On-prem agents that audit your CMMC posture in place.
Install Tolerance once and the agents take over. They auto-discover every system in scope, run the checks an assessor would actually run, and write structured findings against the right NIST 800-171 controls. Findings can stay fully on-prem or sync up to the platform; your call. Either way, you get a live picture of where you stand, drafted into your SSP and POA&M without anyone touching a spreadsheet.
Install Tolerance once and point it at your environment. It auto-discovers every system in scope (workstations, servers, switches, wireless infrastructure), figures out which checks belong where, and runs them on the right cadence. You choose whether findings stay on-prem or sync to the platform. Each finding lands as a structured Finding with severity, the NIST control it maps to, and remediation guidance. Those findings draft your gap assessment, populate your SSP and POA&M, and stay live between assessments so the day a config drifts is the day you see it.
Cryptography
FIPS-validated crypto enforcement, TLS configuration, key management, and algorithm verification across the OS and application stack.
OS FIPS Mode Detection
The first check between your environment and a 5-point SPRS hit on 3.13.11.
Detects whether the kernel enforces FIPS at the OS level across Linux, Windows, and macOS in under two seconds. Cross-references Apple's Corecrypto CMVP certification history so a stale macOS build cannot slip through. The check most assessors run first; the one most contractors get wrong.
TLS Configuration Checks
Probes the live socket so a stale config file cannot hide a deprecated TLS handshake from the assessor.
Triangulates TLS posture three ways: config-file analysis, live TCP probes against five ports per host, and Windows SChannel registry inspection. Catches the gap between what nginx.conf claims and what port 443 actually negotiates. Surfaces SSH cipher and MAC drift the OS will never block on its own.
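The config-versus-wire gap described above, as an added example that is not Tolerance's code: it parses nginx-style `ssl_protocols` directives, probes a listener one protocol version at a time, and reports the difference. The sample config is constructed; `host` and `port` in the live probe are placeholders you would point at your own listener.

```python
"""Added example (not Tolerance's code): compare the TLS versions an nginx
config claims to allow with what a listener actually negotiates.
Assumes nginx-style `ssl_protocols` directives; host/port are placeholders."""
import re
import socket
import ssl

DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed nginx excerpt: the file claims only TLS 1.2/1.3 are enabled.
SAMPLE_NGINX_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def parse_ssl_protocols(conf_text: str) -> set[str]:
    """Collect every protocol named in any `ssl_protocols` directive."""
    allowed = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", conf_text, re.M):
        allowed.update(m.group(1).split())
    return allowed


def negotiates(host: str, port: int, version: str, timeout: float = 3.0) -> bool:
    """Live probe: attempt a handshake pinned to exactly one protocol version.
    Certificate validation is disabled because the question is what the
    socket will negotiate, not whether the chain is trusted.  An OpenSSL
    that no longer supports TLS 1.0/1.1 on the probing host raises here,
    which is recorded as 'not negotiated' (a probe-side limit, not proof)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = _VERSIONS[version]
        ctx.maximum_version = _VERSIONS[version]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):
        return False


def tls_findings(config_allowed: set[str], live_negotiated: set[str]) -> list[str]:
    """Findings for deprecated versions on the wire and for config/wire drift."""
    findings = []
    for v in sorted(live_negotiated & DEPRECATED):
        findings.append(f"deprecated {v} negotiated on the wire")
    for v in sorted(live_negotiated - config_allowed):
        findings.append(f"{v} negotiated but absent from ssl_protocols "
                        "(stale config file or another listener on the port)")
    for v in sorted((config_allowed & DEPRECATED) - live_negotiated):
        findings.append(f"config permits {v} although the listener refused it; tighten the file")
    return findings


def audit_listener(conf_text: str, host: str, port: int) -> list[str]:
    """Full check for one host: parse the file, probe each version, compare."""
    claimed = parse_ssl_protocols(conf_text)
    live = {v for v in _VERSIONS if negotiates(host, port, v)}
    return tls_findings(claimed, live)


if __name__ == "__main__":
    # Replace with a listener you are authorised to audit.
    for f in audit_listener(SAMPLE_NGINX_CONF, "localhost", 443):
        print(f)
```

`tls_findings` is pure, so the comparison logic can be unit-tested without a network; only `negotiates` touches a socket.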
Disk Encryption Detection
Per-volume FIPS verdict on every drive that might hold CUI, with the CMVP cert attached.
Inspects LUKS/dm-crypt on Linux, BitLocker on Windows, and FileVault on macOS to verify each volume is encrypted with a FIPS-approved cipher at the right key length. Per-device, never an aggregate is-anything-encrypted check. Produces the volume-by-volume inventory an assessor will ask for and contractors almost never have ready.
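A per-volume verdict of the kind described above, as an added example rather than Tolerance's own code: it parses `cryptsetup status` output for one dm-crypt mapping and decides whether the cipher and effective key length meet policy. The status text is constructed; the 256-bit AES floor is an organisational policy assumption (FIPS also approves AES-128).

```python
"""Added example (not Tolerance's code): turn `cryptsetup status <name>` output
into a per-volume verdict.  The sample output is constructed; on a real host
the agent would run `cryptsetup status` for each active dm-crypt mapping."""
import re

APPROVED_CIPHERS = {"aes"}       # FIPS-approved block cipher for data at rest
POLICY_MIN_AES_BITS = 256        # organisational floor (assumption); FIPS also allows 128

SAMPLE_STATUS = """\
/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/nvme0n1p3
  sector size:  512
  offset:  32768 sectors
  size:    999292928 sectors
  mode:    read/write
"""


def parse_cryptsetup_status(text: str) -> dict:
    """Extract the fields a FIPS verdict depends on."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([\w ]+?):\s+(.+)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    parts = fields.get("cipher", "").split("-")        # e.g. aes-xts-plain64
    key_m = re.match(r"(\d+)\s*bits", fields.get("keysize", ""))
    return {
        "device": fields.get("device"),
        "type": fields.get("type"),
        "cipher": parts[0] if parts else None,
        "mode": parts[1] if len(parts) > 1 else None,
        "key_bits": int(key_m.group(1)) if key_m else None,
    }


def volume_verdict(vol: dict) -> tuple[str, str]:
    """Return (status, explanation) for one volume."""
    name = vol["device"] or "volume"
    if not vol["cipher"]:
        return ("fail", f"{name}: no active cipher (unencrypted or mapping inactive)")
    if vol["cipher"] not in APPROVED_CIPHERS:
        return ("fail", f"{name}: cipher {vol['cipher']} is not FIPS-approved")
    if vol["key_bits"] is None:
        return ("inconclusive", f"{name}: key size not reported")
    # XTS splits the dm-crypt key in two, so a 512-bit XTS key is AES-256.
    effective = vol["key_bits"] // 2 if vol["mode"] == "xts" else vol["key_bits"]
    if effective < POLICY_MIN_AES_BITS:
        return ("fail", f"{name}: AES-{effective} is below the {POLICY_MIN_AES_BITS}-bit policy floor")
    return ("pass", f"{name}: AES-{effective} in {vol['mode']} mode ({vol['type']})")


if __name__ == "__main__":
    print(volume_verdict(parse_cryptsetup_status(SAMPLE_STATUS)))
```

Run once per mapping and you have the volume-by-volume inventory the section describes; an inactive mapping or a non-AES cipher fails outright instead of being averaged into an aggregate "something is encrypted" answer.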
Crypto Library Detection
Proves FIPS enforcement at the library level with a live MD5 test no version string can fake.
Catalogs OpenSSL, GnuTLS, NSS, and Windows CNG across every host, then verifies they are not just FIPS-capable but FIPS-active in the running process. A library that still computes MD5 when asked is not in FIPS mode regardless of what its version string claims. The check that catches statically linked applications system-level audits miss.
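The two observations the FIPS sections rely on (kernel flag and live non-approved digest), combined into one verdict as an added example that is not Tolerance's code. It assumes Linux exposes `/proc/sys/crypto/fips_enabled`, Windows stores the policy under the `FipsAlgorithmPolicy` registry key, and the interpreter's `hashlib` is backed by the system OpenSSL so that a FIPS-active library refuses MD5.

```python
"""Added example (not Tolerance's code): decide whether a host is really in
FIPS mode by combining the OS-level flag with a live digest probe.
Assumptions: Linux exposes /proc/sys/crypto/fips_enabled, Windows keeps the
policy under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy,
and hashlib is linked against the system OpenSSL."""
import hashlib
import sys
from pathlib import Path

FIPS_FLAG_PATH = Path("/proc/sys/crypto/fips_enabled")
WIN_FIPS_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"


def parse_fips_flag(text: str) -> bool:
    """Interpret the sysctl file content: '1' means the kernel enforces FIPS."""
    return text.strip() == "1"


def kernel_fips_enforced() -> bool:
    """Read the live OS flag; anything missing or unreadable counts as off."""
    if sys.platform == "win32":
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WIN_FIPS_KEY) as key:
                return winreg.QueryValueEx(key, "Enabled")[0] == 1
        except OSError:
            return False
    try:
        return parse_fips_flag(FIPS_FLAG_PATH.read_text())
    except OSError:
        return False


def md5_usable() -> bool:
    """Live probe: a FIPS-active OpenSSL refuses to build an MD5 context
    (hashlib raises ValueError), whatever the library version string says."""
    try:
        hashlib.md5(b"fips-probe", usedforsecurity=True).hexdigest()
        return True
    except ValueError:
        return False


def fips_verdict(kernel_enforced: bool, md5_works: bool) -> tuple[str, str]:
    """Combine the two observations into a finding status and explanation."""
    if kernel_enforced and not md5_works:
        return ("pass", "OS flag set and the crypto library rejects MD5")
    if kernel_enforced and md5_works:
        return ("fail", "OS flag set but the library still computes MD5: not FIPS-active")
    if not kernel_enforced and not md5_works:
        return ("inconclusive", "library rejects MD5 but the OS flag is unset; check crypto-policies")
    return ("fail", "OS flag unset and MD5 available: no FIPS enforcement")


if __name__ == "__main__":
    status, why = fips_verdict(kernel_fips_enforced(), md5_usable())
    print(f"{status}: {why}")
```

The verdict table is the point: a set kernel flag with a library that still computes MD5 is the "FIPS-capable but not FIPS-active" case the section warns about, and it is reported as a failure rather than a pass.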
Crypto Config File Analysis
One misconfigured line in openssl.cnf undoes every other crypto control on the host. This catches it.
Reads RHEL crypto-policies, openssl.cnf in three canonical paths, and java.security across every JDK install on the host. Detects configuration choices that quietly re-enable MD4, RC2, SHA-1, and TLS 1.1 across every application linked against the affected library. A single line here can defeat the OS FIPS posture; the agent surfaces it in seconds.
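One of the file checks described above, as an added example that is not Tolerance's code: it parses a `java.security` file (including backslash continuation lines) and reports which algorithms the `disabledAlgorithms` properties fail to disable. The file excerpt is constructed, and the required-disabled sets are this example's assumption about baseline policy, not a JDK default.

```python
"""Added example (not Tolerance's code): find java.security properties that
leave deprecated algorithms enabled.  The excerpt is constructed; REQUIRED is
an assumed baseline of what must appear in each disabled-algorithms list."""

# Constructed excerpt: TLSv1 and TLSv1.1 are missing from the TLS list.
SAMPLE_JAVA_SECURITY = """\
# java.security (constructed excerpt)
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, anon, NULL
"""

REQUIRED = {
    "jdk.tls.disabledAlgorithms": {"SSLv3", "TLSv1", "TLSv1.1", "RC4", "MD5withRSA"},
    "jdk.certpath.disabledAlgorithms": {"MD2", "MD5"},
}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java properties parser: comments, key=value, '\\' continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        key, _, value = buf.partition("=")
        props[key.strip()] = value.strip()
        buf = ""
    return props


def algorithm_names(value: str) -> set[str]:
    """'MD2, SHA1 jdkCA & usage TLSServer, DH keySize < 1024' -> {MD2, SHA1, DH}."""
    return {entry.strip().split()[0] for entry in value.split(",") if entry.strip()}


def missing_disables(props: dict[str, str]) -> dict[str, list[str]]:
    """Per property, the required entries that are absent (empty dict = clean)."""
    report = {}
    for prop, required in REQUIRED.items():
        present = algorithm_names(props.get(prop, ""))
        missing = sorted(required - present)
        if missing:
            report[prop] = missing
    return report


def audit_java_security(text: str) -> dict[str, list[str]]:
    return missing_disables(parse_properties(text))


if __name__ == "__main__":
    for prop, missing in audit_java_security(SAMPLE_JAVA_SECURITY).items():
        print(f"{prop}: not disabled -> {', '.join(missing)}")
```

Run against every `java.security` under each JDK install and each missing entry becomes one finding at a known path; the parser deliberately keeps only the leading algorithm token of each entry so that qualifiers such as `keySize < 1024` do not hide the name.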
Algorithm Usage Checks
Audits the keys, certs, and cipher lines that already exist on disk, not just what the policy permits in theory.
Goes beyond configuration to inspect the actual SSH host keys, certificate signature algorithms, and cipher strings sitting in haproxy, stunnel, and postfix configs. FIPS mode being on is not the same as FIPS-approved algorithms being in use. Catches the MD5-signed cert, the DSA host key, and the RC4 line at exact path and line number.
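A path-and-line-number scanner of the kind described above, added here as an example and not Tolerance's code: it walks a set of files, flags MD5 MACs and RC4 ciphers in `sshd_config`, weak tokens in OpenSSL-style cipher strings (haproxy, stunnel, postfix), and `ssh-dss` public keys. The files are constructed and the DSA key blob is a short fake; certificate signature algorithms are not covered here.

```python
"""Added example (not Tolerance's code): report weak algorithm usage at
path:line across SSH and OpenSSL-style cipher configuration.  The files below
are constructed; the ssh-dss blob is a short fake, not a real key."""
import re

SSH_DIRECTIVE = re.compile(r"(?i)^(MACs|Ciphers)\s+(\S+)")
# Matches 'ciphers = X', 'ssl-default-bind-ciphers X', 'tls_high_cipherlist = X'.
CIPHER_LIST = re.compile(
    r"(?i)^(?P<key>[\w-]*(?:ciphers|cipherlist|ciphersuites)[\w-]*)\s*=?\s*(?P<val>\S+)")
# 'DES' also catches 3DES, which is no longer approved for encryption.
WEAK_OPENSSL = ("RC4", "MD5", "DES", "NULL", "EXPORT")

SAMPLE_FILES = {
    "/etc/haproxy/haproxy.cfg": "global\n    ssl-default-bind-ciphers ECDHE+AESGCM:RC4-SHA:!aNULL\n",
    "/etc/ssh/sshd_config": "Ciphers aes256-gcm@openssh.com\nMACs hmac-sha2-256,hmac-md5\n",
    "/etc/ssh/ssh_host_dsa_key.pub": "ssh-dss AAAAB3NzaC1kc3MAAAA= root@host\n",
    "/etc/stunnel/stunnel.conf": "[https]\nciphers = HIGH:!MD5:!RC4\n",
}


def _check_line(line: str) -> list[str]:
    s = line.strip()
    if not s or s.startswith("#"):
        return []
    out = []
    if s.startswith("ssh-dss"):
        out.append("DSA public key (ssh-dss)")
    m = SSH_DIRECTIVE.match(s)
    if m:
        for tok in m.group(2).split(","):
            if "md5" in tok.lower():
                out.append(f"SSH MAC uses MD5: {tok}")
            if "arcfour" in tok.lower():
                out.append(f"SSH cipher uses RC4: {tok}")
    m = CIPHER_LIST.match(s)
    if m and ":" in m.group("val") and "exclude" not in m.group("key").lower():
        for tok in m.group("val").split(":"):
            if not tok or tok[0] in "!-":      # negated tokens disable, not enable
                continue
            hit = next((w for w in WEAK_OPENSSL if w in tok.upper()), None)
            if hit:
                out.append(f"weak OpenSSL cipher token {tok} ({hit})")
    return out


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Return (path, line_number, message) for every weak-algorithm hit."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for msg in _check_line(line):
                findings.append((path, n, msg))
    return findings


if __name__ == "__main__":
    for path, n, msg in scan_files(SAMPLE_FILES):
        print(f"{path}:{n}: {msg}")
```

The stunnel line produces no finding because `!MD5:!RC4` removes those suites; the distinction between a token that enables an algorithm and one that disables it is what keeps the output usable as evidence.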
Network & Boundary
CUI boundary discovery, VLAN topology mapping, and wireless segmentation: the controls that prove where CUI is and isn't.
Network Scanner & CUI Topology Mapper
Replaces the SSP boundary diagram drawn from memory with one the assessor will actually accept.
Discovers every host on the in-scope subnets, fingerprints services on 17 ports per host at 100 probes per second, and classifies each host into one of four CUI exposure tiers. Emits a Mermaid topology diagram with VLAN subgraphs ready to drop into the SSP. Catches the forgotten printer, the legacy NAS, and the exposed Docker socket the assessor will find in their first pass.
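The classification and diagram step described above, as an added example that is not Tolerance's code. Discovery itself is left out; the example starts from an already-collected host inventory (constructed here), assigns each host to one of four exposure tiers under port-to-tier rules that are this example's own assumptions, and emits a Mermaid flowchart with one subgraph per VLAN.

```python
"""Added example (not Tolerance's code): tier discovered hosts by exposure and
emit a Mermaid topology diagram grouped by VLAN.  The tier names, the
port-to-tier rules, and the host list are constructed for the example."""

EXPOSED_PORTS = {21, 23, 2375, 9100}          # cleartext or unauthenticated services
CUI_STORE_PORTS = {139, 445, 1433, 3306, 5432}  # file shares and databases
ADMIN_PATH_PORTS = {22, 3389, 5985, 5986}       # remote administration

SAMPLE_HOSTS = [
    {"ip": "10.0.10.5", "name": "fileserver", "vlan": 10, "ports": [445, 22]},
    {"ip": "10.0.10.9", "name": "legacy-nas", "vlan": 10, "ports": [21, 445]},
    {"ip": "10.0.20.3", "name": "build-host", "vlan": 20, "ports": [22, 2375]},
    {"ip": "10.0.20.40", "name": "printer", "vlan": 20, "ports": [9100, 80]},
    {"ip": "10.0.30.7", "name": "kiosk", "vlan": 30, "ports": [80]},
]


def classify(open_ports) -> str:
    """Most urgent tier wins: an exposed service outranks a CUI store."""
    ports = set(open_ports)
    if ports & EXPOSED_PORTS:
        return "T3 exposed-service"
    if ports & CUI_STORE_PORTS:
        return "T1 CUI-store"
    if ports & ADMIN_PATH_PORTS:
        return "T2 admin-path"
    return "T4 unclassified"


def tier_counts(hosts) -> dict[str, int]:
    counts: dict[str, int] = {}
    for h in hosts:
        tier = classify(h["ports"])
        counts[tier] = counts.get(tier, 0) + 1
    return counts


def mermaid(hosts) -> str:
    """Mermaid flowchart text: one subgraph per VLAN, one node per host."""
    by_vlan: dict[int, list] = {}
    for h in hosts:
        by_vlan.setdefault(h["vlan"], []).append(h)
    lines = ["flowchart TB"]
    for vlan in sorted(by_vlan):
        lines.append(f'  subgraph VLAN{vlan}["VLAN {vlan}"]')
        for h in sorted(by_vlan[vlan], key=lambda x: x["ip"]):
            node = "h_" + h["ip"].replace(".", "_")
            label = f'{h["ip"]}<br/>{h["name"]}<br/>{classify(h["ports"])}'
            lines.append(f'    {node}["{label}"]')
        lines.append("  end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(tier_counts(SAMPLE_HOSTS))
    print(mermaid(SAMPLE_HOSTS))
```

The output pastes directly into an SSP that renders Mermaid; the legacy NAS and the build host with an exposed Docker socket land in the top tier even though they also look like ordinary file or admin hosts.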
Switch Integration & VLAN Topology
Replaces inferred VLAN boundaries with authoritative ones the assessor cannot argue with.
Uses SNMP, SSH, or passive LLDP/CDP capture to pull the VLAN table, CAM table, and trunk-port config directly from the switch. Supports Cisco IOS, JunOS, HP-Aruba, UniFi, and any vendor speaking generic SNMP v2c or v3. Boundary findings stop being heuristics and become facts an assessor will accept on the first read of the SSP.
Wireless Security Scanner
Catches the evil-twin AP and the WPA2-PSK corporate SSID before the attacker in the parking lot does.
Passively sniffs 802.11 beacons across 2.4GHz and 5GHz channels to identify the corporate SSID's authentication, encryption, MFP, and WPS posture. Detects rogue APs broadcasting variants of the corporate name within a 30-second full-spectrum sweep. Identifies six distinct wireless security postures per beacon and flags every deviation against the authorized BSSID list.
Identity & Audit
Account hygiene, privilege auditing, authentication mechanism review, and audit log compliance against NIST 3.3.x.
Account & Privilege Auditor
Surfaces the orphaned accounts, NOPASSWD sudo rules, and shared credentials assessors flag first.
Audits local and directory-integrated accounts across Linux, Windows, and macOS for inactive logins, unrestricted sudo, missing lockout policy, weak password hashes, and SSH key sprawl. Covers seven 800-171 controls in a single sweep. Account hygiene produces more CMMC findings than any other 800-171 family, and the agent runs the assessor's first sample before they do.
Audit Log Compliance Checker
Confirms the audit daemon is running, the right events are captured, and the timestamps will hold up.
Audits auditd, Windows Event Log, and macOS auditd for daemon health, required event categories, retention age, log integrity, remote forwarding, and live NTP offset. Surfaces the silent logging regressions a contractor only catches when the assessor asks for six months of evidence. The category responsible for some of the most cited audit gaps and the easiest to leave broken.
Identity & Authentication Auditor
Reports the 3.5.3 SPRS tier (-5, -3, or 0) per host, plus every credential weakness Mimikatz lives on.
Goes deeper than account auditing across PAM modules, Duo and Okta credential providers, smart card readiness, password-hash algorithm strength, and certificate expiry windows. Computes the SPRS partial-credit tier for 3.5.3 per host with no manual interpretation. Surfaces WDigest, LM hash storage, MD5-crypt, and plaintext credentials in .netrc and bash_history in a single sweep.
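The weak-hash and unrestricted-sudo checks that both the account auditor and the identity auditor sections describe, as one added example that is not Tolerance's code. It reads `/etc/shadow`-format lines and a sudoers file (both constructed here) and reports empty password fields, MD5-crypt or DES-crypt hashes, and `NOPASSWD` rules with their scope.

```python
"""Added example (not Tolerance's code): flag weak password hashes, empty
password fields, and NOPASSWD sudo rules.  Both inputs are constructed."""
import re

SAMPLE_SHADOW = """\
root:$6$rounds=5000$abc$hashhashhash:19700:0:99999:7:::
svc_backup:$1$salt$legacymd5crypthash:18000:0:99999:7:::
deploy::19700:0:99999:7:::
olduser:!:17000:0:99999:7:::
"""

SAMPLE_SUDOERS = """\
# constructed excerpt
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

HASH_SCHEMES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK_SCHEMES = {"md5crypt", "descrypt"}


def hash_scheme(field: str) -> str:
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):   # traditional DES crypt
        return "descrypt"
    return "unknown"


def audit_shadow(text: str) -> list[tuple[str, str]]:
    """(user, finding) for accounts that can log in with a weak or empty secret."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        if pw == "":
            findings.append((user, "empty password field: login without a password"))
        elif pw.startswith(("!", "*")):
            continue                                  # locked account
        else:
            scheme = hash_scheme(pw)
            if scheme in WEAK_SCHEMES or scheme == "unknown":
                findings.append((user, f"weak or unknown password hash: {scheme}"))
    return findings


def audit_sudoers(text: str) -> list[tuple[int, str, str]]:
    """(line, principal, finding) for every NOPASSWD rule, with its command scope."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "NOPASSWD" not in s:
            continue
        who = s.split()[0]
        scope = s.split("NOPASSWD:", 1)[1].strip()
        msg = "NOPASSWD for ALL commands" if scope == "ALL" else f"NOPASSWD for {scope}"
        findings.append((n, who, msg))
    return findings


if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
    print(audit_sudoers(SAMPLE_SUDOERS))
```

Locked accounts are skipped rather than reported, and a `NOPASSWD` rule scoped to one binary is reported separately from a blanket `ALL`, so the finding carries the severity an assessor would assign.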
Endpoint & Integrity
Endpoint protection posture, vulnerability scanning, configuration baselines, and file integrity monitoring.
Vulnerability Scanner
Air-gap-friendly CVE correlation that catches a CISA KEV match without a single packet leaving the contractor's network.
Inventories every installed package across dpkg, rpm, pip, npm, Windows Uninstall registry, and macOS receipts in under 60 seconds per host. Correlates against a bundled NVD database covering three-plus years of advisories and the full CISA Known Exploited Vulnerabilities catalog. Database updates are explicit, signed, and verified before use, so air-gapped enclaves stay air-gapped.
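The offline correlation step described above, as an added example that is not Tolerance's code: it refuses an advisory database whose digest does not match a pinned value, parses a `dpkg -l` style inventory, and reports installed versions below the fixed version. Everything here is constructed, the advisory identifiers are placeholders rather than real CVE numbers, and the version comparison is a simplification of dpkg's rules, not a reimplementation.

```python
"""Added example (not Tolerance's code): verify a bundled advisory file before
use, then correlate it against an installed-package inventory offline.
Advisory ids are placeholders; the inventory is constructed; version ordering
is a simplified numeric/alpha chunk comparison, not full dpkg semantics."""
import hashlib
import json
import re

ADVISORY_JSON = json.dumps([
    {"id": "ADV-EXAMPLE-0001", "package": "openssl", "fixed": "3.0.7-1", "kev": True},
    {"id": "ADV-EXAMPLE-0002", "package": "curl", "fixed": "7.88.1-2", "kev": False},
], sort_keys=True)
# The pinned digest would ship in a signed manifest kept apart from the data;
# it is computed in place here only so the sample is self-consistent.
PINNED_SHA256 = hashlib.sha256(ADVISORY_JSON.encode()).hexdigest()

SAMPLE_DPKG = """\
ii  openssl        3.0.2-0ubuntu1.6  amd64  Secure Sockets Layer toolkit
ii  curl           7.88.1-2          amd64  command line tool for transferring data
ii  bash           5.1-6ubuntu1      amd64  GNU Bourne Again SHell
"""


def load_advisories(raw: str, expected_sha256: str) -> list[dict]:
    """Explicit, verified update: a digest mismatch means the data is not used."""
    if hashlib.sha256(raw.encode()).hexdigest() != expected_sha256:
        raise ValueError("advisory database digest mismatch; refusing to use it")
    return json.loads(raw)


def parse_dpkg(text: str) -> dict[str, str]:
    """Installed packages ('ii' rows) -> version."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            pkgs[parts[1]] = parts[2]
    return pkgs


def version_key(v: str) -> tuple:
    """Split into numeric and alphabetic chunks so 3.0.2 < 3.0.7 and 1.10 > 1.9."""
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.findall(r"\d+|[A-Za-z]+", v))


def correlate(installed: dict[str, str], advisories: list[dict]) -> list[dict]:
    hits = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have and version_key(have) < version_key(adv["fixed"]):
            hits.append({
                "id": adv["id"], "package": adv["package"], "installed": have,
                "fixed": adv["fixed"], "kev": adv["kev"],
                "severity": "critical" if adv["kev"] else "high",
            })
    return hits


def scan(inventory_text: str, raw_db: str, pinned: str) -> list[dict]:
    return correlate(parse_dpkg(inventory_text), load_advisories(raw_db, pinned))


if __name__ == "__main__":
    for hit in scan(SAMPLE_DPKG, ADVISORY_JSON, PINNED_SHA256):
        print(hit)
```

Nothing leaves the host: the inventory is local, the database is local, and a tampered database is rejected before a single package is compared. A known-exploited match is promoted to critical so it sorts to the top of the POA&M.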
Endpoint Protection Auditor
Confirms the EDR is not just installed but actively scanning, current, and unable to be disabled by malware mid-execution.
Detects and audits Windows Defender, CrowdStrike Falcon, SentinelOne, Carbon Black, ClamAV, and AIDE/rkhunter across every endpoint. Goes well beyond is-it-installed: verifies tamper protection, real-time scanning state, definition currency, exclusion sprawl, and LD_PRELOAD-based rootkit indicators. The audit a contractor running five different AV products across five departments cannot do by hand.
Configuration Baseline Scanner
Signs the secure baseline on first run, then catches every drift away from it on every cadence.
Audits firewall posture, unnecessary services, application allowlisting, USB controls, and 12 kernel-hardening sysctls per host. Captures a signed baseline snapshot keyed to hardware identifiers, then diffs against it on every subsequent scan. Every new service, port, scheduled task, or SUID binary becomes a 3.4.1 finding the moment it appears, not the morning the assessor walks in.
File Integrity Monitor
Cryptographic proof a host has not been tampered with since the last scan, on a cadence the assessor cannot dispute.
Hashes critical system paths with SHA-256 on init, then re-hashes and diffs on every subsequent scan. New SUID binaries, modified kernel modules, changed sudoers, and altered SSH host keys all surface within seconds. Directly addresses 3.14.5 and 3.14.6 with the only check that produces cryptographic-grade evidence of integrity rather than procedural attestation.
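The signed baseline and the subsequent hash-and-diff that the configuration baseline and file integrity sections both describe, as one added example that is not Tolerance's code. It snapshots a directory tree (built in a temporary directory for the demo), signs the snapshot with an HMAC key that is assumed to live somewhere the audited host cannot rewrite, and reports added, removed, modified, and newly SUID files on the next pass. The key and the files are constructed.

```python
"""Added example (not Tolerance's code): a signed file-integrity baseline.
Assumes the HMAC key is kept off the audited host (the demo key below is
constructed); the directory tree is built in a temp dir for the demo."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

DEMO_KEY = b"constructed-demo-key-not-for-production"


def snapshot(root: str) -> dict:
    """relative path -> sha256 and permission bits for every regular file."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": digest, "mode": st.st_mode & 0o7777}
    return snap


def canonical(snap: dict) -> bytes:
    return json.dumps(snap, sort_keys=True, separators=(",", ":")).encode()


def sign(snap: dict, key: bytes) -> str:
    return hmac.new(key, canonical(snap), hashlib.sha256).hexdigest()


def verify(snap: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(snap, key), sig)


def diff(old: dict, new: dict) -> dict:
    """Drift report; a SUID bit that was not in the baseline is called out."""
    report = {"added": [], "removed": [], "modified": [], "new_suid": []}
    for p in sorted(set(old) | set(new)):
        if p not in old:
            report["added"].append(p)
        elif p not in new:
            report["removed"].append(p)
        elif old[p] != new[p]:
            report["modified"].append(p)
        was_suid = p in old and bool(old[p]["mode"] & stat.S_ISUID)
        if p in new and new[p]["mode"] & stat.S_ISUID and not was_suid:
            report["new_suid"].append(p)
    return report


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Baseline a tiny tree, let it drift, and report what the second pass sees."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sudoers", "root ALL=(ALL) ALL\n")
        _write(root, "bin/tool", "#!/bin/sh\necho ok\n")
        base = snapshot(root)
        sig = sign(base, DEMO_KEY)
        # Drift between scans: sudoers edited, a new SUID binary appears.
        _write(root, "etc/sudoers", "root ALL=(ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: ALL\n")
        _write(root, "bin/newbin", "#!/bin/sh\necho drift\n")
        os.chmod(os.path.join(root, "bin/newbin"), 0o4755)
        # A baseline edited on disk no longer verifies against its signature.
        tampered = dict(base)
        tampered["etc/sudoers"] = {"sha256": "0" * 64, "mode": 0o644}
        return {
            "baseline_ok": verify(base, sig, DEMO_KEY),
            "tampered_ok": verify(tampered, sig, DEMO_KEY),
            "drift": diff(base, snapshot(root)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signature is over the canonical JSON of the whole snapshot, so an attacker who can write to the host cannot quietly re-baseline their own changes without the key; the diff is what turns "something changed" into the specific 3.4.1 or 3.14.x finding.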
Data Protection
Removable media controls and email security: the routes by which CUI most often leaves the boundary unintentionally.
Removable Media Auditor
Pulls forensic-grade USB history from the registry, then proves storage is blocked or required to be encrypted.
Enumerates the full USB storage history from the Windows registry, Linux udev database, and macOS system_profiler, with vendor, product, and serial per device. Verifies usb-storage blocking, BitLocker To Go enforcement, USBGuard policy, and sanitization-tool readiness across the host. Cross-references printer hard drives discovered by the network scanner so undocumented CUI-bearing media never slips past the SSP.
Email Security Auditor
Probes 16 DKIM selectors, four RBLs, and the live STARTTLS handshake for every contractor domain in scope.
Resolves SPF, DKIM across 16 common selectors, DMARC, MTA-STS, and DANE/TLSA records for every contractor domain. Probes the MX host's STARTTLS handshake live and queries Spamhaus, SpamCop, SORBS, and PSBL for IP reputation in a single pass. Catches the p=none DMARC, the missing MTA-STS, and the under-1024-bit DKIM key the assessor will absolutely ask about.
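Two of the record checks described above, as an added example that is not Tolerance's code: it reads a DMARC TXT record for a monitor-only policy and parses the RSA public key inside a DKIM TXT record (minimal DER walk, no third-party library) to measure its modulus. DNS resolution is left out; the records are passed in as strings, and the DKIM keys in the demo are constructed with a synthetic modulus rather than real keys. The 2048-bit recommendation and 1024-bit minimum follow RFC 8301.

```python
"""Added example (not Tolerance's code): flag DMARC p=none and short DKIM RSA
keys from TXT record text.  DNS lookup is out of scope; the DKIM records used
for the demo are constructed with a synthetic modulus."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption


def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(v: int) -> bytes:
    # (bit_length + 8) // 8 leaves a leading 0x00 when the top bit is set.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_rsa_spki(n: int, e: int = 65537) -> bytes:
    """Constructed SubjectPublicKeyInfo for modulus n (demo data only)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


def _tlv(buf: bytes, i: int) -> tuple[int, int, int]:
    """(tag, content_start, content_end) of the DER element at offset i."""
    tag, first = buf[i], buf[i + 1]
    if first & 0x80:
        n = first & 0x7F
        length, start = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    else:
        length, start = first, i + 2
    return tag, start, start + length


def rsa_modulus_bits(spki: bytes) -> int:
    _, s, _ = _tlv(spki, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(spki, s)        # AlgorithmIdentifier
    tag, bs, _ = _tlv(spki, alg_end)     # BIT STRING; first byte = unused bits
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, ks, _ = _tlv(spki, bs + 1)        # RSAPublicKey SEQUENCE
    _, ms, me = _tlv(spki, ks)           # INTEGER modulus
    return int.from_bytes(spki[ms:me], "big").bit_length()


def parse_tags(record: str) -> dict[str, str]:
    """'v=DKIM1; k=rsa; p=...' -> dict (split on the first '=' only)."""
    tags = {}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = v.strip()
    return tags


def dkim_key_bits(record: str) -> int:
    return rsa_modulus_bits(base64.b64decode(parse_tags(record)["p"]))


def constructed_dkim_record(bits: int) -> str:
    """Demo-only DKIM TXT record whose key has exactly `bits` modulus bits."""
    n = (1 << (bits - 1)) | 1
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(build_rsa_spki(n)).decode()


def email_findings(dmarc_record: str, dkim_record: str) -> list[str]:
    findings = []
    dmarc = parse_tags(dmarc_record or "")
    if dmarc.get("v") != "DMARC1":
        findings.append("no DMARC record published")
    elif dmarc.get("p") == "none":
        findings.append("DMARC p=none: monitor-only, spoofed mail is still delivered")
    bits = dkim_key_bits(dkim_record)
    if bits < 1024:
        findings.append(f"DKIM key is {bits} bits, below the 1024-bit minimum")
    elif bits < 2048:
        findings.append(f"DKIM key is {bits} bits, below the 2048-bit recommendation")
    return findings


if __name__ == "__main__":
    print(email_findings("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                         constructed_dkim_record(1024)))
```

Feeding the parser real TXT answers from `dig` or a resolver library is the only change needed on a live host; the DER walk is deliberately tied to the RSA layout so a malformed or non-RSA record fails loudly rather than yielding a made-up length.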
Want the agents auditing your environment next week?
Book a 30-minute scoping call. We'll confirm what's in your CUI boundary and turn the agents on against your real systems before the call ends.