With the release of the DoD's Cybersecurity Maturity Model Certification (CMMC) v0.6 draft on November 7, 2019, it has become apparent that a strong DevSecOps implementation will aid in achieving a CMMC Maturity Level rating. V0.6 contains the practices required for Maturity Levels one through three (Maturity Levels four and five will be published in a later draft). Many of the documented practices map directly to DevSecOps practices. Example practices include: two-factor authentication, password complexity, user activity logging, and baseline control.
While many practices within the CMMC do not map directly to DevSecOps, a strong DevSecOps implementation will help prepare you for what is to come, and implementing it will bring your organization closer to achieving a CMMC Maturity Level rating. The CMMC Maturity Levels also contain many additional practices that will need to be implemented if your organization does not already have them in place. So, while your DevSecOps implementation will help, other practices may still need to be implemented to achieve the desired or required Maturity Level for your organization. Examples of these practices include: how visitors are monitored, the use of cryptographic keys, email sandboxing, and testing of the organizational incident response capability.
Since the CMMC is not finalized, we caution against implementing any of the documented practices for certification's sake alone. As you can see from the previous drafts of the CMMC, and as we have learned from the transition from draft to final of other process improvement models, things will change. This is not to say you should not implement the practices: the practices documented, even in the draft, are industry best practices that have been proven over time and will help improve your organization's cybersecurity stance. But if you are doing something for certification purposes only, you might want to hold off. We do not recommend implementing anything for certification purposes only; you should make sure it makes business sense for your organization before implementation.