ThreatLocker as a CMMC Compliance Control

15 min. read. Last update: 04.26.2023


ThreatLocker's tools can assist your organization as you work towards CMMC compliance. ThreatLocker can be used as the control for specific practices, and it can assist in meeting other practices, either because the ThreatLocker product itself meets the practice or because it provides tools that help other applications meet it.

Access Control (AC) Domain

  • C001 - Establish system access requirements
    • Level 1 - "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker can help create a least-privileged environment using Application Control by restricting what applications can run, who can use them, and when.
      • Ringfencing can restrict the function of applications down to only what is necessary for business.
      • Storage Control can allow you to block access to folders and files and only permit access to specific applications that need to access those areas.  
      • Using ThreatLocker Elevation Control you can eliminate the need for local administrator accounts. You can get as granular as limiting the elevation for a single file within an application if that is all that is needed.
    • Level 2 - "Limit use of portable storage devices on external systems."
      • ThreatLocker can be the control for this practice. ThreatLocker Storage Control allows you to block all external storage devices, allow specific ones by serial number if needed, or permit them only for specific machines or users. You can even limit the folders or file types that these external storage devices can access.
  • C002 - Control internal system access
    • Level 1 - "Limit information system access to the types of transactions and functions that authorized users are permitted to execute."  
      • ThreatLocker can assist in meeting the control for this practice. Application Control allows you to specify which users can use which applications. 
      • Utilizing Ringfencing, you control what permitted applications are allowed to interact with, including files, the internet, or other applications.
      • With Storage Control you can limit file access to only specific programs, users, or file types.
    • Level 2 - "Employ the principle of least privilege, including for specific security functions and privileged accounts."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Elevation Control allows you to take away local admin rights.  
    • Level 2 - "Use non-privileged accounts or roles when accessing nonsecurity functions."
      • ThreatLocker Elevation Control can assist in meeting the control for this practice by enabling you to limit or eliminate the use of local administrator accounts. You can specify which applications are permitted to run with elevated privileges, and which users can run those applications.
      • The Unified Audit will log any elevated actions, whether they were performed using Elevation Control or a local admin account.   
    • Level 3 - "Separate the duties of individuals to reduce the risk of malevolent activity without collusion."
      • ThreatLocker can assist in meeting the control for this practice. Using Application Control you can limit the use of applications by users to allow the use of only what is needed for their job.
      • With Storage Control you can limit the ability of each user to access only what is strictly required for the user's job role.  
    • Level 3 - "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs."
      • ThreatLocker can assist in meeting the control for this practice. The Unified Audit will log all actions that are performed using elevated privileges.  
      • Application Control blocks any application that hasn't been permitted. 
      • Ringfencing gives you the ability to prevent application hopping, so that a user who is permitted to run one application with elevated privileges cannot pivot and run another application with the same elevated permission.
    • Level 3 - "Control connection of mobile devices."
      • ThreatLocker can assist in meeting the control for this practice. Utilizing Storage Control and setting up Remote Presence, you can prevent any device that is not running ThreatLocker from accessing data locations that you specify.  
      • ThreatLocker Storage Control can also prevent USB or other removable storage devices from accessing data.
  • C003 - Control remote system access
    • Level 2 - "Monitor and control remote access sessions."
      • ThreatLocker can assist in meeting the control for this practice. The ThreatLocker Unified Audit will log all actions done on any machine, including any remote sessions.
      • Application Control will block any remote access tools/applications that you don't approve.
    • Level 3 - "Authorize remote execution of privileged commands and remote access to security-relevant information."
      • ThreatLocker can help you meet the control for this practice by allowing you to remove local admin privileges and then apply Elevation Control to control who can run which privileged commands.
      • Storage Control can help you control what information is accessible to what users, regardless of their physical location, or their account privileges. 

Audit and Accountability (AU) Domain

  • C007 - Define audit requirements
    • Level 2 - "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions."
      • ThreatLocker can be used as the control for this practice. The Unified Audit will ensure that the actions of all individual users can be traced to those users for accountability.  
      • Utilizing Storage Control, file access will be audited.
      • Application Control will enable the auditing of application usage.
    • Level 3 - "Review and update logged events."
      • ThreatLocker can assist in meeting the control for this practice. The Unified Audit will provide very granular oversight of the activity on all your machines, providing a detailed log of events.
  • C008 - Perform auditing
    • Level 2 - "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity."
      • ThreatLocker can assist in meeting the control for this practice. The Unified Audit creates an audit log of all actions made by users, the SYSTEM account, or applications in your environment. These logs are retained for 30 days by default, but you can extend the retention period according to your compliance needs.  
    • Level 2 - "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records."
      • ThreatLocker can assist in meeting the control for this practice. All audit logs will include a date/time stamp down to the second and will be set to the timezone of the organization.
    • Level 3 - "Collect audit information (e.g., logs) into one or more central repositories."
      • ThreatLocker can be used as the control for this practice. The Unified Audit provides a central repository for all data collected in your environment. All child organizations' data is visible from the parent account.
  • C009 - Identify and protect audit information
    • Level 3 - "Protect audit information and audit logging tools from unauthorized access, modification, and deletion."
      • ThreatLocker can be used as the control for this practice. ThreatLocker protects the audit information from unauthorized access, modification, or deletion. Only administrators on your ThreatLocker account can access the audit. You have the ability to lock out ThreatLocker staff. Nothing logged in the audit can be deleted by anyone until those logs pass the specified retention period.
    • Level 3 - "Limit management of audit logging functionality to a subset of privileged users."
      • ThreatLocker can be used as the control for this practice. Only administrators on your ThreatLocker account can access any of the audit logs in ThreatLocker. You can limit the privileges of administrators on your ThreatLocker account to prevent them from viewing the audit if desired. You can lock ThreatLocker staff out of your account as well.  
  • C010 - Review and manage audit logs
    • Level 2 - "Review audit logs."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker provides audit logs of all actions made in the environment by users, the SYSTEM account, or applications. Those audits are stored for 30 days, but this time period can be extended.
    • Level 3 - "Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker helps manage audit logs by combining the logs of all your organizations into one area, showing all actions.  
    • Level 3 - "Provide audit record reduction and report generation to support on-demand analysis and reporting."
      • ThreatLocker can be the control for this practice. Using ThreatLocker's various filtering options in the Unified Audit, you can search for specific information. ThreatLocker also provides the ability to generate various reports.

Configuration Management (CM) Domain

  • C013 - Establish configuration baselines
    • Level 2 - "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker will baseline every machine and catalog all the applications found on each machine, including the OS version and build. 
      • Utilizing the Application Control policy and application lists, you can view all software installed and control what can run in your environment. 
    • Level 2 - "Track, review, approve or disapprove, and log changes to organizational systems."
      • ThreatLocker can assist in meeting the control for this practice. The Unified Audit will provide detailed insight and consolidated logging of any activities taking place on any of your devices. 
      • Application Control and the Approval Center will ensure that users are not able to make any changes or execute unauthorized actions without first requesting and subsequently being granted approval.
    • Level 2 - "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities."
      • ThreatLocker can be the control for this practice. Application Control enables you to allow only the programs necessary for everyday business.
      • Ringfencing allows you to put boundaries on the applications you have allowed, so that they can do only what is needed.
      • Storage Control can be configured to only allow access to the specific files or folders needed for each application and/or user.
      • Elevation Control enables you to limit or eliminate local administrator accounts and only allow elevated privileges for what is necessary. 
    • Level 2 - "Control and monitor user-installed software."
      • ThreatLocker can be the control for this practice. Application Control provides the ability to control and monitor all software installed in your environment. No user can install software unless you have permitted it. 
      • The Unified Audit will provide a log of all software that is installed, as well as all attempted installations.
  • C014 - Perform configuration and change management
    • Level 3 - "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Control can limit what applications can run and what they can communicate with.  
      • Ringfencing enables you to limit the internet access of applications, even specifying which internet locations an application can reach and on which ports.
      • Storage Control can limit what files and/or folders can be accessed by which applications and/or users.
      • NAC can restrict or prevent network traffic according to various parameters, such as IP address, port number, and/or protocol/service.
    • Level 3 - "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software."
      • ThreatLocker can be the control for this practice. ThreatLocker Application Control gives you the ability to deny all and permit by exception, creating a true whitelist.  

ID and Authentication (IA) Domain

  • C015 - Grant access to authenticated entities
    • Level 1 - "Identify information system users, processes acting on behalf of users, or devices."
      • ThreatLocker can assist in meeting the control for this practice. Through the Unified Audit you can track what actions are run, by which user or SYSTEM account, and provide visibility of what processes are run and on which device they occurred.

Incident Response (IR) Domain

  • C017 - Detect and report events
    • Level 2 - "Detect and report events."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker's Unified Audit will provide detailed logs of every action that takes place in your environment, providing you with information you can use in the Incident Response Cycle.
    • Level 2 - "Analyze and triage events to support event resolution and incident declaration."
      • ThreatLocker can assist in meeting the control for this practice. The Unified Audit provides a central location to view all activity in your environment, giving you a helpful tool when analyzing and triaging events.

Maintenance (MA) Domain

  • C021 - Manage Maintenance
    • Level 2 - "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance."
      • ThreatLocker can assist in meeting the control for this practice. ThreatLocker Application Control can block specific tools that aren't wanted in the environment, including PowerShell or Command Prompt commands, and limit which users can use those tools.
      • Ringfencing can provide boundaries so that once a tool has been permitted, it can only do what it needs to do.
      • Storage Control can restrict access to certain data locations, with only a few exceptions, to prevent these tools from accessing your protected files.
    • Level 2 - "Supervise the maintenance activities of personnel without required access authorization."
      • The Unified Audit will provide visibility of any software-related maintenance, tracing it back to the specific user.

Media Protection (MP) Domain

  • C023 - Protect and control media
    • Level 2 - "Limit access to CUI on system media to authorized users."
      • ThreatLocker can be used as the control for this practice. ThreatLocker Storage Control enables you to limit access to CUI on system media to only authorized users.
    • Level 2 - "Control the use of removable media on system components." 
      • ThreatLocker can be used as the control for this practice. Utilizing Storage Control, you can control the use of removable media on system components, and restrict the use of portable storage devices to only the exact devices you have specified.
    • Level 3 - "Prohibit the use of portable storage devices when such devices have no identifiable owner."
      • ThreatLocker can be used as the control for this practice. ThreatLocker Storage Control provides the ability to block all portable storage devices and allow them by serial number when needed, so any unknown/unidentified portable storage device will be prohibited.

Risk Management (RM) Domain

  • C032 - Manage Risk
    • Level 2 - "Remediate vulnerabilities in accordance with risk assessments."
      • ThreatLocker can assist in meeting the control for this practice. Application Control prohibits anything you haven't specifically permitted from running in your environment.  
      • Ringfencing can be configured to eliminate the ability of applications to access the powerful built-in Windows tools that are commonly exploited.
      • Elevation Control enables you to eliminate local admin accounts, reducing the risk of abusing these privileged accounts.
      • Storage Control provides the capability to control access to your protected shares.  
      • Remote Presence will ensure that no device without ThreatLocker can access your valuable shares.

Systems and Communications Protection (SC) Domain

  • C038 - Define security requirements for systems and communications
    • Level 3 - "Prevent unauthorized and unintended information transfer via shared system resources."
      • ThreatLocker can be the control for this practice. Using Storage Control you can prevent unauthorized information transfer via shared system resources by creating policies that allow only specific applications and/or users to access specific files, folders, or file types.
    • Level 3 - "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)."
      • ThreatLocker can assist in meeting the control for this practice. Through Ringfencing you can block all network access for any application and allow it only on an exception basis, as you deem necessary.
    • Level 3 - "Protect the confidentiality of CUI at rest."
      • ThreatLocker can assist in meeting the control for this practice. The Unified Audit will log only the file names and directory where they are located; there is no visibility of the file contents, protecting the confidentiality of the data within the ThreatLocker Portal.

System and Information Integrity (SI) Domain

  • C041 - Identify malicious content
    • Level 1 - "Provide protection from malicious code at appropriate locations within organizational information systems." 
      • ThreatLocker can be the control for this practice. Through Ringfencing, you can limit what high-risk applications can access. 
      • Application Control will block any executable that isn't expressly permitted with the ThreatLocker default-deny policy, providing protection against malicious code being run in your environment.
      • With Storage Control you can completely restrict access to any data location, and allow only what is needed to go in.    
    • Level 1 - "Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed."
      • The Unified Audit provides a near-real-time log of every file that is executed.
      • Utilizing Storage Control, you can maintain visibility of files that are downloaded, viewed, or attempted to be executed.
      • Application Control will prevent any files from running that aren't approved by you, giving you an opportunity to evaluate the file before permitting it.  
