CMMC Compliance for Defense Software

CMMC Compliance for Defense Software

An Expanded Guide to Building Secure Cloud Solutions with NIST 800-171


For defense contractors and subcontractors developing custom software or APIs that handle Controlled Unclassified Information (CUI), achieving CMMC compliance for software is essential. Integrating your software into the CUI system’s NIST 800-171 compliance framework is key. This Expanded Guide to Building Secure Cloud Solutions with NIST 800-171 delves into deeper compliance aspects, focusing on API security enhancements, proactive maintenance, vulnerability management, container security, and managing open-source and third-party libraries for defense software.

Cloud Deployment and Security Considerations for CMMC Compliant Software

(requirements: 3.13.2, 3.1.x, 3.11.x, 3.7.x)

While deploying software on cloud platforms such as AWS or Azure provides a baseline of security features, it’s important to understand that this does not automatically ensure NIST 800-171 compliance. Think of it in layers: AWS and Azure provide a secure foundation, but NIST 800-171 outlines the specific practices you must implement within your software to protect CUI fully.

Developers must actively manage the security of their software within the cloud environment through:

  • Secure coding practices (e.g., input validation to prevent injection attacks) to prevent vulnerabilities at the source code level.
  • Vulnerability management: Detect and remediate potential issues before deployment, and ongoing vulnerability management for defense software.
  • Secure deployment strategies (e.g., using hardened virtual machine images) to safeguard the software in its operational environment.
  • Regular maintenance and patching to address emerging threats and vulnerabilities.
  • Secure access management ensuring only authorized individuals can access CUI, is crucial for CMMC compliance.

Crucially, security responsibilities extend beyond what cloud service providers (CSPs) offer. Developers must explicitly implement NIST 800-171 security requirements within their software.

Proactive Security Collaboration: Engaging Software Development Teams for CMMC Compliance

(Requirements: 3.13.2, 3.1.x, 3.11.x)

Achieving robust defense software security typically falls outside the usual responsibilities of compliance teams and IT staff, who often focus on infrastructure. To bridge this gap and ensure CMMC compliance, it’s essential that compliance and IT teams partner with software development teams in security discussions from the outset. This includes:

  • Reviewing the flow of CUI within the software and its data handling processes.
  • Analyzing software design specifications, architecture diagrams, and threat models to identify potential security weaknesses.
  • Understanding the software’s product management lifecycle, including how vulnerabilities and patches are managed over time for CMMC readiness.

Security-Focused Software Design: Specifications for NIST 800-171 Compliance in Cloud Solutions

(Requirements: 3.13.2, 3.1.x, 3.4.x, 3.5.x, 3.13.x)

To ensure comprehensive security and facilitate NIST 800-171 compliance, developers must thoroughly understand and document various aspects of the software, such as:

  • Functionalities: Detailed analysis of software capabilities, categorized by URLs and required access levels.
  • Access Privileges: Definition of access controls based on user roles, from internal staff to privileged users, aligned with CMMC requirements.
  • Data Encryption: Implementing robust encryption standards for data in transit and at rest to protect sensitive information.
  • Authentication and Authorization: Establishment of secure authentication mechanisms, including API key management and authorization processes for different user types, prioritizing defense software security.
  • Default Configurations and Roles: Specify secure default settings and clear roles and responsibilities for users and support staff.

Even with a secure cloud provider, the ultimate responsibility for many aspects of the software’s security rests with the defense contractor.

Robust API Security for CMMC Compliance

(Requirements: 3.13.2, 3.1.x, 3.4.x, 3.5.x)

APIs that process or transmit CUI within defense software require stringent security measures to achieve CMMC compliance. This includes:

  • Comprehensive API management: proper inventory, authorization, authentication, and revocation of API keys, minimizing risks for defense software.
  • Implementation of advanced security practices: encryption for data in transit, rate limiting, and thorough security audits to prevent common vulnerabilities like broken access control, safeguarding CUI.

Proactive Vulnerability Management for Defense Software

(Requirements: 3.13.2, 3.11.x, 3.14.x)

Adopting a proactive approach to maintenance and vulnerability management is crucial for defense software to achieve CMMC compliance. This involves:

  • Integration of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) within the development and deployment pipelines to identify and address vulnerabilities early.
  • Regular updates and patch management to mitigate risks associated with known software vulnerabilities and dependencies, critical for safeguarding CUI.

Managing Open-Source and Third-Party Libraries for CMMC Compliance: Focus on SBOM

(Requirements: 3.13.2, 3.4.x, 3.11.x, 3.14.x)

The use of open-source or third-party libraries can accelerate development but introduces potential security risks that must be managed for CMMC compliance in defense software. This includes:

  • Meticulous open-source license management to ensure compliance with license requirements, especially those affecting source code disclosure.
  • Software Component Analysis (SCA) to maintain an up-to-date Software Bill of Materials (SBOM), enabling quick identification and remediation of vulnerabilities in used components.

Executive Order 14028 highlights the importance of a detailed Software Bill of Materials (SBOM) to ensure the security of your software supply chain.

Securing Containerized Defense Software: Best Practices for CMMC Compliance

(Requirements: 3.13.2, 3.1.x, 3.4.x, 3.11.x, 3.14.x)

For defense software deployed in containers, ensuring the security of the container environment is paramount for CMMC compliance. This requires:

  • Regular vulnerability scanning of container images to detect and address security issues, protecting CUI.
  • Implementation of security best practices in container orchestration and runtime environments to prevent unauthorized access and ensure the integrity of the software.


In today’s rapidly evolving cybersecurity landscape, achieving CMMC compliance for software is paramount for safeguarding Controlled Unclassified Information (CUI). Rigorous assessment against NIST 800-171 standards lays the foundation for secure defense software development. A well-documented Plan of Action and Milestones (POA&M) with timely remediation strategies is critical for success. Defense contractors must remain vigilant of evolving NIST 800-171 requirements and upcoming CMMC changes to maintain a robust security posture.

Executive Order 14028 (May 2021) underscores the government’s heightened focus on software security. Vulnerabilities in software pose significant risks for data breaches. Expect increased emphasis on software security measures, including Software Bills of Materials (SBOMs) and rigorous supply chain protection. Proactive compliance with anticipated regulations is essential for defense software developers.

CMMC/NIST 800-171 Requirements Applied to Software Development

Source: CMMC 2.0 Level 2 Assessment Guide

CMMC / NIST 800-171 Requirement#CMMC Requirement
AC.L1-3.1.1 – AUTHORIZED ACCESS CONTROLLimit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.L1-3.1.2 – TRANSACTION & FUNCTION CONTROLLimit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.L1-3.1.20 – EXTERNAL CONNECTIONSVerify and control/limit connections to and use of external information systems.
AC.L2-3.1.10 – SESSION LOCKUse session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC.L2-3.1.11 – SESSION TERMINATIONTerminate (automatically) a user session after a defined condition.
AC.L2-3.1.3 – CONTROL CUI FLOWControl the flow of CUI in accordance with approved authorizations.
AC.L2-3.1.4 – SEPARATION OF DUTIESSeparate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.L2-3.1.7 – PRIVILEGED FUNCTIONSPrevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTSLimit unsuccessful logon attempts.
AC.L2-3.1.9 – PRIVACY & SECURITY NOTICESProvide privacy and security notices consistent with applicable CUI rules.
AT.L2-3.2.2 – ROLE-BASED TRAININGEnsure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
AU.L2-3.3.4 – AUDIT FAILURE ALERTINGAlert in the event of an audit logging process failure.
AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCEProvide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCEProtect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU.L2-3.3.8 – AUDIT PROTECTIONProtect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU.L2-3.3.9 – AUDIT MANAGEMENTLimit management of audit logging functionality to a subset of privileged users.
CM.L2-3.4.1 – SYSTEM BASELININGEstablish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENTEstablish and enforce security configuration settings for information technology products employed in organizational systems.
CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENTTrack, review, approve or disapprove, and log changes to organizational systems.
CM.L2-3.4.4 – SECURITY IMPACT ANALYSISAnalyze the security impact of changes prior to implementation.
CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGEDefine, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
CM.L2-3.4.6 – LEAST FUNCTIONALITYEmploy the principle of least functionality by configuring organizational systems to provide only essential capabilities.
CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITYRestrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
CM.L2-3.4.8 – APPLICATION EXECUTION POLICYApply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
IA.L1-3.5.1 – IDENTIFICATIONIdentify information system users, processes acting on behalf of users, or devices.
IA.L1-3.5.2 – AUTHENTICATIONAuthenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
IA.L2-3.5.11 – OBSCURE FEEDBACKObscure feedback of authentication information.
IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATIONEmploy replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
IA.L2-3.5.5 – IDENTIFIER REUSEPrevent reuse of identifiers for a defined period.
IA.L2-3.5.6 – IDENTIFIER HANDLINGDisable identifiers after a defined period of inactivity.
IA.L2-3.5.7 – PASSWORD COMPLEXITYEnforce a minimum password complexity and change of characters when new passwords are created.
IA.L2-3.5.8 – PASSWORD REUSEProhibit password reuse for a specified number of generations.
IA.L2-3.5.9 – TEMPORARY PASSWORDSAllow temporary password use for system logons with an immediate change to a permanent password.
IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDSStore and transmit only cryptographically-protected passwords.
IR.L2-3.6.1 – INCIDENT HANDLINGEstablish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.L2-3.6.3 – INCIDENT RESPONSE TESTINGTest the organizational incident response capability.
MA.L2-3.7.1 – PERFORM MAINTENANCEPerform maintenance on organizational systems.
MA.L2-3.7.2 – System Maintenance ControlProvide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
PE.L1-3.10.1 – LIMIT PHYSICAL ACCESSLimit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
RA.L2-3.11.1 – RISK ASSESSMENTSPeriodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
RA.L2-3.11.2 – VULNERABILITY SCANScan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
RA.L2-3.11.3 – VULNERABILITY REMEDIATIONRemediate vulnerabilities in accordance with risk assessments.
CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENTPeriodically assess the security controls in organizational systems to determine if the controls are effective in their application.
CA.L2-3.12.2 – PLAN OF ACTIONDevelop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
CA.L2-3.12.3 – SECURITY CONTROL MONITORINGMonitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
CA.L2-3.12.4 – SYSTEM SECURITY PLANDevelop, document, and periodically update system security plans (SSP) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
SC.L1-3.13.1 – BOUNDARY PROTECTIONMonitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATIONImplement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SC.L2-3.13.11 – CUI ENCRYPTIONEmploy FIPS-validated cryptography when used to protect the confidentiality of CUI.
SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROLProhibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
SC.L2-3.13.16 – DATA AT RESTProtect the confidentiality of CUI at rest.
SC.L2-3.13.2 – SECURITY ENGINEERINGEmploy architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
SC.L2-3.13.3 – ROLE SEPARATIONSeparate user functionality from system management functionality.
SC.L2-3.13.4 – SHARED RESOURCE CONTROLPrevent unauthorized and unintended information transfer via shared system resources.
SC.L2-3.13.8 – DATA IN TRANSITImplement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
SC.L2-3.13.9 – CONNECTIONS TERMINATIONTerminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
SC.L2-3.13.13 – MOBILE CODEControl and monitor the use of mobile code.
SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITYProtect the authenticity of communications sessions.
SI.L1-3.14.1 – FLAW REMEDIATIONIdentify, report, and correct information and information system flaws in a timely manner.
SI.L1-3.14.2 – MALICIOUS CODE PROTECTIONProvide protection from malicious code at appropriate locations within organizational information systems.
SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTIONUpdate malicious code protection mechanisms when new releases are available.
SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKSMonitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

View our CMMC for Software Development Page

Check out our Cyber AB listing

Scroll to Top