CMMC 2.0 / NIST 800-171 Customer Configuration Checklist
Because Vector GFX operates a Zero-Knowledge model, the responsibility for protecting the data created within our applications falls under the customer's "System Security Plan" (SSP). Use this checklist to satisfy your CMMC Level 2 audit objectives.
1. Access Control (AC)
Requirement (3.1.1): Limit system access to authorized users.
Implementation: Ensure Canvas X Draw is only installed on workstations belonging to users with "Need-to-Know" clearance for the project data being illustrated.
Requirement (3.1.2): Limit transactions/functions.
Implementation: Use Windows/macOS Standard User accounts for daily design work. Only use Administrator accounts for the initial installation and updates of Canvas X Draw.
2. Configuration Management (CM)
Requirement (3.4.1): Establish baseline configurations.
Implementation: List Canvas X Draw in your Software Inventory. Record the specific version (e.g., Version N) to prove you are using a version currently supported with security patches.
Requirement (3.4.7): Restrict non-essential software.
Implementation: If using the Air-Gapped Edition, disable all network adapters (WiFi/Ethernet) at the OS level to ensure the workstation remains an isolated enclave.
3. Identification & Authentication (IA)
Requirement (3.5.3): Use multi-factor authentication (MFA).
Implementation: Ensure the Windows or macOS host machine requires MFA (e.g., Windows Hello for Business, Smart Cards, or YubiKeys) before a user can launch the application and access technical drawings.
4. Media Protection (MP)
Requirement (3.8.3): Sanitize or destroy system media.
Implementation: When retiring a workstation used for Canvas X Draw, ensure the local drive is wiped according to NIST 800-88 standards, as the application saves files locally.
5. System & Information Integrity (SI)
Requirement (3.14.1): Identify, report, and correct system flaws.
Implementation: Subscribe to the Vector GFX Security Advisory mailing list to receive immediate notification of "Critical" patches and "Zero-Day" mitigations.
Security FAQ: Quick Reference for IT Managers
Q: Where is my data stored when I use Canvas X Draw?
A: Locally. Vector GFX has no cloud storage components for your drawings. All .cvx files and exported PDFs reside on your local hard drive or your company’s secure file server.
Q: Does the software "Phone Home" for license checks?
A: The standard version performs a periodic encrypted handshake for license validation. For DOD customers in high-security environments, the Air-Gapped Edition eliminates this requirement entirely, allowing for 100% offline operation.
Q: Is the software FIPS-compliant?
A: As a desktop application, Canvas X Draw utilizes the FIPS 140-2/3 validated cryptographic modules provided by the host Operating System (Windows or macOS) for securing data at rest and in transit.
Q: How do I verify the integrity of the installer?
A: All Vector GFX installers are digitally signed. Right-click the .exe (Windows) or check the .dmg (Mac) to verify the "Digital Signature" is from Vector GFX, Inc.
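The signature check from the last answer, scripted for Windows so the result can be kept as audit evidence. This is an added example, not Vector GFX code; the function name and installer path are placeholders, and the expected signer string is assumed to match the name given in the answer.

```powershell
# Added example, not Vector GFX code. Verifies an installer's Authenticode
# signature and emits a record suitable for attaching to SSP evidence.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        # Assumption: signer name as quoted in the FAQ; confirm the exact
        # certificate subject with the vendor before enforcing it.
        [string] $ExpectedSigner = 'Vector GFX, Inc.'
    )

    $file = Get-Item -LiteralPath $InstallerPath -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # Unsigned files have no signer certificate, so guard before reading it.
    $signer = if ($cert) {
        $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
    } else { $null }

    # Status 'Valid' means the file hash matches the signature and the chain
    # builds to a trusted root; HashMismatch, NotTrusted or NotSigned all fail.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
    $signerOk = $signer -eq $ExpectedSigner

    [pscustomobject]@{
        File         = $file.FullName
        SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Status       = $sig.Status
        StatusDetail = $sig.StatusMessage
        Signer       = $signer
        Thumbprint   = if ($cert) { $cert.Thumbprint } else { $null }
        Timestamped  = [bool]$sig.TimeStamperCertificate
        Passed       = $statusOk -and $signerOk
        CheckedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Placeholder path; substitute the installer you actually downloaded.
$result = Test-InstallerSignature -InstallerPath 'C:\Staging\installer.exe'
$result | Format-List
if (-not $result.Passed) {
    Write-Error 'Installer failed signature verification; do not install.'
    exit 1
}
```

Run it on the staging machine before the installer is copied to the target workstation, and file the output with the software inventory entry for that version.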