# CMMC Level 1 Self-Assessment Attestation

> **SYNTHETIC SAMPLE** — this is a reference deliverable. Every name, title, account ID, and signature below is fabricated. No real Bowman Machine Works exists.

---

**Date of attestation:** 2026-04-10

**Organization:** Bowman Machine Works, Inc.
**Address:** 1420 Industrial Parkway, Toledo, OH 43612
**CAGE Code:** [FABRICATED-CAGE]
**Contract reference:** FAR 52.204-21 (b)(1) flowed down via purchase order [FABRICATED-PO] from [FABRICATED-PRIME]

**System in scope:** Bowman Machine Works production environment, consisting of:

- AWS account `555777111222` (us-east-2), hosting the Bowman ERP, CAD drawing bucket, and internal tooling
- Single physical office at 1420 Industrial Parkway, Toledo OH
- 12 employees, 3 company-issued laptops, 15 Kisi badges, 4 physical keys

---

## Attestation Statement

I, **Margaret R. Bowman**, President & Owner of Bowman Machine Works, Inc., attest that:

1. Bowman Machine Works has implemented and is operating the 17 basic safeguarding requirements specified in FAR 52.204-21 (b)(1) and CMMC Level 1, as described in the accompanying evidence package.
2. The 12 "green" automatable practices are supported by the Prowler CIS IG1 scan at `evidence/prowler-cis-output.json`, dated 2026-04-10.
3. The 4 "red" Physical Protection practices (PE.L1-b.1.viii through .xi) and the narrative half of AC.L1-b.1.iv are supported by the Physical Protection Policy at `policies/physical-protection-policy.md`, signed by me effective 2026-03-01.
4. The 1 "amber" practice (AC.L1-b.1.iv) is supported by both the Prowler public-access checks and §5 of the Physical Protection Policy.
5. The 2 open Plan of Action and Milestones items listed in `scope/shared-responsibility-matrix.md` will be remediated by 2026-04-20, at which point this attestation will be re-issued.
6. No Federal Contract Information (FCI) is stored, processed, or transmitted by Bowman Machine Works outside the system boundary described above.

I understand that this attestation is self-reported, that CMMC Level 1 does not require C3PAO third-party assessment, and that knowing misrepresentation may constitute a false statement under 18 U.S.C. § 1001 and may expose Bowman Machine Works to liability under the False Claims Act.

---

## Signatures

**Authorizing Official**

Name: Margaret R. Bowman
Title: President & Owner, Bowman Machine Works, Inc.
Signature: _________________________________
Date: _________________

**Policy Owner (operational)**

Name: [Director of Operations — name omitted in sample]
Title: Director of Operations, Bowman Machine Works, Inc.
Signature: _________________________________
Date: _________________

**Independent Preparer (optional, for grc.engineering-prepared packages)**

Name: grc.engineering
Role: compliance-as-code pipeline operator, policy template author
Signature: _________________________________
Date: _________________

---

## Package Integrity Pin

At the time this attestation is signed, the evidence package content resolves to the SHA256SUMS hash below. Any subsequent modification of any artifact in this package invalidates the attestation.

**SHA256SUMS (top-level package hash):** see `SHA256SUMS` file in the package root.

Verify with:

```bash
sha256sum -c SHA256SUMS
```
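`sha256sum -c` only checks the files listed in `SHA256SUMS`: a file added to the package later, or a regenerated manifest, still passes. The sketch below is an added example, not part of the evidence package or the preparer's tooling; it closes both gaps, and the function names, exit codes, and temp-directory sample package are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example. Assumes GNU coreutils and file names without newlines or backslashes.

# Pin = SHA-256 of the manifest itself; record it outside the package.
manifest_pin() { sha256sum "$1/SHA256SUMS" | cut -d' ' -f1; }

# Exit codes: 0 intact, 1 listed file changed or missing,
# 2 unlisted file present, 3 manifest differs from the recorded pin.
verify_package() {
  dir=$1; expected_pin=${2:-}
  if [ -n "$expected_pin" ] && [ "$(manifest_pin "$dir")" != "$expected_pin" ]; then
    echo "SHA256SUMS does not match the recorded pin" >&2; return 3
  fi
  ( cd "$dir" && sha256sum -c --quiet SHA256SUMS >&2 ) || return 1
  # sha256sum -c only checks listed files, so compare the tree to the manifest.
  listed=$(cut -c67- "$dir/SHA256SUMS" | sed 's|^\./||')
  extra=$(cd "$dir" && find . -type f ! -path ./SHA256SUMS | sed 's|^\./||' |
    while IFS= read -r f; do
      printf '%s\n' "$listed" | grep -Fxq -- "$f" || printf '%s\n' "$f"
    done)
  if [ -n "$extra" ]; then
    echo "files not covered by SHA256SUMS: $extra" >&2; return 2
  fi
  return 0
}

# Constructed sample package (placeholder contents) built in a temp directory.
build_sample() {
  pkg=$(mktemp -d)
  mkdir -p "$pkg/evidence" "$pkg/policies"
  echo '{"constructed": true}' > "$pkg/evidence/prowler-cis-output.json"
  echo 'constructed policy text' > "$pkg/policies/physical-protection-policy.md"
  ( cd "$pkg" && find . -type f ! -path ./SHA256SUMS -exec sha256sum {} + > SHA256SUMS )
  echo "$pkg"
}

pkg=$(build_sample); pin=$(manifest_pin "$pkg")
verify_package "$pkg" "$pin" && echo "intact"
echo 'late addition' > "$pkg/evidence/extra.txt"
verify_package "$pkg" "$pin" || echo "rejected, rc=$?"
rm -rf "$pkg"
```

Recording the value printed by `manifest_pin` in the signed attestation itself is what ties the signature to one specific manifest.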

---

## Contact

For questions about this attestation or the underlying evidence:

- **Bowman Machine Works operational contact:** [Director of Operations — contact redacted in sample]
- **Preparer contact:** grc.engineering — contact at https://grc.engineering

*This attestation is effective until 2027-03-01 or until material change to the system boundary, whichever comes first. Annual re-attestation is recommended.*
