Appearance
CMMC Control Traceability
Maps Turbo Launcher Policy capabilities to CMMC Level 2 practices and NIST 800-171 requirements.
What You'll Learn
- Which policy features implement specific CMMC practices
- Configuration paths for each control
- Validation approaches for compliance evidence
Access Control (AC)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| AC-3 (3.1.1) | Limit system access to authorized users | App authorization (allowlist) | apps[].action, apps[].authorization | Verify unauthorized apps cannot launch |
| AC-4 (3.1.3) | Control information flow | Data motion rules | runtime.dataMotion.rules[] | Test clipboard/drag-drop with classified content |
| AC-4 | CUI flow enforcement | Classification-aware rules | runtime.dataMotion.rules[].match.classifications | Verify CUI cannot egress via blocked channels |
Audit and Accountability (AU)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| AU-2 (3.3.1) | Define auditable events | Audit event taxonomy | runtime.audit.settings.level, categoryOverrides | Review audit logs for coverage |
| AU-3 (3.3.1) | Audit record content | Event envelope | Documented envelope in audit-trails.md | Verify required fields present |
| AU-4 (3.3.4) | Audit storage capacity | Local diagnostics | runtime.audit.settings.export.localDiagnostics | Monitor storage utilization |
| AU-5 (3.3.5) | Audit failure response | Failure policy | runtime.audit.settings.failurePolicy | Test with unhealthy audit pipeline |
| AU-6 (3.3.5) | Audit review/analysis | SIEM forwarding | runtime.audit.settings.export.mode | Verify events reach SIEM |
| AU-9 (3.3.8) | Audit protection | Integrity controls | runtime.audit.settings.integrity | Verify hash chain, timestamps |
Configuration Management (CM)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| CM-2 (3.4.1) | Baseline configuration | Policy version tracking | policyVersion, policySignature | Verify version in telemetry |
| CM-3 (3.4.3) | Configuration change control | Signed policy delivery | policySignature, signatureCertificateThumbprints | Test with invalid signature |
| CM-7 (3.4.6) | Least functionality | App allowlist | apps[].action: "allow" | Verify only approved apps launch |
Identification and Authentication (IA)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| IA-2 (3.5.1) | User identification | Identity integration | configuration.identity | Verify SSO integration |
| IA-3 (3.5.2) | Device identification | Host attestation | configuration.security.hostAttestation | Test with non-compliant device |
| IA-5 (3.5.10) | Authenticator management | Certificate validation | configuration.trust.revocationMode | Test with revoked certificate |
Media Protection (MP)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| MP-2 (3.8.1) | Media access | Device controls | runtime.devices | Verify removable media restrictions |
| MP-7 (3.8.7) | Media use | File import/export | files[].operation: "import"/"export" | Test file transfer restrictions |
System and Communications Protection (SC)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| SC-7 (3.13.1) | Boundary protection | Network egress control | configuration.network.capabilities, proxyRouting | Test blocked egress |
| SC-8 (3.13.8) | Transmission confidentiality | Proxy TLS, mTLS | configuration.network.proxies[].tls | Verify TLS in transit |
| SC-13 (3.13.11) | Cryptographic protection | FIPS mode | configuration.security.cryptography.fipsMode | Verify FIPS modules used |
System and Information Integrity (SI)
| Practice | Requirement | Policy Feature | Configuration Path | Validation |
|---|---|---|---|---|
| SI-3 (3.14.2) | Malicious code protection | File type restrictions | files[].operation: "import", fileTypeRef | Test executable import block |
| SI-4 (3.14.6) | System monitoring | Audit trails | runtime.audit | Review audit coverage |
Validation Checklist
Pre-Assessment
- [ ] Policy signature verification enabled and tested
- [ ] FIPS mode set to
enforced - [ ] Host attestation mode set to
enforce - [ ] Audit failure policy set to
blockwithrequireHealthyFor: ["all"] - [ ] Classification provider integrated and tested
- [ ] Data motion rules deny CUI/ITAR on uncontrolled channels
Evidence Collection
- [ ] Export audit logs showing denied launches
- [ ] Export audit logs showing data motion denials
- [ ] Screenshot of policy load with signature verification
- [ ] Screenshot of FIPS module attestation
- [ ] Network capture showing proxy routing
