# 5-Minute Walkthrough

You received this package because Bowman Machine Works has a **CMMC Level 1 self-assessment** on file. L1 is the baseline 17-practice requirement flowed down from primes under FAR 52.204-21(b)(1). It is self-attested (no C3PAO).

This guide orients you in five minutes regardless of whether you are:

- A prime contractor's flowdown-compliance reviewer checking Bowman's posture
- Bowman's own reviewer doing annual recertification
- A prospective grc.engineering client evaluating the IG1 Starter Pack

---

## Step 1 — Read the Self-Attestation (30 seconds)

**File:** `evidence/self-attestation-letter.md`

This is the executive-signed statement that the 17 practices are implemented as described. The signer's name, title, signature date, and the pin-hash of this evidence package are at the bottom. If the pin-hash does not match `SHA256SUMS`, the package has been altered.

---

## Step 2 — Skim the Gap Report (1 minute)

**File:** `reports/gap-report.md`

The gap report shows the current status of each practice:

- **Practices failing:** count of practices where the scan found at least one failing check
- **Failing practices:** named list
- **Not scanned:** practices whose evidence is narrative-only (the 4 PE practices + the policy half of AC.L1-b.1.iv)

For Bowman's sample package, the scan found 2 failing Prowler checks that affect 3 practices (MFA gap on one user, password-policy-length gap account-wide). Both have an open POA&M item in the SRM with a target remediation date.

---

## Step 3 — Check the Responsibility Matrix (1 minute)

**File:** `scope/shared-responsibility-matrix.md`

The SRM shows who owns each of the 17 practices:

- **C** = Bowman
- **S** = Shared with AWS
- **P** = AWS fully

A prime reviewer cares most about the **C** and **S** rows — those are where Bowman has something to prove.

The **Open POA&M items** table at the bottom lists every gap the scan found, with an owner and target date.

---

## Step 4 — Trace a "Red" Practice to the Physical Protection Policy (2 minutes)

The 4 PE practices (PE.L1-b.1.viii through .xi) and one supplement to AC.L1-b.1.iv cannot be verified by an automated AWS scan — they require narrative evidence.

**File:** `policies/physical-protection-policy.md`

Each section of the policy maps to one CMMC L1 practice:

| Practice | Section |
|---|---|
| PE.L1-b.1.viii — Limit physical access | §1 Facility Access Authorization |
| PE.L1-b.1.ix — Escort visitors | §2 Visitor Escort Procedure |
| PE.L1-b.1.x — Physical access logs | §3 Physical Access Log |
| PE.L1-b.1.xi — Physical access devices | §4 Badge and Key Inventory |
| AC.L1-b.1.iv supplement | §5 Website Content Review Procedure |
| MP.L1-b.1.vii supplement | §6 Media Disposal Procedure |

Every section names: the control owner, the storage location for the supporting records, the review cadence, and the SLA. The policy is signed in §8 Attestation.

---

## Step 5 — Verify Package Integrity (30 seconds)

Check that the package has not been altered since it was signed:

```bash
cd sample-ig1-package/
sha256sum -c SHA256SUMS
```

Every file should report `OK`. If any file reports `FAILED`, the package has been tampered with and should not be relied on.

The `provenance/PROVENANCE.md` file documents which grc.engineering pipeline commit produced the artifacts. Any prime that wants independent verification can re-run the pipeline at the same commit hash against a read-only IAM role in Bowman's AWS account.

---

## What to Challenge

If you are a prime contractor reviewer, these are the questions worth pressing:

1. **Is the AWS account in the scan actually in scope for this contract?** — cross-check the account ID in `evidence/prowler-cis-output.json` against Bowman's contract boundary.
2. **Are the "not scanned" practices (the 4 PE + AC.L1-b.1.iv narrative half) actually implemented, or just documented?** — ask Bowman for an attestation from the named owner in the Physical Protection Policy that the review cadence has been met since the effective date.
3. **Are the open POA&M items on track?** — compare the "target remediation" dates in the SRM against the self-attestation date. If target dates have passed without resolution, ask for an updated POA&M.
4. **When was the scan run?** — check the `time` field in `evidence/prowler-cis-output.json`. For an annual self-assessment, primes typically accept scans less than 90 days old.
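The two mechanical checks above (Step 5's `sha256sum -c` and question 4's scan-age test) combined into one reviewer script. This is an added example, not code from the grc.engineering pipeline or the Bowman package; it assumes `SHA256SUMS` is in GNU coreutils format, that the Prowler output is a JSON list of findings each carrying an ISO-8601 `time` field, and it builds a small constructed sample package in a temp directory rather than reading the real one.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

MAX_SCAN_AGE_DAYS = 90  # what primes typically accept for an annual self-assessment

def verify_sha256sums(pkg: Path) -> dict:
    """Recompute each digest in SHA256SUMS; returns {path: 'OK'|'FAILED'|'MISSING'} like `sha256sum -c`."""
    results = {}
    for line in (pkg / "SHA256SUMS").read_text().splitlines():
        expected, name = line.split(maxsplit=1)  # coreutils format: '<hex>  <path>'
        target = pkg / name.lstrip("*")  # a leading '*' marks binary mode in coreutils
        if not target.is_file():
            results[name] = "MISSING"
        else:
            actual = hashlib.sha256(target.read_bytes()).hexdigest()
            results[name] = "OK" if actual == expected else "FAILED"
    return results

def scan_age_days(pkg: Path, now: datetime) -> int:
    """Days from the newest `time` field in the Prowler output to `now` (assumes a JSON list of findings)."""
    findings = json.loads((pkg / "evidence/prowler-cis-output.json").read_text())
    return (now - max(datetime.fromisoformat(f["time"]) for f in findings)).days

def build_sample_package(root: Path, tamper: bool) -> Path:
    """Constructed sample package (not Bowman's): two evidence files plus a matching
    SHA256SUMS; with tamper=True the letter is edited after the sums were written."""
    pkg = root / "sample-ig1-package"
    (pkg / "evidence").mkdir(parents=True)
    files = {
        "evidence/self-attestation-letter.md": b"# Self-Attestation\nSigned 2024-02-01\n",
        "evidence/prowler-cis-output.json":
            json.dumps([{"time": "2024-01-15T10:00:00+00:00", "status": "FAIL"}]).encode(),
    }
    for name, data in files.items():
        (pkg / name).write_bytes(data)
    (pkg / "SHA256SUMS").write_text(
        "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items()))
    if tamper:  # a post-signing edit: the digest on file no longer matches the content
        (pkg / "evidence/self-attestation-letter.md").write_bytes(b"# Signed 2024-03-01\n")
    return pkg

def run_review(tamper: bool = False) -> dict:
    """Build the sample package in a temp dir and run both checks as of a fixed review date."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed review date
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(Path(tmp), tamper)
        sums, age = verify_sha256sums(pkg), scan_age_days(pkg, now)
    return {"integrity_ok": all(v == "OK" for v in sums.values()), "sums": sums,
            "scan_age_days": age, "scan_fresh": age <= MAX_SCAN_AGE_DAYS}
```

Against a real package, point `verify_sha256sums` and `scan_age_days` at the unpacked `sample-ig1-package/` directory and pass the current UTC time as `now`; a `FAILED` or `MISSING` entry means the package should not be relied on, exactly as Step 5 says.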

---

## Escalation

If anything in this package looks wrong, contact grc.engineering at the address in `provenance/PROVENANCE.md`. grc.engineering is the contractor that prepared the package on Bowman's behalf; Bowman's operational contact is listed in `evidence/self-attestation-letter.md`.
