Skip to content

Add controls matrix and AC family first draft #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
cameronhopkin wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add controls matrix and AC family first draft #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
10ab62b
Add controls matrix scaffold and Access Control family first draft
cameronhopkin May 26, 2026
dab814f
Remove phantom pyhcl2 dependency that breaks pip install
cameronhopkin May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 27 additions & 12 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,27 @@
# CMMC Control Validator
# CMMC Validator

[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)

A Python-based tool for validating Infrastructure as Code (IaC) configurations against CMMC Level 2 and NIST SP 800-171 security controls. Designed for organizations preparing for CMMC certification or maintaining continuous compliance.
Validator and reference matrix for CMMC 2.0 Level 2 / NIST SP 800-171 Rev 2 controls. Includes a Python-based Terraform Infrastructure as Code (IaC) compliance scanner and a practitioner reference matrix oriented toward Defense Industrial Base (DIB) contractors.

Maintained by [Waypoint Compliance Advisory](https://waypointca.com) (SDVOSB, CAGE 14Z63).

## Standards revision

This repository tracks **NIST SP 800-171 Rev 2**, the version cited by the CMMC 2.0 final rule (32 CFR Part 170) for Level 2 assessments. NIST SP 800-171 Rev 3 (published May 2024) restructures the controls; migration is on the roadmap and will track DoD's eventual adoption of Rev 3 for CMMC assessments.

## Documentation

- [`controls/`](./controls/) — Reference control matrix with implementation patterns and frequently observed gaps. First family (Access Control) published; remaining families in progress.
- [`gap-patterns/`](./gap-patterns/) — Common assessment gaps with remediation patterns (in progress)
- [`references/`](./references/) — Authoritative source documents
- [`templates/`](./templates/) — Worksheet templates: POA&M, SSP outline, etc. (in progress)

## Overview

CMMC Control Validator parses Terraform configurations and evaluates them against the 110 practices required for CMMC Level 2 certification. It provides:
CMMC Validator parses Terraform configurations and evaluates them against the 110 practices required for CMMC Level 2 certification. It provides:

- **Automated Compliance Checking**: Scan Terraform files for security misconfigurations
- **Gap Analysis Reports**: Identify which controls are met, partially met, or missing
Expand Down Expand Up @@ -57,14 +70,14 @@ CMMC Control Validator parses Terraform configurations and evaluates them agains
### From PyPI

```bash
pip install cmmc-control-validator
pip install cmmc-validator
```

### From Source

```bash
git clone https://github.com/cameronhopkin/cmmc-control-validator.git
cd cmmc-control-validator
git clone https://github.com/WaypointCA/cmmc-validator.git
cd cmmc-validator
pip install -e .
```

Expand Down Expand Up @@ -165,7 +178,7 @@ jobs:
python-version: '3.11'

- name: Install CMMC Validator
run: pip install cmmc-control-validator
run: pip install cmmc-validator

- name: Run Compliance Check
run: |
Expand Down Expand Up @@ -290,8 +303,8 @@ Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for gui
### Development Setup

```bash
git clone https://github.com/cameronhopkin/cmmc-control-validator.git
cd cmmc-control-validator
git clone https://github.com/WaypointCA/cmmc-validator.git
cd cmmc-validator
python -m venv venv
source venv/bin/activate
pip install -e ".[dev]"
Expand All @@ -300,14 +313,16 @@ pytest

## References

Full reference list in [`references/`](./references/). Key sources:

- [CMMC Model Overview](https://dodcio.defense.gov/CMMC/)
- [NIST SP 800-171 Rev 2](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)
- [AWS CMMC Resources](https://aws.amazon.com/compliance/cmmc/)

## License

MIT License - see [LICENSE](LICENSE) for details.
MIT License (code) and CC BY 4.0 (matrix content). See [LICENSE](LICENSE) for code license details. Cite Waypoint Compliance Advisory when reusing matrix content.

## Author
## Maintainer

Cameron Hopkin - [GitHub](https://github.com/cameronhopkin)
Maintained by Cameron T. Hopkin on behalf of [Waypoint Compliance Advisory LLC](https://waypointca.com) (SDVOSB, CAGE 14Z63).
Loading
Loading