ThreadBridge Solutions | CMMC Readiness Portal

Org Profile

Headquarters

1148 Industrial Parkway, Cumberland, MD 21502

Satellite Facility

88 Commerce Drive, Frostburg, MD 21532

Ownership

Privately held; woman-owned small business (WOSB)

Founded

2004

Total Employees

82 (40 Prod, 12 Admin, 8 IT, 15 Sales, 7 Mgmt)

Annual DoD Revenue

~$14.2M ($11M Uniforms / $3.2M GSA)

Key Personnel

MH

Margaret Holloway

CEO

DP

Dennis Park

IT Manager / de facto CISO

SY

Sandra Ybarra

Contracts Manager

RC

Robert Chen

Production Manager

LN

Lisa Nguyen

HR Manager

Active Federal Contracts

Contract Number	Agency	Type	Product / Service	CUI Scope	Status
FA4890-25-D-0014	DLA Troop Support	IDIQ	Combat Utility Uniforms (OCP/PFU)	YES	Active
GS-02F-8847X	GSA MAS (Sch 75)	Multiple Award	Office Supplies	FCI ONLY	Active

Logical Network Topology

FULL ASSET INVENTORY Audit Target: 58 Physical Assets

ID	Name	OS / Platform	Role	Data Sensitivity
SRV-001	Epicor Server	Win Server 2019	Production ERP	CUI / FCI
SRV-002	TBS-FS01	Win Server 2022	Central File Storage	CUI / PII / PII
SRV-003	TBS-DC01	Win Server 2019	Identity (AD/DNS)	System Critical
SRV-004	TBS-NAS-01	Synology DSM 7.2	Backup Repository	CUI Snapshot
NET-001	Sophos XG 310	Sophos SFOS	Firewall / VPN	Security Control
WRK-001–040	Staff Laptops/PCs	Win 10/11 Pro	Office Operations	Mixed
MOB-001–008	Android Tablets	Android 12	Floor Scanning	FCI Only
PRN-001–003	Ricoh MFPs	Ricoh Embedded	Scan/Print Hub	Processing CUI

Authentication Summary

Internal Network

Windows Active Directory username/password. No MFA enforced for local logins, RDP, or Server Admin sessions.

Cloud (M365)

Azure AD Conditional Access. MFA Enforced for all remote logins via Microsoft Authenticator.

CUI Inventory (Controlled Unclassified Information)

CUI Type	Description	Storage Location	Owner
Technical Specs	Uniform design, camouflage patterns	FS-01 (/CUI/Specs)	Robert Chen
Contract Info (CTI)	Deployment schedules, unit designations	Epicor / FS-01	Sandra Ybarra
Personnel Privacy	Employee security clearance data	FS-01 (/HR/Private)	Lisa Nguyen
Export Control	Proprietary material blend data (EAR)	FS-01 / Email	Margaret Holloway

FCI Inventory (Federal Contract Information)

FCI Type	Description	Storage Location
Pricing/Bids	GSA and DLA bid documents	SharePoint / Email
PO History	Office supply order records	Epicor / Email
Schedules	General logistics and shipping dates	ERP / FS-01

v1.2

IT Systems Master Map

Foundational technical summary of TBS internal assets.

VIEW DOCUMENT

v2.1

TBS Employee Handbook: IT Appendix

Standards for device usage and user behavior.

VIEW DOCUMENT

Draft

Internal Response Guide

Disaster recovery and event management notes.

VIEW DOCUMENT

v1.0

Removable Storage Protocol

Controls for USB drives and physical media.

VIEW DOCUMENT

v3.4

Identity Management SOP

Lifecycle of user credentials and admin access.

VIEW DOCUMENT

Provider	Service Role	Remote Access Method	Data Access
TechServ LLC	ERP Maintenance	Client-to-Site SSL VPN	Admin / CUI
Cascade Networks	Managed ISP / UTM	Dedicated WAN Port	Metadata Only
Ricoh USA	Print Management	Physical Only	Potential Buffer CUI
Microsoft	SaaS Platform	Tenant Admin Portal	CUI / FCI / Email

Dennis Park, IT Manager (Interview Summary)

"MFA? Yeah, we have it on Microsoft 365 because Margaret was worried about account takeovers. For the local stuff—ERP, File Server—it's just regular passwords. The VPN too. Adding MFA to all that is on my to-do list, but we've got a small team."

"Domain admins? That's me and my IT spec, Jennifer. We both use those accounts as our main logins. It just makes things faster when we're troubleshooting for users."

Sandra Ybarra, Contracts Manager (Interview Summary)

"CUI documents? They usually come in via email. I save them to the contract folder. Dennis restricted that folder a few months back, I think. I don't know who has the actual list of permissions."

"Phishing? Yeah, we had one last year. We reset the person's password. No, we didn't report it to the DoD. We checked her outgoing mail and didn't see anything stolen, so we thought we were good."

Internal Maintenance Log (Extract)

Date	Engineer	System	Work Description
Mar 15, 2026	Kyle (TechServ)	SRV-001	Applied Epicor security patches. Used personal USB for offline patch file transfer.
Apr 02, 2026	Dennis Park	SRV-003	AD Schema cleanup.

INC-001: Compromised Account (Historical)

Timeline: ~10 Months Ago

Context: Accounting staff entered credentials into a fake DLA portal. Account was used by attacker to log into M365 SharePoint from a foreign IP.

Result: Dennis Park reset the password and disabled the account for 24 hours. No data export review was conducted. No DoD reporting was initiated.

Assessor GAP Observation Matrix

ID	Control Family	Observation Detail
G-01	IA	Failure to implement MFA for local network sessions and VPN access.
G-02	AC	Privileged accounts used for non-privileged tasks (Domain Admin as primary).
G-03	MA	No escort policy for third-party maintenance; personal USBs used on production servers.
G-04	IR	Historical incident not reported to DIBNet despite potential CUI exposure.

Internal Vuln Scan Result (Doc 9 Extract)

Severity	CVE / Title	System	Discovery Date
CRITICAL	CVE-2021-34527 (PrintNightmare)	WRK-001-040	14 Months Ago
CRITICAL	Exposed SMBv1 Protocol	SRV-001	14 Months Ago
HIGH	End-of-Support OS (Win 7/8 remnants)	Sales WRK	14 Months Ago

Org Profile

Key Personnel

Logical Network Topology

Authentication Summary

IT Systems Master Map

TBS Employee Handbook: IT Appendix

Internal Response Guide

Removable Storage Protocol

Identity Management SOP

Dennis Park, IT Manager (Interview Summary)

Sandra Ybarra, Contracts Manager (Interview Summary)

Policy Document