Level 5

CMMC Level 5 builds upon CMMC Levels 1 thru 4 by adding 15 practices and one additional process. Level 5 focuses on the protection of CUI and goes farther than Level 4 in reducing the risk of Advanced Persistent Threats.

The additional practices increase the depth and sophistication of a contractor’s cybersecurity capabilities.

The additional process is the optimization of your cybersecurity program. In other words, there is a standardized, documented approach to your cybersecurity program across the entire organization and each employee understands their role in the cybersecurity program and their responsibility for continuous improvement.


  1. Contractors that are required to be compliant with CMMC Level 5 will need to engage an expert cybersecurity consultant to assist with compliance.

Note:  An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state sponsored groups conducting large-scale targeted intrusions for specific goals.