CMMC Level 4

Processes: Reviewed
Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.

Level 4 Required Process:
ML.4.996: Review and measure [DOMAIN NAME] activities for effectiveness.
- Reference: CERT RMM v1.2 GG2.GP8
- Publicly Available Resources (Templates/Guides/Examples/etc.)

Practices: Proactive
Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B [6] as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

Achieving CMMC Level 4 requires the implementation of the practices listed below plus CMMC Level 1 Practices, CMMC Level 2 Practices, and CMMC Level 3 Practices.