Navigating CMMC 2.0 with DevSecOps: A Comprehensive Guide for the Intelligence Community, DoD, and Federal Government
Navigating CMMC 2.0 with DevSecOps: Building secure, resilient, and compliant systems at mission speed.

Before we plunge into the labyrinth of cybersecurity frameworks and software development methodologies, let's acknowledge a simple truth: combining compliance requirements with modern development practices is a bit like trying to dance the tango while filing tax returns: technically possible, but requiring exceptional coordination and a touch of creative problem-solving.
Understanding the CMMC 2.0 Framework: A Foundation for Security
CMMC 2.0, released in 2021, represents a significant evolution in how the Department of Defense approaches cybersecurity requirements for its contractors. The framework streamlines the previous five-level model into three distinct levels:
- Level 1 (Foundational): Encompasses the basic safeguarding requirements for Federal Contract Information (FCI) specified in FAR Clause 52.204-21.
- Level 2 (Advanced): Encompasses the security requirements for Controlled Unclassified Information (CUI) specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012.
- Level 3 (Expert): Will contain a subset of the security requirements specified in NIST SP 800-172, though detailed information will be released at a later date.
The CMMC framework organizes practices into domains that map directly to the NIST SP 800-171 Rev 2 families. These domains cover essential cybersecurity areas from Access Control to System and Information Integrity.
CMMC Timeline: The Clock is Ticking (But Not Like MacGyver's Bomb Timer)
For contractors wondering when to get their cybersecurity house in order (preferably before the roof caves in), the CMMC implementation timeline provides critical guideposts:
- December 16, 2024: The CMMC Program Final Rule (32 CFR Part 170) becomes effective.
- Q1 2025 (Expected): Phased implementation begins with the DoD starting to include CMMC Level 1 or Level 2 self-assessment requirements in select new contracts.
- Q1 2026 (Expected): Phase 2 begins with DoD including CMMC Level 2 Certification Assessment requirements in select new contracts.
- Q1 2028 (Expected): Full implementation begins with CMMC requirements included in all applicable new DoD contracts involving FCI or CUI.
If these dates seem like distant concerns, remember: preparing for CMMC certification isn't a weekend project. Most organizations need 12-24 months for Level 2 certification and potentially 18-36+ months for Level 3. Think of CMMC preparation like planting a tree: the best time was yesterday, the second-best time is now.
DevSecOps: More Than Just Another Government Acronym
While CMMC establishes what security controls must be in place, DevSecOps provides a methodology for how to implement and maintain them effectively. DevSecOps is a software engineering culture and practice that aims at unifying software development (Dev), security (Sec), and operations (Ops).
The DoD defines DevSecOps as integrating security tools and practices into the development pipeline, emphasizing automation of processes, and fostering a culture of shared responsibility for performance, security, and operational integrity throughout the entire software lifecycle. In other words, it's about making security everyone's problem (a democratization of anxiety, if you will).
The DevSecOps Lifecycle: A Continuous Journey (Not a Destination)
The DevSecOps lifecycle consists of ten phases that proceed in a cyclical manner, with each cycle resulting in a software product release. This approach replaces the "big bang" style delivery of the waterfall process with small, frequent deliveries that make it easier to adapt as necessary.
The concepts build upon modern technology trends of the past two decades:
- The shift from waterfall to Agile
- The transition from tightly coupled monolithic systems to loosely coupled modular services
- Integration of security across the lifecycle of technology
- Incorporation of testing throughout the software lifecycle
- Evolution from traditional data centers to cloud
Key components of implementing DevSecOps include:
- Software supply chain: Provides the full context for software delivery
- Software factories: Encompasses the entire set of software capabilities
- DevSecOps platforms: Standardized and secure foundation for development
- CI/CD pipelines: Tools, workflows, scripts, and environments that produce deployable artifacts
- Infrastructure as Code (IaC): Code baselines that automatically establish infrastructure
DoD Software Factories: Where the Magic Happens (And Where Deadlines Go to Die)
A DoD Software Factory is a structured and repeatable approach to software development that enables organizations to streamline their processes. It embodies the principles and tools of DevSecOps with modifications that conform to the extremely high threat profile of the DoD and Defense Industrial Base (DIB).
Platform One: The Gold Standard
Platform One, run by the US Air Force, is the canonical example of a DoD software factory. It offers a comprehensive portfolio of software development tools and services, including Repo One for source code hosting, Big Bang for end-to-end DevSecOps CI/CD platform, and Iron Bank for centralized container storage.
These services demonstrate that DevSecOps principles can be integrated into mission-critical systems while preserving the highest levels of security, proving that you can indeed have your cake and keep it in a SCIF too.
The Kessel Run Success Story: Making the Jump to Hyperspace
Success stories like Kessel Run demonstrate the transformative power of software factories. Before Kessel Run was established in 2017, the Air Force was "perpetually stuck" in the development process, with mission operators abandoning mission software for whiteboards and Microsoft Office products.
"The functionality of the legacy software was so bad that we had mission operators abandoning the mission software and using whiteboards, Microsoft Office products, chat boards, hand paper calculations for doing things like figuring out where we're going to drop bombs," explained Jeremiah Sanders, who oversaw the planning, execution, and assessment of air campaigns at the Air Force Air Operations Center.
Within three months of partnering with Pivotal Labs, the team delivered its first software product to airmen, achieving continuous capability delivery for the first time. Now, Kessel Run delivers capability 4,000 times a year, making code deployment into production "almost trivial". That's the software development equivalent of the Kessel Run in less than twelve parsecs.
Implementing DevSecOps to Meet CMMC Requirements
DevSecOps practices can directly support CMMC compliance by integrating security throughout the software development lifecycle. Let's examine how this works across different phases:
Pre-development Phase: Looking Before You Leap
Before a single line of code is written, DevSecOps principles demand thorough risk assessment, including identifying potential vulnerabilities and assessing risks associated with various components and flows. This aligns with CMMC Level 2 requirements for Risk Assessment (RA.L2-3.11.1).
Activities include:
- Performing thorough risk assessments
- Identifying potential vulnerabilities
- Prioritizing risks that are exploitable in your business context
- Channeling mitigation efforts where they are needed most
Development and Build Phase: Writing Code That Won't Keep You Up at Night
During development, DevSecOps calls for enforcing secure coding standards, integrating Static Application Security Testing (SAST) into the IDE, and incorporating Software Composition Analysis (SCA) to scan open-source components for vulnerabilities.
Key practices include:
- Enforcing secure coding standards
- Offering personalized training to developers
- Integrating SAST into the IDE
- Performing static code analysis to find vulnerabilities early
- Scanning open-source components for malicious content
- Incorporating automated security tests into CI/CD pipelines
- Scanning and updating dependencies as necessary
These practices help satisfy CMMC Level 2 requirements such as Vulnerability Scanning (RA.L2-3.11.2) and Vulnerability Remediation (RA.L2-3.11.3).
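The Software Composition Analysis step above is the one most easily shown in code. The following is an added example, not code from the original article or from any DoD software factory: it parses a pinned requirements manifest, compares each dependency with a vulnerability feed, and fails the build when a blocked severity is present, which is the evidence trail RA.L2-3.11.2 and RA.L2-3.11.3 ask for. The manifest, package versions and advisory identifiers are constructed for the example and are not real advisories; a real pipeline would replace `VULN_FEED` with its scanner's data.

```python
"""Software Composition Analysis (SCA) gate for a CI/CD pipeline.

Added illustration: parses a requirements.txt-style manifest, matches each
pinned dependency against a vulnerability feed, and returns findings so the
build can fail before vulnerable components ship. The package names, versions
and advisory identifiers below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed manifest, in the form `pip freeze` / requirements.txt produces.
MANIFEST = """\
# application dependencies (constructed sample)
requests==2.19.0
pyyaml==5.1
cryptography==41.0.5
"""

# Constructed vulnerability feed:
# package -> list of (first_fixed_version, advisory_id, severity).
# A dependency is affected when its version is below first_fixed_version.
VULN_FEED = {
    "requests": [("2.20.0", "EXAMPLE-ADV-0001", "MODERATE")],
    "pyyaml": [("5.4", "EXAMPLE-ADV-0002", "CRITICAL")],
}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    fixed_in: str
    advisory: str
    severity: str


def parse_version(v: str) -> tuple:
    """Turn '5.1' into (5, 1) so comparison is numeric, not lexical
    ('5.10' must sort above '5.4')."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package: version} for every pinned line, ignoring comments.
    Unpinned lines are rejected: an unpinned build is not reproducible."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if not m:
            raise ValueError(f"unpinned or malformed dependency: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def scan(manifest: str, feed: dict) -> list:
    """Return a Finding for every dependency whose version predates the fix."""
    findings = []
    for pkg, version in parse_manifest(manifest).items():
        for fixed_in, advisory, severity in feed.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append(Finding(pkg, version, fixed_in, advisory, severity))
    return findings


def build_passes(findings: list, block_on=("CRITICAL", "HIGH")) -> bool:
    """Pipeline gate: fail the build on any finding at or above the threshold."""
    return not any(f.severity in block_on for f in findings)


if __name__ == "__main__":
    results = scan(MANIFEST, VULN_FEED)
    for f in results:
        print(f"{f.severity:9} {f.package}=={f.version} -> fixed in {f.fixed_in} ({f.advisory})")
    print("build passes" if build_passes(results) else "build BLOCKED")
```

Run as written, the sample manifest yields two findings and the build is blocked by the CRITICAL one; the MODERATE finding alone would let the build pass while still being recorded for the POA&M. Rejecting unpinned dependencies is deliberate: a version range cannot be matched against a feed, and it lets the component set change between scan and deploy.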
Testing Phase: Finding Problems Before They Find You
Dynamic Application Security Testing (DAST) can identify vulnerabilities in running applications by simulating attacks such as cross-site scripting, SQL injection, or authentication issues. This supports CMMC Level 2 requirements for Security Control Assessment (CA.L2-3.12.1).
Testing should include:
- Dynamic Application Security Testing (DAST)
- Simulation of attacks such as cross-site scripting and SQL injection
- Tools that uncover AI-related risks
- Cloud support for IaC testing
- Container security verification
Deployment Phase: Shipping Without Sinking
Prior to deployment, DevSecOps ensures the entire application and infrastructure is scanned for vulnerabilities and performs environment hardening by disabling unnecessary services or ports. This helps meet CMMC Level 2 requirements for System Security Plans (CA.L2-3.12.4) and Security Control Monitoring (CA.L2-3.12.3).
Key deployment practices include:
- Scanning the whole application and infrastructure for vulnerabilities
- Performing environment hardening
- Implementing runtime protections
- Continuous monitoring and logging
- Establishing incident response plans
- Creating feedback loops between Development, Operations, and Security teams
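"Disabling unnecessary services or ports" is only verifiable if the deployment pipeline actually checks what is listening against an approved baseline. The following added example (not code from the original article) does that check: it parses a socket table in the format the Linux `ss -tlnp` command prints, and reports every listener that is not on the baseline, or that is approved for loopback only but bound to all interfaces. The socket table and the baseline are constructed for the example.

```python
"""Pre-deployment hardening check: every listening socket must be on the
approved baseline, and services approved for local use only must be bound
to loopback. Added illustration; the socket table below is constructed to
resemble `ss -tlnp` output and the baseline is a hypothetical one."""
import re
from dataclasses import dataclass

SOCKET_TABLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:5432        0.0.0.0:*          users:(("postgres",pid=1020,fd=5))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1301,fd=6))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=1444,fd=4))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical hardening baseline: port -> expected process and whether it
# may be reachable from other hosts.
BASELINE = {
    22: {"process": "sshd", "public": True},
    80: {"process": "nginx", "public": True},
    5432: {"process": "postgres", "public": False},
}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_sockets(text: str) -> list:
    """Extract (address, port, process) from each LISTEN row."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def is_loopback(address: str) -> bool:
    return address.startswith("127.") or address == "[::1]"


def check_hardening(listeners: list, baseline: dict) -> list:
    """Return one finding string per deviation from the baseline."""
    findings = []
    for lst in listeners:
        expected = baseline.get(lst.port)
        if expected is None or expected["process"] != lst.process:
            findings.append(
                f"port {lst.port} ({lst.process}) on {lst.address}: "
                "not in approved baseline, disable it")
        elif not expected["public"] and not is_loopback(lst.address):
            findings.append(
                f"port {lst.port} ({lst.process}) on {lst.address}: "
                "approved for loopback only, rebind or firewall it")
    return findings


if __name__ == "__main__":
    for f in check_hardening(parse_sockets(SOCKET_TABLE), BASELINE):
        print("FAIL", f)
```

On the sample table the check produces two findings: the telnet listener is not on the baseline at all, and the database is approved but exposed on every interface instead of loopback. Run from the pipeline against the real `ss -tlnp` output of the target image, a non-empty result is the signal to stop the deployment and feed the deviation back to the owning team.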
The Plan of Action and Milestones (POA&M): Your Road to Redemption (or at Least Certification)
For organizations working toward CMMC Level 2 certification, a well-crafted Plan of Action and Milestones (POA&M) is essential. A POA&M is a structured document that identifies and tracks the resolution of cybersecurity weaknesses within an information system.
POA&M: More Than Just a Fancy To-Do List
A strategic POA&M serves multiple functions:
- A comprehensive inventory of security weaknesses that require remediation
- A detailed roadmap outlining specific corrective actions and timeframes
- A management tool for tracking remediation progress and resource allocation
- A risk management framework that prioritizes vulnerabilities based on potential impact
Organizations must establish formal POA&M processes for Level 2 and 3 certification to track and manage security deficiencies. The POA&M should demonstrate risk-based prioritization, showing that remediation timelines are based on comprehensive risk analysis rather than convenience.
Key POA&M Best Practices for CMMC Success
- Risk-based prioritization demonstrates security maturity: Your POA&M should clearly show that remediation timelines are based on comprehensive risk analysis rather than convenience, with higher-risk vulnerabilities receiving appropriately aggressive timelines.
- Interim risk mitigation measures are necessary: For vulnerabilities with extended remediation timelines, implementing and documenting temporary controls shows assessors your commitment to risk management even when immediate fixes aren't feasible.
- Clear ownership and accountability drive completion: Assigning specific individuals rather than departments as responsible for POA&M items, with appropriate authority and resources, significantly increases the likelihood of successful remediation.
- Evidence of remediation is as important as the fix itself: Comprehensive documentation of implementation, testing, and verification for completed POA&M items builds assessor confidence and demonstrates the effectiveness of your security program.
Achieving Continuous Authorization (cATO): The Holy Grail of Federal DevSecOps
For defense agencies to deliver new features rapidly, they need an authorization process that keeps pace with continuous change: a continuous Authorization to Operate (cATO). Many defense agencies have identified obtaining an "authorization to operate" as the longest step in developing and deploying software.
The Three Pillars of cATO
To achieve cATO, authorizing officials must demonstrate three competencies:
- Continuous monitoring of risk management framework controls
- Active cyber defense
- Use of an approved DevSecOps reference design for a software factory with a secure software supply chain
Additionally, systems seeking a cATO must have already achieved authorization and have entered the Risk Management Framework monitor stage.
Continuous Monitoring: The Heartbeat of cATO
Continuous monitoring practices include:
- Establishing event triggers based on findings, risk tolerances, changes in threats, and mitigation effectiveness
- Providing availability of findings, plans of action, security posture, and residual risk through DevSecOps dashboards
- Monitoring for changes in the threat landscape and secure configurations
- Monitoring control compliance and continued effectiveness against changing threats
- Establishing metrics for identification, collection, and trend analysis
Continuous Risk Management: The Brain of cATO
Continuous risk management practices include:
- Establishing or assigning a group for managing risks
- Creating a method for aggregating findings into a risk posture on cybersecurity, cyber resiliency, and cyber survivability
- Identifying vulnerabilities and performing impact analysis for risk prioritization
- Establishing dashboard visualization of risk information for continuous review
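The monitoring and risk-management practices listed in the two sections above come together in whatever feeds the DevSecOps dashboard. The following added example (not code from the original article or from any DoD reference design) aggregates open findings into a weighted risk posture and evaluates the event triggers: an open-count tolerance, an age tolerance per severity, and a trend trigger against the previous snapshot. The findings, weights and tolerances are constructed; the tolerances stand in for whatever the authorizing official has agreed to.

```python
"""Continuous-monitoring evaluator for a cATO dashboard: aggregates the
current findings into a risk posture, compares it with the authorizing
official's risk tolerances, and fires event triggers when a tolerance is
crossed or the trend worsens. Added illustration with constructed findings
and hypothetical tolerances."""
from collections import Counter
from datetime import date

# Hypothetical risk tolerances agreed with the authorizing official.
TOLERANCE = {
    "max_open": {"CRITICAL": 0, "HIGH": 5},
    "max_age_days": {"CRITICAL": 7, "HIGH": 30},
    "weekly_increase_pct": 25,
}
# Weight per severity used to collapse the findings into one posture score.
WEIGHT = {"CRITICAL": 10, "HIGH": 5, "MODERATE": 2, "LOW": 1}

# Constructed findings as the scanners would report them into the dashboard.
FINDINGS = [
    {"id": "F-1", "severity": "CRITICAL", "status": "open", "found": date(2025, 5, 1), "source": "SCA"},
    {"id": "F-2", "severity": "HIGH", "status": "open", "found": date(2025, 5, 20), "source": "DAST"},
    {"id": "F-3", "severity": "HIGH", "status": "closed", "found": date(2025, 4, 1), "source": "config"},
    {"id": "F-4", "severity": "MODERATE", "status": "open", "found": date(2025, 5, 25), "source": "SAST"},
]
HISTORY = [8]            # previous snapshot's posture score (constructed)
AS_OF = date(2025, 6, 1)


def risk_posture(findings: list) -> dict:
    """Count open findings by severity and compute the weighted score."""
    counts = Counter(f["severity"] for f in findings if f["status"] == "open")
    score = sum(WEIGHT[s] * n for s, n in counts.items())
    return {"counts": dict(counts), "score": score}


def triggers(findings: list, history: list, as_of: date, tol: dict = TOLERANCE) -> list:
    """Return the event triggers that should reach the risk management group."""
    fired = []
    posture = risk_posture(findings)
    # Trigger 1: too many open findings at a severity.
    for sev, limit in tol["max_open"].items():
        n = posture["counts"].get(sev, 0)
        if n > limit:
            fired.append(f"{sev}: {n} open exceeds tolerance of {limit}")
    # Trigger 2: a finding has stayed open longer than its severity allows.
    for f in findings:
        if f["status"] != "open":
            continue
        limit = tol["max_age_days"].get(f["severity"])
        age = (as_of - f["found"]).days
        if limit is not None and age > limit:
            fired.append(f"{f['id']}: {f['severity']} open {age} days, limit {limit}")
    # Trigger 3: trend analysis against the previous snapshot.
    if history:
        prev = history[-1]
        if prev > 0 and (posture["score"] - prev) / prev * 100 > tol["weekly_increase_pct"]:
            fired.append(f"risk score rose from {prev} to {posture['score']}, "
                         f"more than {tol['weekly_increase_pct']}% since last snapshot")
    return fired


if __name__ == "__main__":
    print(risk_posture(FINDINGS))
    for t in triggers(FINDINGS, HISTORY, AS_OF):
        print("TRIGGER", t)
```

With the sample data the posture score is 17 and three triggers fire: one open CRITICAL against a tolerance of zero, that same finding open for 31 days against a 7-day limit, and a score that more than doubled since the previous snapshot. Keeping the tolerances in one structure is deliberate: it is the artifact the authorizing official signs off on, and changing it is itself an event worth logging.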
The CMMC Assessment Process: What to Expect (Besides Anxiety)
For organizations pursuing CMMC Level 2 certification, understanding the assessment process is crucial. The assessment is conducted by a Certified Third-Party Assessment Organization (C3PAO) and involves a review of the organization's implementation of all 110 required practices.
Phase 2 – Conduct the Assessment: The Moment of Truth
Phase 2 of the assessment process involves examining evidence, interviewing personnel, and conducting testing to ensure practices have been implemented. Each practice will be scored as MET, NOT MET, or Not Applicable (NA), and the organization will need a finding of "MET" or "Not Applicable" for each of the 110 practices to achieve certification.
During the assessment, limited practice deficiencies may be noted for 52 of the 110 CMMC level 2 practices, allowing for corrections to be made to achieve a "MET" score. Remediation must be verified by a date no later than 5 calendar days prior to the submission of the final findings report. (So, no last-minute cramming sessions, unlike your college days.)
Assessment Readiness: Be Prepared or Be Prepared to Fail
Key items to have ready for assessment include:
- System Security Plan (SSP): Must be up-to-date and reflect implemented security controls
- Plan of Action & Milestones (POA&M): If applicable, must document corrective actions for outstanding gaps
- CUI Data Flow Diagram: Clearly outlines where CUI is received, stored, processed, and transmitted
- Network Diagrams: Must show CUI segmentation and access control mechanisms
- Policies & Procedures: These should align with NIST 800-171 requirements and be properly documented
The C3PAO assessment team will spend several days reviewing documentation, conducting interviews, and verifying technical implementations. All evidence should follow the C3PAO's submission guidelines, ensuring files are named correctly and placed in the appropriate assessment folders before submission.
Best Practices for Securing Your Software Supply Chain
A secure software supply chain is crucial for both CMMC compliance and effective DevSecOps implementation. The DoD and Intelligence Community are increasingly focusing on this area, with initiatives like the Intelligence Community's emphasis on gaining trust in vendors' design, build, and delivery processes.
Key Practices for a Fort Knox-Level Software Supply Chain
- Continuous vulnerability scanning across all stages of the CI/CD pipeline: Use a cloud-native vulnerability scanner that can be directly integrated into your CI/CD pipeline and called automatically during each phase of the SDLC.
- Automated policy checks to enforce requirements and achieve ATO: Use a cloud-native policy engine in tandem with your vulnerability scanner to automate the reporting and blocking of software that is a security threat and a compliance risk.
- Remediation feedback: Provide automated remediation feedback to developers to maintain a high velocity of software development.
- Compliance (Trust but Verify): Use a reporting system that can be directly integrated with your CI/CD pipeline to create and collect compliance artifacts that prove compliance with DoD frameworks.
- Air-gapped system capabilities: Utilize a cloud-native software supply chain security platform that can be deployed into an air-gapped environment to maintain the most strict security for classified missions.
The IC's Vision for Software Supply Chain Security
The IC has set target milestones for software supply chain security:
- FY25: Self-certify compliance with the IC's published DevSecOps best practices and software assurance practices
- FY26: Develop IC-endorsed guidance and approval process for enterprise DevSecOps platforms
- FY30: Use an approved enterprise DevSecOps platform in accordance with IC-endorsed guidance
Navigating the CMMC 2.0 Domains and Controls: A Map Through the Wilderness
CMMC 2.0 Level 2 compliance requires implementing 110 controls grouped under 15 domains:
| Domain | Number of controls |
|---|---|
| 1. Access Control (AC) | 22 controls |
| 2. Audit and Accountability (AU) | 9 controls |
| 3. Awareness and Training (AT) | 3 controls |
| 4. Configuration Management (CM) | 9 controls |
| 5. Identification and Authentication (IA) | 11 controls |
| 6. Incident Response (IR) | 3 controls |
| 7. Maintenance (MA) | 6 controls |
| 8. Media Protection (MP) | 9 controls |
| 9. Personnel Security (PS) | 2 controls |
| 10. Physical Protection (PE) | 6 controls |
| 11. Recovery (RE) | 2 controls |
| 12. Risk Management (RM) | 3 controls |
| 13. Security Assessment (CA) | 4 controls |
| 14. System and Communications Protection (SC) | 16 controls |
| 15. System and Information Integrity (SI) | 7 controls |
Access Control: The Bouncer at the Club Door
Access Control, the largest domain with 22 controls, focuses on monitoring access events and limiting access to systems and data through practices like:
- Implementing the least-privilege principle
- Protecting wireless access with encryption and authentication
- Separating duties to prevent irregular activities
- Monitoring and controlling remote access
- Controlling and restricting mobile device use
- Controlling CUI flow and encrypting it on mobile devices
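Least privilege and separation of duties are the two Access Control practices above that an automated review can test directly. The following added example (not from the original article) builds effective permissions from a role model, reports separation-of-duties conflicts where one person holds both halves of a two-person task, and reports least-privilege drift as permissions that were granted but never exercised in the access log. The roles, users, rules and log entries are constructed.

```python
"""Access-control review for the AC domain: finds separation-of-duties
conflicts (one person holding both halves of a two-person task) and
least-privilege drift (permissions granted but unused). Added illustration
with a constructed role model and a constructed access log."""
from collections import defaultdict

# Constructed role model.
ROLES = {
    "developer": {"repo:push", "pipeline:run"},
    "release-approver": {"release:approve"},
    "cui-admin": {"cui:read", "cui:export", "cui:admin"},
}
USERS = {
    "alice": {"developer", "release-approver"},
    "bob": {"developer"},
    "carol": {"cui-admin"},
}
# Permission pairs the same individual must never hold (two-person integrity).
SOD_RULES = [("repo:push", "release:approve"), ("cui:export", "cui:admin")]

# Constructed access log for the review period: (user, permission exercised).
ACCESS_LOG = [
    ("alice", "repo:push"), ("alice", "pipeline:run"),
    ("bob", "repo:push"), ("bob", "pipeline:run"),
    ("carol", "cui:read"),
]


def effective_permissions(user: str) -> set:
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USERS.get(user, ()):
        perms |= ROLES[role]
    return perms


def sod_violations() -> list:
    """(user, perm_a, perm_b) for every rule a single user satisfies alone."""
    out = []
    for user in USERS:
        perms = effective_permissions(user)
        for a, b in SOD_RULES:
            if a in perms and b in perms:
                out.append((user, a, b))
    return out


def unused_permissions(log: list) -> dict:
    """Granted permissions never exercised in the log: candidates for removal."""
    used = defaultdict(set)
    for user, perm in log:
        used[user].add(perm)
    drift = {}
    for user in USERS:
        unused = effective_permissions(user) - used[user]
        if unused:
            drift[user] = unused
    return drift


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for user, perms in unused_permissions(ACCESS_LOG).items():
        print(f"least-privilege drift: {user} never used {sorted(perms)}")
```

The sample model flags alice (she can both push code and approve its release) and carol (export and administration of CUI in one person), and reports that alice's approval right and two of carol's CUI rights were never used in the review period. The second list is the input to a periodic access recertification; the first is something the role model should make impossible to assign in the first place.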
Audit and Accountability: The Digital Paper Trail
With 9 controls, this domain ensures that activities within your systems are recorded and can be traced back to specific users. Key practices include:
- Defining audit requirements
- Performing auditing
- Identifying and protecting audit information
- Reviewing and managing audit logs
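"Identifying and protecting audit information" means, in practice, that an audit record cannot be altered or removed after the fact without the change being visible. The following added example (not from the original article) shows the usual mechanism: each record carries the SHA-256 of the previous record, so editing or deleting an entry breaks every link after it. The events are constructed.

```python
"""Tamper-evident audit trail for the AU domain: each record carries the
SHA-256 of the previous record, so editing or deleting an entry breaks the
chain on verification. Added illustration; the events are constructed."""
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(chain: list, event: dict) -> list:
    """Append an event with its sequence number and chain hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), **event}
    chain.append({"record": record, "hash": _digest(prev, record)})
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (ok, index of the first bad entry, or -1 when intact)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["record"].get("seq") != i or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Constructed events: a login, a CUI read, and a denied export."""
    chain = []
    for ev in [
        {"ts": "2025-06-01T08:00:00Z", "user": "alice", "action": "login", "result": "success"},
        {"ts": "2025-06-01T08:05:12Z", "user": "alice", "action": "read", "object": "cui/plan.docx"},
        {"ts": "2025-06-01T08:07:40Z", "user": "alice", "action": "export",
         "object": "cui/plan.docx", "result": "denied"},
    ]:
        append_event(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["record"]["action"] = "delete"      # simulate an after-the-fact edit
    print("after edit:", verify_chain(chain))
```

An edit to the second record, or its removal, is reported at index 1. One limitation is worth knowing before relying on this: cutting records off the end of the chain leaves a shorter chain that still verifies, so the latest hash must periodically be recorded somewhere the logging host cannot modify (a separate log collector, or a signed daily checkpoint) for truncation to be detectable too.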
Risk Assessment: Knowing Where the Dragons Are
Risk Assessment practices at CMMC Level 2 include:
- Periodically assessing risk to organizational operations, assets, and individuals resulting from system operations and CUI processing
- Scanning for vulnerabilities in systems and applications
- Remediating vulnerabilities in accordance with risk assessments
The Human Element: Building a DevSecOps Culture (While Avoiding Mutiny)
While tools and technologies are crucial, the success of DevSecOps in meeting CMMC requirements depends heavily on organizational culture. As Lt. Col. Max Reele of Kessel Run noted, digital transformation starts with processes and then moves to skills and technology.
"The real importance around process reengineering is because your stakeholders must be involved, policy must be rewritten to allow you to run continuous processes in what used to be a waterfall stochastic model," Reele explained. "So if you can automate the processes and do the process reengineering as necessary to then upskill your people and then you can overlay the tech on processes that have already been optimized."
From Waterfall to Agile: A Cultural Revolution
The shift from waterfall to DevSecOps represents more than just a change in development methodology; it's a fundamental shift in how organizations think about security, development, and operations. The DoD Enterprise DevSecOps Fundamentals acknowledges that software is never done and replaces the "big bang" delivery style with small, frequent deliveries.
Breaking Down Silos: United We Stand, Divided We Fall (or at Least Miss Deadlines)
One of the core principles of DevSecOps is breaking down organizational silos. This means integrating software development, test, deployment, security, and operations into a single culture within the organization.
This isn't just about having joint meetings; it's about creating shared responsibility and accountability for security outcomes. When developers understand security requirements from the beginning and security teams understand development constraints, the result is more secure software delivered more quickly.
Looking Forward: The Evolution of CMMC and DevSecOps in Federal Space
As we look toward the full implementation of CMMC requirements by 2028, several trends are emerging:
1. Greater Integration Between Compliance and Development
The days of treating compliance as a separate, after-the-fact activity are numbered. CMMC 2.0 aims to create a more collaborative and less punitive approach, focusing on the implementation of sound cybersecurity practices rather than solely on compliance.
2. Automation as the Great Enabler
Automation of security tests in the CI/CD pipeline can reduce manual effort and add efficiencies to the way development, security, and operations teams work. As tools become more sophisticated, we can expect greater automation of compliance verification, threat detection, and even remediation.
3. Continuous Everything
The concept of "continuous" is extending beyond just integration and deployment. We're seeing continuous authorization, continuous monitoring, continuous assessment, and continuous improvement become the norm rather than the exception.
4. Multi-Fabric Security for Complex Environments
The Intelligence Community is a multi-fabric enterprise, operating missions and enterprise functions (e.g., DevSecOps, AI model sharing) on TS/SCI, Secret, and Unclassified levels. This complexity requires sophisticated approaches to security that can span different classification levels while maintaining appropriate boundaries.
The DevSecOps and CMMC Journey: Worth Every Step
Implementing DevSecOps to achieve CMMC compliance is not a simple task; it requires significant investment in people, processes, and technology. However, the benefits extend far beyond just checking a compliance box. Organizations that successfully integrate security into their development and operations processes see:
- Faster delivery of secure software capabilities
- Reduced costs from finding and fixing issues earlier
- Improved collaboration across traditionally siloed teams
- Enhanced ability to respond to security threats
- Greater confidence in the security of the software supply chain
Whether you're part of the DoD, the Intelligence Community, or the broader federal government ecosystem, the journey toward DevSecOps and CMMC compliance represents an investment in the future of your organization's security posture. And while the path may sometimes resemble an obstacle course designed by someone with a twisted sense of humor, the destination (a more secure, more agile, more capable organization) is well worth the journey.
Remember: in the world of federal cybersecurity, the only constant is change, except for paperwork. There will always be paperwork.
More Details about CMMC here: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverview.pdf