top of page

What Is CMMC Level 4?

CMMC Level 4 represents a substantial and proactive cybersecurity program. Organizations achieving Level 4 certification have shown the ability to adapt their protective measures and activities. Allowing them to respond to changing techniques, tactics and procedures used by Advanced Persistent Threats (APTs).

How Does A Level 4 Certification Compare With Level 3?

Level 4 requires that an organization review and measure practices for effectiveness. In addition, organizations at this level must be able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.


Level 4 focuses on the protection of Controlled Unclassified Information (CUI) from Advanced Persistent Threats (APTs) and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures (TTPs) used by APTs.

What Are The Audit Requirements Of Level 4?

Level 4 certification includes all 130 controls from Level 3, plus an additional 26 controls for a total of 156. Obviously, these numbers exceed the 110 CUI controls found in NIST 800-171. CMMC Levels 4 builds off CMMC Level 3 with controls from a range of frameworks:

  • CERT RMM v1.2

  • NIST 800-53

  • NIST 800-171B

  • ISO 27002

  • CIS CSC 7.1

  • Unattributed “CMMC” references that are not attributed to existing frameworks.

How Do I Start Preparing For A Level 4 Audit & Certification

The primary goal of Level 4 is to protect CUI and reduce the risk of advanced persistent threats (APTs).


To pass a Level 4 audit, DoD contractors will need to implement 157 controls (including all controls in Level 3). Here are steps your organization can take to prepare for a Level 4 audit:

  • Assess the current posture of your cybersecurity program

  • Map the relationship of your current cybersecurity program to NIST SP 800-171 and the appropriate CMMC controls needed for Level 4 certification

  • Update your System Security Plan (SSP) in accordance with the required CMMC controls and NIST SP 800-171

  • Create and update a Plan of Action & Milestones (POA&M) based on deficiencies or issues revealed during the program assessment

  • Engage with an experienced managed security services provider who can not only perform the items above but can also set up the specific security elements (e.g., vulnerability scanning, incident response, endpoint protection) that will address the Level 4 controls

Let's talk

Please fill out the email form, submit and we will get back to you soon.

bottom of page