What does the CMMC mean for your program?

The National Convergence Technology Center’s (CTC) recently hosted a special webinar for faculty members of the Convergence College Network (CCN) community. Kyle Jones from Sinclair Community College and Rajiv Malkan from Lone Star College jointly delivered the presentation entitled “CMMC and Secure Software Development.” You can watch a recording of their talk here.

The presentation focused on the need to add secure software development concepts to curriculum in light of the Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC). The CMMC will require governmental contractors to meet certain cybersecurity audit requirements by 2025, including secure software development processes.

Below are select highlights from the webinar:

• Legacy software has a number of existing vulnerabilities that need patching, but new software needs to be analyzed both statically and dynamically to ensure compliance with CMMC.
• The ongoing industry-wide merging of development, security, and operations departments – termed “DevSecOps” – is a critical response to the need to keep software and applications secure. Just as the industry is blurring the boundaries of these discipline, so, too, do the educational programs. The silos have to come down.
• The new CMMC process will impact over 300,000 federal contractors. These employers will need technicians familiar with creating secure software code.
• Kyle welcomed an employer to talk to his students and found the employer wouldn’t talk about anything other than the urgent need to meet the new CMMC standard. The deadline for compliance is 2025.
• Key to secure coding is the Agile process where development happens in shorter cycles. The teams include security technicians with the developers so that the code – which is growing more and more complex and lengthy – is made secure from the beginning.
• It’s this complexity that’s making it harder and harder to know which portions are secure and which portions are open.
• Rajiv cited some surveys of the IT industry. 40% of employers are having trouble finding employees with adequate security testing know-how. 70% of technicians reported that they didn’t take a single security class in college.
• Read Carnegie Mellon’s Top Ten Secure Coding Practices Top 10 Secure Coding Practices – CERT Secure Coding – Confluence (cmu.edu) and OWASP’s “Top Ten Web Application Security Risks OWASP Top Ten Web Application Security Risks | OWASP.
• Microsoft recently stated that if the application layer is not secure, the organization is at risk.
• Many current textbooks make no mention of Agile or secure coding concepts.

Learn more about the CMMC here.