Network & Boundary

Network Scanner & CUI Topology Mapper

Replaces the SSP boundary diagram drawn from memory with one the assessor will actually accept.

Covered practices · NIST SP 800-171 Rev 2

  • 3.13.1 Boundary protection (primary)
  • 3.13.6 Deny by default, permit by exception (primary)
  • 3.1.3 Control flow of CUI
  • 3.13.8 Transmission confidentiality
  • 3.14.1 Flaw remediation

17 ports fingerprinted per host on every sweep.

The problem

The boundary diagram in a CMMC SSP is the document an assessor reads first. It is also the one most contractors get most wrong, because it is drawn from memory and never reconciled with the network as it actually is. Forgotten printers, legacy NAS appliances, a developer's exposed Docker socket, an OT controller someone plugged into the IT subnet, none of them appear on the diagram, and all of them appear on the assessment report at full deduction value.

An on-prem agent on the contractor's own network can do what an external scanner cannot. ARP sweeps return responses from hosts that block ICMP. Port fingerprints classify CUI exposure tier per host. Service banners reveal whether SMBv1, plaintext FTP, or unauthenticated Redis are running where they should not be. The result is a topology that cross-references every discovered host against 800-171 boundary controls in a single pass.

The agent runs explicitly, on networks the contractor owns. It writes an audit log before sending a packet, stays inside the configured subnets, and rate-limits below the threshold that triggers default IDS rules. It is a compliance tool, not a pentest tool, and it produces evidence the C3PAO will sign off on rather than question.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping
NIST 3.13.1 Boundary protection

Produces the authoritative map of the contractor's CUI boundary: every host in scope, every service exposed, every undocumented crossing. This is the control assessors use to evaluate whether the contractor knows where its boundary is.
NIST 3.13.6 Deny by default, permit by exception

Every discovered service is, by definition, a permitted exception. Findings list every service that needs to be either documented in the SSP or shut down.
Secondary mapping
NIST 3.1.3 Control flow of CUI

The CUI tier classification and flow inference phases produce a defensible answer to where CUI is stored, where it transits, and which paths are unauthorized.
NIST 3.13.8 Transmission confidentiality

Findings on Telnet, FTP, plaintext SMTP, WinRM over HTTP, and SNMP v1/v2c map directly here: these protocols transmit credentials and CUI in the clear.
NIST 3.14.1 Flaw remediation

SMBv1 in 2026 is a flaw remediation finding: the patch exists, the contractor has not applied it, and EternalBlue is the proof.

How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Runs with CAP_NET_RAW or root for full ARP sweep and raw socket access. Reads /proc/net/arp before sending packets, batches ICMP fallback at 32 concurrent probes with 300ms timeouts, and fingerprints services on a fixed port list (445, 1433, 3389, 9100, 631, 22, 80, 443, 161, 102, 502, 10250, 2375, 2379, 3000, 389, 636, 88) at 100 probes per second by default. A typical /24 completes in under three minutes and emits a Mermaid graph TD with VLAN subgraphs when switch integration data is available.

Windows

Runs as Administrator. WinPcap/Npcap drives raw ARP, with clean fallback to ICMP when not present. Uses GetIpNetTable2 for the ARP cache and GetAdaptersAddresses for interface enumeration, then runs the same port-list and service-fingerprint logic as Linux so findings are directly comparable across platforms.

macOS

Raw sockets require root. Without root, ARP falls back to a ping sweep and the binary says so at runtime, rather than silently degrading to a partial scan that the contractor mistakes for a full one. Port scans and banner grabs work unprivileged, so most of the audit value is available without elevation.

What it finds

Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    SMBv1 enabled on port 445
    EternalBlue vector. Predates FIPS cipher support entirely. 3.14.1 flaw remediation finding regardless of patch level on the rest of the stack.
  • CRITICAL
    Telnet port 23 open
    Plaintext remote access. Credentials and session data transmitted in the clear. Direct 3.13.8 violation, no compensating control possible.
  • CRITICAL
    Docker API on port 2375 without TLS
    Anyone on the network can execute arbitrary code as root on this host. 3.1.2 violation: there is no access control at all, not a misconfigured one.
  • CRITICAL
    Open SMTP relay on port 25
    Server accepts MAIL FROM and RCPT TO with external domains. Domain reputation impact and likely abuse vector.
  • HIGH
    Printer on same /24 as CUI servers
    Printer with JetDirect on 9100 shares a network segment with database servers. Printers buffer document images on internal storage; segmentation cannot be confirmed without switch access.
  • HIGH
    Multi-homed host crosses subnet boundary
    Host appears in two subnets' ARP caches. Potential undocumented boundary crossing that needs explicit SSP coverage.
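The Linux pipeline described under "How it works" (read the ARP cache first, stay inside the configured subnets, fingerprint a fixed port list, emit a Mermaid graph TD with per-subnet subgraphs) and the finding rules above, as an added example that is not the agent's own code: it parses a constructed /proc/net/arp snapshot, drops incomplete entries and anything outside scope, applies the SMBv1, Telnet, Docker and multi-homed rules to constructed banner data, and renders the diagram. The banner strings, the `CRITICAL` rule table and the same-MAC-in-two-subnets heuristic for multi-homing are assumptions made here, not the product's logic.

```python
import ipaddress
from collections import Counter
# Constructed inputs: a /proc/net/arp snapshot (real column layout) and per-host banners.
ARP_SNAPSHOT = """\
IP address       HW type     Flags       HW address            Mask     Device
10.10.1.20       0x1         0x2         aa:bb:cc:00:00:20     *        eth0
10.10.1.45       0x1         0x2         aa:bb:cc:00:00:45     *        eth0
10.10.1.77       0x1         0x0         00:00:00:00:00:00     *        eth0
10.10.2.45       0x1         0x2         aa:bb:cc:00:00:45     *        eth1
192.0.2.9        0x1         0x2         aa:bb:cc:00:00:09     *        eth0
"""
SERVICES = {"10.10.1.20": {445: "SMBv1 dialect NT LM 0.12", 1433: "MSSQL"},
            "10.10.1.45": {23: "Telnet"}, "10.10.2.45": {2375: "Docker API (http)"}}
# The page's CRITICAL rules: (port, banner substring required, finding, 800-171 control)
CRITICAL = [(445, "SMBv1", "SMBv1 enabled on port 445", "3.14.1"),
            (23, "", "Telnet port 23 open", "3.13.8"),
            (2375, "http", "Docker API on port 2375 without TLS", "3.1.2")]
subnet = lambda ip: ipaddress.ip_network(ip + "/24", strict=False)

def parse_arp(text, scope):
    """{ip: mac} for complete ARP entries (flag bit 0x2) inside the scope CIDRs."""
    hosts = {}
    for line in text.splitlines()[1:]:          # skip the header row
        ip, _, flags, mac, _, _ = line.split()
        in_scope = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in scope)
        if int(flags, 16) & 0x2 and in_scope:   # never list a host outside scope
            hosts[ip] = mac
    return hosts

def classify(hosts, services):
    """{ip: [(severity, finding, control)]} using the page's finding rules."""
    out, macs = {}, Counter(hosts.values())     # a MAC seen twice = two subnets' caches
    for ip, mac in hosts.items():
        ports = services.get(ip, {})
        out[ip] = [("CRITICAL", text, ctl) for p, needle, text, ctl in CRITICAL
                   if p in ports and needle in ports[p]]
        if macs[mac] > 1:                       # multi-homed heuristic (assumed, not the page's)
            out[ip].append(("HIGH", "Multi-homed host crosses subnet boundary", "3.13.1"))
    return out

def mermaid(hosts, findings):
    """Mermaid graph TD, one subgraph per /24, node label = worst severity."""
    lines = ["graph TD"]
    for net in sorted({subnet(ip) for ip in hosts}):
        lines.append(f'  subgraph sg_{str(net.network_address).replace(".", "_")} ["{net}"]')
        for ip in sorted((i for i in hosts if subnet(i) == net), key=ipaddress.ip_address):
            worst = min((s for s, *_ in findings[ip]), default="OK")  # "CRITICAL" < "HIGH"
            lines.append(f'    h{ip.replace(".", "_")}["{ip} {worst}"]')
        lines.append("  end")
    return "\n".join(lines)
```

Narrowing the scope to a single /24 also removes the multi-homed finding for 10.10.1.45, which is why the agent must be pointed at every subnet the boundary actually spans.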
SPRS impact

Boundary findings hit several 5-point controls simultaneously. Plaintext protocols accepting connections map to 3.13.8 (5 points). Undocumented services running map to 3.13.6 (3 points). SMBv1 alone is 3.14.1 (3 points) plus 3.13.1 (5 points). A single network scan typically produces auditable evidence for between 6 and 12 controls in one pass, and the topology diagram itself is required SSP content under 3.13.1 regardless of any individual finding. Without it, the contractor is failing 3.13.1 by definition before a single port is checked.

How it hooks into the platform

Once Tolerance is pointed at the configured subnets, the platform discovers hosts and services on its own and re-runs the sweep on a cadence calibrated to network size. You decide whether per-subnet JSON, banners, and the topology graph stay on-prem or sync up. The Mermaid diagram drafts directly into the SSP's network architecture section under 3.13.1. CUI tier classifications populate the data-flow tables for 3.1.3, and each HIGH or CRITICAL host opens a POA&M item with the service, port, and remediation.

How we know it's working

Acceptance criteria from the engineering spec: what the agent must do to ship.

  • Sweeps a full /24 in under three minutes at 100 probes per second
  • Emits an SSP-ready Mermaid topology diagram that validates with mmdc
  • Stays inside the configured subnets, with zero packets sent outside scope
  • Writes an audit log entry before sending the first packet of every scan
  • Treats SMBv1 and Telnet as CRITICAL with no override path
  • Tags every printer node with a VERIFY PRINT CUI label by default
  • Aggregates multi-host findings server-side into a single SSP artifact

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.
