Level 5 CMMC - CMMC Practices

CA.3.162  

Reference: CMMC 1.02

Family: CA

Level Introduced: 3

Practice:
Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.

CMMC Clarification:
The purpose of the security assessment is to assure the organization that the code has undergone sufficient testing to identify and mitigate errors or vulnerabilities. The review can be performed using static and/or dynamic application security testing tools. Static analysis examines the source code before the program is run. Developers vet the code against a set of rules. By performing static analysis early in the development process the developer can identify specific errors and correct in a timely manner. Dynamic testing executes the code to identify potential execution, memory, and data issues in real-time. Manual code reviews use development teams to review the code against a set of secure development guidelines.

Example
You are in charge of IT operations for your organization. You have a group of developers who create internal software applications. Because you develop the software in house, you make sure the code is reviewed so that code mistakes do not result in vulnerabilities. You have another software engineer, who is not part of the development team, perform a manual code review to ensure the software meets standards set by the organization. You do this for each software update or iteration. You prohibit the software from being run on the organization’s network until the code review is complete.

Creating secure software implementations is difficult and requires extra steps to assess the code for security related vulnerabilities. Security assessment is a process of reviewing software source code in order to identify defects or vulnerabilities within an application.
Security assessment may be done using manual or automated techniques.

Source: CMMC v1.02

Source: CMMC v1.02