Skip to content

CMMC Control Traceability

Maps Turbo Launcher Policy capabilities to CMMC Level 2 practices and NIST 800-171 requirements.

What You'll Learn

  • Which policy features implement specific CMMC practices
  • Configuration paths for each control
  • Validation approaches for compliance evidence

Access Control (AC)

PracticeRequirementPolicy FeatureConfiguration PathValidation
AC-3 (3.1.1)Limit system access to authorized usersApp authorization (allowlist)apps[].action, apps[].authorizationVerify unauthorized apps cannot launch
AC-4 (3.1.3)Control information flowData motion rulesruntime.dataMotion.rules[]Test clipboard/drag-drop with classified content
AC-4CUI flow enforcementClassification-aware rulesruntime.dataMotion.rules[].match.classificationsVerify CUI cannot egress via blocked channels

Audit and Accountability (AU)

PracticeRequirementPolicy FeatureConfiguration PathValidation
AU-2 (3.3.1)Define auditable eventsAudit event taxonomyruntime.audit.settings.level, categoryOverridesReview audit logs for coverage
AU-3 (3.3.1)Audit record contentEvent envelopeDocumented envelope in audit-trails.mdVerify required fields present
AU-4 (3.3.4)Audit storage capacityLocal diagnosticsruntime.audit.settings.export.localDiagnosticsMonitor storage utilization
AU-5 (3.3.5)Audit failure responseFailure policyruntime.audit.settings.failurePolicyTest with unhealthy audit pipeline
AU-6 (3.3.5)Audit review/analysisSIEM forwardingruntime.audit.settings.export.modeVerify events reach SIEM
AU-9 (3.3.8)Audit protectionIntegrity controlsruntime.audit.settings.integrityVerify hash chain, timestamps

Configuration Management (CM)

PracticeRequirementPolicy FeatureConfiguration PathValidation
CM-2 (3.4.1)Baseline configurationPolicy version trackingpolicyVersion, policySignatureVerify version in telemetry
CM-3 (3.4.3)Configuration change controlSigned policy deliverypolicySignature, signatureCertificateThumbprintsTest with invalid signature
CM-7 (3.4.6)Least functionalityApp allowlistapps[].action: "allow"Verify only approved apps launch

Identification and Authentication (IA)

PracticeRequirementPolicy FeatureConfiguration PathValidation
IA-2 (3.5.1)User identificationIdentity integrationconfiguration.identityVerify SSO integration
IA-3 (3.5.2)Device identificationHost attestationconfiguration.security.hostAttestationTest with non-compliant device
IA-5 (3.5.10)Authenticator managementCertificate validationconfiguration.trust.revocationModeTest with revoked certificate

Media Protection (MP)

PracticeRequirementPolicy FeatureConfiguration PathValidation
MP-2 (3.8.1)Media accessDevice controlsruntime.devicesVerify removable media restrictions
MP-7 (3.8.7)Media useFile import/exportfiles[].operation: "import"/"export"Test file transfer restrictions

System and Communications Protection (SC)

PracticeRequirementPolicy FeatureConfiguration PathValidation
SC-7 (3.13.1)Boundary protectionNetwork egress controlconfiguration.network.capabilities, proxyRoutingTest blocked egress
SC-8 (3.13.8)Transmission confidentialityProxy TLS, mTLSconfiguration.network.proxies[].tlsVerify TLS in transit
SC-13 (3.13.11)Cryptographic protectionFIPS modeconfiguration.security.cryptography.fipsModeVerify FIPS modules used

System and Information Integrity (SI)

PracticeRequirementPolicy FeatureConfiguration PathValidation
SI-3 (3.14.2)Malicious code protectionFile type restrictionsfiles[].operation: "import", fileTypeRefTest executable import block
SI-4 (3.14.6)System monitoringAudit trailsruntime.auditReview audit coverage

Validation Checklist

Pre-Assessment

  • [ ] Policy signature verification enabled and tested
  • [ ] FIPS mode set to enforced
  • [ ] Host attestation mode set to enforce
  • [ ] Audit failure policy set to block with requireHealthyFor: ["all"]
  • [ ] Classification provider integrated and tested
  • [ ] Data motion rules deny CUI/ITAR on uncontrolled channels

Evidence Collection

  • [ ] Export audit logs showing denied launches
  • [ ] Export audit logs showing data motion denials
  • [ ] Screenshot of policy load with signature verification
  • [ ] Screenshot of FIPS module attestation
  • [ ] Network capture showing proxy routing

See Also