Skip to content

Compliance Traceability

This page provides traceability matrices that link Turbo validation suites to NIST 800‑171 (CMMC Level 2) controls. The content documents control coverage and points to canonical tests and policy references that produce audit evidence.


CMMC Level 2 (NIST 800-171 Rev. 3.x) Traceability Matrix

Control IDFamilyRequirement DescriptionMapped Test / Evidence
AC.L2-3.1.2Access ControlLimit information system access to authorized users; limit access to types of transactions/functions.- HARD-POLICY-01, HARD-POLICY-08/09/10 — Policy Integrity & Authorization: Policy Integrity and Authorization Tests
- Enforces strong identity (publisher certificate/hash), visibility controls, priority and OR semantics
AC.L2-3.1.3Access Control (Information Flow)Control the flow of CUI in accordance with approved authorizations.- Clipboard: DM-CLIP-01..14 — Clipboard Egress Tests (includes image-size-gated egress: DM-CLIP-09..14)
- Clipboard evasion: DM-CLIPBYPASS-01..15 — Clipboard Bypass Tests (includes image format/dimension evasion: DM-CLIPBYPASS-12..15)
- Drag & Drop: DM-DRAG-01..03 — Drag-and-Drop Egress Tests
- Screen: DM-SCREEN-04/07 — Screen Capture and Share Egress Tests
- Browser uploads: DM-WEB-01..10 — Browser Uploads Egress Tests
- Files/Storage: HARD-FILES-* — Files Tab and Storage Contexts Tests
AU.L2-3.3.1Audit & AccountabilityCreate and retain audit records for defined events.- Policy: Audit Trails
- Procedures: Evidence Capture
AU.L2-3.3.4Audit & AccountabilityAlert when audit processing fails; address capacity and rollover.- Policy capacity/rollover: Audit Trails
- Procedures: Evidence Capture
AU.L2-3.3.5Audit & AccountabilityResponse to audit processing failures (fail closed when required).- HARD-POLICY-03 — Fail-closed posture: Policy Integrity and Authorization Tests
- Failure policy and gating: Audit Trails
AU.L2-3.3.6Audit & AccountabilityReview and analyze audit records.- Review/reporting guidance and envelope fields: Audit Trails
- SIEM queries (Splunk/KQL): Evidence Capture
AU.L2-3.3.7Audit & AccountabilityProvide audit reduction and report generation.- SIEM queries and artifacts packaging: Evidence Capture
CM.L2-3.4.3Configuration ManagementTrack, review, approve/disapprove, and log changes.- Template and validation controls: HARD-POLICY-CFG-01/02/03 — Policy Integrity and Authorization Tests
- Policy change requests and auditability: Audit Trails
MP.L2-3.8.7Media ProtectionRestrict the use of removable media and output devices.- USB mass storage: DM-DEVICE-02/05/06 — Devices Egress Tests
- Printing enumeration/denial: DM-DEVICE-PRINT-01/02 — Devices Egress Tests
SC.L2-3.13.1System & Communications ProtectionMonitor and control communications at system boundaries; enforce boundary protections.- Network isolation: NET-ISOLATE-01..04 — Network Isolation Validation
- Egress boundary: NET-EGRESS-01..13 — Egress Validation
- Local IPC isolation: HARD-IPC-01..08 — IPC Boundary Tests
- Host and process isolation: HARD-HOST-01..05, HARD-PROCESS-01..04 — Host Isolation and File System Tests, Process Isolation Tests
SC.L2-3.13.6System & Communications ProtectionDeny network communications by default; allow by exception.- Default-deny and proxy-only: NET-EGRESS-01..13 — Egress Validation
- Protocol gating (UDP/QUIC, tunneling): NET-PROTO-01/05/06/07 — Protocol Validation
SC.L2-3.13.8System & Communications ProtectionProtect the confidentiality/integrity of transmitted information (TLS, pinning, SNI).- TLS pinning and SNI enforcement: NET-ENCRYPT-01..04 — Encryption Validation
- Designated proxy identity/pinning: NET-EGRESS-10 — Egress Validation

NIST Control Family Crosswalk (Classic 800-53-style IDs)

Control IDFamilyRequirement DescriptionMapped Test / Evidence
AC-3Access ControlAccess enforcement.- App authorization and visibility: HARD-POLICY-08/09/10 — Policy Integrity and Authorization Tests
AC-4Access ControlInformation flow enforcement between domains (Sandbox ↔ Host).- Clipboard: DM-CLIP-* — Clipboard Egress Tests
- Drag & Drop: DM-DRAG-* — Drag-and-Drop Egress Tests
- Screen capture/foreground-only/blocks: DM-SCREEN-* — Screen Capture and Share Egress Tests
- Browser uploads and IPv6 parity: DM-WEB-* — Browser Uploads Egress Tests
- Files/Storage contexts and associations: HARD-FILES-* — Files Tab and Storage Contexts Tests
AU-2Audit & AccountabilityEvent logging (what to audit).- Event taxonomy and capture levels: Audit Trails
AU-3Audit & AccountabilityContent of audit records.- Normalized envelope and required fields: Audit Trails
AU-4Audit & AccountabilityAudit storage capacity and rollover.- Capacity/rollover controls and diagnostics: Audit Trails
AU-5Audit & AccountabilityResponse to audit processing failures.- Fail-closed posture (HARD-POLICY-03): Policy Integrity and Authorization Tests
- Failure policy: Audit Trails
AU-6Audit & AccountabilityAudit review, analysis, and reporting.- SIEM queries and evidence packaging: Evidence Capture
CM-3Configuration ManagementConfiguration change control.- Configuration template validation: HARD-POLICY-CFG-01/02/03 — Policy Integrity and Authorization Tests
- Change request workflow auditability: Audit Trails
MP-7Media ProtectionMedia use restrictions.- USB storage attach/write/detach: DM-DEVICE-02/05/06 — Devices Egress Tests
- Printer enumeration/print deny/watermark: DM-DEVICE-PRINT-01/02, DM-DEVICE-01 — Devices Egress Tests
SC-7System & Communications ProtectionBoundary protection.- Egress controls and proxy enforcement: NET-EGRESS-01..13 — Egress Validation
- PAC/WPAD hygiene, CONNECT-to-non-proxy: NET-EGRESS-08/12 — Egress Validation
- Local/remote isolation: NET-ISOLATE-01..04 — Network Isolation Validation
- Local IPC/host/process isolation: HARD-IPC-01..08 — IPC Boundary Tests; HARD-HOST-01..05 — Host Isolation and File System Tests; HARD-PROCESS-01..04 — Process Isolation Tests
SC-8System & Communications ProtectionTransmission confidentiality and integrity.- TLS pinning, SNI, ECH: NET-ENCRYPT-01..04 — Encryption Validation
SI-7System IntegritySoftware/firmware/information integrity.- Policy tampering/rollback detection: HARD-POLICY-02/03 — Policy Integrity and Authorization Tests

Notes

  • Links point to the Canonical Test Catalog pages under Validation. Scenario- and Integration-level procedures map back to these canonical IDs as required by the Validation Architecture.
  • For audit artifacts and packaging conventions, see Evidence Capture. For policy-level auditing configuration, see Audit Trails.