CISQ developed the Automated Source Code Data Protection Measure (ASCDPM) from a collection of relevant software weaknesses in the Common Weakness Enumeration (CWE) repository. DevSecOps teams can use the ASCDPM in application security testing to reveal source vectors for data leakage or data corruption, as well as indicators of non-compliance with the relevant data protection and privacy guidelines. If an organization runs software that contains one or more of these CWEs as part of a network-connected asset, the organization is at risk of not conforming with data protection requirements. That’s why the ASCDPM complements the Cybersecurity Maturity Model Certification (CMMC), which is based primarily on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems.
Before the CMMC, contractors had no framework to follow when implementing, monitoring, and certifying the security of their information technology (IT) systems and of any sensitive information stored on or transmitted by those systems. Contractors must still implement critical cybersecurity requirements, but the CMMC third-party compliance framework includes mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats.
Although many DOD contracts require CMMC, it’s available to any company or agency that needs data protection. It helps alleviate data protection concerns in many security-conscious sectors, including healthcare, financial services, automotive, energy, and telecommunications, as well as in cross-sector enabling technologies like data centers and the Internet of Things (IoT).