
Open-CMMC. CUI Storage, Open-Sourced.

An Apache-2.0 hardened file browser for on-premise CUI storage at CMMC Level 2 / NIST SP 800-171 Rev 2. Runs as a single Go binary on RHEL 9 or AlmaLinux 9 with FIPS mode enabled. OIDC + MFA, AES-256-GCM envelope encryption, ClamAV scan-on-upload, and a tamper-evident audit chain.

Open Source

What Is Open-CMMC?

Open-CMMC is an open-source reference implementation for storing Controlled Unclassified Information (CUI) on-premise at CMMC Level 2. It is a hardened fork of the Apache-2.0 filebrowser project, rebuilt around the controls in NIST SP 800-171 Rev 2 and designed to ship audit-ready.

Authentication is externalized to OIDC. Files are encrypted at rest with AES-256-GCM envelope encryption. Uploads are scanned by ClamAV (fail-closed). Every action — read, preview, mark change, admin event — emits a tamper-evident audit event with a correlation id. FIPS posture inherits OpenSSL CMVP #4774 via the RHEL / Alma go-toolset.

CMMC Program Final Rule is in effect (32 CFR 170). Phase 2 begins 2026-11-10 and requires a C3PAO assessment for Level 2 contracts. Open-CMMC gives defense suppliers a transparent, inspectable CUI enclave without vendor lock-in.

TroutSoftware/Open-CMMC · Apache-2.0 · Go 1.25 · FIPS 140-3 inherited · CMMC Level 2 Ready
Control Coverage

72 of 110 Controls, Directly in Product Code.

The deployed stack covers ~75 of the 110 NIST SP 800-171 Rev 2 controls. 72 are addressed directly inside the Open-CMMC process. Wazuh (the recommended SIEM + endpoint stack) extends coverage by another 18. The remainder are customer SSP responsibility or host / facility controls.

72 of 110: direct in product
18 added: Wazuh extends
8 policy: customer SSP
12 physical: host / facility
Family  Name                             Total  Direct  Wazuh / SSP
3.1     Access Control                      22      18      3 / 1
3.3     Audit & Accountability               9       6      3
3.4     Configuration Management             9       6      3
3.5     Identification & Authentication     11      11
3.6     Incident Response                    3       1      2
3.8     Media Protection                     9       9
3.11    Risk Assessment                      3       3
3.12    Security Assessment                  4       2      2
3.13    System & Comms Protection           16      14
3.14    System & Info Integrity              7       3      4

Families 3.2, 3.7, 3.9, 3.10 are omitted — they are customer policy, personnel, maintenance, or physical-protection controls, not product-scope. Full per-control statements are in the repo's compliance-posture.md.

Capabilities

What Open-CMMC Ships With.

Envelope Encryption at Rest

AES-256-GCM per-object envelope encryption. KEK lives in TPM or HSM. BoltDB rows are envelope-encrypted.
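Per-object envelope encryption as an added Go example, not Open-CMMC's own code: a 32-byte KEK supplied by the caller stands in for the TPM/HSM-held key, and binding the object id as GCM additional data on both layers is an assumption of this example. It shows that a wrong KEK, a blob moved to another object id, a truncated blob or a flipped bit all fail authentication before any plaintext is returned.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal encrypts under a fresh random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("sealed blob shorter than nonce") }
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt draws a fresh 256-bit DEK for this object, encrypts the object under it, then
// wraps the DEK under the KEK (here a caller-supplied key standing in for TPM/HSM). Both
// outputs are nonce || ciphertext || tag; objectID is AAD so a blob cannot be re-homed.
func Encrypt(kek []byte, objectID string, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	if ciphertext, err = seal(dek, plaintext, []byte(objectID)); err != nil { return nil, nil, err }
	if wrappedDEK, err = seal(kek, dek, []byte(objectID)); err != nil { return nil, nil, err }
	return wrappedDEK, ciphertext, nil
}

// Decrypt unwraps the DEK, then opens the object; a bit flip, wrong KEK or wrong
// objectID fails GCM authentication before any plaintext is released.
func Decrypt(kek []byte, objectID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(objectID))
	if err != nil { return nil, err }
	return open(dek, ciphertext, []byte(objectID))
}
```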

OIDC + MFA, FIPS TLS 1.3

Authentication externalized to Keycloak (bundled) or customer Entra GCC-H, Okta Gov, Ping. MFA and passkey flows built in.

Tamper-Evident Audit Chain

Every action emits a structured event with a correlation id. HMAC chain for integrity, forwarded via rsyslog-ossl mTLS to Splunk, Sentinel, or Elastic.
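An HMAC-chained audit log of the kind described here and in the overview above, as an added Go example that is not Open-CMMC's own code: the event shape, its field names and the key are assumed. It shows that an edited, deleted or reordered event breaks verification at that index; tail truncation is the case a local chain cannot catch by itself, which is what the forwarded SIEM copy is for.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// AuditEvent is a constructed stand-in for the page's event; field names are assumed.
type AuditEvent struct {
	Action        string `json:"action"` // read, preview, mark_change, admin_event
	Actor         string `json:"actor"`
	Object        string `json:"object"`
	CorrelationID string `json:"corr_id"`
	PrevMAC       string `json:"prev_mac"` // tag of the preceding event: the chain link
	MAC           string `json:"mac"`
}

// mac is HMAC-SHA256 over the JSON body with MAC cleared, so the tag also covers PrevMAC.
func mac(key []byte, ev AuditEvent) string {
	ev.MAC = ""
	body, _ := json.Marshal(ev)
	h := hmac.New(sha256.New, key)
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links ev to the current chain head, tags it and returns the longer chain.
func Append(key []byte, chain []AuditEvent, ev AuditEvent) []AuditEvent {
	ev.PrevMAC = ""
	if len(chain) > 0 {
		ev.PrevMAC = chain[len(chain)-1].MAC
	}
	ev.MAC = mac(key, ev)
	return append(chain, ev)
}

// Verify returns the index of the first event whose back-link or tag fails (an edit,
// deletion or reorder), or -1 if intact. Tail truncation is only caught by the SIEM copy.
func Verify(key []byte, chain []AuditEvent) int {
	prev := ""
	for i, ev := range chain {
		if ev.PrevMAC != prev || !hmac.Equal([]byte(ev.MAC), []byte(mac(key, ev))) {
			return i
		}
		prev = ev.MAC
	}
	return -1
}
```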

CUI Marking UI (NIST 3.8.4)

Per-folder CUI marks: BASIC, SPECIFIED, SP-PROPIN, SP-PRVCY, SP-ITAR. Admin-gated with fresh MFA required; every change audited.

Single-VM Turnkey Deploy

One binary, one command, one VM. RHEL 9 / AlmaLinux 9 / Rocky 9 with FIPS mode enabled. ~3 minutes from tarball to running enclave.

Apache-2.0, Fork-Friendly

Hardened fork of filebrowser/filebrowser with per-control coverage and gap-analysis docs you can copy into your SSP.

Architecture

One VM, One Command, A Complete CUI Enclave.

The default turnkey shape is a single RHEL 9 / Alma 9 FIPS VM running cmmc-filebrowser plus a bundled Keycloak-FIPS OIDC IdP. Wazuh monitoring and external auth / SIEM integrations are optional add-ons layered on top. Four deploy shapes are supported:

Turnkey all-in-one

Bundled Keycloak + Wazuh. install.sh deploy --with-wazuh on a fresh RHEL/Alma 9 VM.

Federated IdP + bundled SIEM

Customer Entra GCC-H / Okta Gov / Ping for auth. Bundled Wazuh for monitoring.

Bundled IdP + federated SIEM

Bundled Keycloak. Audit forwards to customer Splunk / Sentinel / Elastic via rsyslog-ossl mTLS.

Fully federated

Customer IdP + customer SIEM. Appliance runs only the filebrowser core.

Installation

From Tarball to Running Enclave in ~3 Minutes.

No build toolchain is needed on the target. Set ARCH to amd64 or arm64 to match the output of uname -m (x86_64 or aarch64).

# Enable FIPS first
sudo fips-mode-setup --enable && sudo reboot

# After reboot
sudo dnf install -y podman jq curl iproute firewalld \
  openssl policycoreutils-python-utils
sudo systemctl enable --now firewalld

# Download the release (amd64 or arm64)
ARCH=amd64
VER=v1.0.0
TAR=cmmc-filebrowser-$VER-linux-$ARCH.tar.gz
curl -LO https://github.com/TroutSoftware/Open-CMMC/releases/download/$VER/$TAR
curl -LO https://github.com/TroutSoftware/Open-CMMC/releases/download/$VER/$TAR.sha256
sha256sum --check $TAR.sha256

# Extract + deploy
tar -xzf $TAR
sudo cmmc-filebrowser-$VER-linux-$ARCH/config/install.sh \
  deploy --from-release "$(realpath $TAR)"

You get a TLS-enabled file browser on https://<host>:8443, Keycloak OIDC on https://<host>:8081, systemd units, firewalld rules, a self-signed CA + leaf cert (replaceable with customer PKI for production), an audit stream to journald, and envelope encryption on by default.

Air-gap installs work the same way — download the tarball on an internet-connected host and scp it to the target before extracting. --from-release skips the build phases entirely.

Get Started

Ship Audit-Ready. Without Vendor Lock-In.

Clone the repo, read the posture, run the installer. Apache-2.0 means no seat tax and no feature gates.