# Chain of Custody — IG1 Starter Pack Evidence Package Provenance

- **Package ID:** IG1-SAMPLE-2026-04-10-bowman-prod
- **Generated:** 2026-04-10T14:22:00Z
- **Package type:** CMMC Level 1 self-assessment (17 practices, FAR 52.204-21 (b)(1))

> **SYNTHETIC SAMPLE** — this is a reference deliverable. Git commit hashes, CI run IDs, and signing key fingerprints below are illustrative; a production engagement would record the real values at package-seal time.

---

## Statement of Automated Generation

This evidence package was produced by grc.engineering's IG1 Starter Pack pipeline. Every artifact listed in `MANIFEST.md` is deterministically produced from the inputs recorded below and can be reproduced by re-running the pipeline at the same git commit against the same AWS account and the same version of the Physical Protection Policy template.

The narrative artifacts (policy, SRM, self-attestation letter) were filled from grc.engineering templates during the engagement and are **not** machine-generated — they are human-authored and signed. The Prowler scan output and the gap report **are** machine-generated and reproducible.

---

## Pipeline Identity

| Field | Value |
|---|---|
| Pipeline | grc.engineering IG1 Starter Pack |
| ADR reference | ADR-021 (research/architecture-decisions.md) |
| Git repository | grc-eng (grc.engineering private) |
| Git commit | `[commit-hash-set-at-package-seal]` |
| Git branch | `main` |
| Signing fingerprint | `[GPG fingerprint set at package-seal]` |
| Signature file | `SHA256SUMS.sig` (detached GPG signature of SHA256SUMS) |
| Package prepared by | grc.engineering |
| Package prepared for | Bowman Machine Works, Inc. (synthetic sample persona) |

---

## Tool Chain

### Stage 1 — AWS scan

| Tool | Version | Purpose | Input | Output |
|---|---|---|---|---|
| Prowler | 4.x | AWS scan against CIS IG1-derived grc-eng L1 compliance JSON | AWS read-only IAM role in Bowman account `555777111222` (us-east-2); `controls/cmmc-l1/compliance.json` | `evidence/prowler-cis-output.json` |

The Prowler run uses the forked compliance JSON at `controls/cmmc-l1/compliance.json` (grc-eng fork of Prowler's schema — ADR-005). The fork declares 42 Prowler AWS checks against the 12 green-set L1 practices.

### Stage 2 — Gap analysis

| Tool | Version | Purpose | Input | Output |
|---|---|---|---|---|
| `tooling/gap-scanner.py --level l1` | grc-eng repo `main` | Score Prowler output against L1 compliance JSON, emit binary pass/fail | `evidence/prowler-cis-output.json`, `controls/cmmc-l1/compliance.json` | `reports/gap-report.md`, `reports/gap-report.json` |

### Stage 3 — Narrative artifacts (human-authored from templates)

| Artifact | Template source | Author |
|---|---|---|
| `policies/physical-protection-policy.md` | `evidence/templates/physical-protection-policy.md` | grc.engineering, filled with Bowman-specific tokens |
| `scope/shared-responsibility-matrix.md` | `tooling/client-workspace-template-ig1/scope/shared-responsibility-matrix.md` | grc.engineering, filled with Bowman-specific tokens |
| `evidence/self-attestation-letter.md` | grc.engineering IG1 attestation template | Bowman (signature), grc.engineering (preparation) |

### Stage 4 — Packaging

| Tool | Version | Purpose | Input | Output |
|---|---|---|---|---|
| `sha256sum` | GNU coreutils | Compute integrity hashes for every file in package | All artifacts above | `SHA256SUMS` |
| `gpg --detach-sign` | GnuPG 2.x | Detached signature over SHA256SUMS | `SHA256SUMS`, grc.engineering signing key | `SHA256SUMS.sig` (production; omitted from sample) |

---

## Reproducibility Contract

To reproduce this package:

1. Clone grc-eng at commit `[commit-hash]`.
2. Grant the grc-eng Prowler IAM role read-only access to the target AWS account.
3. Run: `prowler aws --compliance controls/cmmc-l1/compliance.json --output-directory <tmp>`.
4. Run: `python3 tooling/gap-scanner.py --workspace <tmp> --level l1 --prowler <tmp>/prowler-output.json`.
5. Fill the policy and SRM templates from `evidence/templates/physical-protection-policy.md` and `tooling/client-workspace-template-ig1/scope/shared-responsibility-matrix.md` with the client's specific values.
6. Compute SHA256SUMS over the package directory.

A prime contractor or regulator wanting independent verification can perform steps 1–4 without any additional grc.engineering involvement beyond an AWS IAM role grant.
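Step 6 and the Stage 4 packaging table describe the integrity layer a verifier relies on: a coreutils-format `SHA256SUMS` over every artifact, later bound to the signing key by the detached GPG signature. The following is an added example, not grc.engineering's packaging code, showing how that manifest is sealed deterministically and how a verifier should check it. It assumes the package is a plain directory tree, that `SHA256SUMS` and `SHA256SUMS.sig` are the only files excluded from the hash list, and that the sample file contents (constructed placeholders, not the real artifacts) stand in for the real package. The manifest format matches GNU `sha256sum`, so `sha256sum -c SHA256SUMS` run inside the package directory reports the same mismatches; the extra check here is for files present but never sealed, which `sha256sum -c` does not report.

```python
"""Seal and verify an evidence package with a coreutils-compatible SHA256SUMS.

Added example, not grc.engineering's packaging code. Assumes the package is a
plain directory tree and that SHA256SUMS / SHA256SUMS.sig are the only files
excluded from the hash list.
"""
from __future__ import annotations

import hashlib
from pathlib import Path

MANIFEST = "SHA256SUMS"
EXCLUDED = {MANIFEST, MANIFEST + ".sig"}


def _sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large scan outputs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def package_files(package_dir: Path) -> list[Path]:
    """Every regular file in the package, as sorted relative paths.

    Sorting makes the manifest byte-for-byte deterministic across re-runs,
    which is what lets a reproduced package be diffed against the sealed one.
    """
    return sorted(
        p.relative_to(package_dir)
        for p in package_dir.rglob("*")
        if p.is_file() and p.relative_to(package_dir).as_posix() not in EXCLUDED
    )


def seal(package_dir: Path) -> Path:
    """Write SHA256SUMS in GNU coreutils text format: '<hex>  <relative path>'."""
    lines = [
        f"{_sha256_file(package_dir / rel)}  {rel.as_posix()}"
        for rel in package_files(package_dir)
    ]
    manifest = package_dir / MANIFEST
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def verify(package_dir: Path) -> dict[str, list[str]]:
    """Check the package against SHA256SUMS.

    Returns three lists: 'mismatch' (content changed since seal), 'missing'
    (listed but absent), and 'unlisted' (present but never sealed). The last
    class is the one `sha256sum -c` does not report, and it is how an artifact
    added after signing would otherwise go unnoticed.
    """
    manifest = package_dir / MANIFEST
    expected: dict[str, str] = {}
    for line in manifest.read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")  # coreutils separates with two spaces
        expected[rel] = digest
    present = {rel.as_posix() for rel in package_files(package_dir)}
    result: dict[str, list[str]] = {
        "mismatch": [],
        "missing": [],
        "unlisted": sorted(present - set(expected)),
    }
    for rel, digest in sorted(expected.items()):
        path = package_dir / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif _sha256_file(path) != digest:
            result["mismatch"].append(rel)
    return result


def is_intact(package_dir: Path) -> bool:
    """True only when nothing changed, nothing is missing and nothing was added."""
    return not any(verify(package_dir).values())


def build_sample_package(root: Path) -> Path:
    """Constructed stand-in for the IG1 package layout; contents are placeholders."""
    pkg = root / "IG1-SAMPLE-package"
    for rel, text in {
        "MANIFEST.md": "# Manifest\n",
        "evidence/prowler-cis-output.json": '{"findings": []}\n',
        "reports/gap-report.json": '{"pass": 0, "fail": 0}\n',
        "policies/physical-protection-policy.md": "# Physical Protection Policy\n",
    }.items():
        (pkg / rel).parent.mkdir(parents=True, exist_ok=True)
        (pkg / rel).write_text(text, encoding="utf-8")
    return pkg


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(Path(tmp))
        seal(pkg)
        print("sealed package intact:", is_intact(pkg))
        # Simulate a post-seal edit to a machine-generated report.
        (pkg / "reports" / "gap-report.json").write_text('{"pass": 17, "fail": 0}\n')
        print("after edit:", verify(pkg))
```

In a production seal the manifest written by `seal()` is what `gpg --detach-sign SHA256SUMS` covers; a verifier therefore runs `gpg --verify SHA256SUMS.sig SHA256SUMS` against the fingerprint recorded in the Pipeline Identity table first, and only then trusts `verify()` (or `sha256sum -c`) to speak for the individual artifacts. Checking hashes without checking the signature only proves the package matches a manifest anyone could have rewritten.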

---

## Limitations of this sample

- **All values are fabricated.** No real Bowman Machine Works AWS account exists. The Prowler JSON output was generated by `scripts/gen_bowman_fixture.py` in the grc-eng repository at the commit referenced above.
- **No GPG signature.** The sample does not ship a real `SHA256SUMS.sig` because there is no production grc.engineering signing key exposed to public samples. A real engagement would seal with a signed detached signature.
- **Git commit hash is placeholder.** A production engagement would pin the actual commit hash at package-seal time.
