Back to Control Explorer



Control Acronym



Security Assessment

CMMC Level


800-171 Control #


CMMC Description

Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk.

CMMC Clarification

The purpose of the security assessment is to assure the organization that the code has undergone sufficient testing to identify and mitigate errors or vulnerabilities. The review can be performed using static and/or dynamic application security testing tools. Static analysis examines the source code before the program is run. Developers vet the code against a set of rules. By performing static analysis early in the development process the developer can identify specific errors and correct in a timely manner. Dynamic testing executes the code to identify potential execution, memory, and data issues in real-time. Manual code reviews use development teams to review the code against a set of secure development guidelines. Example You are in charge of IT operations for your organization. You have a group of developers who create internal software applications. Because you develop the software in house, you make sure the code is reviewed so that code mistakes do not result in vulnerabilities. You have another software engineer, who is not part of the development team, perform a manual code review to ensure the software meets standards set by the organization. You do this for each software update or iteration. You prohibit the software from being run on the organization’s network until the code review is complete.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Creating secure software implementations is difficult and requires extra steps to assess the code for security related vulnerabilities. Security assessment is a process of reviewing software source code in order to identify defects or vulnerabilities within an application. Security assessment may be done using manual or automated techniques.

CIS Control References

CIS Controls v7.1 18.1, 18.2

NIST 800-53 Control Ref.

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

CA.3.162.[a] the organization reviews internally developed software for risks;

Assessment Sub-Criteria 2

CA.3.162.[b] for the code that is defined as an area of risk, the organization has documented the security assessment process which may include one or more of the following: manual code review, static analysis, and/or dynamic analysis;

Assessment Sub-Criteria 3

CA.3.162.[c] the organization has the ability to demonstrate their security assessment process; and

Assessment Sub-Criteria 4

CA.3.162.[d] the security assessment process is integrated with the change management process.

Assessment Sub-Criteria 5

CA.3.162.[a] the contractor establishes and maintains a plan that provides oversight for implementing the policies required in CA.2.999;

Assessment Sub-Criteria 6

CA.3.162.[b] the plan includes a mission and/or vision statement;

Assessment Sub-Criteria 7

CA.3.162.[c] the plan includes strategic goals/objectives;

Assessment Sub-Criteria 8

CA.3.162.[d] the plan includes relevant standards and procedures;

Assessment Sub-Criteria 9

CA.3.162.[e] the plan documents the activities, due dates, and resources (e.g., funding, people, tools) assigned to implement and manage the policies required in CA.2.999;

Assessment Sub-Criteria 10

CA.3.162.[f] people resources are assigned to support implementing the policies required in CA.2.999 and staff members have the appropriate knowledge, skills, and abilities to carry out their duties;

Assessment Sub-Criteria 11

CA.3.162.[h] funding resources are defined and assigned to fully execute implementing the policies required in CA.2.999 to include proper oversight, execution, and maintenance;

Assessment Sub-Criteria 12

CA.3.162.[i] specific tools required to implement the policies required in CA.2.999 are provided and people resources are adequately trained to use these tools; and

Assessment Sub-Criteria 13

CA.3.162.[j] relevant stakeholders are involved in resourcing activities.

Assessment Sub-Criteria 14

CA.3.162.Establish, maintain, and resource a plan that includes Security Assessment.

Assessment Sub-Criteria 15