Level 4

CMMC Level 4 builds on CMMC Levels 1 thru 3 by adding 26 additional practices and one additional process.

CMMC Level 4 provides measures to safeguard CUI and reduce the risk of Advanced Persistent Threats. The additional 26 practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques and procedures used by our adversaries.

The process requires that contractors measure their effectiveness against the cybersecurity plan (collect and analyze metrics) and share the information with upper-level management.

It is estimated that less than 1% of the Defense Industrial Base will be required to be compliant with CMMC Level 4 requirements.


  1. Contractors that are required to be compliant with CMMC Level 4 will need to engage an expert cybersecurity consultant to assist with compliance.

Note:  An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.