Due to recent compromises of sensitive defense information on contractors’ information systems, the U.S. Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC). Defense contractors are responsible for the implementation of essential cybersecurity requirements; however, the CMMC requires a third-party assessment to prove compliance with mandatory procedures and practices.
There are five levels under the CMMC, ranging from “basic cyber hygiene” to “advanced/progressive.” Each level up indicates an increased degree of protection for sensitive information. CMMC level 4 represents a proactive and substantial cybersecurity program that adds 26 new practices, for a total of 156. Although level 4 adds fewer new practices than the previous levels did, these practices are more in-depth. Of the 26 new practices found in CMMC level 4, 11 originate from SP 800-172.
Companies that achieve CMMC level 4 compliance have shown the ability to adopt effective and proactive activities and measures. These measures allow the company to respond to the changing procedures and techniques used by Advanced Persistent Threats (APTs). SeaGlass Technology strives to provide defense contractors with a deeper understanding of the security threats they may now face and of how to reach and maintain compliance with CMMC level 4 requirements.
Meeting CMMC Level 4 Requirements
CMMC level 4 consists of 8 procedural practices and 18 technical practices. To comply with level 4 requirements, a company must review and measure its practices for effectiveness and take corrective action where necessary. This level places a heavy focus on the protection of sensitive information from APTs and includes several advanced security requirements from NIST SP 800-172, as well as other cybersecurity best practices. The practices established in CMMC level 4 are designed to improve a business’s detection and response capabilities so that it can adapt to new procedures and tactics used by APTs.
Level 4 certification consists of all 130 controls from level 3, in addition to the 26 controls from level 4. Businesses will discover that level 4 builds on level 3 with controls drawn from a variety of frameworks, including NIST 800-53, NIST 800-171B, CERT RMM v1.2, CIS CSC 7.1 and ISO 27002, as well as references not attributed to any existing framework.
To meet CMMC level 4 compliance, a defense contractor will need to implement all 157 controls. This can be achieved through proper preparation, which may involve assessing the current posture of the company’s cybersecurity program, updating the existing System Security Plan (SSP) in accordance with CMMC controls, and creating or updating a Plan of Action & Milestones (POA&M) that addresses the issues or deficiencies revealed during the cybersecurity program assessment. Working with an experienced IT security compliance firm can help ensure that compliance is met.
Speak To Seaglass Technology About CMMC Level 4 Compliance
Although CMMC level 4 adds just a few new practices beyond what is seen in level 3, the more in-depth practices and procedures make meeting CMMC level 4 compliance more challenging. Reach out to the IT security compliance experts at SeaGlass Technology today to learn more about CMMC level 4 compliance or to schedule a consultation with one of our experienced IT security compliance professionals.