Establish and maintain a security operations center capability that features a 24/7 response capability (IR.4.101)
  12. Catalog and periodically update threat profiles and adversary TTPs (RM.4.149)
  13. Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities (RM.4.150)
  14. Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries (RM.4.151)
  15. Develop and update as require, a plan for managing supply chain risks associated with the IT supply chain (RM.4.148)
  16. Create, maintain, and leverage a security strategy and roadmap for organizational cybersecurity improvement (CA.4.163)
  17. Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts (CA.4.164)
  18. Periodically perform red teaming against organizational assets in order to validate defensive capabilities (CA.4.227)
  19. Establish and maintain a cyber threat hunting capability to search for Indicators of Compromise (IoC) in organizational systems and detect, track, and disrupt threats that evade existing controls (SA.4.171)
  20. Design network and system security capabilities to leverage, integrate, and share IoC (SA.4.173)
  21. Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization (SC.4.197)
  22. Isolate administration of organizationally defined high-value critical network infrastructure components and servers (SC.4.228)
  23. Utilize threat intelligence to proactively block DNS requests from reaching malicious domains (SC.4.199)
  24. Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries (SC.4.202)
  25. Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization (SC.4.229)
  26. Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting (SI.4.221)

CMMC Maturity Level 5: Optimized Capabilities, Advanced Program

Maturity Level 5 requires an organization to standardize and optimize process implementation throughout the entire enterprise, across all applicable organization units. This level focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of an organization’s cybersecurity capabilities.

The Practices Required for CMMC Maturity Level 5

A total of 171 practices are required to be implemented to achieve Maturity Level 5. This level introduces 15 additional practices beyond the 156 practices required for Maturity Level 4:6

  1. Identify and mitigate risk associated with unidentified wireless access points connected to the network (AC.5.024)
  2. Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging (AU.5.055)
  3. Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures)
  4. In response to cyberincidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data (IR.5.106)
  5. Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns (IR.5.102)
  6. Establish and maintain a cyberincident response team that can investigate an issue physically or virtually at any location within 24 hours (IR.5.108)
  7. Perform unannounced operational exercises to demonstrate technical and procedural responses (IR.5.110)
  8. Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements (RE.5.140)
  9. Utilize an exception process for non-whitelisted software that includes mitigation techniques (RM.5.152)
  10. Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence (RM.5.155)
  11. Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizationally defined boundaries (SC.5.198)
  12. Enforce port and protocol compliance (SC.5.230)
  13. Employ organizationally defined and tailored boundary protections in addition to commercially available solutions (SC.5.208)
  14. Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions (SI.5.222)
  15. Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior (SI.5.223)

The Domains of the CMMC

The CMMC consists of 17 domains, most of which originate from the security-related sections of the US Federal Information Processing Standards (FIPS) Publication 200 and the related security families described in NIST SP 800-171.7 However, there are 3 remaining domains that are unique to the CMMC:8

  1. Asset Management (AM)
  2. Recovery (RE)
  3. Situational Awareness (SA)

These 3 domains introduce capabilities that include:

  1. Asset Management Domain
    • Identify and document assets
    • Manage asset inventory
  2. Recovery Domain
    • Manage backups
    • Manage information security continuity
  3. Situational Awareness Domain  
    • Implement threat monitoring

Conclusion

The CMMC’s maturity processes institutionalize cybersecurity activities to ensure that they are consistent, repeatable and of high quality, while its practices provide a range of mitigation across the 5 maturity levels, culminating with reducing the risk from APTs at Maturity Levels 4 and 5.

Every organization must study the CMMC’s Maturity Levels 4 and 5 and their associated processes and practices. Therein are the ingredients for, and the requirements of, a credible, advanced cyberdefense. 

Endnotes

1 Carnegie Mellon University, Pittsburgh, Pennsylvania, USA, and The Johns Hopkins University Applied Physics Laboratory LLC, Baltimore, Maryland, USA, Cybersecurity Maturity Model Certification (CMMC) Version 1.02, USA, 18 March 2020
2 US Department of Defense (DOD), DoD CUI Program
3 US National Institute of Standards and Technology (NIST), "NIST Offers Tools to Help Defend Against State-Sponsored Hackers," USA, 2 February 2021
4 Ross, R.; V. Pillitteri; G. Guissanie; R. Wagner; R. Graubart; D. Bodeau; Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, NIST, USA, February 2021
5 Ibid.
6Ibid
7 NIST and the US Department of Commerce, Federal Information Processing Standards Publication (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems, USA, March 2006
8 Office of the Under Secretary of Defense for Acquisition and Sustainment—Cybersecurity Maturity Model Certification, CMMC Appendices Version 1.02, USA, 18 March 2020

Uday Ali Pabrai, CMMC PA, CMMC RP, CISSP, HITRUST CCSFP, MSEE, Security+

Is the chief executive of ecfirst, an Inc. 500 business. His career was launched with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. He can be reached at Pabrai@ecfirst.com.