Sector-specific fictional DoD contractors with realistic IT environments, CUI data flows, network diagrams, and CMMC gaps — designed for hands-on Level 2 assessment practice.
Each case study presents a fully developed fictional DoD contractor in a specific Defense Industrial Base sector. Students receive a complete organizational profile, IT asset inventory, network architecture, CUI data flow diagram, security control gaps, vendor relationships, and a CMMC domain assessment. Exercises ask students to validate compliance posture, map findings to specific NIST SP 800-171 practice IDs, produce one of nine standard audit documents, and work through scenario injects that simulate realistic audit findings. Each case study can be used independently or combined for cross-sector comparison exercises.
The Defense Industrial Base spans over 80,000 companies across virtually every economic sector. CMMC applies to any organization that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on behalf of the Department of Defense — regardless of size or industry. Click any category below to explore what these contractors do and how CUI and CMMC obligations arise in their work.
Mid-size DoD subcontractor manufacturing actuator housing assemblies and providing UAV systems integration support. Holds three active DoD contracts across Army, Air Force, and NAVAIR. Operates two sites in Dayton OH and Huntsville AL.
DoD IT services contractor providing managed help desk, SOC-as-a-service, and enterprise IT support to multiple federal agencies. All CUI processed in Azure Government. 85 employees, Arlington VA.
Precision aerospace component manufacturer producing structural airframe parts and avionics housings for DoD prime contractors. Heavy ITAR exposure. 320 employees across two Kansas facilities.
University-affiliated DoD research laboratory performing DARPA and ONR-funded research on autonomous systems and advanced materials. Handles CUI and export-controlled technical data. 45 researchers plus graduate students.
Defense supply chain and warehouse management contractor operating logistics support contracts for Army and Marine Corps. Manages controlled inventory tracking and shipment documentation containing CUI. Jacksonville FL headquarters.
Embedded software and firmware developer producing safety-critical control code for naval weapons system components. Small but highly technical contractor with CI/CD pipeline, open-source dependencies, and serious CMMC obligations. San Diego CA.
DoD management consulting firm providing acquisition support, program management, and policy advisory services to OSD and military departments. Primarily a knowledge-work business — CUI lives in documents, email, and SharePoint. McLean VA.
Biodefense research contractor performing BARDA and DoD-funded medical countermeasure development. Operates BSL-2 and BSL-3 laboratory facilities with separate IT and OT environments. Handles CUI, export-controlled biological research, and personnel data. Frederick MD.