ThreatLocker and CMMC 2.0

19 min. readlast update: 06.12.2024

 

ThreatLocker's tools can assist your organization when working towards becoming CMMC 2.0 compliant. ThreatLocker can be used as the control for specific practices and assist in meeting other practices either by providing tools that can be used to help other applications meet the compliance level practice or by the ThreatLocker product itself meeting the practice.

For more information on CMMC compliance, visit: CMMC Documentation (defense.gov) 

Access Control (AC) Domain

Level 1 AC Practices

  • AC.L1-3.1.1 - Authorized Access Control
  • "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)."
    •  ThreatLocker can assist in meeting the control for this practice. ThreatLocker can help create a least-privileged environment using Application Allowlisting by restricting what applications can run, who can use them, and when. 
    •  Ringfencing can restrict the function of applications down to only what is necessary for business.  
    • Storage Control can allow you to block access to folders and files and only permit access to specific applications that need to access those areas.  
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
  • AC.L1-3.1.2 - Transaction & Function Control
  • "Limit information system access to the types of transactions and functions that authorized users are permitted to execute."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker can help create a least-privileged environment using Application Allowlisting by restricting what applications can run, who can use them, and when. 
    •  Ringfencing can restrict the function of applications down to only what is necessary for business.
    • Storage Control can allow you to block access to folders and files and only permit access to specific applications that need to access those areas.  
    • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed. 
    • ThreatLocker Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, or even agent authentication or dynamic ACLs. 

Level 2 AC Practices

  • AC.L2-3.1.3 - Control CUI Flow
  • "Control the flow of CUI in accordance with approved authorizations"
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, permit them only for specific machines, or users. You can even limit the folders or file types that these external storage devices can access.
    • ThreatLocker Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, or even agent authentication or dynamic ACLs. 
  • AC.L2.3.1.5 - Least Privilege
  • "Employ the principle of least privilege, including for specific security functions and privileged accounts."
    • ThreatLocker can assist in meeting the control for this practice. Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.  
  • AC.L2-3.1.7 - Privileged Functions
  • "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in the audit logs."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Elevation Control can be used to eliminate local admin accounts. For applications that require elevated permissions, policies can be created to permit elevation just for the application, and only for specific users. 
  • AC.L2-3.1.12 - Control Remote Access
  • "Monitor and control remote access sessions."
    • ThreatLocker can assist in meeting the control for this practice. Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, or even agent authentication or dynamic ACLs. All network activity is captured in the Unified Audit, including the source IP address.
  • AC.L2-3.1.14 - Remote Access Routing
  • "Route remote access via managed access control points."
    • ThreatLocker can assist in meeting the control for this practice. Network Control provides on-demand port control over inbound network traffic. Using custom-built policies, you can allow granular access based on IP address, specific keywords, or even agent authentication or dynamic ACLs. All network activity is captured in the Unified Audit, including the source IP address. 
  • AC.L2-3.1.21 - Portable Storage Use
  • "Limit use of portable storage devices on external systems."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, permit them only for specific machines, or users. Storage Control can enforce encryption on external media. Storage control can limit the folders or file types that these external storage devices can access.

Audit and Accountability (AU) Domain

Level 2 AU Practices

  • AU.L2-3.3.1 - System Auditing
  • "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity."
    • ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.   ThreatLocker aslo provides the ability to generate various reports.
  • AU.L2-3.3.2 - User Accountability
  • "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions."
    • ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment, traceable to the logged in user. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.   
    • Utilizing Storage Control, file access will be audited.
    •  Application Allowlisting will enable the auditing of application usage.  
    • Network Control will log all network activity. 
  • AU.L2-3.3.3 Event Review
  • "Review and update logged events."
    • ThreatLocker can assist in meeting the control for this practice. The Unified Audit will provide very granular oversight of the activity on all your machines, providing a detailed log of events. 
  • AU.L2-3.3.6 - Reduction & Reporting
  • "Provide audit record reduction and report generation to support on-demand analysis and reporting."
    • ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment. The Unified Audit includes very granular filtering ability, and the ability to export the results. The audit logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.   ThreatLocker also provides the ability to generate various reports.
  • AU.L2-3.3.7 - Authoritative Time Source
  • "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records."
    • ThreatLocker can assist in meeting the control for this practice. All Unified Audit logs will include a date/time stamp down to the second and will be set to the timezone of the organization. 
  • AU.L2-3.3.8 - Audit Protection
  • "Protect audit information and audit logging tools from unauthorized access, modification, and deletion."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Anything logged in the audit can not be deleted by anyone unless those logs go past the specified retention time period.
  • AU.L2-3.3.9 - Audit Management
  • "Limit management of audit logging functionality to a subset of privileged users.
    • ThreatLocker can assist in meeting the control for this practice. Only administrators on your ThreatLocker account can access any of the audit logs in ThreatLocker. You can limit the privileges of administrators on your ThreatLocker account to prevent them from viewing the audit if desired. You can lock ThreatLocker staff out of your account as well.  

Configuration Management (CM) Domain

Level 2 CM Practices

  • CM.L2-3.4.1 - System Baselining
  • "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker will baseline every machine and catalog all the applications found on each machine, including the OS version and build. 
    • Utilizing the Application Allowlisting policy and application lists, you can view all software installed and control what can run in your environment.  
  • CM.L2-3.4.3 - System Change Management
  • "Track, review, approve or disapprove, and log changes to organizational systems."
    • ThreatLocker can assist in meeting the control for this practice. The Unified Audit will provide detailed insight and consolidated logging of any activities taking place on any of your devices. 
    • Application Allowlisting and the Approval Center will ensure that users are not able to make any changes or execute unauthorized actions without first requesting and subsequently being granted approval. 
  • CM.L2-3.4.6 - Least Functionality
  • "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
    • ThreatLocker can assist in meeting the control for this practice. Application Allowlisting enables you to allow only programs necessary for everyday business to transpire.
    • Ringfencing allows you to put boundaries on the applications you have allowed to only do what is needed. 
    • Storage Control can be configured to only allow access to the specific files or folders needed for each application and/or user.
    • Elevation Control enables you to limit or eliminate local administrator accounts and only allow elevated privileges for what is necessary.  
  • CM.L2-3.4.8 - Application Execution Policy
  • "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Allowlisting operates using default deny all and permit by exception, creating a true whitelist. 
  • CM.L2-3.4.9 - User-Installed Software
  • "Control and monitor user-installed software."
    • ThreatLocker can assist in meeting the control for this practice. Application Allowlisting provides the ability to control and monitor all software installed in your environment. No user can install software unless you have permitted it. 
    • The Unified Audit will provide a log of all software that is installed or attempted to be installed. 

Identification and Authentication (IA) Domain

Level 1 IA Practices

  • IA.L1-3.5.1 - Identification
  • "Identify information system users, processes acting on behalf of users, or devices."
    • ThreatLocker can assist in meeting the control for this practice. Through the Unified Audit you can track what actions are run, by which user or SYSTEM account, and provide visibility of what processes are run and on which device they occurred. 
  • IA.L2-3.5.7 - Password Complexity
  • "Enforce a minimum password complexity and change of characters when new passwords are created."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Configuration Manager provides the ability to set policies to enforce password policies, setting complexity, length, and age requirements.

Maintenance (MA) Domain

Level 2 MA Practices

  • MA.L2-3.7.2 - System Maintenance Control
  • "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Allowlisting can block specific tools that aren't wanted in the environment, including PowerShell or Command Prompt commands, and limit which users can use those tools.
    • Ringfencing can provide boundaries so that once a tool has been permitted, it can only do what it needs to do.
    • Storage Control can keep certain data locations to restricted access with only a few exceptions to prevent these tools from accessing your protected files. 
  • MA.L2-3.7.6 - Maintenance Personnel
  • "Supervise the maintenance activities of personnel without required access authorization."
    • ThreatLocker can assist in meeting the control for this practice .The Unified Audit will provide visibility of any software-related maintenance, tracing it back to the specific user.

Media Protection (MP) Domain

Level 2 MP Practices

  • MP.L2-3.8.2 - Media Access
  • "Limit access to CUI on system media to authorized users."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control enables you to limit access to CUI on system media to only authorized users.  
  • MP.L2-3.8.5 - Media Accountability
  • "Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, permit them only for specific machines, or users. Storage Control can enforce encryption on external media. Storage control can limit the folders or file types that these external storage devices can access. 
  • MP.L2-3.8.6 - Portable Storage Encryption
  • "Implement cyrptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherise protected by alternative physical safeguards."
    • ThreatLocker can assist in meeting the control for this practice. Storage Control can enforce encryption on external media. Set policies so that only encrypted external devices can access data locations.
  • MP.L2-3.8.7 - Removeable Media
  • "Control the use of removable media on system components." 
    • ThreatLocker can assist in meeting the control for this practice. Utilizing Storage Control, you can control the use of removable media on system components, and prohibit the use of portable storage devices to only the exact devices you have specified. 
  • MP.L2-3.8.8 - Shared Media
  • "Prohibit the use of portable storage devices when such devices have no identifiable owner." 
    •  ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control provides the ability to block all portable storage devices, and allow them by serial number when needed so any unknown/unidentified portable storage device will be prohibited. 
  • MP.L2-3.8.9 - Protect Backups
  • "Protect the confidentiality of backup CUI at storage locations."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control enables you to limit access to storage locations, including backups. 

Risk Assessment (RA) Domain

Level 2 RA Practices

  • RA.L2-3.11.2 - Vulnerability Scan
  • "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilites affecting those systems and applications are identified."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met.
    • ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.  
  • RA.L2-3.11.3 - Vulnerability Remediation
  • "Remediate vulnerabilities in accordance with risk assessments."
    • ThreatLocker can assist in meeting the control for this practice. Application Allowlisting prohibits anything you haven't specifically permitted from running in your environment.  
    • Ringfencing can be configured to eliminate the ability of applications to access the powerful built-in Windows tools that are commonly exploited.
    • Elevation Control enables you to eliminate local admin accounts, reducing the risk of abusing these privileged accounts.
    • Storage Control provides the capability to control access to your protected shares.  
    • Remote Presence will ensure that no device without ThreatLocker can access your valuable shares. 
    • ThreatLocker can help meet the control for this practice. ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met.
    • ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.   

System and Communications Protection (SC) Domain

Level 2 SC Practices

  • SC.L2-3.13.4 - Shared Resource Control
  • "Prevent unauthorized and unintended information transfer via shared system resources."
    • ThreatLocker can assist in meeting the control for this practice. Using Storage Control you can prevent unauthorized information transfer via shared system resources by creating policies to only allow specific applications and or users to access specific files, folders, or file types.  
  • SC.L2-3.13.6 - Network Communication By Exception
  • "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker protected devices using a simple server-client connection. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use.
  • SC.L2-3.13.16 - Data At Rest
  • "Protect the confidentiality of CUI at rest."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Storage Control enables you to limit access to storage locations, and enforce encryption on removable media to help protect CUI at rest. 
    • ThreatLocker Configuration Manager policies can help by implementing BitLocker on ThreatLocker protected computers.

System and Information Integrity (SI) Domain

Level 1 SI Practices

  • SI.L1-3.14.2 - Malicious Code Protection
  • "Provide protection from malicious code at appropriate locations within organizational information systems." 
    • ThreatLocker can assist in meeting the control for this practice. Through Ringfencing, you can limit what high-risk applications can access. 
    • Application Control will block any executable that isn't expressly permitted with the ThreatLocker default-deny policy, providing protection against malicious code being run in your environment.
    • With Storage Control you can completely restrict access to any data location, and allow only what is needed to go in.     
    • ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met. 
  • SI.L1-3.14.5 - System & File Scanning
  • "Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed."
    • ThreatLocker can assist in meeting the control for this practice. The Unified Audit is a transactional history of everything that ThreatLocker is securing, including simulated denies if the machine is not secured. The Unified Audit will provide a near-real-time log of all files being executed, or attempting to execute. 
  • SI.L2-3.14.3 - Security Alerts & Advisories
  • "Monitor system security alerts and advisories and take action in response."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Ops uses the telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., a vulnerable version of MS Exchange). Once a parameter is set, users can configure action steps to take (i.e., automated notifications or blocking access) if the parameter is met.  
    • ThreatLocker’s Health Center can identify vulnerable machines and link to the offending policies for immediate revision.  
  • SI.L2-3.14.7 - Identify Unauthorized Use
  • "Identify unauthorized use of organizational systems."
    • ThreatLocker can assist in meeting the control for this practice. ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment, traceable to the logged in user. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.  
    • Utilizing Storage Control file access will be audited.
    •  Application Allowlisting will enable the auditing of application usage.
    • Network Control will log all network activity, including the source IP address.  

 

Updated 4/25/2023

Was this article helpful?