CMMC Compliance for Defense Software

An Expanded Guide to Building Secure Software with NIST 800-171

Introduction

For defense contractors and subcontractors developing custom software or APIs that handle Controlled Unclassified Information (CUI), achieving CMMC compliance for software is essential. Integrating your software into the CUI system’s NIST 800-171 compliance framework is key. This Expanded Guide to Building Secure Cloud Solutions with NIST 800-171 delves into deeper compliance aspects, focusing on API security enhancements, proactive maintenance, vulnerability management, container security, and managing open-source and third-party libraries for defense software.

Cloud Deployment and Security Considerations for CMMC Compliant Software

(requirements: 3.13.2, 3.1.x, 3.11.x, 3.7.x)

While deploying software on cloud platforms such as AWS or Azure provides a baseline of security features, it’s important to understand that this does not automatically ensure NIST 800-171 compliance. Think of it in layers: AWS and Azure provide a secure foundation, but NIST 800-171 outlines the specific practices you must implement within your software to protect CUI fully.

Developers must actively manage the security of their software within the cloud environment through:

• Secure coding practices (e.g., input validation to prevent injection attacks) to prevent vulnerabilities at the source code level.
• Vulnerability management: Detect and remediate potential issues before deployment, and ongoing vulnerability management for defense software.
• Secure deployment strategies (e.g., using hardened virtual machine images) to safeguard the software in its operational environment.
• Regular maintenance and patching to address emerging threats and vulnerabilities.
• Secure access management ensuring only authorized individuals can access CUI, is crucial for CMMC compliance.

Crucially, security responsibilities extend beyond what cloud service providers (CSPs) offer. Developers must explicitly implement NIST 800-171 security requirements within their software.

Proactive Security Collaboration: Engaging Software Development Teams for CMMC Compliance

(Requirements: 3.13.2, 3.1.x, 3.11.x)

Achieving robust defense software security typically falls outside the usual responsibilities of compliance teams and IT staff, who often focus on infrastructure. To bridge this gap and ensure CMMC compliance, it’s essential that compliance and IT teams partner with software development teams in security discussions from the outset. This includes:

• Reviewing the flow of CUI within the software and its data handling processes.
• Analyzing software design specifications, architecture diagrams, and threat models to identify potential security weaknesses.
• Understanding the software’s product management lifecycle, including how vulnerabilities and patches are managed over time for CMMC readiness.

Security-Focused Software Design: Specifications for NIST 800-171 Compliance in Cloud Solutions

(Requirements: 3.13.2, 3.1.x, 3.4.x, 3.5.x, 3.13.x)

To ensure comprehensive security and facilitate NIST 800-171 compliance, developers must thoroughly understand and document various aspects of the software, such as:

• Functionalities: Detailed analysis of software capabilities, categorized by URLs and required access levels.
• Access Privileges: Definition of access controls based on user roles, from internal staff to privileged users, aligned with CMMC requirements.
• Data Encryption: Implementing robust encryption standards for data in transit and at rest to protect sensitive information.
• Authentication and Authorization: Establishment of secure authentication mechanisms, including API key management and authorization processes for different user types, prioritizing defense software security.
• Default Configurations and Roles: Specify secure default settings and clear roles and responsibilities for users and support staff.

Even with a secure cloud provider, the ultimate responsibility for many aspects of the software’s security rests with the defense contractor.

Robust API Security for CMMC Compliance

(Requirements: 3.13.2, 3.1.x, 3.4.x, 3.5.x)

APIs that process or transmit CUI within defense software require stringent security measures to achieve CMMC compliance. This includes:

• Comprehensive API management: proper inventory, authorization, authentication, and revocation of API keys, minimizing risks for defense software.
• Implementation of advanced security practices: encryption for data in transit, rate limiting, and thorough security audits to prevent common vulnerabilities like broken access control, safeguarding CUI.

Proactive Vulnerability Management for Defense Software

(Requirements: 3.13.2, 3.11.x, 3.14.x)

Adopting a proactive approach to maintenance and vulnerability management is crucial for defense software to achieve CMMC compliance. This involves:

• Integration of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) within the development and deployment pipelines to identify and address vulnerabilities early.
• Regular updates and patch management to mitigate risks associated with known software vulnerabilities and dependencies, critical for safeguarding CUI.

Managing Open-Source and Third-Party Libraries for CMMC Compliance: Focus on SBOM

(Requirements: 3.13.2, 3.4.x, 3.11.x, 3.14.x)

The use of open-source or third-party libraries can accelerate development but introduces potential security risks that must be managed for CMMC compliance in defense software. This includes:

• Meticulous open-source license management to ensure compliance with license requirements, especially those affecting source code disclosure.
• Software Component Analysis (SCA) to maintain an up-to-date Software Bill of Materials (SBOM), enabling quick identification and remediation of vulnerabilities in used components.

Executive Order 14028 highlights the importance of a detailed Software Bill of Materials (SBOM) to ensure the security of your software supply chain.

Securing Containerized Defense Software: Best Practices for CMMC Compliance

(Requirements: 3.13.2, 3.1.x, 3.4.x, 3.11.x, 3.14.x)

For defense software deployed in containers, ensuring the security of the container environment is paramount for CMMC compliance. This requires:

• Regular vulnerability scanning of container images to detect and address security issues, protecting CUI.
• Implementation of security best practices in container orchestration and runtime environments to prevent unauthorized access and ensure the integrity of the software.

Conclusion

In today’s rapidly evolving cybersecurity landscape, achieving CMMC compliance for software is paramount for safeguarding Controlled Unclassified Information (CUI). Rigorous assessment against NIST 800-171 standards lays the foundation for secure defense software development. A well-documented Plan of Action and Milestones (POA&M) with timely remediation strategies is critical for success. Defense contractors must remain vigilant of evolving NIST 800-171 requirements and upcoming CMMC changes to maintain a robust security posture.

Executive Order 14028 (May 2021) underscores the government’s heightened focus on software security. Vulnerabilities in software pose significant risks for data breaches. Expect increased emphasis on software security measures, including Software Bills of Materials (SBOMs) and rigorous supply chain protection. Proactive compliance with anticipated regulations is essential for defense software developers.

CMMC/NIST 800-171 Requirements Applied to Software Development

Source: CMMC 2.0 Level 2 Assessment Guide

CMMC / NIST 800-171 Requirement#	CMMC Requirement
AC.L1-3.1.1 – AUTHORIZED ACCESS CONTROL	Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.L1-3.1.2 – TRANSACTION & FUNCTION CONTROL	Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.L1-3.1.20 – EXTERNAL CONNECTIONS	Verify and control/limit connections to and use of external information systems.
AC.L2-3.1.10 – SESSION LOCK	Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
AC.L2-3.1.11 – SESSION TERMINATION	Terminate (automatically) a user session after a defined condition.
AC.L2-3.1.3 – CONTROL CUI FLOW	Control the flow of CUI in accordance with approved authorizations.
AC.L2-3.1.4 – SEPARATION OF DUTIES	Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.L2-3.1.7 – PRIVILEGED FUNCTIONS	Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
AC.L2-3.1.8 – UNSUCCESSFUL LOGON ATTEMPTS	Limit unsuccessful logon attempts.
AC.L2-3.1.9 – PRIVACY & SECURITY NOTICES	Provide privacy and security notices consistent with applicable CUI rules.
AT.L2-3.2.2 – ROLE-BASED TRAINING	Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
AU.L2-3.3.4 – AUDIT FAILURE ALERTING	Alert in the event of an audit logging process failure.
AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE	Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
AU.L2-3.3.7 – AUTHORITATIVE TIME SOURCE	Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU.L2-3.3.8 – AUDIT PROTECTION	Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU.L2-3.3.9 – AUDIT MANAGEMENT	Limit management of audit logging functionality to a subset of privileged users.
CM.L2-3.4.1 – SYSTEM BASELINING	Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
CM.L2-3.4.2 – SECURITY CONFIGURATION ENFORCEMENT	Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.L2-3.4.3 – SYSTEM CHANGE MANAGEMENT	Track, review, approve or disapprove, and log changes to organizational systems.
CM.L2-3.4.4 – SECURITY IMPACT ANALYSIS	Analyze the security impact of changes prior to implementation.
CM.L2-3.4.5 – ACCESS RESTRICTIONS FOR CHANGE	Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
CM.L2-3.4.6 – LEAST FUNCTIONALITY	Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
CM.L2-3.4.7 – NONESSENTIAL FUNCTIONALITY	Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
CM.L2-3.4.8 – APPLICATION EXECUTION POLICY	Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
IA.L1-3.5.1 – IDENTIFICATION	Identify information system users, processes acting on behalf of users, or devices.
IA.L1-3.5.2 – AUTHENTICATION	Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
IA.L2-3.5.11 – OBSCURE FEEDBACK	Obscure feedback of authentication information.
IA.L2-3.5.4 – REPLAY-RESISTANT AUTHENTICATION	Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
IA.L2-3.5.5 – IDENTIFIER REUSE	Prevent reuse of identifiers for a defined period.
IA.L2-3.5.6 – IDENTIFIER HANDLING	Disable identifiers after a defined period of inactivity.
IA.L2-3.5.7 – PASSWORD COMPLEXITY	Enforce a minimum password complexity and change of characters when new passwords are created.
IA.L2-3.5.8 – PASSWORD REUSE	Prohibit password reuse for a specified number of generations.
IA.L2-3.5.9 – TEMPORARY PASSWORDS	Allow temporary password use for system logons with an immediate change to a permanent password.
IA.L2-3.5.10 – CRYPTOGRAPHICALLY-PROTECTED PASSWORDS	Store and transmit only cryptographically-protected passwords.
IR.L2-3.6.1 – INCIDENT HANDLING	Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
IR.L2-3.6.3 – INCIDENT RESPONSE TESTING	Test the organizational incident response capability.
MA.L2-3.7.1 – PERFORM MAINTENANCE	Perform maintenance on organizational systems.
MA.L2-3.7.2 – System Maintenance Control	Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
PE.L1-3.10.1 – LIMIT PHYSICAL ACCESS	Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
RA.L2-3.11.1 – RISK ASSESSMENTS	Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
RA.L2-3.11.2 – VULNERABILITY SCAN	Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
RA.L2-3.11.3 – VULNERABILITY REMEDIATION	Remediate vulnerabilities in accordance with risk assessments.
CA.L2-3.12.1 – SECURITY CONTROL ASSESSMENT	Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
CA.L2-3.12.2 – PLAN OF ACTION	Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
CA.L2-3.12.3 – SECURITY CONTROL MONITORING	Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
CA.L2-3.12.4 – SYSTEM SECURITY PLAN	Develop, document, and periodically update system security plans (SSP) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
SC.L1-3.13.1 – BOUNDARY PROTECTION	Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION	Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SC.L2-3.13.11 – CUI ENCRYPTION	Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL	Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
SC.L2-3.13.16 – DATA AT REST	Protect the confidentiality of CUI at rest.
SC.L2-3.13.2 – SECURITY ENGINEERING	Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
SC.L2-3.13.3 – ROLE SEPARATION	Separate user functionality from system management functionality.
SC.L2-3.13.4 – SHARED RESOURCE CONTROL	Prevent unauthorized and unintended information transfer via shared system resources.
SC.L2-3.13.8 – DATA IN TRANSIT	Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
SC.L2-3.13.9 – CONNECTIONS TERMINATION	Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
SC.L2-3.13.13 – MOBILE CODE	Control and monitor the use of mobile code.
SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY	Protect the authenticity of communications sessions.
SI.L1-3.14.1 – FLAW REMEDIATION	Identify, report, and correct information and information system flaws in a timely manner.
SI.L1-3.14.2 – MALICIOUS CODE PROTECTION	Provide protection from malicious code at appropriate locations within organizational information systems.
SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION	Update malicious code protection mechanisms when new releases are available.
SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS	Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

View our CMMC for Software Development Page