⚠ This case study is entirely fictitious and created for educational purposes only. Any resemblance to real organizations, contracts, or individuals is coincidental.
- Employees: 95 Total
- DoD Contracts: 2 Active
- CMMC Gaps: 8 Seeded
- Annual Revenue: ~$22M
- Target Level: Level 2
Company Profile
Apex BioDefense Laboratories, Inc. (Apex BioDefense) is a biodefense research contractor specializing in vaccines, therapeutics, antitoxins, and rapid diagnostics for high‑consequence biological threats. The company operates BSL‑2 and BSL‑3 laboratories in Frederick, Maryland, supporting BARDA and DoD‑funded medical countermeasure programs from early discovery through preclinical and early clinical stages.
- Headquarters: Frederick, MD (near the Fort Detrick biodefense campus)
- Industry: Biodefense R&D and medical countermeasure development
- Revenue: ~$22M
- Employees: 95
- CAGE Code: 6AB95
- CMMC Target Level: 2
Facilities
Headquarters & Admin
Functions:
Executive leadership, HR, Finance, IT, Information Security & Compliance, Program Management, Contracts.
IT Assets:
Corporate network core, central domain controller, corporate file server, CUI file server, SIEM, VPN gateway, NGFW, core switches.
Discovery Center (BSL‑2)
Functions:
BSL‑2 labs, vivarium, assay development, early discovery.
IT Assets:
Lab workstations (Windows 10), lab domain controller, LIMS server, research database, lab switches.
High‑Containment Annex (BSL‑3)
Functions:
BSL‑3 labs and a small BSL‑3 animal facility; select agent and high‑risk pathogen work.
IT/OT Assets:
BSL‑3 workstations, high‑containment database server, acquisition systems, environmental/OT control controllers, internal switch and firewall.
Active Federal Contracts
Customer: HHS ASPR/BARDA
Role: Prime contractor
Period: 10/1/2023 – 9/30/2027 (base) + 2‑year options
Value: ~$120M
Scope: MCM platform for novel respiratory pathogens (BSL‑2/3 studies, assays, and early clinical support).
Data context: FCI (plans, budgets); CUI (pathogen strains, preclinical datasets, assay designs, regulatory drafts).
Some early BARDA protocol documents and preclinical datasets were stored on the general corporate file server CORP‑FILE01 in non‑CUI‑labeled folders accessible to a broad “All‑Research” group. These materials were only later migrated into the CUI enclave, and Apex has not yet completed a full review to confirm that all legacy copies were removed.
Customer: DoD medical research program at Fort Detrick
Role: Prime contractor
Period: 1/15/2024 – 1/14/2028
Value: ~$65M
Data context: CUI (threat info, dose-response); EAR (technical data on agents and assays).
CMMC Req: CMMC 2.0 Level 2 target; accurate SPRS scoring required.
An EU‑based analytics partner uses guest accounts in Apex’s GovBio tenant and participates in CUI‑bearing collaboration spaces. Network location and conditional access controls were implemented only after an internal review. Several senior PIs regularly access CUI libraries from unmanaged BYOD laptops and tablets over VPN with historical split tunneling enabled.
Leadership & Roles
4.1 Leadership List
- CEO – Dr. Elena Vargas
- COO – Mark Chen
- CFO – Priya Desai
- CIO – Thomas Gallagher
- CISO – Rachel Alvarez
- VP Discovery Research – Dr. Sanjay Kulkarni
- VP High‑Containment Programs – Dr. Caroline Fischer
- Director Clinical Operations – Maria Lopez
- Director Quality & Regulatory Affairs – Dr. Aaron Cho
- Director HR & Talent – Linda McGrath
4.2 Departments & CUI Exposure
- HR job title “Senior Scientist – Pathogen Modeling” maps to AD group Resrch-FullAccess, giving broad file share access beyond specific contract needs.
- A former BSL‑3 researcher now in QA remains in the BSL3-Data-Editors group with elevated rights.
Full Technical Infrastructure
1.1 CUI enclave design and segmentation
Apex uses a logical CUI enclave spanning on‑prem and cloud resources, designed to tightly contain CUI while leaving most corporate systems out of scope.
Enclave contents (in‑scope):
- CUI-FS01 (CUI file server) – primary on‑prem CUI repository.
- HC-DB01 (high‑containment DB) – BSL‑3 data and EAR‑controlled data.
- LIMS01 instance – handling sample tracking and some CUI.
- GovBio Cloud Collaboration – CUI‑designated SharePoint libraries and Teams channels.
- Selected BSL‑2/BSL‑3 lab workstations that connect to these systems.
- SIEM01 Log Aggregator (for logs from enclave assets).
Critical Boundary Gap:
BioShare Legacy – marked as out of scope but with residual CUI exposure (unremediated data discovery required).
1.2 VLAN and Subnet Detail
Corporate HQ (10.50.0.0/22)
- 10.50.10.0/24 – Corp User VLAN
- 10.50.20.0/24 – CUI Server VLAN
- 10.50.30.0/24 – Infrastructure VLAN
BSL-2 Lab (10.60.0.0/22)
- 10.60.10.0/24 – BSL-2 Lab WS Subnet
- 10.60.20.0/24 – LIMS/Lab Server Subnet
BSL-3 Annex (10.70.0.0/23)
- 10.70.10.0/24 – BSL-3 WS Subnet
- 10.70.20.0/24 – BSL-3 DB/Acq Subnet
Full 12-item Asset Inventory
| Hostname | Application / OS | Role / Data Context | IP Address |
|---|---|---|---|
| CORP-DC01 | Win Server 2019 | Corporate Domain Controller | 10.50.30.10 |
| CORP-FILE01 | Win Server 2019 | Corp File Server – ⚠ LEAK RISK | 10.50.20.20 |
| CUI-FS01 | Win Server 2019 | ENCLAVE CUI FILE SERVER | 10.50.20.10 |
| BIO-DC01 | Win Server 2019 | Lab Domain Controller (BIO Domain) | 10.60.20.10 |
| LAB-DB01 | Linux / PostgreSQL | BSL-2 Research Data | 10.60.20.30 |
| LIMS01 | Win Server 2016 | ⚠ LEGACY OS / UNPATCHED >90D | 10.60.20.40 |
| HC-DB01 | Win Server 2019 + SQL | ⚠ BSL-3 DB / CRITICAL VULNS | 10.70.20.10 |
| BIOINF-APP01 | Linux (Hardened) | Bioinformatics Platform (SaaS-like) | 10.50.20.30 |
| SIEM01 | Security Appliance | LogWatch SIEM Aggregator | 10.50.20.40 |
| VPN-GW01 | Virtual NGFW Instance | VPN-GW01 Gateway | 10.50.30.20 |
| ACQ-SYS-01 | LTSC Embedded | BSL-3 Instrument Acquisition | 10.70.20.50 |
| HVAC-CTL-01 | Embedded PLC | BSL-3 Negative Pressure Control | 10.70.20.60 |
1.3 Firewall rules
Rule 1: Only Apex-CUI-Endpoints (identified by certificate and device group) may initiate connections to enclave VLAN segments (10.50.20.0/24, 10.60.20.0/24, 10.70.20.0/24) on defined ports (SMB/445, HTTPS/443, SQL/1433).
Rule 2: All other internal traffic to Enclave VLANs is DENIED BY DEFAULT and triggers a SIEM high‑priority alert.
Rule 3: Enclave servers (CUI‑FS01, HC‑DB01) are restricted from direct internet access; outbound traffic is permitted only to SIEM01, approved internal update mirrors, and authorized GovBio cloud tenant IP ranges.
Rule 4: BSL-3 networks (10.70.0.0/23) are explicitly DENIED access to CORP‑FILE01 to prevent the manual storage of high‑consequence pathogen data on unencrypted corporate file shares.
Infrastructure Diagrams
Figure 1: High‑Level Enterprise Topology
Figure 2: Logical CUI Enclave Architecture
Figure 3: Lab & BSL‑3 Network Detail
Security Posture Dashboard
Feb 2026 SPRS Score: -42
A. Control Implementation Summary
| Family | Implemented | Partial | Not |
|---|---|---|---|
| AC – Access Control | 14 | 5 | 3 |
| AU – Audit & Accountability | 7 | 1 | 1 |
| CM – Configuration Management | 11 | 3 | 1 |
| IA – Identification & Auth | 10 | 1 | 0 |
| IR – Incident Response | 6 | 1 | 0 |
| MP – Media Protection | 5 | 2 | 1 |
| PE – Physical Protection | 5 | 1 | 0 |
| RA – Risk Assessment | 3 | 0 | 0 |
| SC – System & Communications | 11 | 3 | 2 |
| SI – System & Information Integrity | 8 | 1 | 1 |
Compliance Detail
Apex’s strongest families are IA, RA, and IR, where most practices are fully implemented and documented. Weakest areas include AC, MP, and SC due to legacy access models, incomplete media handling, and inconsistent network segmentation between production environments and the CUI enclave.
B. Maturity Indicators (Process vs. Ad‑hoc)
- Documented but ad‑hoc: Many Apex controls (e.g., account reviews, firewall rule reviews) exist as written procedures but are performed inconsistently or not evidenced for every quarter.
- Tooling without governance: Security tools (EDR, SIEM, vulnerability scanner) are deployed, but there is no formal process to review dashboards, track tickets, and feed issues into the POA&M.
- Partial automation: Account provisioning ties into HR for new hires, but de‑provisioning and role change mapping to CUI access are still manual and error‑prone.
- Evidence gaps: Some controls are implemented technically but lack clear artifacts for assessors (screenshots, change tickets, meeting minutes), which will impact the SAR/assessment.
C. Risk‑Weighted Gap Summary
| Tier | Count | Example issues |
|---|---|---|
| High | 4 | BYOD CUI access, legacy servers with CUI & vulns |
| Med | 8 | Stale access, partial logging, incomplete training |
| Low | 5 | Minor policy mis‑alignments, naming inconsistencies |
High‑tier items must have clear POA&M entries with short‑term milestones before any formal assessment. Medium‑tier items can be scheduled across 6–12 months, provided Apex can show credible planning and progress tracking.
D. Evidence Readiness Checklist
Institutional Policy Repository
2.1 CUI Identification, Marking, and Handling Standard
Apex BioDefense Laboratories, Inc. maintains a Controlled Unclassified Information (CUI) Identification and Handling Standard that applies to all systems and personnel supporting BARDA and DoD contracts. All documents, datasets, and collaboration spaces containing CUI must be clearly designated so that users can distinguish CUI from non‑CUI materials.
At a minimum, electronic and paper documents that contain CUI must be marked with the banner “CUI” in the header and footer and include a designation indicator on the first page, such as “CUI//Apex BioDefense” or “CUI//DoD”. Where relevant, category and limited dissemination markings (for example, “CUI//SP-BIO//NOFORN”) must be applied in accordance with the applicable CUI registry and contractual guidance.
Prior to sharing information with external collaborators, the information owner must ensure that the content has been properly marked, that the recipient is authorized to receive the CUI, and that the information is transmitted using approved channels (for example, the GovBio CUI collaboration tenant). Legacy repositories such as the BioShare Legacy environment are not authorized for CUI and must be fully remediated; any suspected CUI discovered in those locations must be reported to Information Security & Compliance for triage and remediation.
2.2 BYOD & Remote Access Standard (AC.L2‑3.1.18-aligned)
Apex BioDefense permits limited use of personally owned devices (BYOD) to access corporate resources under strict controls. Personally owned devices are never authorized to store CUI locally, and access to CUI must occur only through approved secure applications and remote access mechanisms. BYOD devices that access CUI must, at a minimum, meet the following requirements: enrollment in the corporate mobile/endpoint management solution; full‑disk encryption using FIPS‑validated modules where available; enforced screen lock and inactivity timeout; malware protection; and the ability for Apex to remotely wipe corporate data containers in the event of loss, theft, or compromise. If a device cannot meet these requirements, it may not be used to access CUI.
Access to the GovBio Cloud Collaboration CUI libraries and CUI application portals from BYOD devices must occur through a hardened, containerized workspace or virtual desktop environment that logically separates corporate data from personal data on the device. Split tunneling is prohibited for connections that access CUI; all traffic from the CUI container must be routed through Apex’s VPN gateway or secure access solution for inspection and logging.
2.3 CUI Enclave and Network Security Policy
Apex BioDefense maintains a logically segmented CUI enclave to reduce the scope of its CMMC Level 2 assessment while ensuring robust protection of CUI. The enclave consists of dedicated VLANs, hardened servers, and an associated cloud tenant that collectively host CUI‑bearing systems such as CUI‑FS01, LIMS01, HC‑DB01, selected lab workstations, and GovBio CUI document libraries.
Network segmentation is enforced using firewalls and access control lists that implement a deny‑all, permit‑by‑exception model. Only authorized endpoints and user accounts may communicate with enclave systems, and those communications must use approved protocols and ports. Enclave systems do not host public‑facing services, and all outbound connections are restricted to approved update services, security tooling, and the GovBio tenant.
All enclave systems must be hardened according to Apex’s baseline configuration standards, including timely application of security patches, disabling of unnecessary services, and enforcement of strong authentication mechanisms (such as multifactor authentication for privileged and remote access). Deviations from baseline configurations must be documented, risk‑assessed, and approved through the configuration management process.
Enclave traffic is continuously monitored. System logs, firewall logs, and authentication events from enclave systems are forwarded to SIEM01 for correlation and alerting. Systems that cannot currently forward logs must have documented compensating controls and a remediation plan tracked in the Plan of Action and Milestones (POA&M).
2.4 Access Control & Role Management Policy
Access to Apex BioDefense information systems is granted on the principle of least privilege and is based on job function, project assignment, and required access to CUI. HR, line management, and IT jointly maintain a role catalog that defines which Active Directory groups and application roles correspond to each job role, with special emphasis on roles that work in BSL‑2 and BSL‑3 laboratories.
Users requiring access to CUI systems (for example, CUI‑FS01, LIMS01, HC‑DB01, and CUI libraries in GovBio) must have an approved access request that documents business justification and is authorized by the user’s manager and the system owner. Access requests must reference the specific contract(s) under which CUI will be handled. Administrative and privileged access requires additional approval from Information Security & Compliance.
Access reviews are performed at least semi‑annually for all CUI‑related groups, including BSL3‑Data‑Editors, CUI‑Researchers, and privileged admin groups. Reviews verify that only current, authorized staff retain access, and that users who have changed roles (for example, moving from BSL‑3 research into non‑lab functions) are removed from specialized groups. Any discrepancies identified during reviews must be tracked to closure as part of the POA&M.
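The semi‑annual review described above is mechanical enough to script. What follows is an added example, not part of the Apex case study or any Apex tooling: it compares each account's group membership against a role catalog and reports groups the role does not justify, CUI groups granted before CUI training is complete, and separated users who still hold CUI groups. The group names BSL3-Data-Editors, CUI-Researchers and Resrch-FullAccess come from the case study; the role catalog, the roster and the user names are constructed so that the seeded findings from the Departments & CUI Exposure and Training sections show up in the output.

```python
"""Added example, not part of the Apex case study: an access review check of
the kind section 2.4 calls for. It compares each account's group membership
against a role catalog and reports groups the role does not justify, CUI
groups held before CUI training is complete, and separated users who still
hold CUI groups. Group names come from the case study; the role catalog, the
roster and the user names are constructed.
"""
from dataclasses import dataclass

# Groups that grant access to CUI systems (named in the case study).
CUI_GROUPS = {"BSL3-Data-Editors", "CUI-Researchers", "Resrch-FullAccess"}

# Constructed role catalog: job role -> the groups that role justifies.
# The broad Resrch-FullAccess group is deliberately justified by no role.
ROLE_CATALOG = {
    "QA Specialist": {"Domain Users", "QA-Docs"},
    "Senior Scientist - Pathogen Modeling": {"Domain Users", "CUI-Researchers"},
    "BSL-3 Research Scientist": {"Domain Users", "CUI-Researchers", "BSL3-Data-Editors"},
    "Accountant": {"Domain Users", "Finance-Share"},
}


@dataclass
class User:
    name: str
    role: str
    groups: set
    active: bool = True                 # False once HR records a separation
    cui_training_complete: bool = False


def review_access(roster, catalog=ROLE_CATALOG, cui_groups=CUI_GROUPS):
    """Return one finding per discrepancy, in roster order then group order."""
    findings = []
    for u in roster:
        if not u.active:
            # A separated user should hold no CUI group at all; the rest of
            # the account is handled by de-provisioning.
            for g in sorted(u.groups & cui_groups):
                findings.append({"user": u.name, "group": g,
                                 "reason": "separated user retains CUI group"})
            continue
        justified = catalog.get(u.role)
        if justified is None:
            findings.append({"user": u.name, "group": None,
                             "reason": f"role '{u.role}' not in role catalog"})
            continue
        for g in sorted(u.groups):
            if g not in justified:
                findings.append({"user": u.name, "group": g,
                                 "reason": f"group not justified by role '{u.role}'"})
            elif g in cui_groups and not u.cui_training_complete:
                findings.append({"user": u.name, "group": g,
                                 "reason": "CUI group held before CUI training complete"})
    return findings


# Constructed roster that reproduces the case study's seeded access findings.
SAMPLE_ROSTER = [
    # Former BSL-3 researcher moved to QA, still in BSL3-Data-Editors
    User("Dana Whitfield", "QA Specialist",
         {"Domain Users", "QA-Docs", "BSL3-Data-Editors"}, cui_training_complete=True),
    # HR title mapped to the broad Resrch-FullAccess group
    User("Omar Haddad", "Senior Scientist - Pathogen Modeling",
         {"Domain Users", "Resrch-FullAccess"}, cui_training_complete=True),
    # New hire granted CUI groups before CUI training was completed
    User("Lin Zhao", "BSL-3 Research Scientist",
         {"Domain Users", "CUI-Researchers", "BSL3-Data-Editors"}),
    # Separated employee whose account still carries a CUI group
    User("Pat Reyes", "Accountant",
         {"Domain Users", "Finance-Share", "CUI-Researchers"}, active=False),
    # Clean record: no finding expected
    User("Sam Okafor", "Accountant", {"Domain Users", "Finance-Share"}),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ROSTER):
        print(f"{f['user']:<15} {str(f['group']):<20} {f['reason']}")
```

Each finding carries the user, the group, and a reason string, which is the shape a POA&M entry or a ticket needs. In a real deployment the roster would come from the directory and HR system rather than a literal list, and the role catalog would be the jointly maintained one the policy describes.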
2.5 Incident Response Procedures for CUI & EAR Data
Apex BioDefense’s Incident Response Plan (IRP) includes specific procedures for incidents involving CUI and export‑controlled biological data. When a suspected incident involves CUI or EAR‑controlled information, the Incident Response Team (IRT) must quickly assess whether confidentiality, integrity, or availability of the data may have been affected, and whether any unauthorized foreign access has occurred.
The IRT must preserve relevant logs (for example, from SIEM01, GovBio audit logs, VPN‑GW01, endpoint security tools) and capture forensic artifacts as appropriate. If the incident involves data shared with international collaborators, the IRT must review cross‑border data flows and access logs for external accounts, including any guest accounts in the GovBio tenant.
For DoD contracts, the IRT must determine whether the event triggers DFARS‑related reporting requirements and coordinate with Contracts and Legal to notify the appropriate points of contact within required timeframes. For BARDA contracts, the IRT must follow any incident reporting guidance in the contract or associated security addenda. Lessons learned and corrective actions must be documented and linked to POA&M entries.
Personnel & Training
- Overall Awareness: 92%
- CUI Completion: 84%
- Role-Based (Admin): 100%
- Insider Threat: 88%
- Hire to Train (Avg): 21d
Training Program Overview
Training Types (Mapped to CMMC AT):
- General Security Awareness (AT.L2‑3.2.1): Annual refresher, mandatory for all staff. Covers phishing, passwords, and incident reporting.
- CUI Handling Training: Initial + annual refresher for CUI users. Aligned to DoD Mandatory CUI Training content.
- Role‑Based Security Training (AT.L2‑3.2.2): Targeted paths for IT admins, system owners, and program managers.
- Insider Threat Awareness (AT.L2‑3.2.3): Short annual module on indicators and reporting.
Delivery Methods:
- LMS‑hosted e‑learning modules (SCORM) for awareness and CUI handling.
- Quarterly live sessions / brown‑bags for role‑based content and Q&A.
- Just‑in‑time job aids (PDFs/Teams) for CUI marking and reporting.
Role‑Based Training Matrix
| Role | CUI Exp | Modules | Frequency | Evidence |
|---|---|---|---|---|
| Program Manager | High | Awareness, CUI, Role-Based (PM), Insider | Annual | LMS records, workshops |
| Senior Analyst | High | Awareness, CUI, Insider Threat | Annual | LMS records, quiz scores |
| Junior Analyst | Mod | Awareness, CUI Basics, Insider Threat | Annual | LMS records |
| IT Administrator | High | Awareness, CUI, Role-Based (Admin), IR/Logging | Annual | Certs (Sec+), labs |
| HR / Finance | Low | Awareness, Insider, Targeted CUI | Annual | LMS records, policy ack |
| Executives | Mod | Executive CUI Briefing, Insider Threat | Annual | Briefing slides |
Training‑Related Gaps (Seeded Findings)
- Access before training: Apex sometimes grants CUI repository access before training is complete; no automated enforcement prevents this.
- Subcontractor coverage: Records for 1099 consultants are incomplete; some rely on generic briefings.
- Static content: Core training modules are updated infrequently and lack current CMMC 2.0 language or Apex enclave diagrams.
- Weak linkage to roles: The matrix is not consistently used during annual access reviews or performance planning.
- Limited metrics: Apex lacks metrics on training effectiveness (e.g., quiz scores by topic).
Physical Security
Apex maintains multiple facilities: headquarters, production/lab sites, and project offices. Each implements layered physical controls consistent with NIST SP 800-171 Physical Protection (PE) requirements.
Physical Controls by Site
| Site | CUI | Access Controls | Monitoring | Media Controls |
|---|---|---|---|---|
| HQ – Main Office | Yes | Badge readers (Bldg/Suite), keys for server room | CCTV, Motion Sensors | Locked cabinets, shred bins |
| Operations / Lab | Ltd | Badge + PIN for lab door, escorted visitors | Corridor cameras, alarms | Locked media cabs, clean-desk |
| Small Project Office | Yes | Landlord badges, mechanical suite lock | Building security | Locked file drawers |
| Remote / Home | Yes | User-managed locks; dedicated workspace policy | N/A | Procedural shredding |
Physical Security Metrics
- Daily swipes (HQ): ~180
- CUI storage bins: 9
- Tailgating events: 5
- Visitor entries: 42
Seeded Finding (Gap #12):
Reliance on landlord-managed badge/CCTV at project offices with limited independent visibility into logs or retention. Physical CUI in legacy HQ paper storage is not included in the current media inventory.
Incidents & Risk Register
Recent Security Incidents (Last 24 Months)
| ID | Type | Systems | Impact | Status |
|---|---|---|---|---|
| I-1 | Email Spill | M365 Email | Unencrypted CUI exposed | Remediated |
| I-2 | Phishing | M365 Account | Credentials compromised | MFA Enabled |
| I-3 | Stale Access | AD/M365 Groups | Former employee access | Sign-off Required |
| I-4 | Ransomware | EDR/Endpoint | Blocked by EDR | Restored |
Top Risks Register Snapshot
| ID | Description | Rating | Owner | Mitigations | Status |
|---|---|---|---|---|---|
| R-1 | BYOD CUI Access | High | CISO | MDM, VPN, DLP | In Progress |
| R-2 | Legacy CUI Servers | High | CIO | Migration, Scanning | In Progress |
| R-4 | Incomplete Logging | Med-High | CISO | SIEM expansion | Open |
| R-6 | Unmarked CUI | High | Comp Mgr | Training, Templates | Open |
| R-8 | Infrequent IR Testing | Med | CISO | Tabletops | Planned |
Internal Risk Connection Analysis:
Incidents I‑1 and I‑3 (CUI handling/access) map directly to Risks R‑1, R‑3, and R‑6. Incident I-2 (phishing) is linked to Risks around monitoring and SI, justifying MFA expansions. Incident I-4 (ransomware) reinforces the need for EDR and tested playbooks (R-2/R-4).
Supply Chain Management
Key Suppliers Matrix
| Supplier | Role | Data | CMMC Int | Evidence |
|---|---|---|---|---|
| GovCloud Hosting | Cloud GCC High | CUI | Level 2 | FedRAMP High |
| SecureIT MSP | Admin/Support | CUI/FCI | Level 2 | SPRS/Self-Assmt |
| Precision Analytics | Modeling | CUI | Level 2 | Questionnaire |
| Delta Print | Logistics | FCI | Level 1 | Contract Clause |
| Aegis Integrators | Prime | CUI | Level 2 | CMMC Certificate |
- Total Vendors: 24
- Handle CUI: 5
- 7012 Clauses: 4/5
- SPRS Verified: 3/5
Supply‑Chain Gaps (Seeded Findings)
- Inconsistent DFARS/CMMC flow-down for analytics subs.
- Over-reliance on self-attestation without requesting formal SPRS scores.
- SecureIT (MSP) uses shared service accounts with static keys.
- No formal risk-tiering to distinguish high-value technical CUI vendors.
Audit Documentation & Interactive Tools
Instructor Guide – Apex BioDefense
This instructor guide supports the Apex BioDefense CMMC Level 2 audit training scenario. It provides learning objectives, facilitation steps, expected findings, and debrief questions to help instructors run the exercise effectively.
Scenario Overview
Apex BioDefense Laboratories, Inc. (Apex BioDefense) is a biodefense research contractor specializing in vaccines and diagnostics for high‑consequence biological threats. The company operates BSL‑2 and BSL‑3 laboratories in Frederick, Maryland, supporting BARDA and DoD‑funded programs.
Apex has approximately 95 employees, two active DoD contracts, and annual revenue of about $22M. The company’s CMMC 2.0 target is Level 2, and this case study seeds eight specific CMMC gaps into its environment. Students will examine Apex’s environment to identify and document CMMC‑relevant gaps.
Learning Objectives
- Describe the assessment boundary of a biodefense research contractor undergoing CMMC Level 2.
- Identify where CUI and EAR technical data are handled within the environment.
- Analyze security posture, policies, and incidents to spot seeded control gaps.
- Develop findings and recommendations aligned with CMMC Level 2 requirements.
Facilitation Plan and Timing
Phase 1 – Orientation (15–20 minutes)
Purpose
Introduce the Apex scenario and clarify context.
Instructor Actions
Walk through each tab; highlight scoping regarding CUI and EAR data flows.
Student Tasks
Skim Overview and Facilities; note data locations.
Phase 2 – Scoping (25–30 minutes)
Purpose
Determine reasonable CMMC assessment boundary.
Instructor Actions
Direct to Facilities, IT Env, and Diagrams.
Student Tasks
Create list of in-scope systems/enclaves.
Phase 3 – Evidence Review (40–60 minutes)
Purpose
Identify potential CMMC Level 2 gaps.
Instructor Actions
Point to Posture, Policies, Training, and Risks.
Student Tasks
Document suspected control gaps; prepare concise findings.