← CMMC Pack

A real sample CMMC prep pack

Generated for Apex Fasteners LLC, a fictional small aerospace supplier profile, generated from the same intake schema and validator customers use. It is an example artifact, not a statement about a real contractor.

This is the exact pipeline output a paying customer receives — the same prompts, the same validator gate, the same rendering — shown in full. Nothing here is staged or hand-edited. Every document carries its attestation line; items the intake marked "not yet" appear only in the POA&M section, never as current practice.

Apex Fasteners LLC — CMMC Self-Assessment Snapshot

Based on answers provided by Apex Fasteners LLC on 2026-06-30. Self-attested by the contractor; not audited, certified, submitted to SPRS, or reviewed by any third party.

Scope

Apex Fasteners LLC is preparing a Level 2 self-assessment pack after a prime contractor requested CMMC evidence before a 2026-08-15 subcontract renewal. The in-scope enclave is the estimating office, engineering workstation group, Microsoft 365 GCC High tenant, and the released-traveler file share. Apex receives CUI-marked technical drawings from the prime and stores them in a controlled SharePoint site.

Current Control Story

Access uses named accounts, manager approval, quarterly access reviews, and MFA for in-scope users and administrators. Engineering workstations use blocked USB ports except for two approved encrypted drives. SentinelOne alerts and Microsoft secure-score items are reviewed weekly by MSP SecureWorks Co.; critical endpoint patches are applied within 14 days. Microsoft 365 audit logs, firewall logs, endpoint alerts, and administrator-login logs are retained for 90 days. Employees with CUI access complete annual CUI handling and phishing training.

Evidence Sources

Evidence sources named in the intake include Microsoft Entra screenshots, SentinelOne dashboard exports, LMS completion records, ticket-system access reviews, a network diagram, asset inventory, backup restore report, and locked-cabinet photos.

POA&M / Open Items

  • Formal SSP compilation is still open.
  • Log-retention target needs review because current retention is 90 days and the intake names a 180 day target.
  • Subcontractor CUI flow-down language needs review for the heat-treatment subcontractor.
  • No prior SPRS score was provided in the intake.

What This Page Is Not

This page is not a CMMC certification, not a C3PAO assessment, not legal advice, and not an SPRS submission. It is a self-attested preparation snapshot based on buyer-provided facts.

Contact

Prime-contractor or security questions should be sent to security@apex-fasteners.example.

Build my CMMC pack - $499Browse the CMMC guides