Application Allowlisting: The Critical Security Tool for CMMC Compliance and Modern Cyber Defense

In the evolving world of cybersecurity compliance, one concept is rapidly gaining traction among federal contractors and small businesses alike: application allowlisting. While often overlooked due to its perceived complexity, allowlisting is emerging as a foundational requirement, especially for those seeking to meet the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC).

In a recent Carahsoft-hosted webinar, cybersecurity leaders Corey Munson (VP at PC Matic), Willie Crenshaw (former NASA executive and cybersecurity consultant), and Adam Austin (Owner of Totem Technologies) came together to dissect the importance of application allowlisting, its connection to CMMC, and why now is the time to adopt a “default-deny” strategy for endpoint security.

CUI: The New Battleground in Federal Cybersecurity

The conversation opened with a breakdown of Controlled Unclassified Information (CUI)—data that, while not classified, can still cause significant harm if compromised. As Willie Crenshaw explained, “Just because it’s unclassified doesn’t mean it’s free to roam.” From DoD schematics to Department of Education records, CUI spans a wide array of federal missions and programs.

Adam Austin added context by highlighting the Obama-era Executive Order that centralized CUI policy oversight under the National Archives and Records Administration (NARA). Agencies are required to flow down CUI protection standards through their supply chains, making contractors accountable for compliance.

CMMC Model

The DoD’s response to persistent threats to CUI is the Cybersecurity Maturity Model Certification (CMMC), a framework designed to enforce compliance. CMMC is structured into three levels:

  • Level 1: Basic safeguarding of Federal Contract Information (FCI)
  • Level 2: Advanced protection for CUI, based on NIST SP 800-171 Rev. 2
  • Level 3: Protection of “CUI+” related to critical weapons systems, incorporating additional NIST SP 800-172 controls

Austin pointed out that while the requirements to protect CUI have existed for over a decade, CMMC introduces auditable, enforceable mechanisms—potentially including civil and criminal penalties for non-compliance. “It’s no longer just a contract clause—it’s an accountability model,” he said.

CMMC’s rollout is imminent, with final rulemaking stages already under White House review. Contractors will likely see CMMC clauses embedded in new contracts by the end of 2025.

The Misunderstood Power of Application Allowlisting

At the heart of this discussion is application allowlisting—a security strategy that flips the traditional antivirus model on its head. Rather than blocking known bad applications (blacklisting), allowlisting only permits known, verified software to execute, denying everything else by default.

Austin likened it to airport security: “You can’t get past TSA unless you’re on the list. That’s what allowlisting does for your systems—it prevents unknown software from getting in.”

Historically, allowlisting has been underutilized due to the governance and administrative burden of maintaining an allowlist. Organizations struggled with:

  • Approving new software (onboarding/offboarding)
  • Validating software origins (supply chain risk)
  • Managing dynamic IT environments

The Modern Approach: Global and Local Allowlisting

To combat these challenges, PC Matic’s allowlisting offers a practical approach:

  1. Global Allowlist – Maintained by a malware research team, this list covers widely used, legitimate applications. It serves as a baseline that organizations can deploy instantly without manual setup.
  2. Local Allowlist – Organizations can customize additional rules, allowing or denying applications based on their specific needs.
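The decision model described in this section (deny by default, a centrally maintained global baseline, and local allow/deny rules layered on top) can be expressed as a small policy engine. The example below is an added illustration, not PC Matic’s or Totem Technologies’ code, and it makes several assumptions that the webinar does not spell out: executables are identified by SHA-256 hash, an explicit local deny takes precedence over a local allow, which takes precedence over the global list, and the sample “binaries” are short constructed byte strings. It also contrasts the result with the traditional blacklist model from earlier in this section, where a never-seen-before file runs because no signature exists for it yet.

```python
"""Default-deny application allowlisting with a global and a local list.

Added example, not PC Matic's or Totem Technologies' code. Hash-based
identity, the rule precedence (local deny > local allow > global allow >
default deny) and all sample "binaries" are assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW_GLOBAL = "allowed: on global allowlist"
    ALLOW_LOCAL = "allowed: local rule"
    DENY_LOCAL = "denied: local rule"
    DENY_DEFAULT = "denied: not on any allowlist (default-deny)"


def fingerprint(image: bytes) -> str:
    """Identify an executable by its SHA-256; any modification changes it."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class AllowlistPolicy:
    # Baseline of widely used, vetted software (maintained centrally).
    global_allow: set[str]
    # Organization-specific additions and exceptions.
    local_allow: set[str] = field(default_factory=set)
    local_deny: set[str] = field(default_factory=set)

    def evaluate(self, image: bytes) -> Verdict:
        digest = fingerprint(image)
        if digest in self.local_deny:      # an explicit local block wins
            return Verdict.DENY_LOCAL
        if digest in self.local_allow:     # org-approved line-of-business app
            return Verdict.ALLOW_LOCAL
        if digest in self.global_allow:    # vetted by the global baseline
            return Verdict.ALLOW_GLOBAL
        return Verdict.DENY_DEFAULT        # everything else is denied


def blocklist_evaluate(image: bytes, known_bad: set[str]) -> bool:
    """Traditional blacklist model: run unless the hash is a known-bad one."""
    return fingerprint(image) not in known_bad


# Constructed stand-ins for executable images (not real binaries).
IMAGES = {
    "editor.exe": b"constructed: widely used editor, vetted centrally",
    "lob_tool.exe": b"constructed: in-house line-of-business tool",
    "retired_util.exe": b"constructed: vetted globally but retired locally",
    "unknown_dropper.exe": b"constructed: never-seen-before file",
}


def build_demo_policy() -> AllowlistPolicy:
    return AllowlistPolicy(
        global_allow={fingerprint(IMAGES["editor.exe"]),
                      fingerprint(IMAGES["retired_util.exe"])},
        local_allow={fingerprint(IMAGES["lob_tool.exe"])},
        local_deny={fingerprint(IMAGES["retired_util.exe"])},
    )


def run_demo() -> dict[str, Verdict]:
    policy = build_demo_policy()
    results = {name: policy.evaluate(img) for name, img in IMAGES.items()}
    # A single-byte change to a vetted binary yields an unknown hash.
    results["editor.exe (tampered)"] = policy.evaluate(IMAGES["editor.exe"] + b"\x00")
    return results


def compare_models() -> dict[str, tuple[bool, bool]]:
    """(runs under blocklist?, runs under allowlist?) for each image."""
    policy = build_demo_policy()
    known_bad: set[str] = set()  # the dropper has no signature yet
    return {
        name: (blocklist_evaluate(img, known_bad),
               policy.evaluate(img) in (Verdict.ALLOW_GLOBAL, Verdict.ALLOW_LOCAL))
        for name, img in IMAGES.items()
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} {verdict.value}")
    for name, (bl, al) in compare_models().items():
        print(f"{name:28} blocklist runs={bl!s:5} allowlist runs={al}")
```

Two behaviours are worth noting for anyone building a local allowlist on top of a vendor baseline: a locally retired tool stays blocked even though the global list still vouches for it, and a tampered copy of an approved program is treated as unknown and denied, which is why hash- or signature-based identity matters more than file name or path.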

For Austin, this was a game-changer: “Most small businesses don’t have the time or expertise to run PowerShell scripts and build their own governance model. PC Matic’s approach gets you started fast and lets you grow into a mature configuration management posture.”

Allowlisting and NIST 800-171

Allowlisting is explicitly required in NIST SP 800-171 Rev. 3, which CMMC Level 2 will soon adopt. It falls under the Configuration Management (CM) control family—one of the most critical yet overlooked components of cybersecurity. Both Austin and Crenshaw emphasized that many compliance failures stem from weak or nonexistent configuration management.

Crenshaw explained that the CDM (Continuous Diagnostics and Mitigation) program in civilian agencies and the rise of zero trust architecture have both converged on the need for stronger control at the software level. “Configuration is where things break down. If you don’t know what’s installed, what’s running, or where it came from, you’ve already lost,” he said.

Allowlisting vs. Antivirus and EDR

While many organizations still rely on antivirus (AV) and endpoint detection and response (EDR) tools, these solutions are reactive and require continuous updates. Allowlisting is proactive, blocking unknown or unauthorized applications from executing in the first place.

Munson noted, “Allowlisting doesn’t replace your EDR, it makes it more effective by reducing the noise.” Additionally, allowlisting is now being required or rewarded in cyber insurance underwriting, showing that risk managers view it as a serious risk-reduction measure.

Supporting Underserved Contractors

Totem Technologies has developed a PC Hardening Guide for Micro Contractors, helping small firms secure their systems even if they lack IT staff. The guide outlines how to harden Windows 11 endpoints and includes instructions for applying allowlisting.

“Even a two-person organization can meet 800-171 controls with the right tools and guidance,” said Austin. The guide includes using PC Matic’s allowlisting solution as a key control.

The Threat Landscape Demands Proactive Measures

Both Crenshaw and Austin warned of the expanding threat landscape, including:

  • Zero-day exploits
  • AI-enabled attacks
  • Browser extension vulnerabilities
  • Remote work threats from insecure home networks

“Allowlisting isn’t just about compliance anymore, it’s about survival,” said Crenshaw. “We can’t just rely on antivirus and hope for the best. The adversaries are too good.”

Conclusion: Application Allowlisting Is No Longer Optional

As CMMC becomes a requirement for DoD contractors—and potentially for civilian agencies—application allowlisting is one of the few proactive, enforceable defenses organizations can deploy. With tools like PC Matic’s allowlisting platform and Totem Technologies’ hardening guide, small and large businesses alike can now adopt this security model without prohibitive complexity.

In a world where nation-state threats are targeting not just secrets, but everything from rocket design to student loan data, allowlisting isn’t just a box to check; it’s a foundational control in building a resilient, compliant, and secure cyber environment.
