Skip to content

CMMC/ITAR Deployment Profile

A complete, production-ready policy configuration for CMMC Level 2 and ITAR compliance. Use this as a starting point and customize for your environment.

What You'll Learn

  • Complete policy structure for regulated environments
  • All CMMC-relevant configuration sections working together
  • Validation steps for each component

Complete Policy Example

json
{
  "$schema": "https://schemas.turbo.net/launcher-policy.schema.json",
  "policyVersion": 1,
  "policySignature": "<<BASE64_CMS_SIGNATURE>>",
  "signatureCertificateThumbprints": ["<<SIGNER_THUMBPRINT_SHA256>>"],

  "configuration": {
    "identity": {
      "authenticationPolicy": {
        "mfaPolicy": {
          "mode": "enforced",
          "allowedMethods": ["fido2", "certificate", "smartcard"]
        },
        "reauthFrequencyHours": 8
      },
      "claimsMapping": {
        "usPersonStatus": "ext.usPersonVerified",
        "clearanceLevel": "ext.securityClearance",
        "exportControlTraining": "ext.exportTrainingCurrent"
      },
      "ssoAuditLevel": "verbose"
    },

    "security": {
      "cryptography": {
        "fipsMode": "enforced",
        "keyManagement": {
          "integrationMode": "externalKms",
          "kmsProviderConfigRef": "aws-govcloud-kms"
        }
      },
      "hostAttestation": {
        "mode": "enforce",
        "providerConfigRef": "crowdstrike-zta",
        "requirements": {
          "requireManagedDevice": true,
          "minimumComplianceScore": 80,
          "requireActiveThreatProtection": true
        },
        "onFailure": "denyAccess"
      }
    },

    "dataClassification": {
      "onClassificationFailure": "deny",
      "onUnknownClassification": "deny",
      "providers": [
        {
          "id": "purview-gcc-high",
          "type": "purview",
          "capabilities": ["document", "clipboard", "window"],
          "confidenceThreshold": 0.85,
          "cacheTtlSeconds": 30,
          "connection": {
            "tenantId": "{{CRED:PurviewGCC:tenantId}}",
            "clientId": "{{CRED:PurviewGCC:clientId}}",
            "clientSecret": "{{CRED:PurviewGCC:clientSecret}}",
            "endpoint": "https://api.purview.azure.us"
          }
        }
      ],
      "mappings": [
        { "providerId": "purview-gcc-high", "externalLabelId": "<<CUI_LABEL_GUID>>", "normalized": ["CUI"] },
        { "providerId": "purview-gcc-high", "externalLabelId": "<<CUI_CTI_LABEL_GUID>>", "normalized": ["CUI", "CUI//SP-CTI"] },
        { "providerId": "purview-gcc-high", "externalLabelId": "<<ITAR_LABEL_GUID>>", "normalized": ["ITAR"] }
      ],
      "normalizedVocabulary": ["ITAR", "CUI", "CUI//SP-CTI", "CUI//SP-EXPT", "CUI//SP-PRVCY", "EAR", "EAR99"]
    },

    "trust": {
      "revocationMode": "online",
      "revocationFallback": "fail-closed",
      "requireTimestamp": true,
      "allowedSigners": ["<<ENTERPRISE_CODE_SIGNING_THUMBPRINT>>"]
    },

    "network": {
      "capabilities": {
        "outboundAllowed": true,
        "inboundAllowed": false,
        "dnsAllowed": true,
        "protocols": ["tcp"],
        "ports": { "allow": ["443", "80"], "deny": ["25"] },
        "egressDefaultAction": "deny"
      },
      "proxies": [
        {
          "id": "corp-proxy-govcloud",
          "type": "https",
          "url": "https://proxy.govcloud.corp.local:8443",
          "tls": { "verify": true, "caBundleRef": "govcloud-ca-bundle" }
        }
      ],
      "proxyRouting": [
        {
          "id": "internal-direct",
          "enabled": true,
          "priority": 900,
          "match": { "cidrs": ["10.0.0.0/8", "172.16.0.0/12"] },
          "action": { "type": "direct" }
        },
        {
          "id": "all-via-proxy",
          "enabled": true,
          "priority": 100,
          "match": { "hosts": [{ "pattern": "*", "patternType": "glob" }], "protocol": "tcp" },
          "action": { "type": "proxy", "proxyRef": "corp-proxy-govcloud", "failover": "deny" }
        }
      ]
    },

    "launch": {
      "runtime": {
        "isolation": { "remoteSandbox": true },

        "dataMotion": {
          "settings": {
            "clipboard": { "enabled": true, "defaultAction": "deny" },
            "dragDrop": { "enabled": true, "defaultAction": "deny" },
            "screenCapture": {
              "enabled": true,
              "mode": "foreground-only",
              "watermark": {
                "text": "CUI//SP-CTI | {Organization}\n{User.UPN|hash(8)} | {Timestamp.UTC}",
                "opacity": 0.25,
                "persistent": true,
                "style": "diagonalRepeating",
                "variablesAllowlist": ["Organization", "User.UPN", "Timestamp.UTC"],
                "redactionDefaults": { "pii": "hash", "hashAlgorithm": "sha256", "salt": "env:CUI_WATERMARK_SALT" }
              },
              "blurBackground": true
            },
            "screenShare": { "enabled": false, "mode": "disabled" },
            "audit": { "logDecisions": true, "sampleRate": 1.0 }
          },
          "rules": [
            {
              "id": "deny-cui-itar-clipboard-out",
              "enabled": true,
              "priority": 1000,
              "channel": "clipboard",
              "direction": "out",
              "match": { "classifications": { "normalized": ["CUI", "CUI//SP-CTI", "ITAR"] } },
              "action": { "type": "deny" }
            },
            {
              "id": "deny-cui-itar-dragdrop-out",
              "enabled": true,
              "priority": 1000,
              "channel": "dragDrop",
              "direction": "out",
              "match": { "classifications": { "normalized": ["CUI", "CUI//SP-CTI", "ITAR"] } },
              "action": { "type": "deny" }
            },
            {
              "id": "allow-plaintext-small-clipboard",
              "enabled": true,
              "priority": 500,
              "channel": "clipboard",
              "direction": "out",
              "match": {
                "mimeTypes": [{ "pattern": "text/plain", "patternType": "exact" }],
                "sizeBytes": { "max": 4096 },
                "classifications": { "state": "known", "normalized": [] }
              },
              "action": { "type": "allow" }
            }
          ]
        },

        "audit": {
          "settings": {
            "enabled": true,
            "level": "standard",
            "categoryOverrides": {
              "dataMotion": "verbose",
              "authz": "verbose"
            },
            "redaction": {
              "pii": "hash",
              "variablesAllowlist": ["Classification", "Organization"],
              "hashAlgorithm": "sha256",
              "salt": "env:AUDIT_PII_SALT"
            },
            "integrity": {
              "hashChain": true,
              "checkpoint": { "everyEvents": 500 },
              "timestamping": { "mode": "rfc3161", "tsaUrl": "http://timestamp.digicert.com" }
            },
            "failurePolicy": {
              "onFailure": "block",
              "requireHealthyFor": ["all"]
            },
            "dataResidency": {
              "enforceByMetadata": true,
              "allowedCountries": ["US"],
              "forbidInternationalTransfers": true
            },
            "export": {
              "mode": "siemForwarding",
              "deliveryGuarantee": "atLeastOnceConfirmed",
              "complianceMetadata": { "retentionPolicyRef": "worm-7y-itar" }
            }
          }
        }
      }
    }
  },

  "apps": [
    {
      "id": "itar-cad-suite",
      "displayName": "ITAR CAD Suite",
      "enabled": true,
      "priority": 300,
      "visibility": "visible",
      "matchAll": [
        { "type": "targetPath", "pattern": "C:\\\\Program Files\\\\ITAR-CAD\\\\**\\\\*.exe", "patternType": "glob" },
        { "type": "publisherCertificate", "field": "subjectCN", "pattern": "ITAR Software Inc", "patternType": "exact" }
      ],
      "identityRequirements": ["publisherCertificate"],
      "action": "allow",
      "authorization": {
        "requirements": {
          "userAttributes": [
            { "attribute": "usPersonStatus", "allowedValues": ["verified"] },
            { "attribute": "exportControlTraining", "allowedValues": ["current"] }
          ],
          "contextConstraints": {
            "allowedGeos": ["US"],
            "requireCompliantHost": true
          }
        }
      },
      "modifications": {
        "runtime": {
          "devices": { "printers": "disabled" }
        },
        "network": {
          "capabilities": { "egressDefaultAction": "deny" },
          "proxyRouting": [
            {
              "id": "itar-vendor-api",
              "enabled": true,
              "priority": 950,
              "match": { "hosts": [{ "pattern": "api.itar-vendor.com", "patternType": "exact" }], "ports": ["443"] },
              "action": { "type": "proxy", "proxyRef": "corp-proxy-govcloud", "failover": "deny" }
            }
          ]
        }
      }
    }
  ],

  "files": [
    {
      "id": "deny-executable-import",
      "displayName": "Block executable imports",
      "enabled": true,
      "priority": 1000,
      "operation": "import",
      "fileTypeRef": "executable",
      "action": "deny"
    },
    {
      "id": "deny-export-all",
      "displayName": "Block all exports by default",
      "enabled": true,
      "priority": 100,
      "operation": "export",
      "fileTypeRef": "all-files",
      "action": "deny"
    }
  ],

  "fileTypes": [
    { "id": "executable", "displayName": "Executables", "match": { "extensions": ["exe", "dll", "msi", "bat", "cmd", "ps1", "vbs", "js"] } },
    { "id": "all-files", "displayName": "All Files", "match": { "extensions": ["*"] } }
  ]
}

Configuration Sections Explained

Identity and Access Control (AC-3, IA-2)

The configuration.identity section enforces:

  • MFA with hardware tokens (FIDO2) or certificates
  • Claims mapping for US Person status and export control training verification
  • Verbose SSO audit logging

Cryptography (SC-13)

The configuration.security.cryptography section enforces:

  • FIPS 140-2 validated cryptographic modules
  • External KMS integration for key management

Host Attestation (IA-3, AC-3)

The configuration.security.hostAttestation section enforces:

  • Device must be enterprise-managed
  • Minimum compliance score of 80
  • Active endpoint protection required
  • Deny access if attestation fails

Data Classification (AC-4, SC-7)

The configuration.dataClassification section enforces:

  • Fail-closed on provider errors
  • Deny unclassified content
  • Integration with Microsoft Purview in GCC High

Network Controls (SC-7, SC-8)

The configuration.network section enforces:

  • Deny-by-default egress
  • All external traffic through enterprise proxy
  • TLS verification with pinned CA bundle

Data Motion (AC-4)

The configuration.launch.runtime.dataMotion section enforces:

  • Deny CUI/ITAR content on clipboard and drag-drop
  • Dynamic watermarking with hashed PII
  • Screen sharing disabled

Audit (AU-2 through AU-9)

The configuration.launch.runtime.audit section enforces:

  • Verbose logging for data motion and authorization
  • Hash chain integrity with RFC3161 timestamps
  • Fail-closed when audit is unhealthy
  • US-only data residency
  • 7-year WORM retention

Validation Checklist

Pre-Deployment

  • [ ] Replace all <<PLACEHOLDER>> values with actual credentials/GUIDs
  • [ ] Configure CRED variables in Windows Credential Manager
  • [ ] Verify Purview label GUIDs match your tenant
  • [ ] Test policy signature with your code signing certificate
  • [ ] Verify KMS and attestation provider references

Post-Deployment

  • [ ] Verify MFA prompt on first launch
  • [ ] Verify non-US-Person user cannot launch ITAR apps
  • [ ] Verify non-compliant device cannot launch ITAR apps
  • [ ] Test clipboard copy of CUI content is blocked
  • [ ] Test drag-drop of ITAR file is blocked
  • [ ] Verify watermark appears on screen capture
  • [ ] Verify screen sharing is blocked
  • [ ] Verify audit events reach SIEM
  • [ ] Test audit pipeline failure blocks operations
  • [ ] Verify FIPS mode in cryptographic operations

Customization Points

ComponentCustomizationConsiderations
Classification labelsAdd organization-specific labelsExtend normalizedVocabulary; add mappings
Allowed geosMulti-country operationsUpdate allowedGeos in ABAC and allowedCountries in audit
Compliance scoreAdjust strictnessLower minimumComplianceScore for less restrictive
Clipboard rulesAllow specific contentAdd rules with higher priority for exceptions
Watermark textOrganization brandingModify watermark.text template

See Also