ThreatLocker has tools that can assist your organization in becoming CMMC 2.0 compliant. It can be used as the control for specific practices and assist in meeting other practices either by providing tools that can be used to help other applications meet the compliance-level practice or by the ThreatLocker product itself meeting the practice. CMMC follows the guidelines set by controls appearing in NIST SP 800-171 Rev. 2.
For more information on CMMC compliance, visit: CMMC Documentation (defense.gov)
Access Control (AC)
AC.L1-B.1.I - Authorized Access Control
- "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)."
- ThreatLocker can assist in meeting the control for this practice. It can create a least-privileged environment by using Application Allowlisting, which restricts which applications can run, who can use them, and when.
- Ringfencing can restrict the function of applications to only what is necessary for business functionality.
- Storage Control can allow you to block access to folders and files, only permitting access to applications that require access to certain areas.
- ThreatLocker Elevation Control eliminates the need for local administrator accounts and enables you to block elevation for single files within an application.
- Configuration Manager has features that allow users to restrict access to certain aspects of machines with ThreatLocker installed on them. It can work at a granular level of the computer, making it easy for users to enforce UAC settings, restrict certain accounts within the system, and more. Configuration Manager works similarly to Active Directory in that it enables users to limit user access to areas that should not be accessible to them.
- ThreatLocker Detect allows users to create policies that match specific actions on a machine in the organization. If an action matches a created policy, you can set a 'Policy Action' for how you would like ThreatLocker to respond to these activities. ThreatLocker Detect allows users to restrict access to specific actions on machines by permitting the ability to Lockdown or Isolate a machine should an unauthorized action occur.
AC.L1-B.1.II - Transaction & Function Control
- "Limit information system access to the types of transactions and functions that authorized users are permitted to execute."
- ThreatLocker can help meet the control for this practice. It can help create a least-privileged environment by using Application Allowlisting, which restricts which applications can run, who can use them, and when.
- Ringfencing can restrict the function of applications to only what is necessary for business functionality.
- Storage Control can allow you to block access to folders and files, only permitting access to applications that require access to certain areas.
- ThreatLocker Elevation Control eliminates the need for local administrator accounts and enables you to block elevation for single files within an application.
- ThreatLocker Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, agent authentication, or dynamic ACLs.
- Configuration Manager has features that allow users to restrict access to certain aspects of machines with ThreatLocker installed on them. It can work at a granular level of the computer, making it easy for users to enforce UAC settings, restrict certain accounts within the system, and more. Configuration Manager works similarly to Active Directory, enabling users to limit user access.
- ThreatLocker Detect allows users to create policies that match specific actions on a machine in the organization. If an action matches a created policy, you can set a 'Policy Action' for how you would like ThreatLocker to respond to these activities. ThreatLocker Detect allows users to restrict access to specific actions on machines by permitting the ability to Lockdown or Isolate a machine should an unauthorized action occur.
- Web Control permits users to create policies that restrict users' access to specific domains or websites that fit into a pre-designated category by ThreatLocker. If users in your organization are not allowed access to certain websites, these interactions can be restricted.
- Using Cloud Detect, users can create policies restricting user accounts from taking unauthorized actions. If an unauthorized action happens on an account matching a created policy, a policy action can be set up to lock out the account, further preventing unauthorized activity.
AC.L1-B.1.III - External Connections
- "Verify and control/limit connections to and use of external information systems."
- ThreatLocker Detect can verify when outside or unexpected users attempt to interact with unexpected connections or devices. The machines can be locked down or isolated by setting up policies and rules for alerting when users interact with unauthorized processes.
- Web Control permits users to create policies that restrict users' access to specific domains or websites that fit into a pre-designated category by ThreatLocker. If users in your organization are not allowed access to certain websites, these interactions can be restricted.
AC.L2-3.1.1 - Authorized Access Control
- "Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)."
- ThreatLocker can assist in meeting the control for this practice. Ringfencing allows users to create
- ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, and permit them only for particular machines or users. You can even limit the folders or file types these external storage devices can access.
- ThreatLocker Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, agent authentication, or dynamic ACLs.
- Configuration Manager can be used similarly to Active Directory in that certain accounts can be configured to limit specific permissions. The Configuration Manager can limit specific account characteristics, ensuring that an account or process does not gain access to parts of the system meant to be inaccessible.
- ThreatLocker Detect allows users to create policies that perform specific actions. Depending on the policy created, a policy action can be put in place that locks down or isolates the machine. This can prevent certain processes from taking action on a system.
AC.L2-3.1.5 - Least Privilege
- "Employ the principle of least privilege, including for specific security functions and privileged accounts."
- ThreatLocker Application Control can assist in meeting the control for this practice, as it allows administrators to choose which applications users in the organization can access. By setting up groups, administrators can create policies that permit or deny applications for users fitting specific parameters. This way, users are not granted applications that would give them special permissions unless those applications are required to perform their job (e.g., a user in the IT department might need a policy for a remote access application, whereas a user from Marketing does not).
- Using ThreatLocker Elevation Control, you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
- The Web Control module can be used to deny access to websites that aren't necessary for your organization. By creating policies that deny specific categories or domains, you can prevent users from gaining access to websites that are not currently permitted.
AC.L2-3.1.7 - Privileged Functions
- "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs."
- ThreatLocker can assist in meeting the control for this practice. Ringfencing allows you to limit applications' interactions with other system components. This ensures that an application cannot perform activities outside its intended purpose.
- ThreatLocker Elevation Control can be used to eliminate local admin accounts. For applications requiring elevated permissions, policies can permit elevation just for the application, and only for specific users.
- ThreatLocker Configuration Manager can be used to disable the administrator account so that users cannot access it while using their machine. It can also rename the administrator account, making it harder for users to reach at all. This prevents users from executing actions that should not be available to them.
- ThreatLocker Detect allows users to create policies that follow certain policy conditions and policy actions. By creating a ThreatLocker Detect policy, depending on the parameters, if users execute a privileged action without permission, ThreatLocker Detect can lock down or isolate the machine.
- The ThreatLocker Unified Audit can log events that show users using, or attempting to use, privileged functions within the system. This feature creates an audit log of all user actions, which is retained by default for 30 days. This log retention can be extended according to your compliance needs.
AC.L2-3.1.12 - Control Remote Access
- "Monitor and control remote access sessions."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Allowlisting can limit which remote access applications users have access to. Creating policies for remote access applications in your organization prevents users from downloading unauthorized ones. Additionally, users must request permission to execute these files if a remote access session does not match a hash or custom rule within an existing policy. This is useful for cases where attackers send out fake remote access sessions to gain control over someone's system.
- Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, agent authentication, or dynamic ACLs. All network activity, including the source IP address, is captured in the Unified Audit.
- ThreatLocker Detect can also assist in meeting the control for this practice. Using ThreatLocker Detect, users can set policies permitting or denying specific IP addresses. By setting a range of permitted (or denied) IP addresses, a policy action can be implemented to isolate or lock down the machine should an unauthorized IP address be contacted via remote connection.
AC.L2-3.1.14 - Remote Access Routing
- "Route remote access via managed access control points."
- ThreatLocker can assist in meeting the control for this practice. Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, agent authentication, or dynamic ACLs. All network activity, including the source IP address, is captured in the Unified Audit.
AC.L2-3.1.21 - Portable Storage Use
- "Limit use of portable storage devices on external systems."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, or permit them only for specific machines or users. Storage Control can enforce encryption on external media and limit the folders or file types that these external storage devices can access.
Audit and Accountability (AU) Domain
AU.L2-3.3.1 - System Auditing
- "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of the actions of users, the SYSTEM account, and applications in your environment. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs. ThreatLocker also provides the ability to generate various reports.
- ThreatLocker Detect has a list of set policies that can generate logs depending on the actions taken on the computer. It also allows administrators to create other policies to gain information for which ThreatLocker does not already have a policy. A series of logs can be viewed on each computer, including information on the generated alert. This information is retained even after the alert is cleared.
AU.L2-3.3.2 - User Accountability
- "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of the actions of users, the SYSTEM account, and applications in your environment, traceable to the logged-in user. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.
- ThreatLocker Application Control generates logs in the Unified Audit that specify which user interacts with certain applications.
- With Storage Control, file access will be audited and appear in the Unified Audit. This provides a granular understanding of which users accessed a file in the system, even if no policy concerns that file.
- Network Control will log all network activity within the Unified Audit.
- ThreatLocker Detect can be used to log information about alerts generated in the system. This information can provide logs that specify which user performed an action on the system and what the action was. This information is retained even after the alert is cleared.
- The ThreatLocker System Audit retains information about administrator activities in the ThreatLocker Portal. This information shows whether administrators add or delete policies, change organization settings, etc. If an administrator has performed an unauthorized action, that information will be viewable in the System Audit, which is retained indefinitely.
AU.L2-3.3.3 - Event Review
- "Review and update logged events."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit provides very granular oversight of the activity on all your machines, with a detailed log of events. The Unified Audit updates as soon as logs are available on the machine, and events can be reviewed for up to 30 days, the default retention period. This period can be extended according to your compliance needs.
- ThreatLocker Detect can be used to log information about alerts generated in the system. This information can provide logs that specify which user performed an action on the system and what the action was. This information is retained even after the alert is cleared.
- The ThreatLocker System Audit logs information about changes to the ThreatLocker organization you are operating in. Viewing this log regularly can show you information about actions that administrators within your organization conduct.
AU.L2-3.3.5 - Audit Correlation
- "Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity."
- ThreatLocker Detect can assist in meeting the control for this practice. It can be used to report and respond to suspicious or unauthorized activity within your organization or on specific machines. Certain policies are already in place or can be set to alert you of unauthorized actions being taken in the organization. These actions will then remain recorded within the computer's ThreatLocker Detect logs, where reviews can be done to determine which user was responsible for these actions, along with other information.
AU.L2-3.3.6 - Reduction & Reporting
- "Provide audit record reduction and report generation to support on-demand analysis and reporting."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of the actions of users, the SYSTEM account, and applications in your environment. The Unified Audit includes very granular filtering abilities and the ability to export the results. The audit logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs. ThreatLocker also provides the ability to generate various reports.
- ThreatLocker offers a 'Scheduled Report' feature, allowing users to create customized reports containing information that they would like to view easily. Additionally, users can decide the frequency at which they receive these reports and create multiple ones to view at the same time.
AU.L2-3.3.7 - Authoritative Time Source
- "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records."
- ThreatLocker can assist in meeting the control for this practice. All Unified Audit logs will include a date/time stamp down to the second and will be set to the organization's time zone.
- The ThreatLocker Detect logs generated whenever an alert appears display a date and time down to the second, which correlates with the user's time zone. A 'Date Created' field is also displayed alongside the ThreatLocker Detect alerts, which signifies when the alert first appeared in the ThreatLocker Detect Alert Center.
- The System Audit logs all appear with a date/time stamp down to the second so that users can easily view audit logs within their organization.
AU.L2-3.3.8 - Audit Protection
- "Protect audit information and audit logging tools from unauthorized access, modification, and deletion."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You can lock out ThreatLocker staff. Anything logged in the audit cannot be deleted by anyone unless those logs go past the specified retention time period.
AU.L2-3.3.9 - Audit Management
- "Limit management of audit logging functionality to a subset of privileged users."
- ThreatLocker can assist in meeting the control for this practice. Only administrators on your ThreatLocker account can access any of the audit logs in ThreatLocker. If desired, you can limit the privileges of administrators on your ThreatLocker account to prevent them from viewing the audit. You can also lock ThreatLocker staff out of your account.
Configuration Management (CM) Domain
CM.L2-3.4.1 - System Baselining
- "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
- ThreatLocker can assist in meeting the control for this practice. Once the ThreatLocker agent is first downloaded, ThreatLocker will take a baseline of the machine. This baseline scans the machine for any drivers that are specific to the computer, and this information is always retained in the Unified Audit. Additional baselines can be initiated at any time after the first one completes.
- You can view all software policies in your environment by utilizing Application Control. These lists describe which software is permitted or denied, and the machines to which each policy applies.
CM.L2-3.4.3 - System Change Management
- "Track, review, approve or disapprove, and log changes to organizational systems."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit will provide detailed insight and consolidated logging of any activities on your devices.
- Application Allowlisting and the Approval Center will ensure that users cannot make changes or execute unauthorized actions without first requesting and subsequently being granted approval.
- The System Audit logs all changes made within the ThreatLocker Portal. It highlights whether users grant permissions to applications, websites, etc., that were not initially permitted for the user. The System Audit logs are retained indefinitely.
CM.L2-3.4.6 - Least Functionality
- "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
- ThreatLocker can assist in meeting the control for this practice. Application Allowlisting and Application Control allow users to moderate which applications can be used in the organization. While machines are in 'Secured' mode, users must request access to use any other applications, which can be reviewed by an organization administrator or a Cyber Hero. This ensures that only applications that are essential to the organization are permitted.
- Ringfencing allows you to limit applications' interactions with other system components. This ensures that an application cannot perform activities outside its intended purpose.
- Storage Control can be configured to allow access only to the specific files or folders needed by each application and/or user.
- Elevation Control enables you to limit or eliminate local administrator accounts and only allow elevated privileges for what is necessary.
- ThreatLocker Configuration Manager can be used similarly to Active Directory in that it can enforce specific settings for how a machine interacts in the organization. Policies can be created that limit user capabilities on the machine and add another level of security if a machine is compromised.
- ThreatLocker Detect allows users to create policies restricting them from operating specific functions on their machines. A policy can be made to isolate or lock down the machine in response to a user's attempt to perform an unauthorized activity.
CM.L2-3.4.7 - Nonessential Functionality
- "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services."
- ThreatLocker can assist in meeting the control for this practice. By using Application Allowlisting and Application Control, administrators can choose which programs are accessible within the organization. If no policy permits an application, users whose machines are in Secured Mode will not be able to run it. Policies can also be created to explicitly deny applications that should not be permitted in the organization.
- Ringfencing is a tool that allows users to limit how applications interact with the rest of a system. By applying Ringfencing to applications in your organization, you can restrict applications from performing nonessential functions that might compromise your security.
- By using Network Control, users can restrict or entirely disable certain IP addresses, ports, and protocols from interacting with the organization. These can be set up by denying certain known malicious IP addresses or simply permitting only a range of known IP addresses to interact with your organization.
- Configuration Manager can be used to create policies that restrict or deny certain actions on a user's system. The Configuration Manager can be used to confirm that a user is only allowed to use a machine in specific ways, similarly to how Active Directory works in an environment.
- ThreatLocker Detect can create policies that isolate or lock down a machine if an unauthorized action is detected. This could apply to a user attempting to run a nonessential program or performing a function on the machine.
CM.L2-3.4.8 - Application Execution Policy
- "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Allowlisting operates using a default deny-all, permit-by-exception method, creating a true whitelist. When a machine is in Secured Mode, users can only download applications if they are reviewed and approved by an administrator in the organization.
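The deny-all, permit-by-exception model described for this practice (and the hash-or-custom-rule matching described under AC.L2-3.1.12, plus the per-user audit record described under AU.L2-3.3.2) can be illustrated with a small policy evaluator. The following is an added example written for this page; it is not ThreatLocker code, and the policy fields, matching order, user names, paths and file bytes are all constructed assumptions.

```python
"""Default-deny, permit-by-exception application allowlist evaluator.

Added example, not ThreatLocker code: policy shape, matching order and the
audit record layout are assumptions made for this demonstration.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "permit" or "deny"
    sha256: Optional[str] = None     # hash rule: exact file-content match
    path_glob: Optional[str] = None  # custom rule: case-insensitive path pattern
    users: frozenset = frozenset()   # empty = applies to every user
    start: Optional[time] = None     # optional inclusive time window
    end: Optional[time] = None


@dataclass(frozen=True)
class ExecRequest:
    path: str
    content: bytes                   # file bytes, hashed at evaluation time
    user: str
    when: datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def policy_matches(p: Policy, req: ExecRequest) -> bool:
    """A policy matches when its scope (user, time) and its identity rule both hold."""
    if p.users and req.user not in p.users:
        return False
    if p.start is not None and p.end is not None:
        if not (p.start <= req.when.time() <= p.end):
            return False
    if p.sha256 is not None:
        return p.sha256 == sha256_hex(req.content)
    if p.path_glob is not None:
        return fnmatch.fnmatchcase(req.path.lower(), p.path_glob.lower())
    return False  # a policy with no identity rule never matches anything


def audit_record(req: ExecRequest, decision: str, policy: Optional[str], reason: str) -> dict:
    """Every decision is traceable to the user, file hash and time of the request."""
    return {
        "timestamp": req.when.isoformat(timespec="seconds"),
        "user": req.user,
        "path": req.path,
        "sha256": sha256_hex(req.content),
        "decision": decision,
        "policy": policy,
        "reason": reason,
    }


def evaluate(policies: Iterable[Policy], req: ExecRequest) -> dict:
    """Explicit deny wins; a permit hit allows; no hit falls through to the
    default deny, which in Secured mode raises an approval request."""
    permit_by: Optional[str] = None
    for p in policies:
        if not policy_matches(p, req):
            continue
        if p.action == "deny":
            return audit_record(req, "deny", p.name, "explicit deny policy")
        permit_by = permit_by or p.name
    if permit_by:
        return audit_record(req, "permit", permit_by, "matched permit policy")
    return audit_record(req, "deny", None, "no matching policy; approval request raised")


# Constructed sample policies; the hash is computed from constructed bytes.
POLICIES = [
    Policy("Deny cmd for marketing", "deny", path_glob="*\\cmd.exe",
           users=frozenset({"mkt.bob"})),
    Policy("Permit approved editor (hash)", "permit",
           sha256=sha256_hex(b"constructed editor binary")),
    Policy("Permit RMM tool for IT only", "permit",
           path_glob="c:\\tools\\remote\\*.exe", users=frozenset({"it.alice"})),
    Policy("Permit nightly batch job", "permit",
           path_glob="c:\\apps\\batch\\*.exe", start=time(22, 0), end=time(23, 59)),
]


def demo() -> list:
    """Run constructed execution requests through the evaluator."""
    day = datetime(2024, 5, 1, 10, 0, 0)
    night = datetime(2024, 5, 1, 22, 30, 0)
    editor = "C:\\Program Files\\Editor\\editor.exe"
    requests = [
        ExecRequest(editor, b"constructed editor binary", "mkt.bob", day),   # hash permit
        ExecRequest("C:\\Tools\\Remote\\rmm.exe", b"rmm bytes", "mkt.bob", day),   # no policy
        ExecRequest("C:\\Tools\\Remote\\rmm.exe", b"rmm bytes", "it.alice", day),  # IT permit
        ExecRequest("C:\\Windows\\System32\\cmd.exe", b"cmd bytes", "mkt.bob", day),  # deny
        ExecRequest("C:\\Apps\\Batch\\job.exe", b"job bytes", "svc.batch", day),   # outside window
        ExecRequest("C:\\Apps\\Batch\\job.exe", b"job bytes", "svc.batch", night), # inside window
        ExecRequest(editor, b"tampered bytes", "mkt.bob", day),  # same path, different hash
    ]
    return [evaluate(POLICIES, r) for r in requests]


if __name__ == "__main__":
    for rec in demo():
        print(rec["decision"], rec["user"], rec["path"], rec["reason"])
```

The last request shows why the hash rule matters: a file at an approved path whose contents changed no longer matches the permit policy and falls back to the default deny, and the audit record still captures who tried to run it and the hash of what they ran.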
CM.L2-3.4.9 - User-Installed Software
- "Control and monitor user-installed software."
- ThreatLocker can assist in meeting the control for this practice. Application Allowlisting and the Application Control Center allow users to control and monitor all software installed within the environment. As long as the machine is set to be in Secured Mode, users will require permission from an administrator before they can install an application.
- Utilizing the Unified Audit, you can view logs of all user interactions on the machine. This includes software that a user installs and attempted installations.
- ThreatLocker Detect permits administrators to create policies that restrict what users install on a system. Depending on the parameters entered, administrators in the organization can create policies that lock down or isolate machines if an attempt is made to install an application. This could prevent users from attempting to install software that should not be allowed in the organization.
Identification and Authentication (IA) Domain
IA.L1-3.5.1 - Identification
- "Identify information system users, processes acting on behalf of users, or devices."
- ThreatLocker can assist in meeting the control for this practice. Through the Unified Audit, you can track which user or SYSTEM account ran each action. You are also given visibility of which processes run and on which device they occur.
- ThreatLocker Detect can also log information that shows what a SYSTEM agent or user is doing as long as a policy monitors those actions. Once a log is created, it is retained so it can be reviewed later. ThreatLocker Detect logs will show information on users who performed these actions on the system.
IA.L2-3.5.7 - Password Complexity
- "Enforce a minimum password complexity and change of characters when new passwords are created."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Configuration Manager allows you to set policies that enforce password complexity, length, and age requirements.
Incident Response (IR) Domain
IR.L2-3.6.1 - Incident Handling
- "Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Detect can detect a wide array of malicious behavior that could indicate an attack on machines. Users can also create their own policies to add to the organization. By utilizing our Cyber Hero MDR Team alongside this, you will be notified when malicious behavior is detected. In addition, ThreatLocker Detect can be used to lock down or isolate your machine should malicious activity happen.
- ThreatLocker now offers DAC Checks. These checks monitor potential compliance violations that your organization's machines might face. They can be used as a starting point to determine whether changes should be made to settings on your machines, as not responding to these compliance violations puts your organization at higher risk for attacks.
IR.L2-3.6.2 - Incident Reporting
- "Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Detect keeps track of all incidents that occur on a machine. In the event of an incident, logs associated with that machine will begin generating, and if the incident is cleared, these logs are retained indefinitely. This way, users can always look back on previous alerts to gain necessary information. With the addition of Cyber Hero MDR, Cyber Heroes can also reach out to specified organizational officials should the need arise, and if enough information is provided.
Maintenance (MA) Domain
MA.L2-3.7.2 - System Maintenance Control
- "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Allowlisting can block specific tools that aren't wanted in the environment, including PowerShell or Command Prompt commands, and limit which users can use those tools.
- Ringfencing can provide boundaries so that once a tool has been permitted, it can only perform particular actions. If set up correctly, Ringfencing prevents applications from interacting with other system parts in ways they should not.
- Storage Control can be used to restrict access to certain data locations. This way, only some users can access them, and anyone without permission cannot.
- Elevation Control prevents users from accessing admin-only applications on their machines. With Elevation Control, users must request access before they can gain admin-level access to applications. This prevents users from gaining access to features they do not need.
- ThreatLocker Detect can be used to create policies that prevent users from accessing specific tools within the organization. It can also notify administrators if someone attempts to interact with these system maintenance tools. Users can create policies that isolate or lock down the machine when an unauthorized user attempts an unauthorized action in the environment.
MA.L2-3.7.6 - Maintenance Personnel
- "Supervise the maintenance activities of personnel without required access authorization."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit will provide visibility of any software-related maintenance, tracing it back to the specific user.
- ThreatLocker Detect also logs disturbances on the system. If these maintenance activities trigger alerts, the logs can be examined to verify whether they fell within a planned maintenance period.
Media Protection (MP) Domain
MP.L2-3.8.1 - Media Protection
- "Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital."
- ThreatLocker can assist in meeting the control for this practice. By using Storage Control, users can restrict access to storage devices to only specific users. Users in your organization who are not allowed access to these storage areas will be barred from opening them.
- ThreatLocker Detect allows users to create policies that respond if users access unauthorized areas of a system. If a user attempts to access an unauthorized document, as outlined in the policy, a policy action can be taken to isolate or lock down a machine.
MP.L2-3.8.2 - Media Access
- "Limit access to CUI on system media to authorized users."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control enables you to limit access to CUI on system media to only authorized users. Users in your organization who are not allowed access to these storage areas will be barred from opening them.
- ThreatLocker Detect can be used to create policies that respond if users access unauthorized areas of a system. If a user attempts to access an unauthorized document outlined in the policy, a policy action can be input that isolates or locks down a machine.
MP.L2-3.8.5 - Media Accountability
- "Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, and permit them only for particular machines or users. Storage Control can enforce encryption on external media. Storage Control can limit the folders or file types these external storage devices can access.
- ThreatLocker Detect can be used to create policies that respond if users access unauthorized areas of a system. If a user attempts to access an unauthorized document outlined in the policy, a policy action can be input that isolates or locks down a machine.
MP.L2-3.8.6 - Portable Storage Encryption
- "Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards."
- ThreatLocker can assist in meeting the control for this practice. Storage Control can enforce encryption on external media and set policies so only encrypted external devices can access data locations.
MP.L2-3.8.7 - Removable Media
- "Control the use of removable media on system components."
- ThreatLocker can assist in meeting the control for this practice. Using Storage Control, you can control the use of removable media on system components, prohibiting portable storage devices except those you explicitly specify.
- ThreatLocker Detect allows you to create policies that detect certain device types and interactions with them on a machine. A policy action can be set to lock down or isolate the machine should an unauthorized device type be detected on the system. A policy can also identify specific serial numbers so that those devices are permitted while any other device triggers the policy action.
MP.L2-3.8.8 - Shared Media
- "Prohibit the use of portable storage devices when such devices have no identifiable owner."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control allows blocking all portable storage devices and allows them to be accessed by serial number when needed, so any unknown/unidentified portable storage device will be prohibited.
- ThreatLocker Detect allows you to create policies that detect certain device types and interactions with them on a machine. A policy action can be set to lock down or isolate the machine should an unauthorized device type be detected on the system. Users can set a policy to identify certain serial numbers so specific devices can be permitted, whereas others would activate the policy action.
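The practices MP.L2-3.8.5 through MP.L2-3.8.8 above all rest on the same pattern: removable media is denied by default, a device is allowed only by serial number, the exception is scoped to particular machines, users and folders, and unencrypted media is refused. The following is an added illustration of that decision logic in Python; it is not ThreatLocker code and does not use any ThreatLocker API. The device serials, host names, user names and folder paths are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MediaEvent:
    """A removable-storage access attempt (constructed sample, not a real product record)."""
    serial: str      # hardware serial reported by the device
    encrypted: bool  # whether the volume is encrypted
    host: str        # endpoint the device is plugged into
    user: str        # logged-in user performing the access
    path: str        # folder on the endpoint the device is reading or writing


@dataclass(frozen=True)
class MediaAllowRule:
    """One exception to the default deny, keyed by serial and optionally scoped further."""
    serial: str
    hosts: frozenset = frozenset()   # empty = any host
    users: frozenset = frozenset()   # empty = any user
    folders: tuple = ()              # permitted folder roots; empty = any folder
    require_encryption: bool = True  # MP.L2-3.8.6: refuse unencrypted media


def _norm(p):
    """Normalise a Windows or POSIX path for prefix comparison."""
    return p.replace("\\", "/").rstrip("/").lower()


def _under(path, folder):
    """True only if path is folder itself or inside it (C:/CUI/transport_old does not match C:/CUI/transport)."""
    path, folder = _norm(path), _norm(folder)
    return path == folder or path.startswith(folder + "/")


def evaluate_media(event, rules):
    """Return (decision, reason). The only way to get 'allow' is a matching rule that passes every scope check."""
    rule = next((r for r in rules if r.serial.lower() == event.serial.lower()), None)
    if rule is None:
        return "deny", "unknown device: serial has no identifiable owner on the allowlist (MP.L2-3.8.8)"
    if rule.hosts and event.host not in rule.hosts:
        return "deny", f"serial {event.serial} is not permitted on host {event.host}"
    if rule.users and event.user not in rule.users:
        return "deny", f"serial {event.serial} is not permitted for user {event.user}"
    if rule.require_encryption and not event.encrypted:
        return "deny", "device is not encrypted (MP.L2-3.8.6)"
    if rule.folders and not any(_under(event.path, f) for f in rule.folders):
        return "deny", f"{event.path} is outside the folders permitted for this device"
    return "allow", f"serial {event.serial} permitted by rule"


# Constructed allowlist: one device, scoped to one workstation, one user and one transport folder.
RULES = (
    MediaAllowRule(
        serial="SN-CUI-0001",
        hosts=frozenset({"WS-014"}),
        users=frozenset({"CORP/jdoe"}),
        folders=("C:/CUI/transport",),
    ),
)


def demo():
    """Evaluate a set of constructed access attempts; returns the list of decisions in order."""
    base = dict(serial="SN-CUI-0001", encrypted=True, host="WS-014", user="CORP/jdoe",
                path=r"C:\CUI\transport\report.docx")
    cases = [
        MediaEvent(**base),                                              # allow
        MediaEvent(**{**base, "serial": "SN-UNKNOWN-9"}),               # deny: no owner
        MediaEvent(**{**base, "encrypted": False}),                      # deny: unencrypted
        MediaEvent(**{**base, "host": "WS-007"}),                        # deny: wrong host
        MediaEvent(**{**base, "user": "CORP/asmith"}),                   # deny: wrong user
        MediaEvent(**{**base, "path": r"C:\Users\jdoe\Desktop\x.docx"}),  # deny: outside folder
        MediaEvent(**{**base, "path": r"C:\CUI\transport_old\x.docx"}),  # deny: prefix trap
    ]
    return [evaluate_media(e, RULES) for e in cases]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The prefix check in `_under` is the detail worth copying: a naive `startswith` on the folder string would let `C:\CUI\transport_old` inherit the permissions of `C:\CUI\transport`.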
MP.L2-3.8.9 - Protect Backups
- "Protect the confidentiality of backup CUI at storage locations."
- ThreatLocker Storage Control enables you to limit access to storage locations, including backups, to meet this practice's requirements.
- ThreatLocker Detect allows you to create policies that detect when users interact with storage locations on a system. A policy action can be set that locks down or isolates the machine should an unauthorized user attempt to access a confidential storage location.
Risk Assessment (RA) Domain
RA.L2-3.11.2 - Vulnerability Scan
- "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure policy actions to lock down the machine, isolate the machine from the network, or notify specific users at the organization.
- The ThreatLocker Health Center provides users with a simple way to view possible vulnerabilities in their organization. This includes information on policies that permit all applications in your organization, policies that haven't been used, and more. The Health Center can also show if users outside their usual locations attempt to log in to your ThreatLocker account.
- The ThreatLocker DAC check gives users a pre-determined list of checks that signify possible vulnerabilities within your organization. These checks list which computers are affected, the risks and resolutions of these checks, and which compliance standards might be affected if this check is not passed.
- ThreatLocker Patch Management scans user machines and can detect if installed applications have not been updated to the latest version. Outdated versions of applications bring a higher vulnerability risk to your organization.
RA.L2-3.11.3 - Vulnerability Remediation
- "Remediate vulnerabilities in accordance with risk assessments."
- ThreatLocker can assist in meeting the control for this practice. Application Allowlisting prohibits anything you haven't explicitly permitted from running in your environment.
- Ringfencing can be configured to eliminate the ability of applications to access the powerful built-in Windows tools that are commonly exploited.
- Elevation Control enables you to eliminate local admin accounts, reducing the risk of abusing these privileged accounts.
- Storage Control provides the capability to control access to your protected shares.
- ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure policy actions to apply if the parameters are met.
- ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.
- ThreatLocker DAC Checks can identify computers with potentially vulnerable settings enabled and identify which computers in the organization have similar settings, providing information on how to remediate each vulnerability.
- Patch Management can quickly update out-of-date software in your organization or schedule regular software updates for applications that have this configured.
Security Assessment (CA) Domain
CA.L2-3.12.3 - Security Control Monitoring
- "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls."
- ThreatLocker can assist in meeting the control for this practice. Using the Unified Audit, users can review logs within the organization to identify any unintended behavior. The Unified Audit provides a wide array of information, including the user associated with the behavior. By default, the Unified Audit retains information up to 30 days. This log retention can be extended according to your compliance needs.
- ThreatLocker Detect provides continuous monitoring of a user's system. When enabled, it operates in the background. If suspicious activity is detected on the machine, such as activity that matches an existing ThreatLocker policy or policy created by an admin at your organization, an alert will be generated that notifies users. A policy action can also be created that locks down or isolates the computer instead.
- ThreatLocker DAC checks can be used to monitor machines in your organization continuously. They verify whether computers in your environment meet certain compliance guidelines. If a machine has a potential vulnerability that could prevent your organization from meeting compliance, and ThreatLocker has created a DAC check for it, that information will be shown here.
System and Communications Protection (SC) Domain
SC.L2-3.13.4 - Shared Resource Control
- "Prevent unauthorized and unintended information transfer via shared system resources."
- ThreatLocker can assist in meeting the control for this practice. Using Storage Control, you can prevent unauthorized information transfer via shared system resources by creating policies allowing specific applications and/or users to access particular files, folders, or file types.
- ThreatLocker Detect allows users to create policies that lock down or isolate a machine should an unauthorized user attempt to access a shared system resource.
SC.L2-3.13.6 - Network Communication By Exception
- "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker-protected devices using a simple server-client connection. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
- ThreatLocker Detect policies can be created to lock down or isolate machines should unauthorized network activity be attempted. They can also alert users of unauthorized network activity.
SC.L2-3.13.16 - Data At Rest
- "Protect the confidentiality of CUI at rest."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control enables you to limit access to storage locations and enforce encryption on removable media to help protect CUI at rest.
- ThreatLocker Configuration Manager policies can help by implementing BitLocker on ThreatLocker-protected computers.
- ThreatLocker Detect policies can be created to isolate or lock down a machine if potentially malicious activity is detected.
System and Information Integrity (SI) Domain
SI.L1-3.14.2 - Malicious Code Protection
- "Provide protection from malicious code at appropriate locations within organizational information systems."
- ThreatLocker can assist in meeting the control for this practice. Application Control will block any executable that isn't expressly permitted with the ThreatLocker default-deny policy, protecting against malicious code run in your environment.
- Through Ringfencing, you can limit what high-risk applications can access.
- With Storage Control, you can restrict access to any data location and allow only what is needed.
- ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure policy actions to apply if the parameters are met.
SI.L1-3.14.5 - System & File Scanning
- "Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed."
- ThreatLocker can assist in meeting the control for this practice. The Unified Audit is a transactional history of everything ThreatLocker secures, including simulated denies if the machine is not secured. The Unified Audit will provide a near-real-time log of all files being executed or attempting to execute.
- ThreatLocker Detect stores logs based on potentially malicious behavior recorded on the machine, depending on whether a policy is in place to detect that behavior. These logs are kept indefinitely.
SI.L2-3.14.3 - Security Alerts & Advisories
- "Monitor system security alerts and advisories and take action in response."
- ThreatLocker can assist in meeting the control for this practice. ThreatLocker Detect uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure policy actions to apply if the parameters are met.
- The ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.
- ThreatLocker DAC Checks allow users to see which computers have potential vulnerabilities by viewing their settings.
SI.L2-3.14.6 - Monitor Communications for Attacks
- "Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks."
- ThreatLocker Detect policies can be set up to notify you if unauthorized IP addresses are attempting to gain remote access to a machine in your organization. If this is detected, a Network Control policy can be enabled alongside it to ensure the malicious actor cannot infiltrate your organization.
SI.L2-3.14.7 - Identify Unauthorized Use
- "Identify unauthorized use of organizational systems."
- ThreatLocker can assist in meeting the control for this practice. Application Allowlisting will enable the auditing of application usage.
- The Unified Audit creates an audit log of all actions by users, the SYSTEM account, or applications in your environment, traceable to the logged-in user. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.
- Storage Control audits file access.
- Network Control will log all network activity, including the source IP address.
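CA.L2-3.12.3, SI.L2-3.14.6 and SI.L2-3.14.7 above all come down to reviewing an audit trail for blocked executions, access to protected shares, and inbound connections from unexpected sources. The script below is an added example of that review logic, written for this page rather than taken from ThreatLocker; it runs over a constructed key=value log format that only stands in for a real audit export, and the hosts, users, paths and IP addresses in it are made up.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real Unified Audit output). One event per line,
# timestamp first, then space-separated key=value fields with no spaces inside values.
SAMPLE_LOG = """\
2024-05-01T10:15:02Z host=WS-014 user=CORP/jdoe module=application action=execute path=C:/Users/jdoe/Downloads/tool.exe result=deny
2024-05-01T10:15:09Z host=WS-014 user=CORP/jdoe module=application action=execute path=C:/Users/jdoe/Downloads/tool2.exe result=deny
2024-05-01T10:16:40Z host=WS-014 user=CORP/jdoe module=application action=execute path=C:/Temp/runme.exe result=deny
2024-05-01T10:20:00Z host=WS-007 user=CORP/asmith module=application action=execute path=C:/Apps/Word/winword.exe result=allow
2024-05-01T10:22:15Z host=WS-014 user=CORP/jdoe module=storage action=read path=//FS01/CUI/contract.docx result=allow
2024-05-01T10:23:30Z host=WS-007 user=CORP/asmith module=storage action=read path=//FS01/CUI/contract.docx result=allow
2024-05-01T10:31:12Z host=WS-014 user=- module=network action=inbound src=203.0.113.9 dst_port=3389 result=deny
2024-05-01T10:32:00Z host=WS-007 user=- module=network action=inbound src=10.20.1.5 dst_port=445 result=allow
"""


def parse_line(line):
    """Turn one constructed log line into a dict; 'ts' is a datetime, everything else a string."""
    ts, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = v
    return ev


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def repeated_denies(events, threshold=3, window=timedelta(minutes=10)):
    """Flag (host, user) pairs with at least `threshold` blocked executions inside any `window`.
    A burst of default-deny blocks for one user is a common sign of unauthorized use (SI.L2-3.14.7)."""
    times = defaultdict(list)
    for ev in events:
        if (ev.get("module"), ev.get("action"), ev.get("result")) == ("application", "execute", "deny"):
            times[(ev["host"], ev["user"])].append(ev["ts"])
    findings = []
    for (host, user), ts in times.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):          # sliding window over sorted timestamps
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                findings.append(("repeated_denies", host, user, f"{i - j + 1} blocked executions within {window}"))
                break
    return findings


def protected_share_access(events, protected_prefix, permitted_users):
    """Flag storage events under `protected_prefix` by users outside `permitted_users`.
    An *allowed* access by a non-permitted user is reported as a policy gap, not just an attempt."""
    findings = []
    for ev in events:
        if ev.get("module") != "storage":
            continue
        if not ev.get("path", "").lower().startswith(protected_prefix.lower()):
            continue
        if ev["user"] not in permitted_users:
            kind = "policy gap (access allowed)" if ev["result"] == "allow" else "blocked attempt"
            findings.append(("protected_share_access", ev["host"], ev["user"], f"{kind}: {ev['action']} {ev['path']}"))
    return findings


def unexpected_inbound(events, allowed_networks):
    """Flag inbound connections whose source is outside the expected networks (SI.L2-3.14.6)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for ev in events:
        if ev.get("module") != "network" or ev.get("action") != "inbound":
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in n for n in nets):
            findings.append(("unexpected_inbound", ev["host"], ev.get("user", "-"),
                             f"{src} -> port {ev['dst_port']} ({ev['result']})"))
    return findings


def run_all(text=SAMPLE_LOG):
    """Run the three reviews over a log export; the share path, permitted users and networks are constructed."""
    events = parse_log(text)
    return (repeated_denies(events)
            + protected_share_access(events, "//FS01/CUI/", {"CORP/asmith"})
            + unexpected_inbound(events, ["10.0.0.0/8"]))


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

On the constructed sample this produces three findings: a burst of blocked executions for one user, a CUI share read that the policy allowed for a user who should not have it, and an inbound RDP attempt from outside the internal range. The second finding is the one most reviews miss: an allowed event can be the more important signal, because it shows the control itself needs revising.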