⚠ Educational Use Only — Fictional Scenario
All company names, personnel, contract numbers, CAGE codes, and data in this case study are entirely fictional and created for educational purposes. This material is part of the SANDS/MVCC CMMC Program curriculum. Do not use any information herein as actual legal, compliance, or cybersecurity guidance.
Case Study Metadata
| Version | 1.0 — June 2025 |
| Scope | CMMC Level 2 — 110 NIST SP 800-171 practices across 14 domains |
| Learner Level | Intermediate — assumes basic familiarity with CMMC/DFARS |
| Deliverables | 11 practitioner documents (SSP, POA&M, SAR, IRP, and more) |
| Educational Use | SANDS/MVCC CMMC Program — not for commercial distribution |
About This Case Study
ThreadBridge Solutions, LLC is a fictional small business that manufactures both combat utility uniforms for the Department of Defense and sells commercial office supplies to federal agencies via GSA Schedule. This dual-revenue model places ThreadBridge at the intersection of two distinct compliance regimes: CMMC Level 2 (for CUI-laden defense contracts) and CMMC Level 1 (for commercial GSA supply). Learners will analyze the company's technical environment, identify security gaps, evaluate two real security incidents, and produce the eleven practitioner documents required for a CMMC Level 2 assessment. The scenario deliberately embeds multiple realistic compliance failures common in small-to-midsize defense contractors.
Case Study Documents — Click to Open
Each card opens the corresponding document workspace in the Documents tab.
Doc 01
System Security Plan (SSP)
Doc 02
Plan of Action & Milestones (POA&M)
Doc 03
Asset Inventory
Doc 04
Security Assessment Report (SAR)
Doc 05
Incident Response Plan (IRP)
Doc 06
Access Control Matrix
Doc 07
Audit Log & Monitoring Report
Doc 08
Configuration Management Plan
Doc 09
Vulnerability Scan Report
Doc 10
SPRS Score Worksheet
Doc 11
Maintenance Report
Industry Context
Defense Textile & Apparel — DoD Uniform Manufacturing Sector
The defense uniform manufacturing sector is a specialized niche of the broader defense industrial base (DIB). Companies operating in this space typically hold Defense Logistics Agency (DLA) contracts for combat utility uniforms, physical fitness uniforms, and service dress components. The sector is characterized by high volume, tight delivery schedules, strict technical specifications, and substantial CUI obligations—particularly around material composition and camouflage pattern data that DLA provides to contractors. Below are five representative companies operating in adjacent or overlapping market segments to ThreadBridge Solutions.
| Company | Location | Primary Products | Contract Vehicle | CUI/Compliance Notes |
|---|---|---|---|---|
| American Apparel Inc. | Selma, AL | Combat utility uniforms for all branches | DLA Troop Support IDIQ ($48M) | CUI Uniform specs |
| Bluewater Defense | Corozal, PR | Major military uniforms, ~$1B DoD revenue | DLA multiple-award IDIQ | CUI Specs + delivery data |
| Crye Precision | Brooklyn, NY | Premium military uniform/equipment, ~150 employees | Direct DoD + DLA | ITAR-adjacent; CUI threshold applies |
| Propper International | St. Charles, MO | Full-line military uniforms | DLA + GSA accessories | FCI CUI Both apply |
| Staples Inc. | Framingham, MA | Office supplies to DoD via GSA MAS | GSA MAS Contract 47QSEA19D008T | FCI Only — Level 1 |
ThreadBridge's Unique Position: Unlike pure-play defense apparel manufacturers or pure commercial suppliers, ThreadBridge occupies the intersection of both product lines—manufacturing combat utility uniforms under a DLA IDIQ (triggering CMMC Level 2 obligations) while simultaneously supplying office materials via GSA Schedule (Level 1 only). This dual exposure creates compliance complexity: different data classification requirements, different flow-down clauses, and different assessment timelines must be managed simultaneously within a single 82-person organization.
Company Background
ThreadBridge Solutions, LLC — Organizational Profile
Key Personnel — Click a card to view system access
Margaret Holloway
Chief Executive Officer
FCICUI
System Access
- Email (M365)
- SharePoint
- QuickBooks (view-only)
Access Level: FCI + CUI All Categories
Dennis Park
IT Manager / de facto CISO
FCICUI⚠ Risk
System Access
- Domain Admin — ALL systems
- ERP (admin)
- All servers (local + remote)
- VPN management
- Firewall admin
⚠ Least Privilege Violation: Domain Admin used for day-to-day operations. Links to G-02.
Sandra Ybarra
Contracts Manager
FCICUI
System Access
- ERP (Epicor)
- Email (M365)
- SharePoint (contracts)
Access Level: FCI + CUI (Contracts)
Robert Chen
Production Manager
FCICUI
System Access
- ERP (Epicor)
- Email (M365)
- Manufacturing tablets (Android)
Access Level: FCI + CUI (Specs)
Lisa Nguyen
HR Manager
FCICUI
System Access
- Email (M365)
- SharePoint (HR)
- QuickBooks (HR view)
Access Level: FCI + CUI (Personnel)
Marcus Webb
Warehouse Supervisor
FCI
System Access
- ERP (Epicor — inventory module)
- Email (M365)
Access Level: FCI Inventory Only
Organization Profile
| Legal Name | ThreadBridge Solutions, LLC |
| CAGE Code | 7T4X2 (fictional) |
| DUNS/UEI | 08-347-2198 / TBS22CUMBERLAND |
| Founded | 2004 |
| Ownership | Privately held; WOSB |
| HQ | 1148 Industrial Parkway, Cumberland, MD 21502 |
| Satellite | 88 Commerce Drive, Frostburg, MD 21532 Warehouse — 12 miles from HQ |
| Employees | 82 total |
| Annual DoD Revenue | ~$14.2M |
Active Contracts
| Contract # | Agency | Type | Value | Data | Renewal |
|---|---|---|---|---|---|
| FA4890-25-D-0014 | DLA Troop Support | IDIQ FFP | $11.2M / 5yr | CUI | 18 months URGENT |
| GS-02F-8847X | GSA MAS Sch 75 | MAS | $3.2M annual | FCI only | Annual renewal |
Technical Environment
Asset Inventory, MFA Status, and Third-Party Providers
Asset Inventory
| Asset ID | Description | OS/Platform | Location | Function | FCI | CUI |
|---|---|---|---|---|---|---|
| SRV-001 | ERP Server (Epicor 10.2) | Windows Server 2019 | Cumberland server room | Production scheduling, inventory, contracts | YES | YES |
| SRV-002 | File Server TBS-FS01 | Windows Server 2022 | Cumberland server room | Centralized file storage | YES | YES |
| SRV-003 | Domain Controller TBS-DC01 | Windows Server 2019 | Cumberland server room | AD, DNS, DHCP, Group Policy | YES | Indirect |
| SRV-004 | Backup NAS (Synology DS1821+) | Synology DSM 7.2 | Cumberland server room | Veeam backup target; NO offsite backup | YES | YES Often Overlooked! |
| WRK-001–040 | Windows Workstations (40) | Win 10/11 Pro | Cumberland (30) / Frostburg (10) | Office use, ERP, email | YES | PARTIAL (8 of 40) |
| MOB-001–008 | Android Tablets (8) | Android 12 Samsung | Manufacturing floor | Production tracking via ERP web client | YES | NO Same LAN as CUI servers |
| NET-001 | Sophos XG 310 Firewall | Sophos SFOS 19.5 | Cumberland server room | Perimeter, VPN gateway, IDS/IPS | N/A | N/A |
| NET-002 | Cisco SG350 Switches (3) | Cisco IOS | Cumberland (2) / Frostburg (1) | LAN NO VLANs | N/A | N/A |
| CLO-001 | Microsoft 365 Business Premium | Cloud (Azure) | Microsoft-hosted | Email, Teams, SharePoint, OneDrive | YES | YES — SharePoint folders |
| CLO-002 | QuickBooks Enterprise | Win 10 (ACCT-WRK-01) | Accounting office | AP/AR, payroll support | YES | NO Orphaned admin account |
| PRN-001–003 | Ricoh IM C4500 MFPs (3) | Ricoh OS | Cumberland (2) / Frostburg (1) | Print, scan-to-email, copy | YES | POTENTIAL — can scan to any email |
| VPN-001 | Sophos SSL VPN (12 users) | Embedded in NET-001 | Remote access | Remote workers | YES | YES — tunnels CUI traffic NO MFA |
MFA Status by System
| System | MFA Enforced? | Method | Gap Reference |
|---|---|---|---|
| M365 (Email/SharePoint/Teams) | YES | Conditional Access — Azure AD | — |
| ERP (Epicor 10.2) | NO | Local password only | ⚠ Gap G-01 |
| File Server (TBS-FS01) | NO | AD credentials | ⚠ Gap G-01 |
| Domain Controller (RDP) | NO | AD credentials | ⚠ Gap G-01 |
| Sophos VPN | NO | AD credentials | ⚠ Gap G-01 |
| QuickBooks Enterprise | NO | Local QB database | ⚠ G-01 + orphaned account |
| Backup NAS (Synology) | NO | Shared local account | ⚠ Gap G-01 |
Third-Party Service Providers
| Provider | Location | Services | CUI Access? | Contract Status |
|---|---|---|---|---|
| TechServ LLC | Frederick, MD | ERP maintenance; monthly on-site + remote VPN | YES — ERP (CUI) | Basic MSA only NO CUI clause |
| Cascade Networks | Local | ISP + managed firewall | Firewall access only | ISP agreement — no security addendum |
| ADP | Cloud | Payroll processing | Employee PII = CUI-Privacy | Standard ADP agreement — no flow-down clause |
| Ricoh USA | National | Printer maintenance (quarterly) | Physical MFP access | Standard maintenance contract |
| Microsoft | Cloud | M365 cloud services | All email + SharePoint data | FedRAMP Moderate ✓ |
Data Classification
Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at ThreadBridge
FCI Federal Contract Information
Contract Pricing Data
Bid data, cost proposals to DLA/GSA
Location: File Server + SharePoint
Access: Holloway, Ybarra
Production/Delivery Schedules
Manufacturing timelines, lot quantities
Location: ERP + File Server
Access: Ybarra, Chen, Webb
Contract Performance Reports
Monthly metrics to DLA COR
Location: SharePoint + Email
Access: Ybarra, Holloway
Purchase Order Data (GSA)
Office supply orders, billing codes
Location: ERP + Email
Access: Sales team, Ybarra
Subcontractor Pricing
Vendor bids, raw material pricing
Location: File Server + Email
Access: Ybarra, Chen
CUI Controlled Unclassified Information
Critical Technology — Uniform Technical Specs
Material composition, camo patterns, Army/AF OCP tolerances
Location: /CUI/Contracts/DLA/Specs + SharePoint
Access: Chen, Park, Ybarra
CTI — Delivery Destination Data
Military unit locations, installation addresses for shipments
Location: ERP delivery module + File Server
Access: Ybarra, Chen, Webb
Privacy—Personnel — Employee Clearance Submissions
SF-86 data, personnel security questionnaire responses
Location: /HR/Clearances + SharePoint
Access: Nguyen, Holloway
Export Controlled (EAR) — Synthetic Fabric Data
EAR-controlled synthetic material specs (not ITAR)
Location: /CUI/Materials/EAR + encrypted email
Access: Chen, Park
NOT ALL SENSITIVE DATA IS CUI: Production labor hours, employee payroll, and commercial vendor invoices are sensitive business data but do NOT meet the CUI definition under 32 CFR Part 2002 or the CUI Registry. Misclassifying non-CUI data as CUI creates unnecessary compliance burden without legal basis.
Interactive Quiz: FCI or CUI?
Classify each data item. You'll receive immediate feedback after each answer.
Question 1 of 6
Unit pricing submitted to DLA contracting officer