CMMC Practice SC.3.180

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.


CMMC Version 1.02, pg. 251

Bold Coast Security Guidance

For Level 3 compliance an organization must have a plan to address the requirement for adoption of secure architecture implementation, software development, and system configuration, to meet it's policy requirements. Regularly review this documentation, and referring to it during change management discussions to achieve or Maturity Level 4.

Discussion From Source

DRAFT NIST SP 800-171 R2 Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.