
Open-CMMC: Open-Source CUI Storage for CMMC Level 2.

The free, Apache-2.0 solution for CMMC file hosting & sharing. 72 of 110 NIST SP 800-171 Rev 2 controls covered directly in product code.

Open Source

What Is Open-CMMC?

Open-CMMC is open-source CUI storage for defense suppliers preparing for CMMC Level 2. It is a hardened fork of filebrowser, rebuilt around the NIST SP 800-171 Rev 2 controls and designed to run on-premise on a single RHEL 9 or AlmaLinux 9 VM.

You get FIPS-mode crypto, OIDC + MFA, AES-256-GCM envelope encryption, ClamAV scan-on-upload, and a tamper-evident audit chain, all in one Go binary, deployed in about three minutes. The compliance-posture and gap-analysis docs lift straight into your CUI enclave System Security Plan.

CMMC Program Phase 2 begins 2026-11-10 and requires a C3PAO assessment for Level 2 contracts. Open-CMMC fits into the broader on-premise CMMC compliance approach without vendor lock-in or per-seat license cost.

  • TroutSoftware/Open-CMMC
  • Apache-2.0
  • Go 1.25
  • FIPS 140-3 inherited
  • CMMC Level 2 Ready

Control Coverage

72 of 110 Controls, Directly in Product Code.

The deployed stack covers ~75 of the 110 NIST SP 800-171 Rev 2 controls. 72 are addressed directly inside the Open-CMMC process. Wazuh (the recommended SIEM + endpoint stack) extends coverage by another 18. The remainder are customer SSP responsibility or host / facility controls.

  • 72 of 110: direct in product
  • 18 added: Wazuh extends
  • 8 policy: customer SSP
  • 12 physical: host / facility

Family  Name                              Total  Direct  Wazuh  SSP
3.1     Access Control                       22      18      3    1
3.3     Audit & Accountability                9       6      3    -
3.4     Configuration Management              9       6      3    -
3.5     Identification & Authentication      11      11      -    -
3.6     Incident Response                     3       1      2    -
3.8     Media Protection                      9       9      -    -
3.11    Risk Assessment                       3       -      3    -
3.12    Security Assessment                   4       2      -    2
3.13    System & Comms Protection            16      14      -    -
3.14    System & Info Integrity               7       3      4    -

Families 3.2, 3.7, 3.9, 3.10 are omitted: they are customer policy, personnel, maintenance, or physical-protection controls, not product-scope. Full per-control statements are in the repo's compliance-posture.md.

Capabilities

What Open-CMMC Ships With.

Envelope Encryption at Rest

AES-256-GCM per-object envelope encryption. KEK lives in TPM or HSM. BoltDB rows are envelope-encrypted.
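As an added example (not Open-CMMC's own code), the per-object envelope scheme described above in Go's standard library: a fresh 256-bit DEK per object, the object sealed under the DEK with AES-256-GCM, the DEK wrapped under the KEK, and the object ID bound to both blobs as associated data. The KEK is modelled as an in-memory 32-byte slice; that stand-in for the TPM/HSM-held key and the object-ID binding are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm256 builds an AES-256-GCM AEAD; a wrong key size is a programming error.
func gcm256(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("envelope: key must be 32 bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal prepends a fresh nonce; aad (the object ID) stops blob swapping between objects.
func seal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error since Go 1.24
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad is an error.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("envelope: sealed blob too short")
}

// Encrypt draws a one-time DEK, encrypts the object under it and wraps the DEK under
// the KEK; the two blobs are what is stored. The KEK here stands in for the TPM/HSM key.
func Encrypt(kek, plaintext []byte, objectID string) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(gcm256(kek), dek, []byte(objectID)), seal(gcm256(dek), plaintext, []byte(objectID))
}

// Decrypt unwraps the DEK with the KEK, then decrypts the object under it.
func Decrypt(kek, wrappedDEK, ciphertext []byte, objectID string) ([]byte, error) {
	dek, err := open(gcm256(kek), wrappedDEK, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return open(gcm256(dek), ciphertext, []byte(objectID))
}
```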

OIDC + MFA, FIPS TLS 1.3

Authentication externalized to Keycloak (bundled) or customer Entra GCC-H, Okta Gov, Ping. MFA and passkey flows built in.

Tamper-Evident Audit Chain

Every action emits a structured event with a correlation id. HMAC chain for integrity, forwarded via rsyslog-ossl mTLS to Splunk, Sentinel, or Elastic.
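As an added example (not the project's code), an HMAC chain of the kind described above: each structured event carries a correlation id, the tag of the previous record and an HMAC-SHA256 over its own canonical JSON, so a verifier can point at the first edited, removed or reordered record. The field names and the JSON canonicalization are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Event is one audit record; encoding/json emits fields in declaration order, so the MAC input is canonical.
type Event struct {
	Time          string `json:"time"`
	CorrelationID string `json:"correlation_id"` // ties related events together
	Actor         string `json:"actor"`
	Action        string `json:"action"`
	Object        string `json:"object"`
	Prev          string `json:"prev"` // hex tag of the previous record
	Tag           string `json:"tag"`  // hex HMAC-SHA256 over this record
}

// tag computes HMAC-SHA256(key, canonical record with Tag cleared). Because Prev
// is inside the MAC, editing, removing or reordering any record invalidates it.
func tag(key []byte, e Event) string {
	e.Tag = ""
	body, _ := json.Marshal(e) // cannot fail for a struct of strings
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// Append links e to the last record (the genesis record keeps Prev = "") and seals it.
func Append(key []byte, log []Event, e Event) []Event {
	if n := len(log); n > 0 {
		e.Prev = log[n-1].Tag
	}
	e.Tag = tag(key, e)
	return append(log, e)
}

// Verify recomputes every tag and Prev link; returns the first failing index, or -1.
func Verify(key []byte, log []Event) int {
	prev := ""
	for i, e := range log {
		if e.Prev != prev || !hmac.Equal([]byte(e.Tag), []byte(tag(key, e))) {
			return i
		}
		prev = e.Tag
	}
	return -1
}
```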

CUI Marking UI (NIST 3.8.4)

Per-folder CUI marks: BASIC, SPECIFIED, SP-PROPIN, SP-PRVCY, SP-ITAR. Admin-gated with fresh MFA required; every change audited.

Single-VM Turnkey Deploy

One binary, one command, one VM. RHEL 9 / AlmaLinux 9 / Rocky 9 with FIPS mode enabled. ~3 minutes from tarball to running enclave.

Apache-2.0, Fork-Friendly

Hardened fork of filebrowser/filebrowser with per-control coverage and gap-analysis docs you can copy into your SSP.

Need Help Deploying

Three Ways to Reach a C3PAO-Ready Enclave.

Open-CMMC is free to clone, install, and run yourself. If you want a second set of eyes, or want us to do the deployment, pick the level of help that matches where you are.

Tier 1

30 min with an engineer

30 minutes with a Trout engineer over screen-share. Bring whatever is on your mind: FIPS mode, OIDC, audit forwarding, control mapping, deployment shape. Open-ended conversation.

For: sysadmins running the install themselves who want to talk it through.

Tier 2

Full deployment

We install on your VM, integrate Entra ID, Okta, or Keycloak, forward audit logs to your SIEM, and hand over the SSP evidence pack.

For: MSPs or in-house teams without OS-hardening time. SOW within 48 hours.

  • Install on RHEL 9 / Alma 9 / Rocky 9
  • IdP integration (Entra GCC-H / Okta Gov / Keycloak)
  • Audit forwarder + SIEM integration
  • SSP evidence pack handoff
  • 30 days post-deployment support

Tier 3

C3PAO-ready bundle

Open-CMMC covers 72 of 110 controls. Access Gate adds another ~20 at the network layer. Our partner C3PAO runs the readiness review.

For: contractors with a CMMC Level 2 assessment scheduled in the next 6 months.

  • Open-CMMC + Access Gate deployment
  • SSP coverage matrix across 110 controls
  • Gap analysis + remediation plan
  • Partner C3PAO readiness review
  • Single contract, single assessor

Comparison

Where Open-CMMC Fits Alongside Other CMMC File-Sharing Tools.

Open-CMMC sits in the open-source, on-premise corner of the CMMC file-sharing space. The hosted SaaS options cover the same controls with vendor-managed operations and per-seat licensing. The table below maps where each option lands on the capabilities that matter for a CMMC Level 2 assessment. All comparisons come from public vendor documentation. Let us know if anything is out of date.

Capability                           Open-CMMC       PreVeil        Egnyte         GCC High      Box Federal   Kiteworks
Open-source (Apache-2.0)
On-premise deploy                                    Hybrid (E2E)   Yes (Connect)
FIPS 140 validated crypto            Inherited (OS)
OIDC + MFA built in
Envelope encryption (per-object)                     E2E
Tamper-evident audit chain
800-171 controls covered in product  72 of 110       Vendor docs    Vendor docs    Vendor docs   Vendor docs   Vendor docs
Self-host data and keys                              Hybrid         Yes (Connect)
Per-seat license cost                $0              Per-user/mo    Per-user/mo    Per-user/mo   Per-user/mo   Per-user/mo

Open-CMMC trades vendor-managed operations for transparency, self-hosted data and keys, and zero license cost. The CUI enclave architecture page walks through when on-premise fits and when a hosted SaaS option is the better choice.

Architecture

One VM, One Command, A Complete CUI Enclave.

The default turnkey shape is a single RHEL 9 / Alma 9 FIPS VM running cmmc-filebrowser plus a bundled Keycloak-FIPS OIDC IdP. Wazuh monitoring and external auth / SIEM integrations are optional add-ons layered on top. Four deploy shapes are supported:

Turnkey all-in-one

Bundled Keycloak + Wazuh. install.sh deploy --with-wazuh on a fresh RHEL/Alma 9 VM.

Federated IdP + bundled SIEM

Customer Entra GCC-H / Okta Gov / Ping for auth. Bundled Wazuh for monitoring.

Bundled IdP + federated SIEM

Bundled Keycloak. Audit forwards to customer Splunk / Sentinel / Elastic via rsyslog-ossl mTLS.

Fully federated

Customer IdP + customer SIEM. Appliance runs only the filebrowser core.

Installation

From Tarball to Running Enclave in ~3 Minutes.

No build toolchain needed on the target. Pick the architecture that matches uname -m.

# Enable FIPS first
sudo fips-mode-setup --enable && sudo reboot

# After reboot
sudo dnf install -y podman jq curl iproute firewalld \
  openssl policycoreutils-python-utils
sudo systemctl enable --now firewalld

# Download the release (amd64 or arm64)
ARCH=amd64
VER=v1.0.0
TAR=cmmc-filebrowser-$VER-linux-$ARCH.tar.gz
curl -LO https://github.com/TroutSoftware/Open-CMMC/releases/download/$VER/$TAR
curl -LO https://github.com/TroutSoftware/Open-CMMC/releases/download/$VER/$TAR.sha256
sha256sum --check $TAR.sha256

# Extract + deploy
tar -xzf $TAR
sudo cmmc-filebrowser-$VER-linux-$ARCH/config/install.sh \
  deploy --from-release "$(realpath $TAR)"

You get a TLS-enabled file browser on https://<host>:8443, Keycloak OIDC on https://<host>:8081, systemd units, firewalld rules, a self-signed CA + leaf cert (replaceable with customer PKI for production), an audit stream to journald, and envelope encryption on by default.

Air-gap installs work the same way: download the tarball on an internet-connected host and scp it to the target before extracting. --from-release skips the build phases entirely.

FAQ

Frequently Asked Questions

Is Open-CMMC a CMMC-certified product?

No product is itself "CMMC certified." CMMC is an assessment of the operating organization, not a vendor stamp. Open-CMMC covers 72 of 110 NIST SP 800-171 Rev 2 controls directly in product code and provides the artifacts (audit logs, control mappings, gap analyses) that a C3PAO needs to validate those controls in your environment. The CMMC shared responsibility matrix maps which controls Open-CMMC owns versus your team.

How does Open-CMMC compare to PreVeil or GCC High?

Open-CMMC is the open-source, on-premise, per-seat-cost-zero baseline. PreVeil and GCC High are closed-source SaaS with hosted operations and vendor-side control inheritance. Open-CMMC trades vendor-managed compliance for full transparency, self-hosted data and keys, and no license cost; the trade is that you (or a partner) operate it. The comparison table on this page details every dimension, and the CUI enclave architecture page covers when on-premise fits and when a hosted SaaS option is the better choice.

What is a CUI enclave?

A CUI enclave is a defined, isolated environment where Controlled Unclassified Information is stored, accessed, and audited under documented controls. The enclave boundary is what limits the scope of your CMMC assessment to a specific subset of users, systems, and data flows. Open-CMMC is the enclave's file-storage component; Access Gate handles the network-layer enclave boundary.

Which NIST SP 800-171 controls does Open-CMMC cover?

Open-CMMC addresses 72 of 110 controls directly inside product code, across families 3.1 (Access Control), 3.3 (Audit and Accountability), 3.4 (Configuration Management), 3.5 (Identification and Authentication), 3.6 (Incident Response), 3.8 (Media Protection), 3.11 (Risk Assessment), 3.12 (Security Assessment), 3.13 (System and Communications Protection), and 3.14 (System and Information Integrity). Wazuh extends coverage by another 18. The remainder are customer SSP, physical-protection, or maintenance controls outside product scope. The per-family coverage table on this page shows the breakdown.

Is Open-CMMC FIPS 140-3 validated?

Open-CMMC inherits FIPS 140-3 validated crypto from the underlying RHEL 9 / AlmaLinux 9 go-toolset (OpenSSL CMVP #4774). When the OS is in FIPS mode and the binary is built with the FIPS-enabled toolset, all symmetric crypto, TLS, and HMAC operations use validated modules. The product does not implement its own cryptography. See the FIPS-validated encryption guide for the assessment-side detail.

Can Open-CMMC and Access Gate be used together?

Yes, and that is the recommended architecture. Open-CMMC handles the file-storage layer of your CUI enclave (NIST families 3.1, 3.3, 3.8, 3.13). Access Gate handles the network-layer enclave boundary (zero-trust access control, microsegmentation, session logging) to cover the controls Open-CMMC alone cannot address. The two together close roughly 92 of 110 controls; the remainder is policy and physical.

Get Started

Ship Audit-Ready. Without Vendor Lock-In.

Clone the repo, read the posture, run the installer. Apache-2.0 means no seat tax and no feature gates.