In our previous blog, we discussed the purpose of Level 4 and the requirements that potential contractors will need to meet for Level 4. As we continue along the maturity model to the final level, we will provide *Readiness Notes* to point out potential roadblocks for achieving Cybersecurity Maturity Model Certification (CMMC) Level 5 readiness.
Defining Process and Practice for Level 5
Potential contractors’ cybersecurity maturity is measured with five distinct levels in the CMMC model. Each level is broken into two parts: processes and practices. Level 5 is the most mature level with the most stringent requirements. Level 5’s process is optimizing, and its practice is advanced/progressive. Each level and the corresponding sets of processes and practices across domains are cumulative. For contractors aiming for Level 5, all the requirements of Levels 1 through 4 as well as Level 5 will need to be met.
Purpose of Level 5
What is the purpose of Level 5? To protect Controlled Unclassified Information (CUI) and reduce the risk of Advanced Persistent Threats (APTs). This level requires the potential contractor to standardize and optimize process implementation across the organization. Level 5 focuses on the protection of CUI from APTs with additional practices to increase the depth and sophistication of cybersecurity capabilities.
Level 5 Requirements
Level 5 requires all 171 CMMC requirements and practices to be satisfied. The majority of the Level 5 specific requirements pertain to incident response and system and communications protection. Contractors must meet each requirement to be certified at Level 5 as the grading for the certification is pass/fail. No partial credit is given to contractors. CMMC Version 1.0 Appendices identifies the remaining additional requirements within Level 5 as follows:
1. ML.5.995: Standardize and optimize a documented approach across all applicable organizational units.
2. AC.5.024: Identify and mitigate risk associated with unidentified wireless access points connected to the network.
The potential contractor should perform a periodic risk assessment. The risk assessment should identify management’s risk tolerance, mitigating controls that are in place, and process owners that will ensure the controls are performed as it relates to the risk of data loss and data exfiltration of confidential information. The risk assessment should be updated periodically with any newly identified risks.
3. AU.5.055: Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
4. CM.5.074: Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).
The potential contractor may need to acquire tools to meet this requirement. Tools to accomplish this are parity checks, cyclical redundancy checks, cryptographic hashes. Moreover, procedures need to be in place to ensure that any unauthorized changes to software can be detected.
5. IR.5.106: In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.
As mentioned in our previous blog, it is important for the potential contractor to incorporate lessons learned into the incident response plan when it is tested throughout the year. Lessons learned include the forensic analysis that was performed and protections that will prevent exploitation. The incident response plan affects requirements 6, 7, 9, and 11 below.
6. IR.5.102: Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
7. IR.5.108: Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.
8. IR.5.110: Perform unannounced operational exercises to demonstrate technical and procedural response.
9. RE.5.140: Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.
10. RM.5.152: Utilize an exception process for non-whitelisted software that includes mitigation techniques.
11. RM.5.155: Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
12. SC.5.198: Configure monitoring systems to record packets passing through the organization’s Internet network boundaries and other organizationally defined boundaries.
13. SC.5.230: Enforce port and protocol compliance.
14. SC.5.208: Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.
15. SI.5.222: Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
16. SI.5.223: Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
The CMMC Accreditation Body is continuing to move forward with efforts and potential contractors should take steps to ensure they are ready. For more information regarding CMMC readiness, please contact Brad Fuller, at firstname.lastname@example.org.
Cybersecurity Maturity Model Certification v1.0 (CMMC v1.0)
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF v1.1)