# CMMC Level 1 Self-Assessment Package — Sample

> **SYNTHETIC SAMPLE** — this is a reference deliverable for grc.engineering's **IG1 Starter Pack** engagement. Every name, account ID, and signature in this package is fabricated. Bowman Machine Works is a fictional DIB sub-tier persona (12-person CNC shop, Toledo OH) used to show prospective clients what they receive at the close of a $5–12k, 2–4 week IG1 engagement.

---

**Organization:** Bowman Machine Works, Inc.
**System:** Bowman AWS production environment + Toledo office
**Framework:** CMMC Level 1 (FAR 52.204-21 (b)(1), 17 practices)
**Package Generated:** 2026-04-10
**Prepared By:** grc.engineering

## What This Package Is

This is the complete evidence set that backs Bowman's CMMC L1 **self-assessment**. Unlike CMMC L2, L1 does not require a C3PAO third-party assessment — the company attests to its own posture. This package is what Bowman keeps on file and hands to any prime contractor that flows FAR 52.204-21 (b)(1) down the supply chain.

The package has three ingredients that together cover all 17 practices:

| Ingredient | Covers | Source |
|---|---|---|
| **Prowler CIS IG1 scan** against Bowman's AWS account | 12 "green" practices (AC / IA / SC / SI families) + 1 "amber" practice's data-plane half (AC.L1-b.1.iv) | `evidence/prowler-cis-output.json` |
| **Gap report** summarizing pass/fail | Auto-generated from Prowler output + grc-eng L1 compliance mapping | `reports/gap-report.md`, `reports/gap-report.json` |
| **Physical Protection Policy** (grc-eng template, Bowman-filled) | 4 "red" practices (PE family) + the narrative half of AC.L1-b.1.iv + on-prem media supplement | `policies/physical-protection-policy.md` |
| **Shared Responsibility Matrix** | All 17 practices mapped to Customer / Shared / Provider responsibility | `scope/shared-responsibility-matrix.md` |
| **Self-attestation letter** | Executive sign-off attesting the posture | `evidence/self-attestation-letter.md` |

The **provenance** directory (`provenance/PROVENANCE.md`, `SHA256SUMS`, `MANIFEST.md`) records what tool generated each artifact, from what inputs, at what commit. Any prime with read-only credentials to the same AWS account can reproduce the scan by re-running the grc-eng pipeline at the pinned commit; the hashes in `SHA256SUMS` then let the prime confirm that the artifacts it received are the ones the pipeline produced.
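
As an added example (not the grc-eng pipeline's own tooling), the following Python performs the `SHA256SUMS` check a reviewer would run on receipt: it parses the `sha256sum(1)` manifest format, hashes every listed artifact, and reports `OK`, `FAILED`, or `MISSING` per entry. The two-file package and the post-hoc edit are constructed inline so the script runs offline; the file names mirror this package's layout but their contents are invented. A malformed manifest line raises rather than being skipped, so a damaged manifest can never read as "everything verified".

```python
"""Verify package artifacts against a sha256sum-format manifest.
Added example for this README; not grc-eng's own code."""
import hashlib
import os
import re
import tempfile

# sha256sum(1) line format: 64 hex chars, then two spaces (text mode) or
# " *" (binary mode), then the relative path.
_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map relative path -> expected hex digest. Blank and '#' lines are
    ignored; anything else that does not parse is an error, not a skip."""
    expected = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"SHA256SUMS line {n}: malformed entry: {line!r}")
        digest, path = m.groups()
        expected[path] = digest
    return expected


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large evidence files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(root: str, manifest_text: str) -> dict[str, str]:
    """Return {relative_path: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for rel, digest in parse_sha256sums(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif sha256_file(full) == digest:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Build a constructed two-file package, verify it, then edit one artifact
    after the manifest was produced and verify again.
    Returns (clean_results, tampered_results)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample contents; names only mirror this package's layout.
        files = {
            "reports/gap-report.md": b"# Gap report (constructed sample)\n",
            "evidence/self-attestation-letter.md": b"Attestation text (constructed sample)\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Manifest as produced at generation time, in sha256sum's own format.
        manifest = "".join(
            f"{hashlib.sha256(data).hexdigest()}  {rel}\n" for rel, data in files.items()
        )
        clean = verify_package(root, manifest)
        # Post-hoc edit: the reviewer's independently held manifest no longer matches.
        with open(os.path.join(root, "reports/gap-report.md"), "ab") as f:
            f.write(b"- extra line appended after the manifest was generated\n")
        tampered = verify_package(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean   :", clean)
    print("tampered:", tampered)
```

The check only proves the artifacts match the manifest the reviewer is holding. If that manifest came from the same directory as the artifacts and is not signed, an editor who can rewrite the files can regenerate it too, so keep a copy of `SHA256SUMS` (or a signature over it) outside the package before trusting the result.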

## How to Navigate

**If you are a prime contractor flowing FAR 52.204-21 (b)(1) down to Bowman** — start with `evidence/self-attestation-letter.md`, then skim the `reports/gap-report.md` for the posture summary, then open any specific practice area of concern in `scope/shared-responsibility-matrix.md`.

**If you are Bowman's internal reviewer** (annual recertification) — start with `assessor-quickstart.md`.

**If you are a prospective grc.engineering client** evaluating whether the IG1 Starter Pack is the right fit — start with `assessor-quickstart.md`, then look at the gap report to see what the auto-scan catches.

## Package Contents

```
sample-ig1-package/
├── README.md                          ← you are here
├── assessor-quickstart.md             5-minute walkthrough
├── MANIFEST.md                        file listing + SHA256
├── SHA256SUMS                         integrity hashes
├── reports/
│   ├── gap-report.md                  gap-scanner.py --level l1 output
│   └── gap-report.json
├── policies/
│   └── physical-protection-policy.md  fills the 4 PE red-set + AC.L1-b.1.iv
├── scope/
│   └── shared-responsibility-matrix.md
├── evidence/
│   ├── prowler-cis-output.json        synthetic Bowman scan (26 checks, 24 PASS + 2 FAIL)
│   └── self-attestation-letter.md     executive attestation
└── provenance/
    └── PROVENANCE.md                  pipeline chain of custody
```

## What Makes This Different from a Word-Document SSP

CMMC L1 self-assessments are usually delivered as a filled-in template — a Word document with unverifiable claims like "we limit access to authorized users." There is no traceable evidence that the claim is true at any given moment, and no way for a prime to verify the claim without trusting the supplier.

grc.engineering's IG1 Starter Pack inverts that:

- Every "green" practice claim is tied to a **timestamped Prowler check ID** you can re-run.
- Every "red" practice claim is tied to a **specific section of the signed Physical Protection Policy** with a named policy owner and review cadence.
- The **SHA256SUMS** file + `PROVENANCE.md` let any reviewer confirm the artifacts still match the hashes recorded at generation time. The check is only as strong as the reviewer's own copy of `SHA256SUMS`: hold it (or a signature over it) separately from the package, since an editor who can rewrite the artifacts can also regenerate an unsigned manifest.
- The **gap-scanner** (`tooling/gap-scanner.py --level l1`) can be re-run against a future scan in minutes to show posture drift.

See `research/cis-ig1-to-cmmc-l1-crosswalk.md` in the grc.engineering repository for the full 17-practice CIS IG1 → CMMC L1 coverage model, and `research/architecture-decisions.md` ADR-021 for the engagement-tier design decision.

## What This Package Does **Not** Include

L1 does not require, and therefore this package does not include:

- An OSCAL System Security Plan (SSP), Assessment Plan (AP), Assessment Results (AR), or Plan of Action and Milestones (POA&M) — those are L2 artifacts. If Bowman later upgrades to L2 (CUI handling), grc.engineering's L2 pipeline produces the full OSCAL set.
- A C3PAO assessor quickstart — L1 has no C3PAO.
- Component-definitions for every IAM / EC2 / S3 / RDS service — L1 doesn't decompose to the component layer; the CIS IG1 scan + physical policy + SRM is enough. Component-definitions ship with the L2 package.

## Engagement context

This sample reflects the close deliverable of a typical IG1 Starter Pack engagement:

- **Duration:** 2–4 weeks
- **Scope:** single AWS account + single physical office (or fully cloud + remote)
- **Price range:** $5k–$12k (validated empirically on the first engagement, per ADR-021)
- **Intended client:** DIB sub-tier supplier (5–50 employees) with FAR 52.204-21 (b)(1) flowed down, no CUI handling today, wants a defensible L1 self-attestation

For CMMC L2 (110 practices, C3PAO-assessed, $35k–$60k) see the [L2 sample package](../sample-evidence-package/) — same philosophy, full OSCAL stack.
