Measuring up to CMMC Compliance with AppSec
This blog was originally published by Checkmarx here.
Written by Rebecca Spiegel, Checkmarx.
Any organization with aspirations to do business with the U.S. Department of Defense will rapidly familiarize itself with the recently introduced Cybersecurity Maturity Model Certification (CMMC).
What is CMMC and how does it affect organizations?
CMMC was designed to protect DoD intellectual property and sensitive information held by an estimated 300,000 prime and sub-contractors in the Defense Industrial Base, against exposure due to cybersecurity breaches. By stipulating those third-party contractors evaluate all companies competing for DoD contracts on specific CMMC certification requirements, the DoD aims to improve the resilience and security of its software supply chain and improve its posture against cyber threats. CMMC helps apportion compliance and responsibility throughout complex ecosystems that support a variety of functions.
The CMMC framework consists of maturity process assessment and cybersecurity best practices from multiple cybersecurity standards, including DFARS and NIST SP 800-171, which many organizations will already know. Methods are measured in five levels, ranging from “Basic Cybersecurity Hygiene” (Level 1) to “Advanced/Progressive” (Level 5), while assessments of process score from “Performed” at Level 1 to “Optimized” at Level 5. The DoD expects contractors to continuously improve and reach the required standard in practices and processes to be certified compliant with a level.
Within the framework, there are 17 domains in which contractors must demonstrate that they are implementing the best practices and processes.
CMMC is currently amid a lengthy implementation process, with the full roll-out planned for 2026. This imminent timeline requires organizations to prepare now.
For most organizations in today’s software-centric environment, this will entail evaluating their application security in the context of the relevant domains in the framework – including Security Assessment, Awareness and Training, and Risk Management – and putting in place a progression plan.
Here are five strategic and tactical suggestions to help organizations elevate their approach to secure software development, so it supports CMMC compliance:
1. CMMC compliance is a marathon, not a sprint
CMMC compliance is not achievable overnight. Organizations need to look at application security issues from a technical and management perspective and adopt a strategic approach to investing in resources to implement the necessary changes. Organizations will need to initiate the transition from DevOps to DevSecOps or continue to optimize if they’ve already embedded application security within their DevOps program.
2. Get board-level buy-in to security culture change
The implementation of this program is the DoD is signaling its desire for a culture change that makes software vendors security-first. Prospective DoD suppliers will need to embrace the opportunity to make cybersecurity a strategic, fully integrated business objective, requiring board-level champions to foster a top-down security culture. Leadership must communicate and demonstrate that software security is more than a risk and compliance issue; it is a quality issue fundamental to your authorization to operate (ATO).
3. Assess your current AppSec maturity and threat exposure using Open SAMM & OWASP Top Ten
Before you can build a program of activities to support CMMC compliance, you need to benchmark your current position. For example, NIST SP 800-171 Rev. 2 compliance is comparable to CMMC Level 3. However, earning high certification levels won’t be as simple as mapping one compliance program to CMMS.
The Open Software Assurance Maturity Model (SAMM) is an excellent place to start in terms of self-assessing your software security assurance. This model splits an AppSec program into five vertical sectors and in each detail the specific practices you need to adopt to be operating at levels 1, 2, 3, or 3+. There are helpful online assessment tools available to help you determine where you sit on the AppSec spectrum and guide how to progress. By mapping these to the relevant domains of the CMMC framework, organizations can create an AppSec-specific plan related to CMMC.
In conjunction with assessing program maturity, the OWASP Top Ten is the best place to identify application security threats. Organizations need to evaluate risks, accounting for the potential impact of a breach, in the context of their specific industry and business. This assessment informs a prioritized risk mitigation plan, remediating vulnerabilities that matter most, rather than overwhelming the AppSec and developer teams by trying to remediate it all.
4. Leverage partner power to meet CMMC requirements
Organizations should find that their service providers and strategic partners are proactive about supporting CMMC compliance, and they can leverage this as a shortcut. For example, AWS is close to earning its certification, which, in turn, provides AWS customers with those exact compliance requirements.
To reach the higher maturity levels, organizations also need to implement secure coding standards, train developers regularly, share commonly found vulnerabilities across the organization, and provide evidence that this is complete.
5. Break down the security silo
When planning for CMMC compliance, it is essential to step outside of the security function and engage with developers to find out how they are using the security tools. If compliance teams make assumptions about how developers use tools and write policies accordingly, their attestations may not match reality, which will cause problems during third-party certification.
Is your organization set up for success in winning deals with the Public Sector?
About the Author
Rebecca brings nearly 10 years of experience to her role as Product Marketing Manager at Checkmarx. She spearheads strategy for North America Channel and Global Strategic Alliances, and between marketing and product, she lives and breathes acronyms from GTM and KPI, to IaC and SCA. Her approach to writing is no different from her approach to the rest of her role: always informed by the audience’s objectives, highly researched, and backed by validation.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.