Appearance
Compliance Traceability
This page provides traceability matrices that link Turbo validation suites to NIST 800‑171 (CMMC Level 2) controls. The content documents control coverage and points to canonical tests and policy references that produce audit evidence.
CMMC Level 2 (NIST 800-171 Rev. 3.x) Traceability Matrix
| Control ID | Family | Requirement Description | Mapped Test / Evidence |
|---|---|---|---|
| AC.L2-3.1.2 | Access Control | Limit information system access to authorized users; limit access to types of transactions/functions. | - HARD-POLICY-01, HARD-POLICY-08/09/10 — Policy Integrity & Authorization: Policy Integrity and Authorization Tests - Enforces strong identity (publisher certificate/hash), visibility controls, priority and OR semantics |
| AC.L2-3.1.3 | Access Control (Information Flow) | Control the flow of CUI in accordance with approved authorizations. | - Clipboard: DM-CLIP-01..14 — Clipboard Egress Tests (includes image-size-gated egress: DM-CLIP-09..14) - Clipboard evasion: DM-CLIPBYPASS-01..15 — Clipboard Bypass Tests (includes image format/dimension evasion: DM-CLIPBYPASS-12..15) - Drag & Drop: DM-DRAG-01..03 — Drag-and-Drop Egress Tests - Screen: DM-SCREEN-04/07 — Screen Capture and Share Egress Tests - Browser uploads: DM-WEB-01..10 — Browser Uploads Egress Tests - Files/Storage: HARD-FILES-* — Files Tab and Storage Contexts Tests |
| AU.L2-3.3.1 | Audit & Accountability | Create and retain audit records for defined events. | - Policy: Audit Trails - Procedures: Evidence Capture |
| AU.L2-3.3.4 | Audit & Accountability | Alert when audit processing fails; address capacity and rollover. | - Policy capacity/rollover: Audit Trails - Procedures: Evidence Capture |
| AU.L2-3.3.5 | Audit & Accountability | Response to audit processing failures (fail closed when required). | - HARD-POLICY-03 — Fail-closed posture: Policy Integrity and Authorization Tests - Failure policy and gating: Audit Trails |
| AU.L2-3.3.6 | Audit & Accountability | Review and analyze audit records. | - Review/reporting guidance and envelope fields: Audit Trails - SIEM queries (Splunk/KQL): Evidence Capture |
| AU.L2-3.3.7 | Audit & Accountability | Provide audit reduction and report generation. | - SIEM queries and artifacts packaging: Evidence Capture |
| CM.L2-3.4.3 | Configuration Management | Track, review, approve/disapprove, and log changes. | - Template and validation controls: HARD-POLICY-CFG-01/02/03 — Policy Integrity and Authorization Tests - Policy change requests and auditability: Audit Trails |
| MP.L2-3.8.7 | Media Protection | Restrict the use of removable media and output devices. | - USB mass storage: DM-DEVICE-02/05/06 — Devices Egress Tests - Printing enumeration/denial: DM-DEVICE-PRINT-01/02 — Devices Egress Tests |
| SC.L2-3.13.1 | System & Communications Protection | Monitor and control communications at system boundaries; enforce boundary protections. | - Network isolation: NET-ISOLATE-01..04 — Network Isolation Validation - Egress boundary: NET-EGRESS-01..13 — Egress Validation - Local IPC isolation: HARD-IPC-01..08 — IPC Boundary Tests - Host and process isolation: HARD-HOST-01..05, HARD-PROCESS-01..04 — Host Isolation and File System Tests, Process Isolation Tests |
| SC.L2-3.13.6 | System & Communications Protection | Deny network communications by default; allow by exception. | - Default-deny and proxy-only: NET-EGRESS-01..13 — Egress Validation - Protocol gating (UDP/QUIC, tunneling): NET-PROTO-01/05/06/07 — Protocol Validation |
| SC.L2-3.13.8 | System & Communications Protection | Protect the confidentiality/integrity of transmitted information (TLS, pinning, SNI). | - TLS pinning and SNI enforcement: NET-ENCRYPT-01..04 — Encryption Validation - Designated proxy identity/pinning: NET-EGRESS-10 — Egress Validation |
NIST Control Family Crosswalk (Classic 800-53-style IDs)
| Control ID | Family | Requirement Description | Mapped Test / Evidence |
|---|---|---|---|
| AC-3 | Access Control | Access enforcement. | - App authorization and visibility: HARD-POLICY-08/09/10 — Policy Integrity and Authorization Tests |
| AC-4 | Access Control | Information flow enforcement between domains (Sandbox ↔ Host). | - Clipboard: DM-CLIP-* — Clipboard Egress Tests - Drag & Drop: DM-DRAG-* — Drag-and-Drop Egress Tests - Screen capture/foreground-only/blocks: DM-SCREEN-* — Screen Capture and Share Egress Tests - Browser uploads and IPv6 parity: DM-WEB-* — Browser Uploads Egress Tests - Files/Storage contexts and associations: HARD-FILES-* — Files Tab and Storage Contexts Tests |
| AU-2 | Audit & Accountability | Event logging (what to audit). | - Event taxonomy and capture levels: Audit Trails |
| AU-3 | Audit & Accountability | Content of audit records. | - Normalized envelope and required fields: Audit Trails |
| AU-4 | Audit & Accountability | Audit storage capacity and rollover. | - Capacity/rollover controls and diagnostics: Audit Trails |
| AU-5 | Audit & Accountability | Response to audit processing failures. | - Fail-closed posture (HARD-POLICY-03): Policy Integrity and Authorization Tests - Failure policy: Audit Trails |
| AU-6 | Audit & Accountability | Audit review, analysis, and reporting. | - SIEM queries and evidence packaging: Evidence Capture |
| CM-3 | Configuration Management | Configuration change control. | - Configuration template validation: HARD-POLICY-CFG-01/02/03 — Policy Integrity and Authorization Tests - Change request workflow auditability: Audit Trails |
| MP-7 | Media Protection | Media use restrictions. | - USB storage attach/write/detach: DM-DEVICE-02/05/06 — Devices Egress Tests - Printer enumeration/print deny/watermark: DM-DEVICE-PRINT-01/02, DM-DEVICE-01 — Devices Egress Tests |
| SC-7 | System & Communications Protection | Boundary protection. | - Egress controls and proxy enforcement: NET-EGRESS-01..13 — Egress Validation - PAC/WPAD hygiene, CONNECT-to-non-proxy: NET-EGRESS-08/12 — Egress Validation - Local/remote isolation: NET-ISOLATE-01..04 — Network Isolation Validation - Local IPC/host/process isolation: HARD-IPC-01..08 — IPC Boundary Tests; HARD-HOST-01..05 — Host Isolation and File System Tests; HARD-PROCESS-01..04 — Process Isolation Tests |
| SC-8 | System & Communications Protection | Transmission confidentiality and integrity. | - TLS pinning, SNI, ECH: NET-ENCRYPT-01..04 — Encryption Validation |
| SI-7 | System Integrity | Software/firmware/information integrity. | - Policy tampering/rollback detection: HARD-POLICY-02/03 — Policy Integrity and Authorization Tests |
Notes
- Links point to the Canonical Test Catalog pages under Validation. Scenario- and Integration-level procedures map back to these canonical IDs as required by the Validation Architecture.
- For audit artifacts and packaging conventions, see Evidence Capture. For policy-level auditing configuration, see Audit Trails.
