Implement Software Security as an Element of the Cybersecurity Architecture

MIL2 requirements
a. Software developed in-house for deployment on higher priority assets is developed using secure software development practices
b. The selection of procured software for deployment on higher priority assets includes consideration of the vendor’s secure software development practices
c. Secure software configurations are required as part of the software deployment process for both procured software and software developed in-house

MIL3 requirements
d. All software developed in-house is developed using secure software development practices
e. The selection of all procured software includes consideration of the vendor’s secure software development practices
f. The architecture review process evaluates the security of new and revised applications prior to deployment
g. The authenticity of all software and firmware is validated prior to deployment
h. Security testing (for example, static testing, dynamic testing, fuzz testing, penetration testing) is performed for in-house-developed and in-house-tailored applications periodically and according to defined triggers, such as system changes and external events