Understanding the Level 3 to Level 5 Practices in CMMC compliance

Compliance does not equal security, and other cybersecurity standards have already shown that. The present methodology with the DFARS compliance has demonstrated that businesses may adopt and construct a POA&M action plan for all other measures. There are vulnerabilities in the cybersecurity measures taken by the DoD supply chain, and they are exposed to attacks.

Practices are not always sufficient in keeping a network safe from cyber attackers and hackers. Organizations put an effort to embed security best practices into their work culture and operations. The CMMC gauges the degree of institutionalization of practices in the model for an organization. Practices that are documented, maintained, evaluated, and optimized are carried out more consistently and throughout time. 

CMMC Maturity Level 3 – Managed

A strategy for the exercise of the practice field activities is established and maintained at level 3 of Maturity. The strategy should include strategic targets informing top management on the status of domain activity. A CMMC cybersecurity domain plan can be an independent document that is part of a comprehensive document or distributed among many papers. It is the organization’s responsibility, including the CMMC processes, to decide how to plan and sustain domain operations.

CMMC plan will usually include a mission statement and/or a vision statement, strategic objectives/goals, the appropriate standards and processes, a project plan, training for domain activities, and the participation of essential players in the domain activities plan.

Level 3 also requires an organization to determine and supply sufficient resources for domain operations. For example, the assignment of resources to people, the definition of financial needs, the establishment of budgets, specialized domain activities are instruments, proper training of stakeholders, and the involvement of relevant parties in resource-based activity.

CMMC Maturity Level 4 – Reviewed

Maturity Level 4 measures and monitors actions, including CMMC processes, against the plan. Appropriate remedial action is done if problems are detected. The organization should define domain activity requirements.

Examples of actions that can be measured against the established plan include:

  • measuring overall performance in comparison to the process plan; 
  • assessing the results of the process against the defined procedure;
  • reviewing activities, status, and results with immediate management level, and identifying the outcome of the process;
  • Identify and analyze the implications of substantial deviations from the Process Plan identify flaws in the plan;
  • take corrective measures when requirements and objectives are not fulfilled

CMMC Maturity Level 5 – Optimizing

An organization optimizes its procedures continuously at level 5 of maturity. This company should have standard procedures which specify the specific practice domain activities, including the CMMC practices and recommendations for the customization of such processes to fit the demands of a certain business unit or division. The organization sets up and maintains a process description adapted to the set of standard procedures of the organization.

The purpose of standardizing domain activities is to ensure uniformity throughout the company and to exchange information on progress. A typical practice may contain

  • Description of practice
  • Activities of practice should be carried out
  • Diagram including process flow
  • inputs and outputs expected
  • Improvement performance measures
  • Process Improvement Procedures