# Shared Responsibility Matrix — Bowman Machine Works, Inc. — CMMC Level 1

> **SYNTHETIC SAMPLE** — this is a reference deliverable for grc.engineering's IG1 Starter Pack. Bowman Machine Works is a fictional DIB sub-tier persona (12-person CNC shop, Toledo OH) used to show what a completed L1 SRM looks like.

Responsibility codes:
- **C** = Customer (Bowman) fully responsible
- **S** = Shared with cloud provider or service vendor
- **P** = Cloud provider / service vendor fully responsible
- **N/A** = Not applicable given Bowman's scope

| CMMC L1 practice | Responsibility | Evidence source | Notes |
|---|---|---|---|
| AC.L1-b.1.i — Limit access to authorized users | C | IAM inventory + quarterly access review | Director of Operations owns quarterly review |
| AC.L1-b.1.ii — Limit access to transactions/functions | C | IAM policy attachments + MFA enforcement | **Finding:** 1 console user without MFA (`bowman-jdoe`) — POA&M item |
| AC.L1-b.1.iii — Control external connections | S | VPC boundary configuration | Bowman configures SGs / ACLs; AWS provides VPC primitives |
| AC.L1-b.1.iv — Control publicly accessible info | C | Prowler public-access checks + §5 of Physical Protection Policy | Website content review is customer-only; Bowman's marketing person flagged as reviewer |
| IA.L1-b.1.v — Identify users | C | IAM user inventory | **Finding:** password policy minimum length is 8, not 14 — POA&M item |
| IA.L1-b.1.vi — Authenticate identities | C | MFA configuration | Same finding as AC.L1-b.1.ii |
| MP.L1-b.1.vii — Sanitize media | S | Cloud: AWS shared responsibility; on-prem: §6 of Physical Protection Policy | Bowman has 3 company laptops subject to on-prem disposal procedure |
| PE.L1-b.1.viii — Limit physical access | C | §1 of Physical Protection Policy (Facility Access Authorization) | Bowman has a single office at 1420 Industrial Pkwy, Toledo — see policy §1 |
| PE.L1-b.1.ix — Escort visitors | C | §2 of Physical Protection Policy (Visitor Escort Procedure) | Director of Operations is the only escort-privileged individual during business hours |
| PE.L1-b.1.x — Physical access logs | C | §3 of Physical Protection Policy (Physical Access Log) | Kisi cloud access control + paper visitor binder at reception |
| PE.L1-b.1.xi — Physical access devices | C | §4 of Physical Protection Policy (Badge and Key Inventory) | 15 Kisi badges + 4 physical keys tracked at `G:\Security\badge-inventory.xlsx` |
| SC.L1-b.1.xii — Boundary protection | S | Security Groups, NACLs | No WAF deployed (no public-facing web app beyond marketing site on managed host) |
| SC.L1-b.1.xiii — Public-facing subnets | C | VPC subnet configuration | Single public subnet hosts the ERP ALB only |
| SI.L1-b.1.xiv — Correct system flaws | S | SSM Patch Manager | SSM-managed patching enabled; Inspector2 active |
| SI.L1-b.1.xv — Protect from malicious code | S | GuardDuty + endpoint AV | GuardDuty enabled account-wide; Defender for Endpoint on all 3 laptops |
| SI.L1-b.1.xvi — Update malicious code protection | S | GuardDuty managed updates + Defender auto-update | Managed updates — no Bowman action required |
| SI.L1-b.1.xvii — Periodic scans | S | Inspector + GuardDuty + Defender scheduled scans | Inspector weekly; GuardDuty continuous; Defender quick scan daily + full scan weekly |

## PE responsibility decision rationale

Bowman has a single physical office housing 12 employees. The office is a leased commercial suite with a Kisi-controlled main entrance. FCI handling (quote responses, ITAR-flagged drawings from primes) occurs in the office, not exclusively in the cloud. Therefore **PE.L1-b.1.viii through .xi are Customer responsibility** — Bowman deploys the full Physical Protection Policy.

If Bowman later transitions to fully remote and shutters the physical office, the PE responsibility would flip to `P` with AWS handling facility-level physical controls; only §5 (website content review) and §6 (BYOD media disposal) of the policy would remain in scope.

## Open POA&M items (from scan)

| Practice | Finding | Owner | Target remediation |
|---|---|---|---|
| AC.L1-b.1.ii, IA.L1-b.1.vi | User `bowman-jdoe` lacks console MFA | Director of Operations | 2026-04-20 |
| IA.L1-b.1.v | Account password policy minimum length 8, required 14 | Director of Operations | 2026-04-20 |
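Both open items come straight from IAM evidence, so they can be regenerated on each quarterly review rather than re-read from a scan report. The check below is an added example, not Bowman's or the Starter Pack's own tooling: it runs over a constructed credential-report excerpt and a constructed password-policy dict (AWS's documented placeholder account ID 111122223333), and emits rows in the shape of the POA&M table above; a live run would obtain the same inputs via boto3 `generate_credential_report`/`get_credential_report` and `get_account_password_policy`.

```python
"""Regenerate the two open POA&M findings from IAM evidence (added example)."""
import csv
import io

REQUIRED_MIN_LENGTH = 14  # target stated in the POA&M table

# Constructed sample: only the credential-report columns this check reads.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true
bowman-admin,arn:aws:iam::111122223333:user/bowman-admin,true,true
bowman-jdoe,arn:aws:iam::111122223333:user/bowman-jdoe,true,false
bowman-ci,arn:aws:iam::111122223333:user/bowman-ci,false,false
"""

# Constructed sample in the shape of get_account_password_policy()["PasswordPolicy"].
SAMPLE_PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": True}


def console_users_without_mfa(report_csv):
    """Console users (password_enabled == true) with no active MFA device.
    Key-only users (no console password) are out of scope here, and the root
    row reports password_enabled=not_supported, so it is skipped too and
    must be reviewed on its own."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] != "true")


def password_policy_findings(policy, required=REQUIRED_MIN_LENGTH):
    """Empty list when the account policy meets the required minimum length."""
    actual = policy.get("MinimumPasswordLength", 0)
    return [f"minimum length {actual}, required {required}"] if actual < required else []


def poam_items(report_csv, policy):
    """Map each finding to the L1 practice(s) it fails, as (practice, finding) rows."""
    items = [("AC.L1-b.1.ii, IA.L1-b.1.vi", f"User `{u}` lacks console MFA")
             for u in console_users_without_mfa(report_csv)]
    items += [("IA.L1-b.1.v", f"Account password policy {msg}")
              for msg in password_policy_findings(policy)]
    return items


if __name__ == "__main__":
    for practice, finding in poam_items(SAMPLE_CREDENTIAL_REPORT, SAMPLE_PASSWORD_POLICY):
        print(f"| {practice} | {finding} |")
```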
