A real sample CMMC prep pack
Generated for Apex Fasteners LLC, a fictional small aerospace supplier profile, from the same intake schema and validator that customers use. It is an example artifact, not a statement about any real contractor.
This is the exact pipeline output a paying customer receives — the same prompts, the same validator gate, the same rendering — shown in full. Nothing here is staged or hand-edited. Every document carries its attestation line; items the intake marked "not yet" appear only in the POA&M section, never as current practice.
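An added illustration of the "not yet" gate described above, written for this page and not the vendor's validator or intake schema (neither is shown here). It uses hypothetical intake rows modelled on the Apex Fasteners sample, a renderer that routes each row to Current Control Story or POA&M, and a check that no "not yet" item leaks into current practice.

```python
# Illustrative gate: an intake item marked "not yet" may surface only in POA&M.
# Hypothetical data model; the real intake schema is not on this page.
from dataclasses import dataclass


@dataclass(frozen=True)
class IntakeItem:
    area: str
    statement: str
    status: str            # "in_place" or "not_yet"
    current_days: int = 0  # assumed fields for retention-style numeric items
    target_days: int = 0


# Constructed intake rows mirroring the Apex Fasteners LLC sample.
SAMPLE_INTAKE = [
    IntakeItem("MFA", "MFA is in place for in-scope users and administrators.", "in_place"),
    IntakeItem("Logging", "Audit, firewall, endpoint and admin-login logs are retained.",
               "in_place", current_days=90, target_days=180),
    IntakeItem("SSP", "Formal SSP has been compiled.", "not_yet"),
    IntakeItem("Flow-down", "CUI flow-down terms are in subcontractor purchase orders.", "not_yet"),
]


def render_pack(items):
    """Route rows: 'in_place' to Current Control Story, 'not_yet' to POA&M.
    An in-place numeric item below its stated target also gets a POA&M review line."""
    current, poam = [], []
    for it in items:
        if it.status == "not_yet":
            poam.append(f"{it.area}: open - {it.statement}")
        else:
            current.append(it.statement)
            if it.target_days and it.current_days < it.target_days:
                poam.append(f"{it.area}: review {it.current_days}-day retention "
                            f"against {it.target_days}-day target")
    return {"current": current, "poam": poam}


def validate_pack(items, pack):
    """Gate: every 'not yet' statement must be absent from Current and present in POA&M."""
    problems = []
    for it in items:
        if it.status != "not_yet":
            continue
        if it.statement in pack["current"]:
            problems.append(f"{it.area}: 'not yet' item rendered as current practice")
        if not any(it.statement in line for line in pack["poam"]):
            problems.append(f"{it.area}: 'not yet' item missing from POA&M")
    return problems
```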
Apex Fasteners LLC — CMMC Self-Assessment Snapshot
Based on answers provided by Apex Fasteners LLC on 2026-06-30. Self-attested by the contractor; not audited, certified, submitted to SPRS, or reviewed by any third party.
Scope
Apex Fasteners LLC is preparing a Level 2 self-assessment pack after a prime contractor requested CMMC evidence before a 2026-08-15 subcontract renewal. The in-scope enclave is the estimating office, engineering workstation group, Microsoft 365 GCC High tenant, and the released-traveler file share. Apex receives CUI-marked technical drawings from the prime and stores them in a controlled SharePoint site.
Current Control Story
Access uses named accounts, manager approval, quarterly access reviews, and MFA for in-scope users and administrators. Engineering workstations use blocked USB ports except for two approved encrypted drives. SentinelOne alerts and Microsoft secure-score items are reviewed weekly by MSP SecureWorks Co.; critical endpoint patches are applied within 14 days. Microsoft 365 audit logs, firewall logs, endpoint alerts, and administrator-login logs are retained for 90 days. Employees with CUI access complete annual CUI handling and phishing training.
Evidence Sources
Evidence sources named in the intake include Microsoft Entra screenshots, SentinelOne dashboard exports, LMS completion records, ticket-system access reviews, a network diagram, asset inventory, backup restore report, and locked-cabinet photos.
POA&M / Open Items
- Formal SSP compilation is still open.
- Log-retention target needs review because current retention is 90 days and the intake names a 180-day target.
- Subcontractor CUI flow-down language needs review for the heat-treatment subcontractor.
- No prior SPRS score was provided in the intake.
What This Page Is Not
This page is not a CMMC certification, not a C3PAO assessment, not legal advice, and not an SPRS submission. It is a self-attested preparation snapshot based on buyer-provided facts.
Contact
Prime-contractor or security questions should be sent to security@apex-fasteners.example.
System Security Plan Starter
Based on answers provided by Apex Fasteners LLC on 2026-06-30. Self-attested by the contractor; not audited, certified, submitted to SPRS, or reviewed by any third party.
Scope
Apex Fasteners LLC builds CNC-machined brackets and fastener kits for aerospace prime contractors. The Level 2 self-assessment request was triggered by a prime-contractor renewal due 2026-08-15. The in-scope enclave is the estimating office, engineering workstation group, Microsoft 365 tenant, and the file share used for prime drawings.
CUI Flow
CUI-marked technical drawings arrive through the prime contractor's portal. Estimating downloads the files, stores them in the controlled Microsoft 365 SharePoint site, and engineering uses them to create work instructions. Shop-floor CNC machines receive released job travelers only.
In-Scope Systems And Providers
- Microsoft 365 GCC High for email and SharePoint.
- SentinelOne for endpoint monitoring.
- On-prem Windows file server for released travelers.
- MSP SecureWorks Co. administers Microsoft 365 and endpoint monitoring.
- Backblaze stores encrypted server backups.
Current Control Story
Named user accounts are required. The IT manager provisions access after manager approval and removes access during offboarding. MFA is in place for in-scope users and administrators. USB ports are blocked on engineering workstations except two approved encrypted drives held by the IT manager. Microsoft 365 audit logs, firewall logs, endpoint alerts, and administrator-login logs are retained for 90 days.
POA&M
- Compile the formal SSP from this starter pack and advisor review notes.
- Extend log retention from the current 90 days toward the 180-day target named in the intake, after review.
- Add subcontractor CUI flow-down wording to purchase-order language after contract-owner review.
Review Sequence
The president, with IT manager and MSP support, owns the self-assessment. The MSP and prime-contracts manager should review this pack before any SPRS update or affirmation.
SPRS Score Brief
Based on answers provided by Apex Fasteners LLC on 2026-06-30. Self-attested by the contractor; not audited, certified, submitted to SPRS, or reviewed by any third party.
Current Status
No prior SPRS score was provided in the intake. This pack does not calculate, certify, or submit a score to SPRS. It organizes buyer-attested facts so Apex Fasteners LLC, its MSP, and its executive owner can review evidence before any score update or affirmation.
Evidence Needed Before Scoring
- Confirm the system boundary for Microsoft 365 GCC High, engineering workstations, estimating, and the released-traveler file share.
- Export MFA and administrator-access evidence from Microsoft Entra.
- Export SentinelOne vulnerability and endpoint status reports.
- Attach LMS completion reports for annual CUI handling and phishing training.
- Attach ticket-system access-review records and patch/change tickets.
Owner Review
The president is the assessment owner. The IT manager and MSP SecureWorks Co. should review technical evidence. The prime-contracts manager should review CUI flow-down language and contract-specific reporting commitments before any update is submitted elsewhere.
What This Brief Is Not
This brief is not a CMMC certification, not a C3PAO assessment, not legal advice, and not an SPRS submission.
POA&M Roadmap
Based on answers provided by Apex Fasteners LLC on 2026-06-30. Self-attested by the contractor; not audited, certified, submitted to SPRS, or reviewed by any third party.
| Open item | Owner | Why it matters | Evidence to collect |
|---|---|---|---|
| Formal SSP has not been compiled | President + IT manager | The scope and CUI flow need one reviewed source of truth before affirmation | Final SSP, network diagram, asset inventory |
| Log retention is currently 90 days | IT manager + MSP | Retention should be reviewed against the 180-day target stated in the intake | Microsoft 365 audit settings, firewall log settings, endpoint alert retention |
| Subcontractor CUI flow-down language needs review | Prime-contracts manager | One heat-treatment subcontractor receives released drawings | Purchase-order wording, subcontractor acknowledgement, contract-owner review note |
| SPRS score has not been calculated or submitted | President | A score should not be updated until evidence is reviewed | Evidence register, POA&M, advisor sign-off |
Target Context
Apex Fasteners LLC is trying to be ready for the 2026-08-15 renewal. This date is context, not a claim that every open item will be closed by then.
CMMC Evidence Register — Apex Fasteners LLC
Based on answers provided by Apex Fasteners LLC on 2026-06-30. Self-attested by the contractor; not audited, certified, submitted to SPRS, or reviewed by any third party.
Evidence area: Assessment scope
Current statement: The in-scope enclave is the estimating office, engineering workstation group, Microsoft 365 tenant, and released-traveler file share.
Evidence to collect: Network diagram, asset inventory, Microsoft 365 tenant summary.
Evidence area: CUI flow
Current statement: CUI drawings arrive through the prime portal, move into SharePoint, and are used by engineering for work instructions.
Evidence to collect: CUI flow diagram, SharePoint site permissions, sample redacted workflow ticket.
Evidence area: Identity and access control
Current statement: Named accounts are provisioned after manager approval and reviewed quarterly.
Evidence to collect: Entra user export, access-review tickets, offboarding sample.
Evidence area: MFA
Current statement: MFA is enforced for in-scope users and administrators.
Evidence to collect: Entra MFA policy screenshot or export.
Evidence area: Removable media and printed CUI
Current statement: USB ports are blocked except two approved encrypted drives; printed CUI is locked and shredded.
Evidence to collect: Endpoint policy screenshot, encrypted-drive custody log, cabinet photo, shred procedure.
Evidence area: Configuration and patch management
Current statement: Apex uses a standard workstation image, monthly Windows patch cycle, and change tickets for firewall or tenant changes.
Evidence to collect: Patch report, image baseline note, sample change ticket.
Evidence area: Vulnerability management
Current statement: SentinelOne alerts and Microsoft secure-score items are reviewed weekly by the MSP; critical endpoint patches are applied within 14 days.
Evidence to collect: SentinelOne report, MSP weekly review note, patch tickets.
Evidence area: Logging and monitoring
Current statement: Microsoft 365 audit logs, firewall logs, endpoint alerts, and administrator-login logs are retained for 90 days.
Evidence to collect: Retention settings, alert review procedure.
POA&M / open item: Review whether the 90-day retention window needs extension.
Evidence area: Incident reporting
Current statement: The IT manager triages alerts and escalates suspected CUI exposure to the president within one business day.
Evidence to collect: Incident procedure, contact tree, contract-specific reporting steps after contracts review.
Evidence area: Employee training
Current statement: Employees with CUI access complete annual CUI handling and phishing training.
Evidence to collect: LMS completion export.
Evidence area: External service providers
Current statement: MSP SecureWorks Co. administers Microsoft 365 and endpoint monitoring; Backblaze stores encrypted server backups.
Evidence to collect: MSP agreement summary, backup configuration, provider responsibility notes.
Evidence area: Subcontractor flow-down
Current statement: One heat-treatment subcontractor receives released drawings.
Evidence to collect: Purchase-order language and subcontractor acknowledgement.
POA&M / open item: Add CUI flow-down terms after contract-owner review.