Cybersecurity Maturity Model Certification (CMMC) was designed to protect DoD intellectual property and sensitive information held by an estimated 300,000 prime and sub-contractors in the Defense Industrial Base against exposure through cybersecurity breaches. By stipulating that third-party assessors evaluate every company competing for DoD contracts against specific CMMC certification requirements, the DoD aims to improve the resilience and security of its software supply chain and strengthen its posture against cyber threats. CMMC also helps apportion compliance obligations and responsibility throughout the complex ecosystems that support a variety of DoD functions.
The CMMC framework combines a maturity process assessment with cybersecurity best practices drawn from multiple standards, including DFARS and NIST SP 800-171, which many organizations will already know. Practices are measured across five levels, ranging from “Basic Cybersecurity Hygiene” (Level 1) to “Advanced/Progressive” (Level 5), while process maturity is assessed from “Performed” at Level 1 to “Optimized” at Level 5. The DoD expects contractors to improve continuously and to meet the required standard in both practices and processes before being certified compliant at a given level.
Within the framework there are 17 domains in which contractors must demonstrate that they are implementing the required practices and processes. The Security Assessment domain of the CMMC model explicitly calls for security assessments of the corporate applications used by Federal Systems Integrators that are obligated to achieve CMMC Level 3 (L3) certification from the DoD:
Perform code reviews, which requires:
Level 3 (L3) PRACTICE: CA.3.162
Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as posing a certain level of risk.
• CIS Controls v7.1 18.1, 18.2 *
* CIS v7.1 18.1 Establish Secure Coding Practices –
Establish secure coding practices appropriate to the programming language and development environment being used; and
CIS v7.1 18.2 Ensure That Explicit Error Checking Is Performed for All In-House Developed Software –
For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
CMMC Third Party Assessors agree that manual code review, static application security testing (SAST), and/or dynamic application security testing (DAST) techniques meet the requirement. Manual code review is of course inadvisable except for the most specialized and critical source code, so realistically SAST and DAST need to be evaluated as the candidate approaches. For custom-developed corporate applications where source code exists, a multi-language SAST tool that can be applied across the whole corporate application portfolio is advised. This covers not only the source code of web applications but also APIs, microservices, integration scripts, and non-web server applications, which DAST solutions cannot address because they exercise only a running, externally reachable interface.
CMMC is an excellent opportunity for corporate CISOs to make the business case for funding ongoing software security practices and remediation for their own corporate systems. Once CMMC forces a code assessment and the vulnerabilities in an FSI’s corporate system are exposed, liability for the FSI is created unless critical issues are remediated, and then avoided in future through ongoing secure development practices. CMMC has turned out to be a very powerful driver for Systems Integrators to invest in the software security of their own applications.
If you would like more information on Checkmarx, contact us today!