Resources // On-Prem Agents

On-prem agents that audit your CMMC posture in place.

Install Tolerance once and the agents take over. They auto-discover every system in scope, run the checks an assessor would actually run, and write structured findings against the right NIST 800-171 controls. Findings can stay fully on-prem or sync up to the platform; your call. Either way, you get a live picture of where you stand, drafted into your SSP and POA&M without anyone touching a spreadsheet.

18 Agents shipping or in flight
05 Control families covered
42 NIST 800-171 Rev 2 requirements touched

How the agents fit

Install Tolerance once and point it at your environment. It auto-discovers every system in scope (workstations, servers, switches, wireless infrastructure), figures out which checks belong where, and runs them on the right cadence. You choose whether findings stay on-prem or sync to the platform. Each finding lands as a structured Finding with severity, the NIST control it maps to, and remediation guidance. Those findings draft your gap assessment, populate your SSP and POA&M, and stay live between assessments so the day a config drifts is the day you see it.

Family // Cryptography

Cryptography

FIPS-validated crypto enforcement, TLS configuration, key management, and algorithm verification across the OS and application stack.

3.13.11

OS FIPS Mode Detection

The first check between your environment and a 5-point SPRS hit on 3.13.11.

3.13.8

TLS Configuration Checks

Probes the live socket so a stale config file cannot hide a deprecated TLS handshake from the assessor.

3.13.16, 3.13.11

Disk Encryption Detection

Per-volume FIPS verdict on every drive that might hold CUI, with the CMVP cert attached.

3.13.11

Crypto Library Detection

Proves FIPS enforcement at the library level with a live MD5 test no version string can fake.

3.13.11, 3.4.2

Crypto Config File Analysis

One misconfigured line in openssl.cnf undoes every other crypto control on the host. This catches it.

3.13.11, 3.13.10

Algorithm Usage Checks

Audits the keys, certs, and cipher lines that already exist on disk, not just what the policy permits in theory.

Family // Network & Boundary

Network & Boundary

CUI boundary discovery, VLAN topology mapping, and wireless segmentation: the controls that prove where CUI is and isn't.

3.13.1, 3.13.6

Network Scanner & CUI Topology Mapper

Replaces the SSP boundary diagram drawn from memory with one the assessor will actually accept.

3.13.1, 3.13.6

Switch Integration & VLAN Topology

Replaces inferred VLAN boundaries with authoritative ones the assessor cannot argue with.

3.1.17, 3.1.16

Wireless Security Scanner

Catches the evil-twin AP and the WPA2-PSK corporate SSID before the attacker in the parking lot does.

Family // Identity & Audit

Identity & Audit

Account hygiene, privilege auditing, authentication mechanism review, and audit log compliance against NIST 3.3.x.

3.1.1, 3.1.5

Account & Privilege Auditor

Surfaces the orphaned accounts, NOPASSWD sudo rules, and shared credentials assessors flag first.

3.3.1, 3.3.2

Audit Log Compliance Checker

Confirms the audit daemon is running, the right events are captured, and the timestamps will hold up.

3.5.3, 3.5.10

Identity & Authentication Auditor

Reports the 3.5.3 SPRS tier (-5, -3, or 0) per host, plus every credential weakness Mimikatz lives on.

Family // Endpoint & Integrity

Endpoint & Integrity

Endpoint protection posture, vulnerability scanning, configuration baselines, and file integrity monitoring.

3.11.2, 3.11.3, 3.14.1

Vulnerability Scanner

Air-gap-friendly CVE correlation that catches a CISA KEV match without a single packet leaving the contractor's network.

3.14.2, 3.14.3, 3.14.4

Endpoint Protection Auditor

Confirms the EDR is not just installed but actively scanning, current, and unable to be disabled by malware mid-execution.

3.4.1, 3.4.2, 3.4.6

Configuration Baseline Scanner

Signs the secure baseline on first run, then catches every drift away from it on every cadence.

3.14.5, 3.14.6

File Integrity Monitor

Cryptographic proof a host has not been tampered with since the last scan, on a cadence the assessor cannot dispute.

Family // Data Protection

Data Protection

Removable media controls and email security: the routes CUI most often leaves the boundary unintentionally.

3.8.7, 3.8.6

Removable Media Auditor

Pulls forensic-grade USB history from the registry, then proves storage is blocked or required to be encrypted.

3.13.8

Email Security Auditor

Probes 16 DKIM selectors, four RBLs, and the live STARTTLS handshake for every contractor domain in scope.

Want the agents auditing your environment next week?

Book a 30-minute scoping call. We'll confirm what's in your CUI boundary and turn the agents on against your real systems before the call ends.
