{
  "generated": "2026-04-14T13:29:52.092501+00:00",
  "workspace": "/mnt/c/dev/grc-eng",
  "scan_coverage": {
    "total_requirements": 17,
    "scanned": 12,
    "passing": 9,
    "failing": 3,
    "not_scanned": 0,
    "no_checks_defined": 5,
    "failing_requirements": [
      {
        "id": "b.1.ii",
        "name": "AC.L1-b.1.ii Limit information system access to the types of transactions and functions that authorized users are permitted to execute",
        "sprs_pts": 1,
        "severity": "medium",
        "failing_checks": [
          "iam_user_mfa_enabled_console_access"
        ],
        "total_checks": 6
      },
      {
        "id": "b.1.v",
        "name": "IA.L1-b.1.v Identify information system users, processes acting on behalf of users, or devices",
        "sprs_pts": 1,
        "severity": "medium",
        "failing_checks": [
          "iam_password_policy_minimum_length_14"
        ],
        "total_checks": 3
      },
      {
        "id": "b.1.vi",
        "name": "IA.L1-b.1.vi Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems",
        "sprs_pts": 1,
        "severity": "medium",
        "failing_checks": [
          "iam_user_mfa_enabled_console_access"
        ],
        "total_checks": 3
      }
    ],
    "not_scanned_requirements": [],
    "no_checks_requirements": [
      {
        "id": "b.1.vii",
        "name": "MP.L1-b.1.vii Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse",
        "sprs_pts": 1
      },
      {
        "id": "b.1.viii",
        "name": "PE.L1-b.1.viii Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals",
        "sprs_pts": 1
      },
      {
        "id": "b.1.ix",
        "name": "PE.L1-b.1.ix Escort visitors and monitor visitor activity",
        "sprs_pts": 1
      },
      {
        "id": "b.1.x",
        "name": "PE.L1-b.1.x Maintain audit logs of physical access",
        "sprs_pts": 1
      },
      {
        "id": "b.1.xi",
        "name": "PE.L1-b.1.xi Control and manage physical access devices",
        "sprs_pts": 1
      }
    ]
  },
  "srm_gaps": {
    "total_requirements": 110,
    "mapped": 0,
    "unmapped": 110,
    "tbd_responsibility": [],
    "no_owner": [],
    "na_without_notes": []
  },
  "sprs": {
    "framework": "CMMC-L1",
    "l1_practices_total": 17,
    "l1_practices_failing": 3,
    "l1_failing_detail": [
      {
        "id": "b_1_ii",
        "practice_id": "AC.L1-b.1.ii",
        "coverage": "green"
      },
      {
        "id": "b_1_v",
        "practice_id": "IA.L1-b.1.v",
        "coverage": "green"
      },
      {
        "id": "b_1_vi",
        "practice_id": "IA.L1-b.1.vi",
        "coverage": "green"
      }
    ],
    "note": "CMMC L1 is a binary self-assessment \u2014 there is no SPRS score. All 17 practices must be implemented (13 via CIS IG1, 4 via Physical Protection Policy, 1 via combined data-plane checks + website review procedure)."
  },
  "readiness": {
    "Access Control (AC)": {
      "code": "3.1",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "Awareness & Training (AT)": {
      "code": "3.2",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": true
    },
    "Audit & Accountability (AU)": {
      "code": "3.3",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "Configuration Management (CM)": {
      "code": "3.4",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "Identification & Authentication (IA)": {
      "code": "3.5",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "Incident Response (IR)": {
      "code": "3.6",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "Maintenance (MA)": {
      "code": "3.7",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": true
    },
    "Media Protection (MP)": {
      "code": "3.8",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": true
    },
    "Personnel Security (PS)": {
      "code": "3.9",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": true
    },
    "Physical Protection (PE)": {
      "code": "3.10",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": true
    },
    "Risk Assessment (RA)": {
      "code": "3.11",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "Security Assessment (CA)": {
      "code": "3.12",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "System & Communications Protection (SC)": {
      "code": "3.13",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    },
    "System & Information Integrity (SI)": {
      "code": "3.14",
      "rating": "GREEN",
      "failing_count": 0,
      "critical_count": 0,
      "blockers": [],
      "non_automatable": false
    }
  },
  "data_sources": {
    "compliance_json": "/mnt/c/dev/grc-eng/controls/cmmc-l1/compliance.json",
    "prowler_results": "site/sample-ig1-package/evidence/prowler-cis-output.json",
    "srm": null
  }
}