
CMMC Compliance Checklist for DevOps Teams

If your organization handles Controlled Unclassified Information (CUI) and you're pursuing CMMC Level 2, your DevOps practices need to support 110 security controls. Here's a practical checklist focused on the controls most relevant to CI/CD pipelines, source control, and infrastructure automation.

Access Control (AC)

Source Control Access

  • AC.L2-3.1.1 — Limit system access to authorized users. Enforce SSO/SAML for all Git platform access. No local accounts.
  • AC.L2-3.1.2 — Limit system access to authorized transactions. Use repository-level permissions, not org-wide admin.
  • AC.L2-3.1.5 — Employ least privilege. Developers get write access only to repos they need. Admins are limited.
  • AC.L2-3.1.7 — Prevent non-privileged users from executing privileged functions. Protect main/release branches with required reviews.

CI/CD Pipeline Access

  • AC.L2-3.1.1 — Pipeline execution requires authenticated identity. No anonymous triggers.
  • AC.L2-3.1.3 — Control CUI flow. Artifacts containing CUI stay within authorized boundaries. No public artifact repos.
  • AC.L2-3.1.12 — Monitor remote access. Log all CI/CD executions with user attribution.

Audit & Accountability (AU)

Logging Requirements

  • AU.L2-3.3.1 — Create audit records. Log all Git operations (push, merge, branch delete), pipeline executions, and infrastructure changes.
  • AU.L2-3.3.2 — Ensure traceability. Logs must include who, what, when, where. Correlate commits → builds → deployments.
  • AU.L2-3.3.4 — Alert on audit failures. If logging stops, you need to know immediately.
  • AU.L2-3.3.8 — Protect audit logs. Logs should be immutable and stored separately from the systems they monitor.
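The traceability and audit-failure checks above (AU.L2-3.3.2 and AU.L2-3.3.4) can be exercised against raw audit records. The following added example is not from the original checklist; it correlates constructed push, pipeline and deploy records by commit and run id, verifies each record carries who/what/when/where, and flags silent intervals in the log stream. The field names (`actor`, `action`, `ts`, `src`, `commit`, `run_id`, `env`) are assumptions; real platforms use their own schemas.

```python
import json
from datetime import datetime

# Constructed sample audit records (JSON lines): a push, the build it triggered,
# the deployment of that build, and a later push with no build yet.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:00Z","actor":"alice","action":"git.push","src":"10.0.1.5","commit":"a1b2c3"}
{"ts":"2024-05-01T10:02:00Z","actor":"ci-svc-build","action":"pipeline.run","src":"runner-7","commit":"a1b2c3","run_id":"build-41"}
{"ts":"2024-05-01T10:09:00Z","actor":"ci-svc-deploy","action":"deploy","src":"runner-7","run_id":"build-41","env":"prod"}
{"ts":"2024-05-01T13:00:00Z","actor":"bob","action":"git.push","src":"10.0.1.9","commit":"d4e5f6"}
"""

REQUIRED = ("actor", "action", "ts", "src")  # who, what, when, where (AU.L2-3.3.2)

def parse(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def incomplete_records(records):
    """Return records missing any of the who/what/when/where fields."""
    return [r for r in records if any(k not in r for k in REQUIRED)]

def trace_commits(records):
    """Link commit -> build -> deploy so every deployment is attributable to a pusher."""
    by_run = {r["run_id"]: r for r in records if r["action"] == "pipeline.run"}
    trace = {}
    for r in records:
        if r["action"] == "git.push":
            trace[r["commit"]] = {"pushed_by": r["actor"], "build": None, "deploy": None}
    for r in records:
        if r["action"] == "pipeline.run" and r["commit"] in trace:
            trace[r["commit"]]["build"] = r["run_id"]
        elif r["action"] == "deploy":
            commit = by_run.get(r["run_id"], {}).get("commit")
            if commit in trace:
                trace[commit]["deploy"] = r["env"]
    return trace

def logging_gaps(records, max_gap_minutes):
    """Flag silent intervals longer than the threshold: a stalled audit feed (AU.L2-3.3.4)."""
    times = sorted(datetime.fromisoformat(r["ts"].replace("Z", "+00:00")) for r in records)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        minutes = (later - earlier).total_seconds() / 60
        if minutes > max_gap_minutes:
            gaps.append((earlier.isoformat(), later.isoformat(), minutes))
    return gaps

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("incomplete:", incomplete_records(recs))
    print("trace:", trace_commits(recs))
    print("gaps over 60 min:", logging_gaps(recs, 60))
```

In production the gap threshold would be tuned per source (a quiet repo at night is normal, a silent CI audit feed during business hours is not), and the alert should fire from a system separate from the one being logged.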

Configuration Management (CM)

Infrastructure as Code

  • CM.L2-3.4.1 — Establish baselines. Infrastructure defined in code (Terraform, Ansible) with versioned, approved configurations.
  • CM.L2-3.4.2 — Track changes. All infrastructure changes go through version control with review and approval.
  • CM.L2-3.4.3 — Analyze security impact. Changes require security review before merge. Automated policy checks in PR.
  • CM.L2-3.4.5 — Define and enforce access restrictions. Terraform state files protected. Only pipelines apply changes.

Software & Containers

  • CM.L2-3.4.6 — Employ least functionality. Container images minimal—no unnecessary packages, services, or tools.
  • CM.L2-3.4.7 — Restrict nonessential programs. Only approved base images from a hardened registry (Iron Bank, internal).
  • CM.L2-3.4.8 — Apply deny-by-exception policy. Kubernetes admission controllers block unapproved images.
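The deny-by-exception rule in CM.L2-3.4.7 and CM.L2-3.4.8 is what a validating admission webhook decides. The following added example is not from the original checklist; it implements that decision over an AdmissionReview request for a Pod and goes slightly beyond the text by also requiring images to be pinned by digest, so a mutable tag cannot be swapped behind an approved name. `registry1.dso.mil` is Iron Bank's registry; the internal registry hostname, the example digest and the `make_review` helper are constructed.

```python
import json

# Approved registries; anything else is denied (CM.L2-3.4.8 deny-by-exception).
# registry1.dso.mil is Iron Bank; registry.internal.example is a constructed placeholder.
ALLOWED_REGISTRIES = ("registry1.dso.mil/ironbank/", "registry.internal.example/")

def image_allowed(image, allowed=ALLOWED_REGISTRIES):
    """An image passes only if it comes from an approved registry and is pinned by digest."""
    from_approved = image.startswith(allowed)
    pinned = "@sha256:" in image
    return from_approved and pinned

def evaluate_admission(review, allowed=ALLOWED_REGISTRIES):
    """Build the AdmissionReview response for a Pod create/update request.
    Init containers are checked too; they run with the same pull policy as app containers."""
    req = review["request"]
    spec = req["object"]["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    rejected = [c["image"] for c in containers if not image_allowed(c["image"], allowed)]
    response = {"uid": req["uid"], "allowed": not rejected}
    if rejected:
        response["status"] = {"code": 403,
                              "message": "unapproved or unpinned image(s): " + ", ".join(rejected)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

def make_review(uid, images, init_images=()):
    """Constructed AdmissionReview request for a Pod, shaped like what the API server sends."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"kind": "Pod"},
                        "object": {"spec": {
                            "containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)],
                            "initContainers": [{"name": f"i{i}", "image": img} for i, img in enumerate(init_images)]}}}}

if __name__ == "__main__":
    pinned = "registry1.dso.mil/ironbank/opensource/nginx/nginx:1.25@sha256:" + "0" * 64
    good = make_review("u1", [pinned])
    bad = make_review("u2", [pinned], init_images=["docker.io/library/busybox:latest"])
    for r in (good, bad):
        print(json.dumps(evaluate_admission(r)["response"]))
```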

Identification & Authentication (IA)

Identity Management

  • IA.L2-3.5.1 — Identify users and devices. Service accounts for pipelines have unique identities. No shared credentials.
  • IA.L2-3.5.2 — Authenticate identities. MFA required for all human access to Git platforms and CI/CD systems.
  • IA.L2-3.5.3 — Use multifactor authentication. Phishing-resistant MFA (hardware keys, FIDO2) for privileged accounts.
  • IA.L2-3.5.10 — Store and transmit protected credentials. Secrets in HashiCorp Vault or equivalent. Never in code or environment variables.

System & Communications Protection (SC)

Data Protection

  • SC.L2-3.13.1 — Monitor communications at boundaries. Network segmentation between dev, CI/CD, and production.
  • SC.L2-3.13.8 — Implement cryptographic mechanisms. TLS 1.2+ for all Git operations. Encrypted artifact storage.
  • SC.L2-3.13.10 — Establish cryptographic key management. Signing keys for commits and artifacts managed centrally.
  • SC.L2-3.13.16 — Protect CUI at rest. Encrypted storage for repos containing CUI. Encrypted backups.

System & Information Integrity (SI)

Security Scanning

  • SI.L2-3.14.1 — Identify and remediate flaws. SAST/DAST in pipeline. SCA for dependencies. Container scanning.
  • SI.L2-3.14.2 — Protect against malicious code. Secret scanning to prevent credential leaks. Dependency confusion protections.
  • SI.L2-3.14.3 — Monitor security alerts. Subscribe to CVE feeds for your dependencies. Automated PR creation for updates.
  • SI.L2-3.14.6 — Monitor organizational systems. Pipeline failures and unusual activity patterns trigger alerts.

Implementation Notes

Start with Evidence Collection

CMMC assessments require evidence. Before implementing controls, ensure you can demonstrate compliance:

  • Screenshots and exports of access control configurations
  • Audit log samples showing required events
  • Policy documents (branch protection rules, required reviewers)
  • Scan reports from security tools
  • System Security Plan (SSP) mapping controls to implementations

Tool Recommendations

Capability           Tools
-------------------  --------------------------------------------------------
Source Control       GitHub Enterprise, GitLab
CI/CD                GitHub Actions, GitLab CI, Jenkins, Tekton
IaC                  Terraform, Ansible, Pulumi
Secrets Management   HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
SAST                 SonarQube, Semgrep, CodeQL
SCA                  Snyk, Dependabot, OWASP Dependency-Check
Container Scanning   Trivy, Anchore, Aqua
Audit Logging        Splunk, Elastic, Azure Sentinel

Merlin System Solutions