Advanced persistent threats (APTs) require that organizations respond with active and credible cyberdefenses. This is the focus of Maturity Level 5 of the US Department of Defense (DoD) cybersecurity standard, the Cybersecurity Maturity Model Certification (CMMC). Maturity Level 5 focuses on the protection of Controlled Unclassified Information (CUI) and is the highest level of cybersecurity defined in the CMMC standard.¹ Maturity Level 5 requires an enterprise to standardize and optimize process implementation across the organization.
The CMMC standard is all about establishing cyberresilience in the supply chain. CMMC Maturity Levels 4 and 5 include practices to enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.
APTs are extremely dangerous to the national and economic security interests of the United States because organizations are dependent on systems of all types, including traditional IT, operational technology (OT), Internet of Things (IoT) and Industrial IoT systems.
The convergence of these systems has brought forth a new class known as cyberphysical systems. Processed, stored or transmitted CUI that is related to a critical program or High Value Asset (HVA) requires additional protection from APTs. It is for this reason that the requirements associated with CMMC Maturity Level 5 are designed to ensure a credible, proactive cyberdefense program.
Organization of the CMMC Maturity Level 5
CMMC Maturity Level 5 includes the following core components:²
- 17 domains
- 5 processes
- 171 practices
Maturity Level 5 includes 5 processes that apply to all domains. For comparison, Maturity Level 1 includes 6 domains, 0 processes and 17 practices, while Maturity Level 3 includes 17 domains, 3 processes and 130 practices. The CMMC model measures not only process maturity or institutionalization, but also implementation of practices.
Process Optimization at Maturity Level 5
The term “institutionalization” characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. In the context of the CMMC model, process institutionalization provides additional assurances that the practices associated with each level are implemented effectively. Maturity Level 5 is about optimizing processes and requires the organization to standardize and optimize a documented approach for each domain across all applicable organization units. The more deeply ingrained an activity—including under times of stress—the greater the confidence that cyberdefense will be consistent, repeatable and of high quality.
Advanced Cyberdefense Practices at Maturity Level 5
Threats from nation-state actors based in China, Iran, North Korea and Russia are sophisticated, persistent and advanced. It is for this reason that organizations required to achieve Maturity Level 5 must demonstrate implementation of CMMC practices such as:
- In response to cyberincidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data³
- Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns⁴
- Establish and maintain a cyberincident response team that can investigate an issue physically or virtually at any location within 24 hours⁵
- Perform unannounced operational exercises to demonstrate technical and procedural responses⁶
All 171 practices are required to be appropriately implemented for Maturity Level 5. Maturity Level 5 includes 41 additional practices beyond Maturity Level 3 and 15 additional practices beyond Maturity Level 4.
Summary
Every cybersecurity professional should be knowledgeable about the requirements associated with CMMC Maturity Level 5. By learning about the requirements associated with Maturity Level 5, cybersecurity professionals can apply similar capabilities within the organizations at which they work. This will ensure an elevation of cyberdefense capabilities and mitigation of associated business risk. Maturity Level 5 is what is required for DoD Defense Industrial Base (DIB) suppliers that process CUI and face APTs from global adversaries. Note that there are more than 300,000 organizations in the DIB—and all DIB organizations will be required to address CMMC requirements. Some will need to be certified at Maturity Level 1, while others may be at Maturity Level 5. APTs require organizations to develop a defense-in-depth (DiD) strategy that includes cyberresilience and survivability.
Maturity Level 5 provides insight into the areas that require additional capabilities to ensure cyberresilience. Enterprises across all industries will find significant value in integrating CMMC Maturity Level 5 processes and practices in their cyberdefense programs.
Endnotes
1 Office of the Under Secretary of Defense for Acquisition and Sustainment—Cybersecurity Maturity Model Certification; CMMC Model, USA, 2020
2 Ibid.
3 National Defense ISAC, “CMMC Practice IR.5.106: In response to cyber incidents, utilize forensic data gathering across impacted systems, ensuring the secure transfer and protection of forensic data.”
4 National Defense ISAC, “CMMC Practice IR.5.102: Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.”
5 National Defense ISAC, “CMMC Practice IR.5.108: Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.”
6 National Defense ISAC, “CMMC Practice IR.5.110: Perform unannounced operational exercises to demonstrate technical and procedural responses.”
Uday Ali Pabrai, CMMC RP, CISSP, HITRUST CCSFP, MSEE, Security+, is the chief executive of ecfirst, an Inc. 500 business. His career was launched with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. Pabrai can be reached at Pabrai@ecfirst.com.