Evidence Package Overview
Acme Precision Manufacturing CUI Environment -- CMMC Level 2
Assessment flow: start with the SSP for the big picture, drill into component-definitions for per-control detail, verify claims against assessment-results, and check the POA&M for gaps.
Authorization Boundary
AWS account 111222333444 -- VPC-isolated CUI processing environment. Includes EC2 instances running SolidWorks PDM, PostgreSQL RDS for ERP, S3 buckets for technical drawing storage, and CloudTrail for audit logging. Excludes corporate email (M365 GCC, separate assessment scope).
System Components
| Component | Type | Controls |
|---|---|---|
| AWS Identity and Access Management | service | AC.L2-3.1.1 |
| AWS CloudTrail + GuardDuty | service | AU.L2-3.3.1 |
| AWS IAM & Network Hardening | service | CM.L2-3.4.6 |
| AWS IAM Password & Authenticator Policy | service | IA.L2-3.5.7 |
| AWS Encryption at Rest | service | SC.L2-3.13.11 |
| AWS Encryption in Transit | service | SC.L2-3.13.8 |
System Security Plan
system-security-plan.json SSP
The SSP describes the system boundary, enumerates components, and documents how each CMMC L2 requirement is implemented. Below is the metadata and one sample implemented-requirement.
```json
{
  "system-security-plan": {
    "uuid": "b8190c64-4280-57b0-9044-3ae79a16e441",
    "metadata": {
      "title": "Acme Precision Manufacturing CUI Environment -- System Security Plan",
      "last-modified": "2026-04-12T13:26:14Z",
      "version": "0.1.0",
      "oscal-version": "1.2.1",
      "parties": [
        { "type": "organization", "name": "Acme Precision Manufacturing, Inc." },
        { "type": "organization", "name": "grc.engineering" }
      ]
    },
    "system-characteristics": {
      "system-name": "Acme Precision Manufacturing CUI Environment",
      "description": "AWS-hosted CAD/CAM and ERP systems processing ITAR technical drawings",
      "authorization-boundary": {
        "description": "AWS account 111222333444 -- VPC-isolated CUI processing environment..."
      }
    }
  }
}
```
Sample Implemented Requirement: AC.L2-3.1.1
Each implemented-requirement links statements to Prowler check IDs and enforcement artifacts.
```json
{
  "control-id": "AC.L2-3.1.1",
  "description": "This component limits AWS access to authorized users...",
  "props": [
    { "name": "implementation-status", "value": "implemented" }
  ],
  "statements": [
    {
      "statement-id": "AC.L2-3.1.1_smt.a",
      "description": "Root account is sealed. iam_no_root_access_key is satisfied...",
      "props": [{
        "name": "prowler-check-ids",
        "value": "iam_no_root_access_key,iam_root_mfa_enabled"
      }],
      "links": [
        { "href": "terraform/main.tf", "rel": "implementation" },
        { "href": "steampipe/ac-l2-3.1.1.sql", "rel": "validation" }
      ]
    }
  ]
}
```
Assessment Results
assessment-results.json AR
Each result block contains observations from a Prowler scan. Every observation has a check ID, pass/fail status, severity, and the timestamp when the check executed.
| Resource | Collected | Method |
|---|---|---|
| arn:aws:acm:us-east-1:111222333444:certificate/acme-erp-cert | 2026-04-12T12:55:35Z | AUTOMATED |
| arn:aws:cloudtrail:us-east-1:111222333444:trail/acme-cui-trail | 2026-04-12T12:55:35Z | AUTOMATED |
| arn:aws:iam::111222333444:root | 2026-04-12T12:55:35Z | AUTOMATED |
| arn:aws:s3:::acme-legacy-uploads | 2026-04-12T12:55:35Z | AUTOMATED |
Raw OSCAL Observation
```json
{
  "uuid": "ba8b4ab4-a840-429a-ab70-e2e3773eb06b",
  "title": "Ensure ACM certificates are not expiring within 30 days",
  "description": "Prowler check acm_certificates_expiration_check: Pass. Resource: AwsAcmCertificate arn:aws:service:us-east-1:111222333444:acme-erp-cert",
  "methods": ["AUTOMATED"],
  "collected": "2026-04-12T12:55:35Z",
  "props": [
    { "name": "prowler-check-id", "value": "acm_certificates_expiration_check" },
    { "name": "prowler-status", "value": "Pass" },
    { "name": "prowler-severity", "value": "High" }
  ]
}
```
Plan of Action and Milestones
poam.json POA&M
12 open items with a current SPRS score of 62. Each item is linked to specific failing observations in the assessment results.
Related observation: 7de3a278-2ea7-4e2b-911e-b39880c99871
Related observation: 22af3322-285b-4b60-914c-4ebe979bc250
Related observations: 9ff006f6-..., 44168398-...
Related observation: 5fb75688-c406-486a-849e-167008ff20ad
Raw OSCAL POA&M Item
```json
{
  "uuid": "9d71e057-43d0-412e-a60c-42175329ed97",
  "title": "3.1.1 -- Limit system access to authorized users",
  "description": "Requirement 3.1.1 has 1 failing check(s) across 1 resource(s).",
  "props": [
    { "name": "sprs-points", "value": "5" },
    { "name": "severity", "value": "critical" },
    { "name": "poam-id", "value": "POAM-3_1_1" },
    { "name": "status", "value": "open" }
  ],
  "related-observations": [
    { "observation-uuid": "7de3a278-2ea7-4e2b-911e-b39880c99871" }
  ]
}
```
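The assessment flow above (POA&M links must resolve to observations that actually failed, every failing observation must be tracked, and every check an SSP statement cites must have fresh evidence that does not contradict an "implemented" claim) can be mechanised. The following is an added example, not part of the package or its pipeline: the embedded OSCAL fragments are constructed samples shaped like the excerpts on this page, and the 30-day freshness window is an assumed threshold.

```python
from datetime import datetime, timedelta
# Constructed sample fragments shaped like the package's OSCAL files (not the real evidence).
AR = {"assessment-results": {"results": [{"observations": [
    {"uuid": "7de3a278-2ea7-4e2b-911e-b39880c99871", "collected": "2026-04-12T12:55:35Z",
     "props": [{"name": "prowler-check-id", "value": "iam_root_mfa_enabled"}, {"name": "prowler-status", "value": "Fail"}]},
    {"uuid": "ba8b4ab4-a840-429a-ab70-e2e3773eb06b", "collected": "2026-04-12T12:55:35Z",
     "props": [{"name": "prowler-check-id", "value": "iam_no_root_access_key"}, {"name": "prowler-status", "value": "Pass"}]}]}]}}
POAM = {"plan-of-action-and-milestones": {"poam-items": [
    {"props": [{"name": "poam-id", "value": "POAM-3_1_1"}],
     "related-observations": [{"observation-uuid": "7de3a278-2ea7-4e2b-911e-b39880c99871"}]}]}}
SSP_REQ = {"control-id": "AC.L2-3.1.1", "props": [{"name": "implementation-status", "value": "implemented"}],
           "statements": [{"statement-id": "AC.L2-3.1.1_smt.a",
                           "props": [{"name": "prowler-check-ids", "value": "iam_no_root_access_key,iam_root_mfa_enabled"}]}]}

def prop(obj, name):  # OSCAL prop value by name, None if absent
    return next((p["value"] for p in obj.get("props", []) if p["name"] == name), None)

def parse_ts(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))

def cross_check(ar, poam, ssp_req, now, max_age=timedelta(days=30)):
    """Return discrepancies between SSP claims, scan observations and POA&M items (empty = consistent)."""
    obs = {o["uuid"]: o for r in ar["assessment-results"]["results"] for o in r.get("observations", [])}
    by_check = {prop(o, "prowler-check-id"): o for o in obs.values()}
    items = poam["plan-of-action-and-milestones"]["poam-items"]
    linked = {ref["observation-uuid"] for it in items for ref in it.get("related-observations", [])}
    issues = []
    # 1. Every POA&M link must resolve to an observation that actually failed.
    for it in items:
        for ref in it.get("related-observations", []):
            o = obs.get(ref["observation-uuid"])
            if o is None:
                issues.append(f"{prop(it, 'poam-id')}: dangling observation {ref['observation-uuid']}")
            elif prop(o, "prowler-status") != "Fail":
                issues.append(f"{prop(it, 'poam-id')}: linked observation {o['uuid']} did not fail")
    # 2. Every failing observation must be tracked on the POA&M (no silent gaps).
    for uuid, o in obs.items():
        if prop(o, "prowler-status") == "Fail" and uuid not in linked:
            issues.append(f"failure not on POA&M: {prop(o, 'prowler-check-id')}")
    # 3. Each check the SSP cites needs a fresh observation, and 'implemented' must not rest on a failure.
    claimed = prop(ssp_req, "implementation-status")
    for smt in ssp_req["statements"]:
        for cid in prop(smt, "prowler-check-ids").split(","):
            o = by_check.get(cid)
            if o is None:
                issues.append(f"{smt['statement-id']}: no observation for {cid}")
            elif parse_ts(now) - parse_ts(o["collected"]) > max_age:
                issues.append(f"{smt['statement-id']}: evidence for {cid} is stale")
            elif claimed == "implemented" and prop(o, "prowler-status") == "Fail":
                issues.append(f"{smt['statement-id']}: {cid} fails but control claims implemented")
    return issues
```

Run against the sample data with the SSP's last-modified timestamp as `now`, it flags the one inconsistency the page's own excerpts contain: AC.L2-3.1.1 is marked "implemented" while its iam_root_mfa_enabled observation fails and sits on the POA&M.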
Component Definition: AWS IAM
aws-iam-ac-l2-3.1.1.json Component Definition
This component covers the IAM layer of AC.L2-3.1.1 -- 9 of the 26 Prowler checks that map to NIST SP 800-171 Rev 2 section 3.1.1. Four statements decompose the control into verifiable sub-goals.
| Statement | Description | Prowler Checks |
|---|---|---|
| smt.a | Root account sealed | iam_no_root_access_key, iam_root_mfa_enabled |
| smt.b | Users MFA-bound, activity-gated | iam_user_mfa_enabled_console_access, iam_user_accesskey_unused, + 5 more |
| smt.c | No wildcard-admin grants | iam_aws_attached_policy_no_administrative_privileges, + 2 more |
| smt.d | MFA-required break-glass path | Compensating control (documented) |
Enforcement Layers
| Layer | Tool | Artifact |
|---|---|---|
| Plan-time | OPA / Conftest | opa/ac-l2-3.1.1.rego |
| Live-state | Steampipe | steampipe/ac-l2-3.1.1.sql |
| Infrastructure | Terraform | terraform/main.tf |
| Assurance case | GSN | oscal/assurance-case.gsn.json |
```json
{
  "component-definition": {
    "metadata": {
      "title": "grc-eng AWS IAM Component -- AC.L2-3.1.1 (IAM layer)",
      "oscal-version": "1.2.1"
    },
    "components": [{
      "title": "AWS Identity and Access Management (grc-eng baseline)",
      "type": "service",
      "purpose": "Limit AWS access to authorized users, processes, and devices at the IAM layer, per CMMC AC.L2-3.1.1",
      "control-implementations": [{
        "source": "trestle://profiles/cmmc-l2/profile.json",
        "implemented-requirements": [{
          "control-id": "AC.L2-3.1.1",
          "props": [
            { "name": "implementation-status", "value": "implemented" }
          ],
          "statements": [/* 4 statements: smt.a through smt.d */]
        }]
      }]
    }]
  }
}
```
Component Definition: AWS CloudTrail + GuardDuty
aws-cloudtrail-au-l2-3.3.1.json Component Definition
Covers AU.L2-3.3.1 -- system audit log creation and retention. Multi-region CloudTrail with S3 data events, CloudWatch integration with 365-day retention, VPC flow logs, and GuardDuty continuous monitoring.
| Prowler Check | What It Verifies |
|---|---|
| cloudtrail_multi_region_enabled | CloudTrail records in all regions |
| cloudtrail_s3_dataevents_read_enabled | S3 read events captured |
| cloudtrail_s3_dataevents_write_enabled | S3 write events captured |
| cloudtrail_cloudwatch_logging_enabled | Events forwarded to CloudWatch |
| cloudwatch_log_group_retention_policy_specific_days_enabled | 365-day retention |
| vpc_flow_logs_enabled | Network-level activity capture |
| guardduty_is_enabled | Continuous threat monitoring |
| securityhub_enabled | Centralized findings |
Component Definition: AWS Encryption at Rest
aws-encryption-rest-sc-l2-3.13.11.json Component Definition
Covers SC.L2-3.13.11 -- FIPS-validated cryptography for CUI at rest. All storage services use AWS KMS Customer Managed Keys backed by FIPS 140-2 Level 3 HSMs.
| Service | Prowler Check |
|---|---|
| S3 (technical drawings) | s3_bucket_default_encryption |
| EBS (SolidWorks PDM) | ec2_ebs_volume_encryption |
| RDS (ERP database) | rds_instance_storage_encrypted |
| DynamoDB | dynamodb_tables_kms_cmk_encryption_enabled |
| EFS | efs_encryption_at_rest_enabled |
| OpenSearch | opensearch_service_domains_encryption_at_rest_enabled |
| CloudWatch Logs | cloudwatch_log_group_kms_encryption_enabled |
| CloudTrail logs | cloudtrail_kms_encryption_enabled |
Provenance and Chain of Custody
provenance/
This evidence package was generated by an automated compliance-as-code pipeline. No manual editing occurred after generation.
| Field | Value |
|---|---|
| Pipeline Version | 1.0.0 |
| Git Commit | abc1234def5678 |
| CI/CD Run | GHA-run-12345 |
| Signing Key | B4A7 2E8F 9C01 D345 ... |
| OSCAL Version | 1.2.1 |
Tool Chain
| Stage | Tool | Version | Purpose |
|---|---|---|---|
| Scanning | Prowler | 4.x | AWS security scanning |
| Transformation | oscal-emitter | 0.1.0 | Prowler JSON to OSCAL |
| Verification | OPA | 0.68.0 | Policy-as-code |
| Verification | Steampipe | 0.24.x | Live-state queries |
| Validation | compliance-trestle | 4.0.1 | OSCAL schema validation |
| Integrity | sha256sum + gpg | -- | Hash and sign |
Verification Commands
```bash
# Verify file integrity
sha256sum -c SHA256SUMS
# Verify GPG signature (requires grc.engineering public key)
gpg --verify SHA256SUMS.sig SHA256SUMS
# Validate OSCAL schema compliance
trestle validate -f system-security-plan.json
trestle validate -f assessment-results.json
trestle validate -f poam.json
```