Patriot Field Rations, Inc.

CMMC Level 2 Audit Training

This training scenario is entirely fictitious and created for educational purposes only. Any resemblance to real organizations, contracts, or individuals is coincidental.
Company: Patriot Field Rations, Inc.
Industry: Operational Rations
Headquarters: Cedar Ridge, Ohio
Employees: 180 Total
Target Level: CMMC Level 2
Seeded Gaps: 14 Identified

Company Overview

Company Profile

  • Legal Name: Patriot Field Rations, Inc. (PFRI)
  • Year Founded: 1994
  • Headquarters: 2400 Mission Ridge Parkway, Cedar Ridge, OH 45101
  • Ownership: Privately held, majority employee-owned (ESOP)
  • CAGE Code: 9X7P3
  • UEI: N9KJQLF6P2L5
  • Primary NAICS: 311999 – All Other Miscellaneous Food Manufacturing
  • Secondary NAICS: 311612 – Meat Processed from Carcasses

Mission Statement

"Patriot Field Rations, Inc. delivers mission-ready, shelf-stable rations that help U.S. and allied forces perform at their best in any environment, backed by uncompromising quality, safety, and cybersecurity across our global supply chain."

Facilities

Headquarters & Administrative Center

Cedar Ridge, OH

Functions: Executive leadership, HR, Finance, Contracts, IT, Cybersecurity & Compliance, R&D/Menu Development, QA, Program Management.

IT Footprint:

  • Corporate network core, primary data center, collaboration platforms, contract systems.

Patriot Production Plant

Patriot, WV

Functions: Large-scale cooking, retort processing, packaging, assembly of MRE components and full meal bags.

Handles:

  • Detailed recipes, nutritional formulas, packaging specifications (CUI).

IT Footprint: MES, RationSpec terminals, QA lab systems, production workstations.

Liberty Distribution Center

Liberty Junction, KY

Functions: Warehousing, staging, distribution of finished MRE cases to DLA depots and FEMA staging sites.

Handles:

  • Shipping manifests, pallet-level traceability, routing instructions (CUI).

IT Footprint: WMS, RF scanners, shipping label printers, thin clients.

In-scope for CMMC Level 2

All three facilities are in-scope because PFRI’s DoD contracts involve Controlled Unclassified Information (CUI) flowing through engineering, contracts, and logistics systems. Students should identify where CUI is concentrated: HQ engineering/contract systems, plant recipe/spec systems, and logistics data at distribution.

Active DoD Contracts

Contract 1: Individual Operational Ration Packs – Theater Performance

CMMC LEVEL 2
Contract ID: W91RAT-24-C-0037
Ceiling Value: $410,000,000
Customer: ACC, DLA Troop Support
Period: Jan 1, 2024 – Dec 31, 2026 (+2 options)

Description: Supply of 2.4 million MRE cases; customization of menus and nutritional profiles under Army/DLA specifications.

Data Types

  • FCI: Pricing, schedules, metrics.
  • CUI: Menu formulations, nutritional performance data, packaging design, shipping profiles.

Cyber Requirements

DFARS 252.204-7021; C3PAO assessment required by end of 2027.

Seeded Issue (Boundary/Data Location):

A 2022 pre-award prototype phase used a generic commercial cloud platform (“ShareSpace”). Not all folders migrated to GovCloud; a subset of early CUI-labeled documents remains in the legacy ShareSpace tenant.

Contract 2: Humanitarian Daily Ration Variant – Pork-Free

CMMC LEVEL 2
Contract ID: SPE3S1-25-D-HDR1
Ceiling Value: $220,000,000
Customer: DLA Support
Period: Nov 1, 2025 – Oct 31, 2030 (IDIQ)

CUI Details

Shipment profiles, contingency stockpiling locations, technical packaging indicators tested under gov protocols.

DLA Terms

Maintain SPRS score; provide SSP/POA&M evidence on request.

Seeded Issue (Data Handling):

Shipment manifests generated through a third-party NGO platform; staff occasionally email sensitive destination data to that partner via regular corporate email instead of the secured enclave.

Contract 3: Training and Garrison Rations

CMMC LEVEL 1

Role: Subcontractor to a large food distribution prime. Value: $65,000,000 share. Data: FCI only.

Seeded Issue (Scoping):

Internal documentation in RationSpec system does not clearly label which records are FCI-only vs. CUI-involved, creating confusion in scoping the Level 2 environment.

Organizational Structure

Executive Leadership

  • CEO: Laura McKenna
  • COO: Marcus Riley
  • CFO: Ellen Zhou
  • CIO: David Hernandez
  • CISO / Director GRC: Priya Nair
  • VP Operations: Tom Garland
  • QA & Regulatory Director: Dr. Nina Patel
  • HR Director: Richard Lawson
  • Contracts Director: Hannah Schultz

Key Departments

  • Operations: Production, maintenance, operators, shipping/receiving.
  • QA & Regulatory: Inspectors, lab techs, compliance specialists.
  • R&D / Menu Dev: Food scientists, packaging engineers.
  • IT & Cyber: Infrastructure, GRC, Security Engineers.
  • Logistics: Planners, dock schedulers.

Role–CUI Exposure Summary

Exposure Level | Roles / Departments | Data Types
High | R&D, Menu Dev, Packaging Engineering, Contracts, GRC, IT Admins | Recipes, mission-profiles, contract mods, audit logs, GovCloud CUI
Moderate | QA, Logistics Planners | Technical specs, test protocols, shipping profiles
Low/FCI | Operations, Finance, Warehouse Clerks | Purchase orders, generic ops data

Seeded Organizational Gaps (AC-2, AC-6)

  • HR role catalog differs from Active Directory groups; job titles like “Senior Menu Engineer” do not map cleanly to access profiles.
  • Plant Maintenance Supervisor has legacy local admin access on production workstations and is misclassified as “Production Engineer” in one access group.

IT Environment & Infrastructure

Corporate Segment

10.20.0.0/22

HQ Workstations, Servers, GovCloud Access.

Plant Segment

10.30.0.0/22

MES, RationSpec, Engineering, OT-adjacent systems.

Distribution Segment

10.40.0.0/23

WMS, RF Scanners, Thin Clients.

Critical Systems & Servers

Hostname | OS / Application | Function / Data | Notes / Issues
DC1 / DC2 | Win Server 2019 / AD | Identity, DNS; Indirect CUI | Domain controllers for HQ and Plant.
MES01 | Win Server 2019 / ProdFlow | Manufacturing execution, work orders. | Patching 45 days behind.
RSPC01 | Win Server 2019 / RationSpec | Recipes, CUI nutritional formulas. | Patching 45 days behind.
FILEENG01 | Win Server 2016 | CUI Engineering drawings, artwork. | SMBv1 active. No patch in 120 days.
GOVCLOUD | SaaS / GovCloud Suite | Email, Document library, SSP/POA&M. | Primary CUI repository.
LEGACYSTOR | Commercial Cloud | Old Contract 1 specs (Residual CUI). | Accounts still active; not in enclave.
WMS01 | Win Server 2012 R2 | Inventory, manifests (Some CUI). | End-of-Support OS; High Vuln findings.

Endpoint Inventory

  • HQ: 70 Win 11 laptops/desktops (Mixed use).
  • Plant: 80 Win 10 workstations (MES terminals), 10 Engineering laptops.
  • Distribution: 30 thin clients, 25 Handheld RF Scanners (Android).

Security Stack

  • Endpoint: Protection Suite X on all Windows.
  • Vulnerability: VulnSight (Monthly server, Quarterly WS).
  • SIEM: LogWatch (Aggregates HQ/DC; 14d local only for Plant).

Seeded IT Weaknesses (CM, RA, SI)

  • 10 engineering laptops routinely leave the network, missing scan and backup windows.
  • RF Scanners are not centrally managed; asset records are incomplete.
  • QA Lab instruments run Windows 7 Embedded with limited patching.

Network Diagrams (Reference Architecture)

These network diagrams illustrate how Patriot Field Rations, Inc. has structured its enterprise network, defined a CUI enclave, and segmented key systems across the Headquarters, Patriot Production Plant, and Liberty Distribution Center. In real CMMC assessments, diagrams like these are used to validate system boundaries, identify CUI data flows, and support System Security Plan documentation. Use Figures 1–3 alongside the IT Environment tab as you complete the SSP, Asset Inventory, SAR, POA&M, and related CMMC documents.

Figure 1: High-Level Enterprise Network Topology

CUI Enclave Boundary

Headquarters – Cedar Ridge, OH (Corporate Network: 10.20.0.0/22)

  • User LAN – HQ Workstations & Laptops
  • Server LAN – HQ Data Center: DC1 (Win Server 2019), FILEENG01 (Win Server 2016), BACKUP01 (Win Server 2019)
  • Perimeter Firewall & Web Filter
  • VPN Endpoint – HQ IPsec Gateway

Patriot Production Plant – Patriot, WV (Plant Network: 10.30.0.0/22)

  • User LAN – Plant Supervisors & Eng.
  • Server LAN – Plant Systems: MES01 – ProdFlow MES Server, RSPC01 – RationSpec App Server
  • Plant IPsec Gateway
  • Internet (Backup Only)

Liberty Distribution Center – KY (Warehouse Network: 10.40.0.0/23)

  • WMS01 – Warehouse Management Sys
  • RF Scanners & Label Printers
  • Distribution IPsec Gateway

  • GovCloud Suite – CUI/FCI Library
  • LogWatch SIEM – Central Analytics
  • LEGACYSTOR – ShareSpace (Gap)
  • IPsec Tunnel HQ-Plant
  • IPsec HQ-Dist

Legend: Site Network, Server/Gateway, CUI Enclave, Known Gap

Figure 1 – High-level enterprise topology showing HQ, Patriot Production Plant, and Liberty Distribution Center networks, site-to-site VPNs, internet egress points, and the CUI enclave boundary.

Figure 2: CUI Enclave Logical Architecture

CUI Enclave (CMMC Level 2)

User Roles

  • R&D / Menu Engineers
  • Packaging Engineers
  • Contracts & Analysts
  • QA & Regulatory Staff
  • IT Administrators

Application & Data Layer

  • RSPC01 – RationSpec (Recipes/Specs)
  • FILEENG01 – Eng. File Server (TDPs)
  • MES01 – ProdFlow MES (CUI Loads)
  • WMS01 – Warehouse Mgmt (CUI-Linked)
  • GovCloud – CUI Document Library

Security Controls

  • MFA & Conditional Access
  • Perimeter Firewalls
  • Endpoint Protection Suite X
  • LogWatch SIEM

LEGACYSTOR (ShareSpace)

  • Residual CUI – Out of Scope
  • Migration Gap / Risk Item

Figure 2 – Logical CUI enclave architecture, including in-scope applications, data stores, user roles, security controls, and legacy out-of-scope cloud storage hosting residual CUI.

Figure 3: Patriot Production Plant Network Detail

Patriot Production Plant – Patriot, WV (Plant Network: 10.30.0.0/22)

Plant User VLAN – Eng. & Supervisors (Subnet: 10.30.10.0/24)

  • ENG-WS-01..10 (Workstations)
  • SUP-WS-01..15 (Supervisors)
  • ⚠ Laptops miss scan windows

MES/RationSpec Server VLAN (Subnet: 10.30.20.0/24)

  • MES01 – ProdFlow MES Server
  • RSPC01 – RationSpec Application Server
  • ⚠ Patching 45d behind

QA Lab VLAN (Subnet: 10.30.30.0/24)

  • QA-LAB-01..05 (Windows 7 Embedded)
  • Limited patch windows; CUI data flow.
  • ⚠ Local logs only (Gap)

Production/OT VLAN

  • Production Line Systems (OT)
  • Isolated via segment firewalls.

Plant Firewall

  • VPN Tunnel to HQ
  • Logs -> SIEM

Figure 3 – Patriot Production Plant network detail, illustrating internal VLANs, key servers, CUI data flows, and logging/patching focal points relevant to the CMMC Level 2 assessment.
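When diagrams are used to validate a system boundary, the address ranges in the diagram should be cross-checked against the segment ranges documented elsewhere. The Python check below is an added example, not part of the original case study: it compares the site segments from the IT Environment section with the VLAN subnets labelled in Figure 3. The function names and the sample host addresses are constructed for illustration.

```python
import ipaddress

# Site segments as listed under "IT Environment & Infrastructure".
SITE_SEGMENTS = {
    "Corporate": "10.20.0.0/22",
    "Plant": "10.30.0.0/22",
    "Distribution": "10.40.0.0/23",
}

# VLAN subnets as labelled in Figure 3 (Plant network detail).
PLANT_VLANS = {
    "Plant User VLAN": "10.30.10.0/24",
    "MES/RationSpec Server VLAN": "10.30.20.0/24",
    "QA Lab VLAN": "10.30.30.0/24",
}

# Constructed host addresses (the case study gives no per-host IPs).
SAMPLE_HOSTS = {
    "server in MES/RationSpec VLAN": "10.30.20.11",
    "host inside documented Plant range": "10.30.1.20",
    "thin client at Distribution": "10.40.1.200",
}


def overlapping_segments(segments):
    """Return pairs of site names whose documented ranges overlap."""
    nets = {n: ipaddress.ip_network(c) for n, c in segments.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def vlans_outside_segment(vlans, segment_cidr):
    """Return names of VLANs whose subnet is not inside the site segment."""
    segment = ipaddress.ip_network(segment_cidr)
    return [name for name, cidr in vlans.items()
            if not ipaddress.ip_network(cidr).subnet_of(segment)]


def site_for_host(ip, segments):
    """Return the site whose documented segment contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def smallest_covering_prefix(segment_cidr, vlans):
    """Widen the segment until it contains every VLAN subnet.

    This only quantifies the size of a mismatch for the finding write-up;
    it does not say which document (segment list or diagram) is correct.
    """
    net = ipaddress.ip_network(segment_cidr)
    subnets = [ipaddress.ip_network(c) for c in vlans.values()]
    while not all(s.subnet_of(net) for s in subnets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    print("Overlapping site segments:", overlapping_segments(SITE_SEGMENTS))
    outside = vlans_outside_segment(PLANT_VLANS, SITE_SEGMENTS["Plant"])
    for name in outside:
        print(f"Outside documented Plant segment: {name} "
              f"({PLANT_VLANS[name]} vs {SITE_SEGMENTS['Plant']})")
    if outside:
        print("Smallest prefix covering segment and VLANs:",
              smallest_covering_prefix(SITE_SEGMENTS["Plant"], PLANT_VLANS))
    for label, ip in SAMPLE_HOSTS.items():
        print(f"{label} ({ip}) -> {site_for_host(ip, SITE_SEGMENTS)}")
```

A VLAN reported outside its site segment means the segment list and the diagram disagree, so the SSP boundary description and firewall rule scopes should be reconciled against the actual configuration before they are used as assessment evidence.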

Security Posture & Compliance Status

Current SPRS Score: -38
Implemented: 76
Partial: 18
Not Implemented: 16

CMMC / NIST 800-171 Gaps by Family

Access Control (AC)

  • Role inconsistencies (AC-2/6).
  • External remote access for some engineers not locked to enclave (AC-17).

Audit & Accountability (AU)

Plant MES and WMS do not send logs to SIEM; 14-day local retention only (AU-2/6).

Config Mgmt & Media Prot (CM/MP)

  • Baselines exist but legacy deviations undocumented (CM-2/6).
  • Media disposal for QA backup DVDs/USBs is informal (MP-6).

Physical & Risk (PE/RA)

  • Distribution Center badge system managed by landlord (PE-3).
  • Vuln findings not consistently tied to risk ratings/POA&M (RA-3).

Policies & Procedures

Use this section to understand how Patriot Field Rations, Inc. has documented key cybersecurity policies and procedures. As you complete the SSP, POA&M, SAR, and other CMMC documents, reference these excerpts to justify your control descriptions and identify where practice diverges from policy.

Access Control Policy (ACP)

Defines how Patriot Field Rations, Inc. manages user identities, roles, and access rights to systems that process FCI and CUI.

Patriot Field Rations, Inc. maintains a risk-based access control program to ensure that only authorized individuals are granted access to information systems and data commensurate with their job responsibilities. Access to systems that store or process Controlled Unclassified Information (CUI) is explicitly limited to users whose roles require such access.

User accounts are provisioned based on HR-approved roles and are granted least-privilege access to domain, application, and data resources. All access requests must be documented via an approved access request form and authorized by the user’s manager and the system owner.

Access to CUI systems (including RationSpec, the Engineering File Server, and the GovCloud Collaboration Suite CUI library) requires multifactor authentication (MFA), strong passwords, and alignment with defined access control groups. Administrative access is restricted to designated IT personnel and is reviewed at least quarterly.

When personnel change roles or leave the company, HR notifies IT within one business day. IT disables or adjusts accounts in line with the updated role. Periodic access reviews are conducted semi-annually to verify that all users have appropriate access rights.

Related Documents:

– System Security Plan (SSP)

– Access Control Matrix

Incident Response Plan (IRP) Overview

Summarizes how Patriot Field Rations, Inc. prepares for, detects, responds to, and recovers from cybersecurity incidents affecting in-scope systems.

Patriot Field Rations, Inc. maintains a formal Incident Response Plan (IRP) covering all systems in scope for CMMC Level 2. The plan defines clear phases of incident handling: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

The Cybersecurity & Compliance team serves as the core incident response team (IRT), supported by IT infrastructure, application owners, HR, Legal, and Communications as needed. All employees are required to promptly report suspected security incidents to the Service Desk or Security Operations Center (SOC).

For systems containing CUI, incident responders must assess potential loss of confidentiality, integrity, or availability and, when warranted, initiate notifications to affected stakeholders and government points of contact in accordance with contract requirements. Significant incidents are documented in an incident record that captures root cause, impact, response actions, and corrective actions.

The IRP is reviewed at least annually and after major incidents. Tabletop exercises are conducted at least once per year to validate the plan and train staff in their roles and responsibilities.

Related Documents:

– Incident Response Plan

– Security Assessment Report

Configuration Management Policy (CMP)

Describes how Patriot Field Rations, Inc. manages changes to systems, configurations, and baselines.

Patriot Field Rations, Inc. enforces a formal configuration management policy to ensure that systems are deployed, maintained, and modified in a controlled manner. All in-scope servers, workstations, and network devices must adhere to approved configuration baselines aligned with company standards and applicable industry benchmarks.

Proposed changes to production systems are documented in change requests that describe the business justification, technical approach, risk assessment, testing plan, and back-out plan. Normal changes are reviewed and approved by the Change Advisory Board (CAB), which includes representatives from IT, Cybersecurity & Compliance, and affected business units.

Emergency changes are permitted when necessary to address critical vulnerabilities or system outages but must be documented and reviewed retrospectively at the next CAB meeting. Unapproved or undocumented changes to in-scope systems are prohibited.

Configuration baselines and system inventories are reviewed periodically to verify that deployed systems match approved configurations, and deviations are either remediated or formally documented as exceptions.

Related Documents:

– Configuration Management Plan

– Asset Inventory & Categorization

– Maintenance Report

Audit Logging & Monitoring Standard (ALMS)

Defines logging, monitoring, and review requirements for systems supporting CMMC Level 2.

Patriot Field Rations, Inc. requires security-relevant events from in-scope systems to be logged, protected, and regularly reviewed. Critical infrastructure components, domain controllers, servers hosting CUI, and perimeter security devices are configured to forward logs to the centralized LogWatch SIEM platform.

Logged events include user authentication attempts, administrative actions, configuration changes, access to sensitive data repositories, and security alerts generated by endpoint and network protection tools. Log data is retained for a minimum of 12 months, with at least 90 days readily available online for analysis.

The Cybersecurity & Compliance team reviews SIEM alerts daily and produces a summary of notable events on at least a weekly basis. Higher-risk alerts, such as repeated failed logins or anomalous login locations for privileged accounts, are investigated promptly according to the Incident Response Plan.

Systems that cannot currently forward logs to the SIEM must store logs locally with appropriate protections and retention. These gaps are tracked as part of the POA&M until fully addressed.

Related Documents:

– Audit Log & Monitoring Report

– Security Assessment Report

Vendor & Supply Chain Security Policy (VSSP)

Establishes security expectations for suppliers and partners that support operational rations and related IT services.

Patriot Field Rations, Inc. recognizes that suppliers and logistics partners play a critical role in securely delivering rations to government customers. The Vendor & Supply Chain Security Policy sets minimum security requirements for third parties that process, store, or transmit the company’s data, including CUI related to contracts, specifications, and shipments.

Suppliers handling CUI or providing critical IT or logistics services must complete a security assessment questionnaire and provide evidence of appropriate controls, such as multi-factor authentication, patch management, and incident response capabilities. Where applicable, contracts must include clauses requiring adherence to CMMC requirements and prompt notification of security incidents.

Vendor risk is assessed based on the sensitivity of shared data and the criticality of services. High-risk suppliers are reviewed at least annually. Unresolved high-risk findings may result in mitigation plans, contractual remedies, or consideration of alternate suppliers.

Information sharing with suppliers is limited to the minimum necessary to fulfill contractual obligations, and the use of unauthorized cloud services or consumer-grade collaboration tools for CUI is prohibited.

Related Documents:

– System Security Plan (SSP)

– Plan of Action & Milestones

– Security Assessment Report

Personnel & Training Metrics

Total Staff: 180

Total Completion: 93%

Overdue Staff: 16

Department Training Breakdown

Department | Completion Rate
IT & Cybersecurity | 100%
Contracts & Program Mgmt | 95%
R&D / Menu Development | 92%
QA / Regulatory | 90%
Plant Operations | 91%
Distribution Operations | 86%

Seeded Training Gaps

  • 5 engineers, 3 warehouse supervisors, and 8 line leads overdue for CUI refresher.
  • Materials reference "Future CMMC" and lack final 2.0 rule or DLA-specific 2025 timelines.
  • No formal process to remove access for users >60 days overdue on training.

Physical Security

HQ Physical Controls

Multi-tenant building, PFRI occupies 2 floors. Badge access, visitor sign-in, reception, CCTV in hallways, locked server room with restricted access group.

ISSUE: 4 recorded tailgating incidents in last year; no consistent follow-up.

Plant Physical Controls

Standalone fenced facility, guard booth at gates during business hours, exterior badge readers, interior camera coverage in select areas, secure QA lab.

ISSUE:

Document storage room near maintenance shop contains historical QA binders and USBs with test data; not inventoried or processed under media destruction policy.

Distribution Center Controls

Leased warehouse, shared perimeter security with landlord, PFRI interior badge readers, CCTV at dock doors.

ISSUE: Landlord manages badge system; PFRI cannot audit or export access logs independently.

Incidents & Risk Register

Incident History (24-Month Window)

Aug 14, 2025 - Medium Severity

Phishing Credential Compromise (Contract Manager)

Clicked spoofed login; attacker accessed GovCloud email for 45 mins. Mailbox contained CUI attachments. Reported as potential exposure.

Mar 5, 2025 - Near-Miss

Misaddressed Shipment Manifest

Shipping clerk almost emailed manifest with sensitive destination codes to wrong customer; caught by supervisor. Highlights lack of DLP.

Oct 22, 2024 - Low Severity

Malware on Warehouse Workstation

Personal USB usage detected/blocked by endpoint protection. No CUI present on workstation.

Risk Register Snapshot

ID | Risk Description | Likelihood | Impact | Mitigation Status
R1 | Legacy OS on WMS01 Server | Medium | High | Upgrade scheduled Q4 2026; monitoring only.
R2 | Residual CUI on LEGACYSTOR | Medium | High | Discovery/migration in progress (90 days target).
R3 | Incomplete Supplier Security Assessments | High | Medium | Checklist drafted; not yet rolled out.
R4 | Training Non-compliance (Whse Supervisors) | Medium | Medium | Adding to perf reviews; not yet enforced.

Supply Chain Management

Critical Upstream Suppliers

Frontier Nutripack Solutions, LLC

Freeze-dried components & packaging films.

Status: Level 1 self-attested. No CMMC roadmap.

Shares: Packaging specs for theater-specific menus (CUI).

Liberty Tactical Logistics Services (LTLS)

3PL provider for overflow warehousing.

Status: Claims "CMMC Readiness" but no assessment. No MFA on TMS.

Shares: Routing guides, mission destination codes (CUI).

Policy State

VRM Policy requires initial questionnaires and annual reviews for high-risk suppliers.

SUPPLY CHAIN GAPS:

  • Not all CUI suppliers included in central risk register.
  • No contractual requirement for suppliers to maintain specific CMMC levels.
  • PFRI does not regularly request/review SPRS scores from subcontractors.

Audit Documents & Student Tools

Use the buttons below to access your working audit documents. Re-reference the case narrative tabs to complete them.

System Security Plan (SSP)

Use: Overview, Contracts, IT Env tabs.

POA&M

Use: All Seeded Gaps (14 total).

Asset Inventory

Use: IT Environment Tab.

Access Control Matrix

Use: Organization & Personnel tabs.

Incident Response (IRP)

Use: Incident Narratives.

Audit Log Record (ALMR)

Use: SIEM vs Local details.

Student Workflow Instructions

  • Scoping: Use Overview and IT Environment to define the Level 2 boundary.
  • Gap Analysis: Extract all 14 seeded gaps to build the POA&M.
  • ACM: Map HR roles from Organization to the access types in IT Environment.
  • VSR/CMP: Use patch timelines and WMS/FILEENG01 findings for configuration management reports.

Instructor Guide: Patriot Field Rations Case Study

Learning Objectives

  • Identify CUI and FCI flows in an operational rations environment.
  • Scope a CMMC Level 2 assessment boundary across multiple sites.
  • Translate narrative case information into formal SSP, POA&M, SAR, and IRP documents.
  • Evaluate supply chain and vulnerability management practices using CMMC language.

Suggested Mission Sequence

Mission 1 – Scoping and CUI Identification

Map out facilities, contracts, and systems in-scope for Level 2.

Mission 2 – Assets and Access Control

Build Asset Inventory and Access Control Matrix from IT and Org tabs.

Mission 3 – Gap Analysis & POA&M

Identify all 14 seeded gaps and create POA&M entries.

Mission 4 – Incident Response

Critique and refine the IRP based on the credential compromise and malware events.

Mission 5 – SAR and SPRS Score

Produce a SAR and justify the final -38 score.

Instructor Hints (High-Level)

"Focus on the 'hidden' CUI in Contract 1 and 2. Key findings should revolve around the legacy cloud (LEGACYSTOR), the unpatched engineering file server (FILEENG01), and the WMS system nearing EOL. Ensure students don't miss the logging gaps in the WV and KY facilities where data is stored locally."