Appearance
CMMC/ITAR Deployment Profile
A complete, production-ready policy configuration for CMMC Level 2 and ITAR compliance. Use this as a starting point and customize for your environment.
What You'll Learn
- Complete policy structure for regulated environments
- All CMMC-relevant configuration sections working together
- Validation steps for each component
Complete Policy Example
json
{
"$schema": "https://schemas.turbo.net/launcher-policy.schema.json",
"policyVersion": 1,
"policySignature": "<<BASE64_CMS_SIGNATURE>>",
"signatureCertificateThumbprints": ["<<SIGNER_THUMBPRINT_SHA256>>"],
"configuration": {
"identity": {
"authenticationPolicy": {
"mfaPolicy": {
"mode": "enforced",
"allowedMethods": ["fido2", "certificate", "smartcard"]
},
"reauthFrequencyHours": 8
},
"claimsMapping": {
"usPersonStatus": "ext.usPersonVerified",
"clearanceLevel": "ext.securityClearance",
"exportControlTraining": "ext.exportTrainingCurrent"
},
"ssoAuditLevel": "verbose"
},
"security": {
"cryptography": {
"fipsMode": "enforced",
"keyManagement": {
"integrationMode": "externalKms",
"kmsProviderConfigRef": "aws-govcloud-kms"
}
},
"hostAttestation": {
"mode": "enforce",
"providerConfigRef": "crowdstrike-zta",
"requirements": {
"requireManagedDevice": true,
"minimumComplianceScore": 80,
"requireActiveThreatProtection": true
},
"onFailure": "denyAccess"
}
},
"dataClassification": {
"onClassificationFailure": "deny",
"onUnknownClassification": "deny",
"providers": [
{
"id": "purview-gcc-high",
"type": "purview",
"capabilities": ["document", "clipboard", "window"],
"confidenceThreshold": 0.85,
"cacheTtlSeconds": 30,
"connection": {
"tenantId": "{{CRED:PurviewGCC:tenantId}}",
"clientId": "{{CRED:PurviewGCC:clientId}}",
"clientSecret": "{{CRED:PurviewGCC:clientSecret}}",
"endpoint": "https://api.purview.azure.us"
}
}
],
"mappings": [
{ "providerId": "purview-gcc-high", "externalLabelId": "<<CUI_LABEL_GUID>>", "normalized": ["CUI"] },
{ "providerId": "purview-gcc-high", "externalLabelId": "<<CUI_CTI_LABEL_GUID>>", "normalized": ["CUI", "CUI//SP-CTI"] },
{ "providerId": "purview-gcc-high", "externalLabelId": "<<ITAR_LABEL_GUID>>", "normalized": ["ITAR"] }
],
"normalizedVocabulary": ["ITAR", "CUI", "CUI//SP-CTI", "CUI//SP-EXPT", "CUI//SP-PRVCY", "EAR", "EAR99"]
},
"trust": {
"revocationMode": "online",
"revocationFallback": "fail-closed",
"requireTimestamp": true,
"allowedSigners": ["<<ENTERPRISE_CODE_SIGNING_THUMBPRINT>>"]
},
"network": {
"capabilities": {
"outboundAllowed": true,
"inboundAllowed": false,
"dnsAllowed": true,
"protocols": ["tcp"],
"ports": { "allow": ["443", "80"], "deny": ["25"] },
"egressDefaultAction": "deny"
},
"proxies": [
{
"id": "corp-proxy-govcloud",
"type": "https",
"url": "https://proxy.govcloud.corp.local:8443",
"tls": { "verify": true, "caBundleRef": "govcloud-ca-bundle" }
}
],
"proxyRouting": [
{
"id": "internal-direct",
"enabled": true,
"priority": 900,
"match": { "cidrs": ["10.0.0.0/8", "172.16.0.0/12"] },
"action": { "type": "direct" }
},
{
"id": "all-via-proxy",
"enabled": true,
"priority": 100,
"match": { "hosts": [{ "pattern": "*", "patternType": "glob" }], "protocol": "tcp" },
"action": { "type": "proxy", "proxyRef": "corp-proxy-govcloud", "failover": "deny" }
}
]
},
"launch": {
"runtime": {
"isolation": { "remoteSandbox": true },
"dataMotion": {
"settings": {
"clipboard": { "enabled": true, "defaultAction": "deny" },
"dragDrop": { "enabled": true, "defaultAction": "deny" },
"screenCapture": {
"enabled": true,
"mode": "foreground-only",
"watermark": {
"text": "CUI//SP-CTI | {Organization}\n{User.UPN|hash(8)} | {Timestamp.UTC}",
"opacity": 0.25,
"persistent": true,
"style": "diagonalRepeating",
"variablesAllowlist": ["Organization", "User.UPN", "Timestamp.UTC"],
"redactionDefaults": { "pii": "hash", "hashAlgorithm": "sha256", "salt": "env:CUI_WATERMARK_SALT" }
},
"blurBackground": true
},
"screenShare": { "enabled": false, "mode": "disabled" },
"audit": { "logDecisions": true, "sampleRate": 1.0 }
},
"rules": [
{
"id": "deny-cui-itar-clipboard-out",
"enabled": true,
"priority": 1000,
"channel": "clipboard",
"direction": "out",
"match": { "classifications": { "normalized": ["CUI", "CUI//SP-CTI", "ITAR"] } },
"action": { "type": "deny" }
},
{
"id": "deny-cui-itar-dragdrop-out",
"enabled": true,
"priority": 1000,
"channel": "dragDrop",
"direction": "out",
"match": { "classifications": { "normalized": ["CUI", "CUI//SP-CTI", "ITAR"] } },
"action": { "type": "deny" }
},
{
"id": "allow-plaintext-small-clipboard",
"enabled": true,
"priority": 500,
"channel": "clipboard",
"direction": "out",
"match": {
"mimeTypes": [{ "pattern": "text/plain", "patternType": "exact" }],
"sizeBytes": { "max": 4096 },
"classifications": { "state": "known", "normalized": [] }
},
"action": { "type": "allow" }
}
]
},
"audit": {
"settings": {
"enabled": true,
"level": "standard",
"categoryOverrides": {
"dataMotion": "verbose",
"authz": "verbose"
},
"redaction": {
"pii": "hash",
"variablesAllowlist": ["Classification", "Organization"],
"hashAlgorithm": "sha256",
"salt": "env:AUDIT_PII_SALT"
},
"integrity": {
"hashChain": true,
"checkpoint": { "everyEvents": 500 },
"timestamping": { "mode": "rfc3161", "tsaUrl": "http://timestamp.digicert.com" }
},
"failurePolicy": {
"onFailure": "block",
"requireHealthyFor": ["all"]
},
"dataResidency": {
"enforceByMetadata": true,
"allowedCountries": ["US"],
"forbidInternationalTransfers": true
},
"export": {
"mode": "siemForwarding",
"deliveryGuarantee": "atLeastOnceConfirmed",
"complianceMetadata": { "retentionPolicyRef": "worm-7y-itar" }
}
}
}
}
}
},
"apps": [
{
"id": "itar-cad-suite",
"displayName": "ITAR CAD Suite",
"enabled": true,
"priority": 300,
"visibility": "visible",
"matchAll": [
{ "type": "targetPath", "pattern": "C:\\\\Program Files\\\\ITAR-CAD\\\\**\\\\*.exe", "patternType": "glob" },
{ "type": "publisherCertificate", "field": "subjectCN", "pattern": "ITAR Software Inc", "patternType": "exact" }
],
"identityRequirements": ["publisherCertificate"],
"action": "allow",
"authorization": {
"requirements": {
"userAttributes": [
{ "attribute": "usPersonStatus", "allowedValues": ["verified"] },
{ "attribute": "exportControlTraining", "allowedValues": ["current"] }
],
"contextConstraints": {
"allowedGeos": ["US"],
"requireCompliantHost": true
}
}
},
"modifications": {
"runtime": {
"devices": { "printers": "disabled" }
},
"network": {
"capabilities": { "egressDefaultAction": "deny" },
"proxyRouting": [
{
"id": "itar-vendor-api",
"enabled": true,
"priority": 950,
"match": { "hosts": [{ "pattern": "api.itar-vendor.com", "patternType": "exact" }], "ports": ["443"] },
"action": { "type": "proxy", "proxyRef": "corp-proxy-govcloud", "failover": "deny" }
}
]
}
}
}
],
"files": [
{
"id": "deny-executable-import",
"displayName": "Block executable imports",
"enabled": true,
"priority": 1000,
"operation": "import",
"fileTypeRef": "executable",
"action": "deny"
},
{
"id": "deny-export-all",
"displayName": "Block all exports by default",
"enabled": true,
"priority": 100,
"operation": "export",
"fileTypeRef": "all-files",
"action": "deny"
}
],
"fileTypes": [
{ "id": "executable", "displayName": "Executables", "match": { "extensions": ["exe", "dll", "msi", "bat", "cmd", "ps1", "vbs", "js"] } },
{ "id": "all-files", "displayName": "All Files", "match": { "extensions": ["*"] } }
]
}Configuration Sections Explained
Identity and Access Control (AC-3, IA-2)
The configuration.identity section enforces:
- MFA with hardware tokens (FIDO2) or certificates
- Claims mapping for US Person status and export control training verification
- Verbose SSO audit logging
Cryptography (SC-13)
The configuration.security.cryptography section enforces:
- FIPS 140-2 validated cryptographic modules
- External KMS integration for key management
Host Attestation (IA-3, AC-3)
The configuration.security.hostAttestation section enforces:
- Device must be enterprise-managed
- Minimum compliance score of 80
- Active endpoint protection required
- Deny access if attestation fails
Data Classification (AC-4, SC-7)
The configuration.dataClassification section enforces:
- Fail-closed on provider errors
- Deny unclassified content
- Integration with Microsoft Purview in GCC High
Network Controls (SC-7, SC-8)
The configuration.network section enforces:
- Deny-by-default egress
- All external traffic through enterprise proxy
- TLS verification with pinned CA bundle
Data Motion (AC-4)
The configuration.launch.runtime.dataMotion section enforces:
- Deny CUI/ITAR content on clipboard and drag-drop
- Dynamic watermarking with hashed PII
- Screen sharing disabled
Audit (AU-2 through AU-9)
The configuration.launch.runtime.audit section enforces:
- Verbose logging for data motion and authorization
- Hash chain integrity with RFC3161 timestamps
- Fail-closed when audit is unhealthy
- US-only data residency
- 7-year WORM retention
Validation Checklist
Pre-Deployment
- [ ] Replace all
<<PLACEHOLDER>>values with actual credentials/GUIDs - [ ] Configure CRED variables in Windows Credential Manager
- [ ] Verify Purview label GUIDs match your tenant
- [ ] Test policy signature with your code signing certificate
- [ ] Verify KMS and attestation provider references
Post-Deployment
- [ ] Verify MFA prompt on first launch
- [ ] Verify non-US-Person user cannot launch ITAR apps
- [ ] Verify non-compliant device cannot launch ITAR apps
- [ ] Test clipboard copy of CUI content is blocked
- [ ] Test drag-drop of ITAR file is blocked
- [ ] Verify watermark appears on screen capture
- [ ] Verify screen sharing is blocked
- [ ] Verify audit events reach SIEM
- [ ] Test audit pipeline failure blocks operations
- [ ] Verify FIPS mode in cryptographic operations
Customization Points
| Component | Customization | Considerations |
|---|---|---|
| Classification labels | Add organization-specific labels | Extend normalizedVocabulary; add mappings |
| Allowed geos | Multi-country operations | Update allowedGeos in ABAC and allowedCountries in audit |
| Compliance score | Adjust strictness | Lower minimumComplianceScore for less restrictive |
| Clipboard rules | Allow specific content | Add rules with higher priority for exceptions |
| Watermark text | Organization branding | Modify watermark.text template |
