CMMC Software Security Requirements Video

This 3-minute video features Kyle Lai discussing the Software Security Requirements of CMMC Level 3 and higher.

Software/application vulnerability assessment requirements for CMMC Level 3

Do you develop APIs or applications that are within your CMMC or CUI scope? If so, you must perform a software or application vulnerability assessment to meet the requirements for CMMC Level 3 or above. CMMC model version 1.02 practice CA.3.162 states that you must perform software security assessments such as static application security testing (SAST) code review, or DAST (dynamic application security testing). Many companies use Agile or DevOps methodologies to deploy the API or application quickly. Although it is not easy to integrate security into the software development lifecycle (SDLC) or DevOps pipeline, you should ensure your software is developed securely to prevent attacks or data breaches. Therefore, you should not just perform software security for compliance purposes, and you should train your developers to adhere to your software testing requirements.

If you are a small firm with limited internal software development, I would suggest you test with DAST first. It will give you fewer false positives, and it is a bit faster for testing and remediation. If you are a medium/large firm, you might want to do both SAST and DAST to make sure you establish a more comprehensive software security program. You can evaluate interactive application security testing (IAST) tools if you have an existing software quality assurance (QA) program. Additionally, don’t forget to address open source component security as well.

Why is this important?

According to the Synopsys report, about 99% of modern code has open source components. There are hundreds of open source vulnerabilities being identified and disclosed every day, so you need to make sure that they are kept up to date with the latest version and patch your software accordingly. If you are using containers to deploy your software or applications, make sure you continuously patch your containers with the latest base image and components. Software cannot be secure unless the hosting container is secure.

My name is Kyle Lai, president and Chief Information Security Officer at KLC Consulting. If you have any questions about software security, DevOps, or software security testing requirements for CMMC, please contact us at or visit our website at Thank you.

CMMC Level 3 and higher - Software Security Requirements

For more information about CMMC, please visit our blog post.
