Disk Encryption Detection
Per-volume FIPS verdict on every drive that might hold CUI, with the CMVP cert attached.
The problem
Disk encryption is the most heavily weighted control in the SPRS scoring methodology and the easiest to get partially right. A laptop has FileVault on; a backup server does not. A workstation has BitLocker but the spare volume is decrypted. The user thinks they are covered. The assessor goes drive by drive, host by host, and finds the gap inside the first hour.
The failure mode that gets scored worst is the −5 tier, no encryption at rest at all. The −3 tier is encryption present but not FIPS-validated, usually because the cipher is Twofish, Serpent, or an AES-CBC mode that predates the system's CMVP certification. Both are scored, both are visible to the assessor, and both demand different remediation paths the contractor has to plan for.
Physical access to an unencrypted drive bypasses every other control on the host. An assessor will ask whether the contractor maintains a documented inventory of every volume that might hold CUI, including external drives, backup arrays, and printer storage. This agent produces that inventory automatically and keeps it current between assessments.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
Verifies CUI-bearing volumes are protected by full-volume encryption, the primary mechanism for confidentiality of CUI at rest.
Confirms the cipher and module performing the encryption are CMVP-validated. LUKS2 with AES-XTS-256, BitLocker with XTS-AES, and FileVault with Corecrypto all qualify; non-AES ciphers do not.
Identifies LUKS key slots, BitLocker recovery key targets, and FileVault institutional key handling so key management practices can be reviewed against the implementation.
Treats the presence and configuration of disk encryption as a baseline item. Its absence on any device is a configuration management gap.
How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Linux: Runs dmsetup ls --target crypt to enumerate every dm-crypt device, then dmsetup table per device to parse the cipher field, flagging anything that is not AES-based such as twofish, serpent, cast5, or blowfish. Falls back to lsblk -o NAME,FSTYPE for crypto_LUKS entries when dmsetup is unavailable. Cross-checks /proc/mounts for /dev/mapper/ entries so configured-but-unmounted volumes do not silently pass.
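The Linux logic above amounts to three parsers and a small decision table. The following is an added example, not the vendor's agent code, that works through it on constructed dmsetup and /proc/mounts output: it reads the cipher and key width from each crypt target line (handling both the masked hex key and the kernel-keyring form), halves the key for XTS so a 512-bit XTS key is scored as AES-256, cross-checks mounts so defined-but-unmounted devices surface as MEDIUM, and reports a CUI mount with no dm-crypt device underneath as CRITICAL. The device names, mount points and the CUI_MOUNTS scope set are assumptions for the example.

```python
"""Added example, not the vendor's agent code: assess dm-crypt volumes from
dmsetup and /proc/mounts output the way the Linux detection logic describes.
All command output below is constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional

MIN_AES_KEY_BITS = 256  # operational minimum named in the findings list

# Constructed `dmsetup ls --target crypt` output: <name>\t(<major>:<minor>)
DMSETUP_LS = (
    "luks-data\t(253:0)\n"
    "luks-legacy\t(253:1)\n"
    "luks-small\t(253:2)\n"
    "luks-spare\t(253:3)\n"
)

# Constructed `dmsetup table <name>` output. Crypt target line format:
# <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset> [opts]
# Without --showkeys the key is printed as zeros of the real hex length, so
# the field width still gives the key size. Keys held in the kernel keyring
# appear as :<key_bytes>:<type>:<description> instead of hex.
DMSETUP_TABLE = {
    "luks-data":   "0 41943040 crypt aes-xts-plain64 " + "0" * 128 + " 0 8:2 32768",
    "luks-legacy": "0 20971520 crypt twofish-cbc-essiv:sha256 " + "0" * 64 + " 0 8:3 4096",
    "luks-small":  "0 10485760 crypt aes-xts-plain64 " + "0" * 64 + " 0 8:4 32768",
    "luks-spare":  "0 10485760 crypt aes-xts-plain64 :64:logon:cryptsetup:example-d0 0 8:5 32768",
}

# Constructed /proc/mounts; /dev/sdb1 holds CUI but has no dm-crypt layer.
PROC_MOUNTS = (
    "/dev/mapper/luks-data /data ext4 rw,relatime 0 0\n"
    "/dev/mapper/luks-legacy /srv/legacy xfs rw,relatime 0 0\n"
    "/dev/mapper/luks-small /mnt/small ext4 rw,relatime 0 0\n"
    "/dev/sdb1 /cui/backup ext4 rw,relatime 0 0\n"
)
CUI_MOUNTS = {"/data", "/srv/legacy", "/mnt/small", "/cui/backup"}  # assumed scope


@dataclass
class Finding:
    device: str
    mountpoint: Optional[str]
    cipher: Optional[str]
    key_bits: int
    severity: str
    title: str


def parse_dmsetup_ls(text: str) -> list:
    """Device names from `dmsetup ls --target crypt`."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def parse_crypt_table(table: str) -> tuple:
    """Return (cipher_spec, key_bits) from one crypt target line."""
    fields = table.split()
    if len(fields) < 8 or fields[2] != "crypt":
        raise ValueError("not a dm-crypt table line: " + table)
    cipher, key = fields[3], fields[4]
    if key.startswith(":"):              # keyring reference, size given in bytes
        return cipher, int(key.split(":")[1]) * 8
    return cipher, len(key) * 4          # hex key, 4 bits per character


def split_cipher(cipher: str) -> tuple:
    """(algorithm, mode) for 'aes-xts-plain64' or the capi form 'capi:xts(aes)-plain64'."""
    m = re.match(r"capi:(\w+)\((\w+)\)", cipher)
    if m:
        return m.group(2).lower(), m.group(1).lower()
    parts = cipher.lower().split("-")
    return parts[0], (parts[1] if len(parts) > 1 else "")


def effective_aes_bits(cipher: str, key_bits: int) -> int:
    """XTS carries two AES keys, so a 512-bit XTS key is AES-256."""
    return key_bits // 2 if split_cipher(cipher)[1] == "xts" else key_bits


def assess_linux(dmsetup_ls: str, tables: dict, proc_mounts: str, cui_mounts: set) -> list:
    mounts = {}  # block device -> mount point
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mounts[parts[0]] = parts[1]
    names = parse_dmsetup_ls(dmsetup_ls)
    crypt_devs = {f"/dev/mapper/{n}" for n in names}
    findings = []
    for name in names:
        cipher, key_bits = parse_crypt_table(tables[name])
        dev = f"/dev/mapper/{name}"
        mp = mounts.get(dev)
        if split_cipher(cipher)[0] != "aes":
            sev, title = "HIGH", "Non-AES cipher in use"
        elif effective_aes_bits(cipher, key_bits) < MIN_AES_KEY_BITS:
            sev, title = "HIGH", "AES key shorter than 256 bits"
        elif mp is None:
            sev, title = "MEDIUM", "Encrypted volume defined but not mounted"
        else:
            sev, title = "PASS", "AES cipher at full key length, mounted"
        findings.append(Finding(dev, mp, cipher, key_bits, sev, title))
    # LVM volumes also live under /dev/mapper, so compare against the crypt set,
    # not the path prefix: a CUI mount with no dm-crypt device is the -5 case.
    for dev, mp in mounts.items():
        if mp in cui_mounts and dev not in crypt_devs:
            findings.append(Finding(dev, mp, None, 0, "CRITICAL", "Volume encryption disabled"))
    return findings


def run_sample() -> list:
    return assess_linux(DMSETUP_LS, DMSETUP_TABLE, PROC_MOUNTS, CUI_MOUNTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.device:24} {f.mountpoint or '-':12} {f.cipher or '-':26} {f.key_bits:4} {f.title}")
```

Cipher problems are ranked ahead of mount state, so an unmounted Twofish volume reports as HIGH rather than MEDIUM; the ordering is a policy choice and is easy to change in assess_linux.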
Windows: Runs manage-bde -status (requires Administrator) and parses Protection On/Off plus Encryption Method per volume. Accepts XTS-AES 256/128 and AES-CBC 256/128; flags Protection Off, Fully Decrypted, or unsupported ciphers as discrete findings. If the tool fails for permissions reasons, surfaces a HIGH unverified finding instead of a silent pass, since the assessor will require evidence either way.
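The important behaviour in the Windows logic is what happens when manage-bde cannot run: an error must become a finding, not an empty pass. The following added example (not the vendor's agent code) parses constructed manage-bde -status output into per-volume findings and turns a non-zero exit into a single HIGH unverified finding. It also treats a volume that is Fully Encrypted but reports Protection Off (BitLocker suspended) as CRITICAL, since the page flags Protection Off regardless of conversion state. The volume labels, the exact error wording, and the assumption that manage-bde labels the CBC modes "AES 256" and "AES 128" are constructed for the example.

```python
"""Added example, not the vendor's agent code: parse `manage-bde -status`
output per volume and convert a failed run into an unverified HIGH finding
rather than a silent pass. Output and error text below are constructed."""
import re
from dataclasses import dataclass

# Methods the page accepts. manage-bde is assumed here to print the CBC modes
# as "AES 256" / "AES 128"; anything outside this set is flagged.
APPROVED_METHODS = {"XTS-AES 256", "XTS-AES 128", "AES 256", "AES 128"}

# Constructed `manage-bde -status` output with three volumes.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.47 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked

Volume E: [Spare]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
"""
# Constructed stderr for a non-elevated run; wording is illustrative only.
SAMPLE_DENIED = "ERROR: Access is denied. Run manage-bde from an elevated command prompt.\n"


@dataclass
class Finding:
    volume: str
    severity: str
    title: str
    detail: str


def parse_status(stdout: str) -> dict:
    """Return {'C:': {field: value, ...}, ...} for each 'Volume X:' block."""
    volumes, current = {}, None
    for line in stdout.splitlines():
        head = re.match(r"^Volume ([A-Z]:)", line)
        if head:
            current = volumes.setdefault(head.group(1), {})
            continue
        kv = re.match(r"^\s+([A-Za-z ]+):\s+(.*\S)\s*$", line)
        if current is not None and kv:
            current[kv.group(1).strip()] = kv.group(2)
    return volumes


def assess_bitlocker(returncode: int, stdout: str, stderr: str) -> list:
    # A failed or empty run is evidence missing, not evidence of compliance.
    if returncode != 0:
        return [Finding("*", "HIGH", "BitLocker check failed for permissions",
                        f"manage-bde -status exited {returncode}: {stderr.strip()}; volumes unverified")]
    volumes = parse_status(stdout)
    if not volumes:
        return [Finding("*", "HIGH", "BitLocker check returned no volumes",
                        "output could not be parsed; volumes unverified")]
    findings = []
    for vol, fields in volumes.items():
        protection = fields.get("Protection Status", "")
        conversion = fields.get("Conversion Status", "")
        method = fields.get("Encryption Method", "")
        if protection != "Protection On" or conversion == "Fully Decrypted":
            # Covers suspended BitLocker too: Protection Off on an encrypted
            # volume means a clear key protector is on disk until it resumes.
            findings.append(Finding(vol, "CRITICAL", "Volume encryption disabled",
                                    f"{protection}; {conversion}"))
        elif method not in APPROVED_METHODS:
            findings.append(Finding(vol, "HIGH", "Unsupported encryption method", method))
        else:
            findings.append(Finding(vol, "PASS", "BitLocker on with approved method", method))
    return findings


if __name__ == "__main__":
    for f in assess_bitlocker(0, SAMPLE_STATUS, "") + assess_bitlocker(1, "", SAMPLE_DENIED):
        print(f"{f.severity:8} {f.volume:3} {f.title}: {f.detail}")
```

On a real host the three arguments come from running the tool, for example via subprocess.run(["manage-bde", "-status"], capture_output=True, text=True) and passing its returncode, stdout and stderr; the parser never sees the shell, so a denied run can only ever produce the unverified finding.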
macOS: Runs fdesetup status across every detected volume. FileVault On passes because Apple's FIPS-validated Corecrypto handles AES-XTS 128 by default. Anything else is CRITICAL. Maps the macOS version to the relevant CMVP cert so an auditor can cite the exact certificate number in the SSP narrative.
What it finds
Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICAL: Volume encryption disabled. BitLocker Protection Off, FileVault Off, or no LUKS device for a mounted CUI-relevant volume; a direct −5 on 3.13.11 and 3.13.16.
- HIGH: Non-AES cipher in use. LUKS device using Twofish, Serpent, CAST5, or Blowfish. Encryption is present but not FIPS-validated; −3 tier.
- HIGH: AES key shorter than 256 bits. LUKS table reports a key shorter than 512-bit XTS (256-bit AES). The cipher is approved but the key length falls below the operational minimum.
- HIGH: BitLocker check failed for permissions. manage-bde -status could not run elevated. The agent treats this as unverified rather than passing; the assessor will require evidence either way.
- MEDIUM: Encrypted volume defined but not mounted. LUKS device exists in dmsetup output but no /dev/mapper/ entry appears in /proc/mounts. The volume is configured but not in active use; verify scope.
This agent is the primary determinant of the −5 versus −3 tier on 3.13.11 for data at rest. No encryption costs the full 5 points; encryption with a non-FIPS cipher costs 3. The gap between those tiers, and the cost of a contractor not knowing which tier they are in, is the single SPRS exposure most often closed during a Tolerance engagement. Paired with the OS FIPS check, every host in scope produces a defensible-on-paper SPRS calculation for both 3.13.11 and 3.13.16, with the CMVP cert and per-volume cipher table cited inline.
How it hooks into the platform
The platform inventories every mounted volume on every in-scope host without anyone running a command, and re-checks each one on a cadence tuned to whether it carries CUI. You configure whether per-device cipher and key-size results stay on-prem or sync up. Results land in the SSP's cryptographic protection section as a table covering device, mount point, cipher, key size, and validation cert. The gap assessment computes the SPRS tier for 3.13.11 and 3.13.16 across the fleet. POA&M items name the volume and include cryptsetup, manage-bde, or fdesetup remediation.
How we know it's working
Acceptance criteria from the engineering spec, what the agent must do to ship.
- Audits every mounted volume per host, never aggregates a single verdict
- Runs unprivileged on Linux against dmsetup and lsblk state
- Surfaces Windows permissions failures as unverified findings, never silent passes
- Returns a structured volume inventory even on fully clean hosts
- Cites the matching macOS Corecrypto CMVP certificate per finding
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.