What you’re looking at
CMMC Level 1 is the 17-practice baseline flowed down by primes under FAR 52.204-21 (b)(1). It is self-assessed — no C3PAO. This package is the full evidence set a DIB sub-tier supplier keeps on file to back that self-attestation.
Unlike a Word-document SSP, every “green” practice is tied to a timestamped Prowler check ID, every “red” practice is tied to a signed policy section, and the whole package is pinned with SHA256 hashes so any prime can verify nothing was altered after signing.
Posture at a glance
Package contents
| Artifact | Type | Purpose |
|---|---|---|
| README.md | narrative | Package overview |
| assessor-quickstart.md | narrative | 5-minute walkthrough for reviewers |
| reports/gap-report.md | machine | gap-scanner.py --level l1 output |
| reports/gap-report.json | machine | Same, JSON |
| policies/physical-protection-policy.md | template-filled | Closes 4 PE practices + AC.L1-b.1.iv narrative + MP.L1-b.1.vii |
| scope/shared-responsibility-matrix.md | template-filled | 17 practices by Customer / Shared / Provider |
| evidence/prowler-cis-output.json | machine | Synthetic Bowman scan, 26 checks |
| evidence/self-attestation-letter.md | signed | Executive FAR 52.204-21 attestation |
| provenance/PROVENANCE.md | narrative | Pipeline chain of custody |
| MANIFEST.md · SHA256SUMS | integrity | File listing + hashes |
Findings summary
The scan found 2 failing Prowler checks that cascade into 3 CMMC L1 practices. Both have open POA&M items with 2026-04-20 target remediation.
| Practice | Check | Status |
|---|---|---|
| AC.L1-b.1.ii | iam_user_mfa_enabled_console_access | FAIL |
| IA.L1-b.1.v | iam_password_policy_minimum_length_14 | FAIL |
| IA.L1-b.1.vi | iam_user_mfa_enabled_console_access | FAIL |
Coverage model
The L1 practices split into three coverage tiers based on whether CIS IG1 + Prowler can verify them:
| Tier | Count | Evidence source |
|---|---|---|
| green | 12 | Prowler CIS IG1 scan (fully automated) |
| amber | 1 | AC.L1-b.1.iv — Prowler data-plane checks + §5 of Physical Protection Policy (website content review) |
| red | 4 | PE.L1-b.1.viii-xi — §1–4 of Physical Protection Policy (physical facility controls, narrative only) |
See research/cis-ig1-to-cmmc-l1-crosswalk.md in the grc-eng repository for the full mapping.
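The cascade in the findings summary (2 failing checks, 3 failing practices) and the three coverage tiers above both fall out of one rule: a practice fails if any check mapped to it fails, and a practice with no mapped checks is narrative-only. The block below is an added illustration of that rule, not the project's gap-scanner.py; it assumes Prowler's JSON output uses `CheckID`/`Status` fields, and the crosswalk subset and scan findings are constructed sample data (only the check and practice IDs named on this page are real).

```python
"""Constructed example: derive per-practice CMMC L1 status from Prowler findings."""
import json

# Constructed subset of a CIS IG1 -> CMMC L1 crosswalk. Check IDs taken from the
# page's findings table; "constructed_passing_check_01" is a placeholder ID.
CROSSWALK = {
    "AC.L1-b.1.i": ["constructed_passing_check_01"],          # green tier
    "AC.L1-b.1.ii": ["iam_user_mfa_enabled_console_access"],  # fails on the page
    "IA.L1-b.1.v": ["iam_password_policy_minimum_length_14"],
    "IA.L1-b.1.vi": ["iam_user_mfa_enabled_console_access"],  # same check, second practice
    "PE.L1-b.1.viii": [],                                     # red tier: policy section only
}

# Constructed findings in Prowler JSON shape (assumed field names CheckID / Status).
SAMPLE_FINDINGS = [
    {"CheckID": "iam_user_mfa_enabled_console_access", "Status": "FAIL", "ResourceId": "alice"},
    {"CheckID": "iam_user_mfa_enabled_console_access", "Status": "PASS", "ResourceId": "bob"},
    {"CheckID": "iam_password_policy_minimum_length_14", "Status": "FAIL", "ResourceId": "account"},
    {"CheckID": "constructed_passing_check_01", "Status": "PASS", "ResourceId": "bucket-1"},
]


def practice_status(findings, crosswalk):
    """Map each practice to (status, relevant check IDs).

    FAIL if any mapped check failed on any resource; PASS only when every mapped
    check was scanned and none failed; NARRATIVE when no checks map to it; and
    NO_EVIDENCE when a mapped check is absent from the scan (never assume green).
    """
    seen = {}
    for f in findings:
        seen.setdefault(f["CheckID"], set()).add(f["Status"])
    out = {}
    for practice, checks in crosswalk.items():
        if not checks:
            out[practice] = ("NARRATIVE", [])
            continue
        failing = [c for c in checks if "FAIL" in seen.get(c, set())]
        missing = [c for c in checks if c not in seen]
        if failing:
            out[practice] = ("FAIL", failing)
        elif missing:
            out[practice] = ("NO_EVIDENCE", missing)
        else:
            out[practice] = ("PASS", [])
    return out


def cascade_summary(statuses):
    """Return (distinct failing checks, sorted failing practices) for the summary line."""
    failed_checks = {c for s, cs in statuses.values() if s == "FAIL" for c in cs}
    return len(failed_checks), sorted(p for p, (s, _) in statuses.items() if s == "FAIL")


def load_prowler_json(path):
    """Load a real Prowler JSON report (a list of finding objects) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)
```

Running `cascade_summary(practice_status(SAMPLE_FINDINGS, CROSSWALK))` reproduces the page's "2 checks, 3 practices" count, with the MFA check counted once even though it backs two practices.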
Verify package integrity
```sh
cd sample-ig1-package/
sha256sum -c SHA256SUMS
```
Every file should report OK. If any file fails, the package has been altered after signing.
What makes this different
Most IG1 self-assessments are a filled-in Word template. The claims are rate-limited assertions with no machine-verifiable backing. A prime has to trust the supplier; a supplier has to rewrite the document every renewal.
grc.engineering’s IG1 Starter Pack inverts that:
- Every “green” practice is tied to a timestamped Prowler check ID any reviewer can re-run.
- Every “red” practice is tied to a specific section of a signed policy with a named owner and review cadence.
- The SHA256SUMS + PROVENANCE.md pair makes post-hoc editing detectable.
- Re-running the gap scanner against a fresh scan takes minutes, not weeks — so posture drift is visible.
Engagement sizing
- Duration: 2–4 weeks
- Price range: $5k–$12k (validating empirically on the first engagement per ADR-021)
- Target client: DIB sub-tier supplier, 5–50 employees, FAR 52.204-21 (b)(1) flowed down from a prime, no CUI handling today
- If CUI arrives later: the L2 engagement (110 practices, C3PAO, $35k–$60k) ships the full OSCAL stack — see the L2 sample package