In our previous blog, we discussed the purpose of Level 3 and the requirements that potential contractors will need to meet to achieve Level 3 readiness. As we continue along the maturity model to Level 4, we will provide *Readiness Notes* to point out potential roadblocks for achieving Cybersecurity Maturity Model Certification (CMMC) Level 4 readiness.
Purpose of Level 4
Potential contractors’ cybersecurity maturity is measured with five levels in the CMMC model. Level 4’s purpose is to protect Controlled Unclassified Information (CUI) and reduce risk of Advanced Persistent Threats (APTs).
What classifies as an APT? The CMMC describes an APT as an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).
Level 4 requires the potential contractor to review and measure practices for effectiveness, take corrective action when necessary, and regularly inform higher levels of management of issues. Level 4 focuses on the protection of CUI from APTs by adding a subset of the enhanced security requirements from Draft NIST SP 800-171B and other cybersecurity best practices. These practices should enhance the potential contractor’s detection and response capabilities so that it can address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.
Defining Process and Practice for Level 4
Each level is broken into two parts: processes and practices. At Level 4, processes are “Reviewed” and practices are “Proactive.” Levels, and the corresponding sets of processes and practices across domains, are cumulative. For potential contractors, that means meeting all the requirements of Levels 1 through 3 as well as the Level 4 requirements before reaching Level 4 readiness.
Level 4 Requirements
Level 4 includes 156 total practices, including the 130 practices from the preceding three levels. Obtaining Level 4 will require buy-in from senior management to ensure the requirements are met, as the grading for the certification is pass/fail with no partial credit. Potential contractors should also be prepared to invest in additional resources, as many of the Level 4 requirements depend on tooling.
Below, we have selected Level 4 requirements where we anticipate pitfalls potential contractors may face, as well as requirements that may bring about the need to acquire additional tools and services.
1. AC.4.025: Periodically review and update CUI program access permissions.
a. (Level 2) AC.2.008: Use non-privileged accounts or roles when accessing nonsecurity functions.
b. (Level 3) AC.3.018: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
We see many organizations that fail to review access permissions properly. Potential contractors will need to ensure access permissions are reviewed routinely throughout the audit period, and that each review is documented so the assessor can see it happened. This requirement builds on the two preceding requirements from Levels 2 & 3: using non-privileged accounts for nonsecurity functions, preventing non-privileged users from executing privileged functions, and ensuring that any such execution is captured in audit logs that are enabled and reviewed.
2. AM.4.226: Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
Potential contractors should document their risk tolerance for systems that store or process CUI, together with a data classification policy, and should ensure inventory discovery is performed periodically at a frequency based on that documented risk tolerance. Documentation of this process should include corrections, updates, and approved exceptions for devices included within the inventory.
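As an added illustration of what “discover and identify systems with specific component attributes” looks like in practice (this is example code written for this post, not part of CMMC or any vendor product), the script below queries a constructed inventory by OS type and firmware level and checks each system against a documented baseline. The hostnames, vendors, firmware versions, baseline values and exception entry are all assumptions made up for the example.

```python
"""Added example: query a constructed asset inventory by component attributes
(firmware level, OS type) and check it against a documented baseline.
Inventory records, baseline values and the exception list are assumptions
made for this example, not data from CMMC or any vendor."""
import re

# Constructed inventory, shaped like what an agent or discovery scan might report.
INVENTORY = [
    {"host": "cui-fw01", "vendor": "ExampleNet", "model": "FW-200",
     "firmware": "7.2.1", "os_type": "appliance", "handles_cui": True},
    {"host": "cui-fw02", "vendor": "ExampleNet", "model": "FW-200",
     "firmware": "7.0.9", "os_type": "appliance", "handles_cui": True},
    {"host": "cui-app01", "vendor": "Dell", "model": "R740",
     "firmware": "2.10.2", "os_type": "Linux", "handles_cui": True},
    {"host": "cui-app02", "vendor": "Dell", "model": "R740",
     "firmware": "2.8.1", "os_type": "Linux", "handles_cui": True},
    {"host": "lab-ws07", "vendor": "Dell", "model": "R740",
     "firmware": None, "os_type": "Windows 7", "handles_cui": False},
    {"host": "cui-db01", "vendor": "Dell", "model": "R740",
     "firmware": "2.10.2", "os_type": "Windows Server 2008", "handles_cui": True},
]

# Documented baseline (assumed): minimum firmware per (vendor, model), and OS
# types the organization no longer accepts on the network.
FIRMWARE_BASELINE = {("ExampleNet", "FW-200"): "7.2.0", ("Dell", "R740"): "2.10.0"}
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008"}

# Approved exceptions (host -> documented justification) from the risk-acceptance process.
EXCEPTIONS = {"cui-db01": "legacy application; isolated VLAN; decommission scheduled"}


def version_key(version):
    """Turn '2.10.2' into (2, 10, 2) so comparisons are numeric.
    A plain string compare would rank '2.8.1' above '2.10.0' and miss the gap."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_by_attributes(inventory, **attrs):
    """Discover systems matching the given attributes, e.g. os_type='Linux'."""
    return [s for s in inventory if all(s.get(k) == v for k, v in attrs.items())]


def assess(inventory):
    """Compare each system against the baseline and bucket the results."""
    report = {"below_baseline": [], "unsupported_os": [],
              "unknown_firmware": [], "excepted": []}
    for system in inventory:
        host = system["host"]
        if host in EXCEPTIONS:
            # Excepted systems are still reported so the exception stays visible
            # and gets re-reviewed, rather than silently dropping off the list.
            report["excepted"].append((host, EXCEPTIONS[host]))
            continue
        baseline = FIRMWARE_BASELINE.get((system["vendor"], system["model"]))
        if system["firmware"] is None:
            # Missing data is a finding in itself: discovery did not reach this system.
            report["unknown_firmware"].append(host)
        elif baseline and version_key(system["firmware"]) < version_key(baseline):
            report["below_baseline"].append((host, system["firmware"], baseline))
        if system["os_type"] in UNSUPPORTED_OS:
            report["unsupported_os"].append((host, system["os_type"]))
    return report


if __name__ == "__main__":
    print(find_by_attributes(INVENTORY, os_type="Linux", handles_cui=True))
    for bucket, items in assess(INVENTORY).items():
        print(bucket, items)
```

The two details worth carrying over to a real tool are the numeric version comparison (lexical comparison silently passes `2.8.1` against a `2.10.0` baseline) and treating an unknown firmware level as a finding rather than a pass, since a device the discovery capability cannot read is exactly the device that falls outside the inventory process.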
3. AU.4.053: Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
Potential contractors should ensure that event data is collected and aggregated centrally; SIEMs and event log management systems can accomplish this. The potential contractor should also ensure these tools provide adequate monitoring coverage and that the automated analysis produces alerts that are actually acted upon, rather than simply stored.
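To make the “automate analysis of audit logs to identify and act on critical indicators” requirement concrete, here is an added example (written for this post, not code from CMMC or any SIEM vendor) that runs two detectors over constructed log lines: a non-privileged account executing a privileged function, which is the condition AC.3.018 requires to be logged, and a burst of failed logins followed by a success. The log layout, hostnames, account names, thresholds and recommended actions are all assumptions.

```python
"""Added example: automated analysis of constructed audit log lines for two
organizationally defined indicators, each finding carrying a recommended action.
Log format, hosts, accounts, thresholds and actions are assumptions for this
example; they are not from CMMC or any SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed syslog-like layout:
# "<ISO timestamp> <host> <program>: <message>"
SAMPLE_LOG = """\
2020-03-02T08:01:10 cui-app01 sshd: Failed password for jdoe from 10.0.5.20 port 51022
2020-03-02T08:01:12 cui-app01 sshd: Failed password for jdoe from 10.0.5.20 port 51023
2020-03-02T08:01:14 cui-app01 sshd: Failed password for jdoe from 10.0.5.20 port 51024
2020-03-02T08:01:15 cui-app01 sshd: Failed password for jdoe from 10.0.5.20 port 51025
2020-03-02T08:01:17 cui-app01 sshd: Failed password for jdoe from 10.0.5.20 port 51026
2020-03-02T08:01:20 cui-app01 sshd: Accepted password for jdoe from 10.0.5.20 port 51027
2020-03-02T08:02:05 cui-app01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/cat /srv/cui/contracts.db
2020-03-02T09:15:00 cui-app01 sudo: sysadmin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart auditd
2020-03-02T09:16:00 cui-app01 sshd: Failed password for sysadmin from 10.0.5.9 port 40001
"""

PRIVILEGED_ACCOUNTS = {"sysadmin"}          # assumed list of approved admin accounts
FAILED_LOGIN_THRESHOLD = 5                   # assumed organizational threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=1)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(log_text):
    """Parse lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_privilege_misuse(events):
    """A non-privileged account running a privileged function is a critical indicator."""
    findings = []
    for event in events:
        if event["prog"] != "sudo":
            continue
        match = SUDO_RE.match(event["msg"])
        if match and match["user"] not in PRIVILEGED_ACCOUNTS:
            findings.append({"indicator": "privileged_function_by_nonprivileged_account",
                             "ts": event["ts"], "host": event["host"],
                             "user": match["user"], "command": match["cmd"],
                             "action": "suspend account, preserve host logs, open incident"})
    return findings


def detect_failed_login_bursts(events):
    """Threshold failures for one (user, source) inside the window. A later success
    from the same source raises the severity: the guessing may have worked."""
    failures, successes = defaultdict(list), defaultdict(list)
    for event in events:
        if event["prog"] != "sshd":
            continue
        match = FAILED_RE.search(event["msg"])
        if match:
            failures[(match["user"], match["src"])].append(event["ts"])
            continue
        match = ACCEPTED_RE.search(event["msg"])
        if match:
            successes[(match["user"], match["src"])].append(event["ts"])
    findings = []
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):              # sliding window over failures
            in_window = [t for t in times[i:] if t - start <= FAILED_LOGIN_WINDOW]
            if len(in_window) < FAILED_LOGIN_THRESHOLD:
                continue
            success_after = any(t > in_window[-1] for t in successes.get(key, []))
            findings.append({"indicator": "password_guessing", "ts": start,
                             "user": key[0], "source": key[1],
                             "failures": len(in_window), "success_after": success_after,
                             "action": ("reset credentials, review session, open incident"
                                        if success_after else "block source, notify owner")})
            break                                        # one finding per (user, source)
    return findings


def analyze(log_text):
    """Run all detectors and return findings ordered by time."""
    events = parse(log_text)
    findings = detect_privilege_misuse(events) + detect_failed_login_bursts(events)
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["ts"].isoformat(), finding["indicator"], finding["action"])
```

The point of the `action` field is the “act on” half of the requirement: an assessor will want to see not just that a rule fired, but what the organization does when it does. A single failed login for the administrator account is, correctly, not a finding; the five-in-a-minute burst followed by a success and then a `sudo` read of a CUI file is.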
4. IR.4.101: Establish and maintain a security operations center capability that facilitates a 24/7 response capability.
5. RM.4.150: Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
Regarding 4 & 5 above, security operations center (SOC) capabilities and managed threat hunting can be obtained in a variety of ways. Many organizations engage third-party providers for this capability. The potential contractor should ensure there is enough lead time to obtain qualified experts to perform this function properly.
To get the most value, a comprehensive picture, and peace of mind, potential contractors should find a qualified expert that can perform all of these services since it affects multiple requirements. This would best be packaged through cyber consultation services where the experts are held on a retainer to perform security operations center capabilities (requirement 4), perform threat intelligence services (requirement 5), conduct penetration testing (requirement 6), and perform red teaming (requirement 7).
6. CA.4.164: Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
We see many organizations that try to solely rely on vulnerability scans to accomplish the same goal as penetration testing. It is important that potential contractors include threat emulation to reduce the risk of unauthorized access. Understanding and documenting the business impact and remediation steps will play a part in this requirement.
Additionally, the term “periodically” will be determined by the potential contractor. The frequency of penetration tests (as well as any other periodic control) is based on the size of the potential contractor, the sophistication of the information system infrastructure, and the target contract the potential contractor wants to obtain.
We see many companies that believe they are getting a full penetration test when, in reality, they are only getting vulnerability scans. Potential contractors should ask additional questions and understand exactly what is included in the penetration test (scope, manual testing, exploitation, and reporting) to make sure they meet this requirement fully.
7. CA.4.227: Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
Potential contractors can meet requirements 6 & 7 above through a third-party provider. The best value a potential contractor can get is obtaining a partner that can perform both of these functions.
In this blog series, we will continue with the remaining CMMC level, Level 5, and suggested steps for achieving CMMC readiness.
For more information regarding CMMC readiness, please contact Brad Fuller, at firstname.lastname@example.org.
Cybersecurity Maturity Model Certification v1.0 (CMMC v1.0)
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF v1.1)