Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: RE

Level Introduced: 5

Ensure information processing facilities meet organizationally defined information security continuity, redundancy, and availability requirements.

CMMC Clarification:
This practice requires an organization to do what is needed in order for their cybersecurity solutions to continue to function under stress or attack. This means that even if a solution that helps protect the environment has a failure, then other mechanisms will fill in the gap in order for the functionality to continue. Redundant components can help with this as well as proper planning and implementation. If a firewall fails, make sure another firewall can take its place, or the environment should fail closed, preventing traffic from passing until the problem can be fixed. By having redundancy in place, an organization may continue operations with confidence knowing their cybersecurity mission is functioning properly, and the components will continue to operate properly even when failures may be taking place.

Example 1
An environment has a log collection server in place for collecting end-point logs from across the enterprise. Knowing this could be a catastrophic problem if the log collection system goes down, the organization plans and creates a clone of the primary log server and has set up the environment to perform automated switchover in case the primary server goes down. This will allow the organization to continue to collect logs, perform analysis, and act on incidents that happen during the time the primary server is down.

Example 2
A proxy server that is used to protect an organization against malicious websites by utilization of website categorization is set up by the IT department. If this solution goes down, the company will need to shut off communication to the Internet or allow people to browse websites without use of the categorization for protection. Loss of this protection mechanism could lead to malicious content being downloaded to user systems. The organization plans for secondary and tertiary proxies to be put in place and sets up the solution so transfer of processing will occur in near real time if there is ever a problem with the primary. This not only allows continuity of operation for accessing Internet resources, but it also provides continuity of operations with respect to the protection provided by the proxy server’s categorization capability.
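
The failover in Example 2, combined with the fail-closed option from the clarification, sketched as an added Python example (not part of CMMC v1.02; the proxy names, probe fields and function names are hypothetical). It treats a proxy that is reachable but no longer categorizing as failed, so the protection continues along with the connectivity.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class ProxyStatus:
    """Latest probe result for one proxy (all fields are hypothetical)."""
    name: str
    reachable: bool     # proxy answers on its listener
    categorizing: bool  # a test URL of known category was classified correctly

def select_proxy(chain: Sequence[ProxyStatus]) -> Optional[ProxyStatus]:
    """First proxy in priority order that is up AND still enforcing categorization."""
    for proxy in chain:
        if proxy.reachable and proxy.categorizing:
            return proxy
    return None

def egress_decision(chain: Sequence[ProxyStatus]) -> str:
    """Route through a protecting proxy, or fail closed when none is left."""
    proxy = select_proxy(chain)
    if proxy is None:
        return "BLOCK"  # fail closed: no uncategorized browsing
    return "VIA " + proxy.name

# Constructed probe snapshots, in priority order: primary, secondary, tertiary.
ALL_UP = [ProxyStatus("primary", True, True),
          ProxyStatus("secondary", True, True),
          ProxyStatus("tertiary", True, True)]
PRIMARY_DOWN = [ProxyStatus("primary", False, False),
                ProxyStatus("secondary", True, True),
                ProxyStatus("tertiary", True, True)]
# Primary is down; secondary still relays traffic but its categorization has failed.
FILTER_LOST = [ProxyStatus("primary", False, False),
               ProxyStatus("secondary", True, False),
               ProxyStatus("tertiary", True, True)]
ALL_FAILED = [ProxyStatus("primary", False, False),
              ProxyStatus("secondary", True, False),
              ProxyStatus("tertiary", False, False)]

if __name__ == "__main__":
    for label, snap in [("all up", ALL_UP), ("primary down", PRIMARY_DOWN),
                        ("filter lost", FILTER_LOST), ("all failed", ALL_FAILED)]:
        print(f"{label:13} -> {egress_decision(snap)}")
```
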

This practice is about information system resilience, and requires that the organization take the actions necessary to ensure that the information security components continue to operate as needed to achieve business success and to ensure that the system’s part in protection of CUI is maintained. It should be noted that “as needed” and “the system’s part” may change if, as a result of stress, contingency business operations are conducted; e.g., as part of the organization’s continuity of operations (COOP) planning. Note that redundancy is typically an aspect of resilience, yet is seldom sufficient as the means for achieving needed resilience.

Source: CMMC v1.02



The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

Supplemental Guidance:
Recovery is executing information system contingency plan activities to restore organizational missions/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02