While generally overlooked, NIST SP 800-171 and CMMC do contain “secure coding” requirements. Specifically, 3.13.2 [SC.L2-3.13.2] requires organizations that store, process and/or transmit Controlled Unclassified Information (CUI) to “Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.” From an application development perspective, this can be thought of as Secure Software Development Practices (SSDP).
In practical terms, for NIST SP 800-171 and CMMC, this means the software developers and architects responsible for your organization’s SSDP need to be prepared to have appropriate evidence of due diligence and due care to demonstrate it. Demonstrating SSDP starts with the competency of the developer and/or architect:
Software developers (practitioners) are expected to use Secure Development Lifecycle (SDL) processes for new systems, system upgrades, or systems that are being repurposed. These processes can be employed at any stage of the system lifecycle and can take advantage of any system or software development methodology, including agile, spiral, or waterfall.
Software architects are expected to employ cyber resiliency constructs (e.g., goals, objectives, techniques, approaches and design principles), as well as the analytic and lifecycle processes, to tailor them to the technical, operational, and threat environments for which the architect’s systems need to be engineered.
The Secure Code Alliance (SCA) was formed to address the need that organizations have to ensure its developers are aware of and implement SSDP in order to minimize the threat posed by malicious actors against the organization’s applications, services, and processes. The SCA supports the strategic cyber resiliency design principles that are established by NIST SP 800-160, Vol 2, Rev 1:
Focus on common critical assets;
Support agility and architect for adaptability;
Reduce attack surfaces;
Assume compromised resources; and
Expect adversaries to evolve.
Application developers (developers) are vital to the success of any organization, regardless of the industry. Developers create the tools that we all use, from operating systems to mobile apps, backend programming, firmware, front-end interface design, and other forms of applications. Based on the new realities of the interconnected world that we live in, developers need to implement SSDP in order to protect their code from malicious attacks. By following SSDP, developers serve a crucial role in helping ensure security and safety, not just within an organization, but across the supply chain and society, as a whole.