CMMC Practice SC.3.180: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Familiarity with security engineering principles and their successful application to your infrastructure will increase the security of your environment. NIST SP 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, can serve as a source of security engineering and design principles.
Organizations need to decide which designs and principles to apply. Some will not be possible or appropriate for your organization as a whole. Some will not be possible, applicable, or appropriate for specific systems or components.
Once a decision is made on which designs and principles to apply, they should be applied to your organization’s policies and security standards. Starting with your baseline configuration, they should be extended through all layers of the technology stack (e.g., hardware, software, firmware) and throughout all the components of your infrastructure. The application of these chosen designs and principles should drive your organization towards a secure architecture with the required security capabilities and intrinsic behaviors present throughout the lifecycle of your technology.
As legacy components in your architecture age, it may become increasingly difficult for those components to meet security principles and requirements. This should factor into life-cycle decisions for those components (e.g., replacing legacy hardware, upgrading or re-writing software, upgrading run-time environments).