Within the CMMC framework there are 17 domains in which contractors must demonstrate that they are implementing the required practices and processes. The Security Assessment domain of the CMMC model explicitly calls for security assessments of the corporate applications used by Federal Systems Integrators (FSIs) that the DoD obligates to achieve CMMC Level 3 (L3) certification:
Perform code reviews, which requires:
Level 3 (L3) PRACTICE: CA.3.162
Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as posing a certain level of risk.
• CIS Controls v7.1 18.1, 18.2 *
* CIS v7.1 18.1, Establish Secure Coding Practices: Establish secure coding practices appropriate to the programming language and development environment being used; and
CIS v7.1 18.2, Ensure That Explicit Error Checking Is Performed for All In-House Developed Software: For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
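The "explicit error checking" that CIS 18.2 asks for is easiest to see in code. The validator below is an added example and is not code from this page or from any vendor or tool it mentions; the field schema, the per-field size ceiling, the sample records and the error messages are all constructed for illustration. It applies the four checks the control names (size, data type, acceptable range, acceptable format) to every field, rejects fields the schema does not declare, and returns the full list of failures so that the result can be logged and documented rather than silently dropped.

```python
"""Explicit input validation in the spirit of CIS Control v7.1 18.2.

Added example, not part of the original page. The schema, size ceiling,
sample records and error strings are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Pattern, Tuple

MAX_FIELD_BYTES = 256  # hypothetical default per-field size ceiling


@dataclass(frozen=True)
class FieldRule:
    """One declared input field and the checks it must pass."""
    name: str
    expected_type: type
    required: bool = True
    min_value: Optional[int] = None
    max_value: Optional[int] = None
    pattern: Optional[Pattern] = None
    max_len: int = MAX_FIELD_BYTES


# Constructed schema for a hypothetical account-update request.
SCHEMA: Tuple[FieldRule, ...] = (
    FieldRule("username", str, pattern=re.compile(r"[a-z][a-z0-9_]{2,31}"), max_len=32),
    FieldRule("age", int, min_value=0, max_value=150),
    FieldRule("email", str, pattern=re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}")),
    FieldRule("role", str, pattern=re.compile(r"viewer|editor|admin"), max_len=16),
)


def validate(record: Dict[str, Any], schema: Tuple[FieldRule, ...] = SCHEMA) -> List[str]:
    """Return every validation failure as a string; an empty list means the record passed."""
    errors: List[str] = []
    allowed = {rule.name for rule in schema}

    # Unknown fields are an error, not something to pass through quietly.
    for extra in sorted(set(record) - allowed):
        errors.append(f"{extra}: unexpected field")

    for rule in schema:
        if rule.name not in record:
            if rule.required:
                errors.append(f"{rule.name}: missing")
            continue
        value = record[rule.name]

        # 1. Data type: exact type match, so a bool is not accepted where an int is expected.
        if type(value) is not rule.expected_type:
            errors.append(
                f"{rule.name}: expected {rule.expected_type.__name__}, got {type(value).__name__}"
            )
            continue

        # 2. Size: bound the encoded length before any pattern is run against it.
        if isinstance(value, str) and len(value.encode("utf-8")) > rule.max_len:
            errors.append(f"{rule.name}: exceeds {rule.max_len} bytes")
            continue

        # 3. Range: numeric fields must sit inside the declared bounds.
        if rule.min_value is not None and value < rule.min_value:
            errors.append(f"{rule.name}: below minimum {rule.min_value}")
        if rule.max_value is not None and value > rule.max_value:
            errors.append(f"{rule.name}: above maximum {rule.max_value}")

        # 4. Format: string fields must match the whole pattern, not just a prefix.
        if rule.pattern is not None and not rule.pattern.fullmatch(value):
            errors.append(f"{rule.name}: invalid format")

    return errors


# Constructed sample records.
GOOD_RECORD = {"username": "alice_01", "age": 34, "email": "alice@example.test", "role": "editor"}
BAD_RECORD = {
    "username": "Root!",            # fails format
    "age": "42",                    # wrong type (string, not int)
    "email": "a" * 300 + "@x",      # exceeds size ceiling
    "role": "superuser",            # not in the allowed set
    "debug": True,                  # undeclared field
}


def run_samples() -> Dict[str, List[str]]:
    """Validate both samples and return their error lists, keyed by name."""
    return {"good": validate(GOOD_RECORD), "bad": validate(BAD_RECORD)}


if __name__ == "__main__":
    for name, errs in run_samples().items():
        print(name, "->", errs or "OK")
```

Two design choices matter for review evidence: the size check runs before the regex, so an oversized value never reaches the pattern engine, and every failure is collected rather than raising on the first one, which gives the documented record of checks that the control asks for.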
CMMC Third Party Assessors agree that manual code review, static application security testing (SAST) and/or dynamic application security testing (DAST) meet the requirement. Manual code review is of course inadvisable except for the most specialized and critical source code, so realistically SAST and DAST need to be evaluated as the candidate approaches. For custom-developed corporate applications where source code exists, a multi-language SAST tool that can be applied across the whole corporate application portfolio is advised. This would include scanning source code not only for web applications, but also for APIs, microservices, integration scripts, and non-web server applications, which DAST solutions cannot address because they exercise only a running, reachable interface.
CMMC is an excellent opportunity for corporate CISOs to make the business case to fund ongoing software security practices and remediation for their own corporate systems. Once CMMC forces a code assessment and the vulnerabilities in an FSI's corporate system are exposed, liability for the FSI is created unless critical issues are remediated and then avoided in future through ongoing secure development practices. CMMC has turned out to be a very powerful driver for Systems Integrators to invest in the software security of their own applications.