CMMC Level 4 Requirements

At CMMC Level 4, an organization has a substantial and proactive cybersecurity program. This level focuses on the protection of CUI from APTs and encompasses a subset of enhanced security requirements from Draft NIST SP 800-171B [6] as well as other cybersecurity practices. This should enhance the detection and response capabilities of an organization to address and adapt to changing tactics, techniques, and procedures used by APTs.

Organizations are required to review and measure practices for effectiveness. In addition, organizations at this level are required to take corrective action when necessary and inform higher-level management of status or issues on an ongoing basis.

The new CMMC is a complicated model that will require DoD contractors to review, assess, and make necessary changes to cybersecurity controls to bid on future DoD contracts. The best place to start is a CMMC readiness assessment which will review your current infrastructure and identify the changes which need to be made.


Neena Shukla, CPA, CFE, CGMA, FCPA, CTP

Partner, Government Contracting Team Leader