The CMMC policy pack maps the controls of the Cybersecurity Maturity Model Certification (CMMC) to checks that the Anchore Enterprise policy engine can evaluate against container images. The pack is grounded in NIST SP 800-171r3, the security-requirement publication that CMMC uses as its control set, and ships as a single bundle ready to import as a policy.
What’s in the Pack
- Pack name: Anchore CMMC — NIST 800-171r3
- Frameworks covered: CMMC compliance via NIST 800-171r3 controls
- Artifact coverage: container images and SBOMs. The pack ships rule sets for both, plus the mappings that bind each rule set to its artifact type.
- Rule set organization: rule sets are named by NIST 800-171r3 control identifier (for example
03.01.07 — Least Privilege), so the mapping from a bundle finding back to its underlying compliance control is direct.
The pack maps the 800-171r3 controls that are reachable from SBOM and image content into rule sets the policy engine can evaluate. Controls that depend on organizational process or physical environment — rather than artifact content — are out of scope for a container-image or SBOM policy and are not represented in the bundle.
How to Use the Pack
Import the pack like any other policy — see Manage Policies for the GUI, AnchoreCTL, and API workflows. Once imported, scope it to the registries and repositories it should apply to through Policy Mappings, and attach any allowlists you need before activating it as the account’s default policy.
The CMMC pack is intended as a starting point. Most teams customize mappings, attach allowlists for accepted risks, or layer additional rule sets on top before activating the pack against production registries.