CMMC 2.0 Compliance with CtrlLayer

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now a contractual requirement for defense contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). With over 300,000 companies in the Defense Industrial Base (DIB), CMMC compliance is a market differentiator and a business necessity. CtrlLayer provides the endpoint security controls required across all three CMMC maturity levels.

CMMC 2.0 Maturity Levels

Level 1 (Foundational)
Basic safeguarding of FCI. 17 practices from FAR 52.204-21. Self-assessment.
CtrlLayer addresses all relevant endpoint practices.

Level 2 (Advanced)
Protection of CUI. 110 practices aligned with NIST SP 800-171 Rev 2. Third-party assessment for critical programs.
CtrlLayer maps to key 800-171 control families.

Level 3 (Expert)
Enhanced protection against advanced persistent threats. Based on NIST SP 800-172. Government-led assessment.
CtrlLayer provides advanced detection and response.
AC: Access Control

Limit system access to authorized users, processes, and devices, and to the types of transactions and functions that authorized users are permitted to exercise.

AC.L1-3.1.1 — Authorized Access Control (Levels L1, L2)

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices.

  • RBAC+ABAC Policy Engine: Every elevation request is evaluated against policies that consider user role, device identity, application, time context, and risk score before granting access.
  • Agent Authentication: The Windows agent authenticates to the backend using signed JWT tokens. Unauthorized agents cannot connect to the management platform.
  • Default Deny Posture: All access requests are denied unless explicitly authorized by policy or administrator approval.

AC.L2-3.1.5 — Least Privilege (Level L2)

Employ the principle of least privilege, including for specific security functions and privileged accounts.

  • App-Scoped Elevation: Privilege grants are scoped to individual applications. Users never receive full administrator access to the system — only the specific privilege needed for the specific task.
  • Just-In-Time Access: Elevation grants are time-limited and automatically expire. No standing privileges persist after task completion.
  • Separation of Duties: Elevation approval workflows separate the person requesting access from the person (or policy) authorizing it.
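
As an added illustration (not CtrlLayer's code), a minimal default-deny policy evaluation of the kind described under AC.L1-3.1.1 and AC.L2-3.1.5: a request is granted only when every attribute (role, application, device trust, time window, risk score) matches a policy, and the grant is scoped to that application and expires after the policy's lifetime. The attribute names, the 0-100 risk scale and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ElevationRequest:
    role: str
    device_trusted: bool  # device identity verified by the agent (assumed attribute)
    app: str
    risk_score: int       # 0-100, higher is riskier (constructed scale)
    at: datetime          # request time, UTC

@dataclass(frozen=True)
class Policy:
    """One rule: which roles may elevate which apps, on what devices, when, below what risk."""
    roles: Tuple[str, ...]
    apps: Tuple[str, ...]
    require_trusted_device: bool
    hours: Tuple[int, int]  # allowed UTC hour window: start inclusive, end exclusive
    max_risk: int
    ttl_minutes: int        # just-in-time grant lifetime

    def matches(self, r: ElevationRequest) -> bool:
        return (r.role in self.roles and r.app in self.apps
                and (r.device_trusted or not self.require_trusted_device)
                and self.hours[0] <= r.at.hour < self.hours[1]
                and r.risk_score <= self.max_risk)

def evaluate(policies: List[Policy], r: ElevationRequest) -> Tuple[str, Optional[datetime]]:
    """Default deny: a grant is issued only when some policy matches every attribute.
    The grant is scoped to r.app and carries an expiry, so no standing privilege remains."""
    for p in policies:
        if p.matches(r):
            return "allow", r.at + timedelta(minutes=p.ttl_minutes)
    return "deny", None

def is_grant_valid(expires_at: Optional[datetime], now: datetime) -> bool:
    """A grant is usable only until its expiry; an expired grant is as good as a denial."""
    return expires_at is not None and now < expires_at

# Constructed sample policy: helpdesk may elevate the installer on trusted devices, 08:00-18:00 UTC.
SAMPLE_POLICIES = [Policy(roles=("helpdesk",), apps=("installer.exe",), require_trusted_device=True,
                          hours=(8, 18), max_risk=40, ttl_minutes=15)]

def sample_request(role: str, trusted: bool, hour: int, risk: int) -> ElevationRequest:
    """Constructed request for installer.exe at the given UTC hour."""
    return ElevationRequest(role=role, device_trusted=trusted, app="installer.exe", risk_score=risk,
                            at=datetime(2024, 5, 1, hour, 0, tzinfo=timezone.utc))
```

Note that a request with no matching policy falls through to "deny" without any explicit deny rule, which is what a default-deny posture means in practice.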

AC.L2-3.1.7 — Privileged Functions (Level L2)

Prevent non-privileged users from executing privileged functions and audit the execution of such functions.

  • Elevation Control: Without an approved elevation grant, users cannot execute applications that require administrative privileges. The agent intercepts and controls all privilege escalation.
  • Complete Audit Trail: Every privileged function execution is logged with user identity, application, device, timestamp, grant details, and hash-chain integrity verification.

AC.L2-3.1.12 — Remote Access Control (Level L2)

Monitor and control remote access sessions.

  • VPN-less Architecture: Agent provides secure, authenticated endpoint management from any network location without requiring VPN infrastructure.
  • Session Monitoring: All remote elevation sessions are monitored, logged, and time-bounded. Administrators can view active sessions and revoke access in real-time.
  • QR-Based Tech Delegation: Remote technician sessions use cryptographically bound QR codes, ensuring identity verification and time-limited access.

AU: Audit and Accountability

Create, protect, and retain system audit records to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.

AU.L2-3.3.1 — System Auditing (Level L2)

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

  • Comprehensive Event Logging: Every elevation request, approval, denial, execution, USB event, network connection, and security incident is captured with full context.
  • Hash-Chain Integrity: Audit records are linked via cryptographic hashes. Each entry's hash incorporates the previous entry, creating a tamper-evident chain.
  • Configurable Retention: Audit log retention policies are configurable to meet the CUI retention requirements specified in DoD contracts.
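
An added example, not the product's own implementation, of the hash-chain audit log described under AC.L2-3.1.7, AU.L2-3.3.1 and AU.L2-3.3.2: each entry's hash covers the previous entry's hash plus the record, and verification reports the first entry at which an after-the-fact rewrite or deletion breaks the chain. The record fields and sample events are constructed.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # constructed sentinel standing in for "no previous entry"

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of one audit entry. The previous entry's hash is folded in, so changing
    any earlier record (or removing one) breaks every link that follows it."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append(chain: List[dict], record: dict) -> dict:
    """Append a record, linking it to the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev_hash, "record": record, "hash": entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry

def first_broken_link(chain: List[dict]) -> Optional[int]:
    """Walk the chain from genesis; return the index of the first entry whose
    link or hash fails to verify, or None if the whole chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return None

def build_sample_chain() -> List[dict]:
    """Constructed sample: one elevation request, its approval, and the privileged execution."""
    chain: List[dict] = []
    base = {"user": "alice", "device": "WS-0001", "app": "installer.exe", "grant": "g-1"}
    append(chain, dict(base, ts="2024-05-01T09:00:00Z", event="elevation_requested"))
    append(chain, dict(base, ts="2024-05-01T09:00:05Z", event="elevation_approved", approver="bob"))
    append(chain, dict(base, ts="2024-05-01T09:00:07Z", event="privileged_exec"))
    return chain

def tampered_index(tamper: str) -> Optional[int]:
    """Apply one after-the-fact edit to the sample chain and report what verification finds."""
    chain = build_sample_chain()
    if tamper == "rewrite":   # make it look as if the requester approved her own request
        chain[1]["record"]["approver"] = "alice"
    elif tamper == "delete":  # drop the approval record entirely
        del chain[1]
    return first_broken_link(chain)
```

A chain verifies only what it contains: trimming the newest entries or regenerating every hash after an edit leaves it internally consistent, so the current head hash also needs to be recorded where the endpoint cannot rewrite it (a signed checkpoint or a separate store) for the log to be tamper-evident against someone with write access.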

AU.L2-3.3.2 — User Accountability (Level L2)

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable.

  • Individual Attribution: Every action in the system is attributed to a specific, authenticated user. No shared accounts are supported.
  • Non-Repudiation: Cryptographically signed elevation grants bind a specific user identity to a specific action at a specific time on a specific device.
  • Forensic Chain: The hash-chain audit log provides legally defensible evidence that specific actions were performed by specific users.

AU.L2-3.3.5 — Audit Log Correlation (Levels L2, L3)

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful activity.

  • Blue Team Correlation Engine: Automated cross-source event correlation identifies complex attack patterns spanning multiple events, devices, and time periods.
  • Pattern Detection: Pre-built detections for brute force attempts, lateral movement, privilege escalation chains, policy bypass attempts, and data exfiltration indicators.
  • Incident Timeline Reconstruction: Forensic analysis tools enable complete reconstruction of event sequences leading to and following security incidents.

MP: Media Protection

Protect, control, and manage CUI on system media.

MP.L2-3.8.1 — Media Protection (Levels L1, L2)

Protect system media containing CUI, both paper and digital.

  • USB Storage Control: Three enforcement modes — block (no USB access), read-only (prevent data write), and allow with time-limited leases. Default posture is configurable per policy.
  • Device Identification: Every USB device is identified by serial number, vendor ID, product ID, and device class. Policies can whitelist specific approved devices.
  • Media Audit Trail: Complete log of every USB connection, disconnection, read attempt, and write attempt across all managed endpoints.

MP.L2-3.8.7 — Removable Media Control (Level L2)

Control the use of removable media on system components.

  • Policy-Based Control: Granular USB policies by user role, device type, time of day, and media classification. Different policies for different security contexts.
  • Time-Limited Exceptions: When USB access is needed, grants are time-limited and automatically expire. Full audit trail of all data transfer during the exception window.
  • Automated Enforcement: Policies are enforced at the endpoint level by the agent, preventing bypass even when devices are disconnected from the network.

SC / SI: System Communications & Integrity

Monitor, control, and protect communications and detect threats to system integrity.

SC.L1-3.13.1 — Boundary Protection (Levels L1, L2)

Monitor, control, and protect communications at external boundaries and key internal boundaries.

  • Network Connection Monitoring: Agent monitors all inbound and outbound connections from each endpoint, providing visibility into network boundaries from the device perspective.
  • Encrypted Communications: All agent-to-server communication uses AES encryption over TLS 1.3, protecting CUI in transit.
  • Anomalous Connection Detection: Connections to unknown or suspicious destinations are flagged by the Security Master agent for investigation.

SI.L2-3.14.6 / SI.L2-3.14.7 — System Monitoring (Levels L2, L3)

Monitor organizational systems and identify unauthorized use. Identify unauthorized use of organizational systems.

  • Continuous Endpoint Monitoring: Agent provides real-time monitoring of process execution, network activity, USB events, and privilege escalation across all managed systems.
  • Threat Intelligence Matching: Security Master cross-references endpoint activity against 48,000+ threat intelligence indicators, identifying known threats in real-time.
  • Behavioral Analysis: Blue Team engine uses behavioral pattern analysis to identify unauthorized use that may not match known threat signatures.
  • Automated Alerting: Severity-based alerting with configurable escalation ensures rapid response to detected threats against CUI.

CUI Protection Summary

How CtrlLayer protects Controlled Unclassified Information across the complete lifecycle.

Prevent Unauthorized Access

App-scoped elevation and RBAC+ABAC policies ensure only authorized personnel can access systems containing CUI. Zero standing privileges eliminate persistent risk.

Prevent Unauthorized Extraction

USB control policies prevent copying CUI to removable media. Network monitoring detects unauthorized data transfer attempts. All data channels are monitored.

Detect Compromise Attempts

Blue Team correlation engine identifies attack patterns targeting CUI. Threat intelligence matching detects known APT techniques used against the DIB.

Maintain Evidence Chain

Hash-chain tamper-evident audit logs provide the forensic evidence needed for CMMC assessments and incident investigations. Every access to CUI is documented.
