# IG1 Starter Pack — Sample Evidence Package Manifest

- **Package ID:** IG1-SAMPLE-2026-04-10-bowman-prod
- **Generated:** 2026-04-10T14:22:00Z
- **Generator:** grc.engineering IG1 Starter Pack (ADR-021)
- **Subject:** Bowman Machine Works, Inc. — **synthetic, for demonstration only** (no real AWS account, CAGE code, or signatures)

---

## Verification

To verify the integrity of all files in this package:

```bash
sha256sum -c SHA256SUMS
```

Every file listed below must match its SHA256 hash. If any file fails verification, treat the whole package as tampered with and request a fresh copy from the delivering organization.

---

## File Listing

Short hashes below. See `SHA256SUMS` for the full 64-char values.

| Path | Type | Description | SHA256 (short) |
|---|---|---|---|
| `index.html` | Landing page | Browsable landing page for the sample package (hosted at signalplane.co). | `8cf20698c04c` |
| `README.md` | Narrative | Package overview; what it is, who it serves, how to navigate. | `7b7d3cace426` |
| `assessor-quickstart.md` | Narrative | 5-minute walkthrough for prime-flowdown reviewers and internal reviewers. | `003676ea45be` |
| `reports/gap-report.md` | Machine-generated | `gap-scanner.py --level l1` output in Markdown. Binary pass/fail against 17 L1 practices. | `e8318918968e` |
| `reports/gap-report.json` | Machine-generated | Same as above in JSON — for programmatic consumption. | `46d789f3224c` |
| `policies/physical-protection-policy.md` | Narrative (template-filled) | Bowman-filled Physical Protection Policy. Closes 4 PE red-set practices + AC.L1-b.1.iv narrative + MP.L1-b.1.vii on-prem supplement. | `4d040acfe17d` |
| `scope/shared-responsibility-matrix.md` | Narrative (template-filled) | Bowman-specific SRM. 17 L1 practices mapped to Customer / Shared / Provider responsibility, with POA&M summary. | `2a02520201a9` |
| `evidence/prowler-cis-output.json` | Machine-generated | Synthetic Prowler CIS IG1 scan against Bowman's AWS account. 26 checks (24 PASS + 2 FAIL). | `d8649eac8697` |
| `evidence/self-attestation-letter.md` | Narrative (signed) | Executive self-attestation letter. FAR 52.204-21 (b)(1) attestation, 18 U.S.C. § 1001 acknowledgement, package integrity pin. | `c8743af56730` |
| `provenance/PROVENANCE.md` | Narrative | Pipeline chain of custody. Which tool produced which artifact, reproducibility contract, sample limitations. | `de13bf74f6cd` |
| `SHA256SUMS` | Integrity | SHA256 hashes for every file above. | — (self) |

---

## Package statistics

- 9 artifacts + SHA256SUMS
- 3 machine-generated (Prowler scan, gap-report markdown, gap-report JSON)
- 4 narrative (README, quickstart, attestation, provenance)
- 2 template-filled (policy, SRM)
- 26 Prowler checks executed (24 PASS + 2 FAIL)
- 17 CMMC L1 practices covered: 12 green (scanned) + 1 amber (scan+policy) + 4 red (policy)
- 3 open POA&M items (2 failing Prowler checks → 3 affected practices with shared root cause)

---

## Not included (L1 scope)

L1 self-assessments do not require the following artifacts, so this package does not include them:

- OSCAL SSP / AP / AR / POA&M JSON (L2 artifact stack — see `site/sample-evidence-package/` for the L2 variant)
- Component-definitions per AWS service (L2 decomposition)
- GSN assurance-case fragments (L2 deliverable per ADR-007)
- C3PAO assessor quickstart (L1 has no C3PAO)
