CMMC / NIST 800-171
Regulator: U.S. Department of Defense
Signal Provenance delivers the Audit and Accountability (AU) family in full, plus strong coverage for Access Control, Identification and Authentication, System and Information Integrity, System and Communications Protection, and Configuration Management. Physical, personnel, and training families require the client's organizational program.
Scope
NIST 800-171 defines the 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. CMMC (Cybersecurity Maturity Model Certification) is the DoD certification program that assesses implementation. Level 2 certification is required for most defense contractors handling CUI.
Control-by-control coverage
Every claim below traces to source code in the echology monorepo or to a deliverable template shipped with Signal Provenance. If the code does not do it, the row is not here.
| Control | Requirement | Coverage | Evidence mechanism | Source |
|---|---|---|---|---|
| AU-2 | Event logging: define auditable events and review the selection | Complete | 49 operational witness points covering leads, financials, decisions, initiatives, findings, gates, agreements, content, tasks, deployments, retention. Per-deployment configurable event types. | ops/db.py _witness, provenance/config.py |
| AU-3 | Content of audit records: what, when, where, source, outcome, identity | Complete | Every Aletheia entry carries event_type, timestamp, workstation, source, result_hash, and actor in the summary payload. All six AU-3 fields are present. | engine/aletheia/ledger.py schema |
| AU-6 | Audit review, analysis, and reporting | Strong | Dashboard visualization of events, chain status, and compliance mapping. Consolidated compliance export with framework mapping. Distributed divergence detection (same file, different hash across hosts). | provenance/dashboard.py, ops/optimize.py, ops/db.py file_locations |
| AU-9 | Protection of audit information from unauthorized access, modification, and deletion | Complete | Hash chain: any modification breaks all subsequent hashes. verify_chain() detects tampering. Ledger lives in a separate database from ops.db. AES-256 at rest. Localhost-only binding. | engine/aletheia/ledger.py, Architecture |
| AU-12 | Audit record generation for defined events with required content | Complete | Automatic witness generation on every operational write, every file event, every inference, and every training run. CLI query via ops ledger history / stats. | ops/db.py, provenance/db.py |
| AC (Access Control family) | Limit system access to authorized users, processes, and devices | Strong | RBAC with 6 roles and 24 permissions. Localhost binding. Client credential gating on upload endpoints. Emergency break-glass with TTL. | ops/rbac.py, ops/dashboard/auth.py |
| IA (Identification and Authentication) | Identify and authenticate users, processes, or devices | Strong | scrypt password hashing (>=12 chars). RFC 6238 TOTP multi-factor. Ed25519 license validation. Workstation identifier on every ledger entry. | ops/rbac.py, provenance/license.py |
| SI (System and Information Integrity) | Identify, report, and correct information and system flaws; ensure integrity of information | Strong | Hash chain verification, schema validation with quality scoring, PII detection, input validation, magic-byte checks. | engine/aletheia/ledger.py, engine/vanta/vanta_security.py |
| SC (System and Communications Protection) | Monitor and control communications at system boundaries | Strong | Localhost-only binding. No external network by default. Remote access via TLS 1.2+ tunnel. | Architecture |
| CM (Configuration Management) | Establish and maintain baseline configurations | Strong | Metadata harvesting, change detection, edit-frequency tracking. Every configuration change is witnessed. | ops/metadata.py |
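The AU-9 row rests on one mechanism: each ledger entry's hash covers the previous entry's hash, so an in-place edit invalidates every later entry. The following Python sketch is an added illustration of that property and is not Signal Provenance's own ledger code; the class name, the field set (taken from the AU-3 row above) and the sample events are all constructed for the example.

```python
import hashlib
import json

# The six AU-3 content fields the coverage table says every ledger entry carries.
AU3_FIELDS = ("event_type", "timestamp", "workstation", "source", "result_hash", "actor")
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(obj) -> bytes:
    # Stable serialization so an entry always hashes the same way on every host.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(seq: int, prev_hash: str, summary: dict) -> str:
    # Binds the position in the chain, the predecessor and the payload into one digest.
    return hashlib.sha256(_canonical({"seq": seq, "prev_hash": prev_hash, "summary": summary})).hexdigest()


class ChainedLedger:
    """Append-only, hash-chained audit ledger (illustrative; hypothetical class)."""

    def __init__(self):
        self.entries = []

    def witness(self, **summary) -> dict:
        # Refuse records that would not satisfy the AU-3 content requirement.
        missing = [f for f in AU3_FIELDS if f not in summary]
        if missing:
            raise ValueError(f"AU-3 fields missing: {missing}")
        seq = len(self.entries)
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev_hash": prev_hash, "summary": summary,
                 "entry_hash": _entry_hash(seq, prev_hash, summary)}
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Return (True, n) when all n entries check out, else (False, seq of first bad entry)."""
        prev_hash = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev_hash:
                return (False, i)
            if e["entry_hash"] != _entry_hash(e["seq"], e["prev_hash"], e["summary"]):
                return (False, i)
            prev_hash = e["entry_hash"]
        return (True, len(self.entries))


def build_sample_ledger() -> ChainedLedger:
    # Constructed sample events; none of these values come from a real deployment.
    led = ChainedLedger()
    led.witness(event_type="lead.create", timestamp="2024-01-01T09:00:00Z", workstation="ws-01",
                source="ops/db.py", result_hash="ab12", actor="alice")
    led.witness(event_type="decision.record", timestamp="2024-01-01T09:05:00Z", workstation="ws-01",
                source="ops/db.py", result_hash="cd34", actor="alice")
    led.witness(event_type="deploy.start", timestamp="2024-01-01T09:10:00Z", workstation="ws-02",
                source="ops/db.py", result_hash="ef56", actor="bob")
    return led


def tamper_demo():
    """Show that a post-hoc edit is detected, even when the edited entry's own hash is recomputed."""
    led = build_sample_ledger()
    # 1. Edit entry 1's payload in place: its stored hash no longer matches -> (False, 1).
    led.entries[1]["summary"]["actor"] = "mallory"
    first = led.verify_chain()
    # 2. Recompute entry 1's hash to hide the edit: entry 2's prev_hash now mismatches -> (False, 2).
    e = led.entries[1]
    e["entry_hash"] = _entry_hash(e["seq"], e["prev_hash"], e["summary"])
    second = led.verify_chain()
    return first, second


if __name__ == "__main__":
    print(build_sample_ledger().verify_chain())  # (True, 3)
    print(tamper_demo())                         # ((False, 1), (False, 2))
```

One caveat worth keeping in mind when reading the AU-9 row: a chain like this detects in-place modification, but truncating the tail or rewriting the whole chain from a chosen point is only detectable if the latest entry hash is recorded somewhere the ledger writer cannot change, which is why the independent auditor verification mentioned at the end of this page matters.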
What Signal Provenance does not do
The platform is the technical evidence layer. The items below require organizational or physical implementation by the client. Listing them explicitly is how we keep the claim honest.
- PE (Physical and Environmental Protection): facility access, transmission media controls.
- AT (Awareness and Training): organizational security awareness program.
- PS (Personnel Security): position categorization, screening, termination procedures.
- MA (Maintenance): controlled maintenance procedures and non-local maintenance controls.
What you get
Each deployment ships these artifacts. All are generated from the live ledger and current deployment state.
- CMMC / 800-171 audit export (PDF + JSON): `ops compliance audit <deployment-id> --framework cmmc_nist171`
- AU family evidence pack: `ops ledger history --deployment-id <deployment-id> --format json` (direct evidence for AU-2, AU-3, AU-6, AU-9, AU-12)
- Chain integrity proof: `ops ledger verify <deployment-id>`
- Access control snapshot: `ops rbac user-list`
- Distributed divergence report: `ops provenance divergence <deployment-id>` (flags the same file with different hashes across hosts)
Prove it for your next audit.
Signal Provenance is deployed white-glove. We configure it on your hardware, point it at your folders, and generate your first CMMC / NIST 800-171 coverage export together. Your auditor verifies the hash chain independently.
Schedule your deployment
Canonical URL: /provenance/frameworks/cmmc-nist-800-171/ · Cited in every compliance export for CMMC / NIST 800-171.