What This Package Contains
The Fictional Entity
Cogswell Cogs, Inc. is a precision mechanical components manufacturer producing gear assemblies and motion control components under an Army Contracting Command contract. The entity is entirely fictional. Nothing in the package describes any real organization, system, facility, or security posture. The documentation reflects one reasonable interpretation of NIST SP 800-171 Rev 2 implementation for a small DIB contractor with 12 CUI-authorized users, a defined CUI enclave, and a Microsoft 365 GCC High environment.
| Attribute | Detail |
| --- | --- |
| Organization | Cogswell Cogs, Inc. (fictional) |
| System | CUI Processing Environment (CPE): 12 workstations, file server, domain controller, SonicWall firewall, FortiGate VPN, Wazuh SIEM, M365 GCC High |
| CUI Types | Controlled Technical Information (CTI), Export Controlled, Privacy |
| SPRS Score | 107 (1 partially implemented practice) |
| Cloud Services | Microsoft 365 GCC High (FedRAMP High), Azure GCC High, Tenable Nessus, KnowBe4 |
| Personnel | 12 CUI-authorized users, CEO (System Owner), IT Manager (ISSO), IT Administrator |
Why This Matters
The Phase 1 realities analysis documented that the National Defense Industrial Association found nearly all SSPs encountered in the field were inadequate, and that C3PAO assessment delays stem most often from incomplete SSPs, unclear control narratives, and insufficient evidence. The gap between what contractors think an SSP should look like and what a C3PAO actually evaluates is the primary driver of assessment failure.
This package exists to close that gap. It demonstrates what a complete SSP looks like at the level of specificity a C3PAO requires: each control tied to a named system component, a narrative description of how the control is implemented in the actual environment, the responsible individual identified by name and role, and the supporting documentation referenced by document ID and storage location. The POA&M demonstrates what a properly structured remediation plan looks like, including milestone detail, resource allocation, evidence artifact tracking, and the 180-day compliance deadline under 32 CFR Part 170.
This package is a starting point for understanding, not a ready-to-submit deliverable. Every defense contractor's environment is different. Security controls, system boundaries, CUI data flows, and POA&M remediation strategies must be designed and validated against each organization's specific infrastructure, contractual obligations, and risk posture.
What the SSP Demonstrates
The SSP covers all 14 practice families with environment-specific implementation narratives. Access Control documents Active Directory group policies, VPN authentication with MFA, and Intune mobile device management. Audit and Accountability describes a Wazuh SIEM deployment with centralized log collection and M365 integration. Configuration Management documents CIS benchmarks enforced through Group Policy with formal change management. Media Protection addresses USB prohibition, encrypted backup, and CUI transport policies. Physical Protection documents keycard access, Verkada surveillance, visitor escort procedures, and alternate work site policies.
Each control entry follows a consistent structure: practice number, requirement text, implementation status, the specific system component it applies to, a narrative description of how the control is implemented in the Cogswell Cogs environment, and the responsible role. This format mirrors what a C3PAO assessment team evaluates, and it is substantially different from the checklist-style output that GRC platforms typically produce.
What the POA&M Demonstrates
The POA&M contains one open item (practice 3.13.12, Teams Admin Center policy enforcement) and four closed items from the 2025 remediation cycle. The open item includes full administrative data, deficiency description with root cause analysis, compensating controls documentation, a formal risk acceptance statement from the System Owner, three remediation milestones with dates and responsible parties, seven evidence artifacts required for closure, and a monthly reporting schedule to the C3PAO.
The four closed items provide a documented remediation history showing how the organization identified, addressed, verified, and closed prior deficiencies across endpoint DLP deployment, cross-source SIEM correlation, AppLocker server enforcement, and annual risk assessment updates. This history is itself an assessment artifact: it demonstrates to the C3PAO that the organization has a mature remediation process, not just a list of open findings.
The Diagram-to-SSP Crosswalk
The crosswalk maps each of the eight architecture diagrams to the specific NIST controls they evidence, with required evidence artifacts listed per practice. It includes a pre-assessment task section for the one pending evidence gap, with the exact artifacts the IT Administrator must produce, and a table of the five verification steps a C3PAO assessor will perform when examining the SIEM configuration. This is a C3PAO assessment preparation tool that most contractors do not know they need until the assessment team requests it.
Download the Complete Package
95 pages. SSP v3.0, POA&M v3.2, all architecture diagrams, diagram-to-SSP crosswalk, pre-assessment task documentation, and evidence artifact tracking. Free educational download.
The CMMC Decision, Second Edition
Chapter 6 ("Blind Spots") addresses the physical security controls documented in the Cogswell Cogs facility floor plan. Chapter 7 ("The Dress Rehearsal") covers the mock audit process that validates SSP accuracy before the C3PAO assessment. Chapter 8 ("Assessment Day") describes what the formal evaluation looks like.