1
Company Overview
Background, mission, and data flow context
⚠️
Instructor Note: All company data, personnel, contract numbers, and locations in this case study are entirely fictional and created for classroom training purposes. Do not use in real CMMC assessments.
Company Profile
Legal NameFederal Food Services Incorporated Trade NameFFSI FoundedMarch 14, 1987 OwnershipPrivately held; Calloway Family Trust (majority) HQ4200 Patriot Commerce Blvd, Hartwell, GA 30643 Employees847 (712 full-time, 135 seasonal/contract) NAICS Codes311999, 493110, 541614 DUNS83-741-2290 (fictional) CAGE Code7FF2X (fictional) SAM.govActive — expires March 2026
Business Summary

Federal Food Services Inc. (FFSI) is a mid-tier defense food contractor specializing in the production, packaging, quality assurance, and distribution of field-ready nutrition products for the U.S. military. The company's flagship product is the Meal, Ready-to-Eat (MRE), which it manufactures under long-term contracts with the U.S. Army Contracting Command and Defense Logistics Agency (DLA) Troop Support.

Founded in 1987 by Vernon Calloway, FFSI grew from a regional food-service supplier into a nationally recognized defense contractor following its first Army MRE contract in 1993. Today, FFSI operates four facilities across Georgia and Tennessee and employs 847 people, roughly 60% of whom work in production and quality assurance roles.

Primary Mission: Provide the U.S. Army with nutritionally complete, shelf-stable, and operationally ready meal products that meet or exceed military specifications and contractual requirements under adverse logistical conditions.

Product Lines
  • Standard MRE (24-menu rotation)
  • Cold-Weather Ration Kit (CWR-K)
  • First Strike Ration (FSR) components
  • Humanitarian Daily Ration (HDR)
  • Special Dietary MRE (halal, vegetarian, allergen-free)
  • Field Kitchen Consumables
  • Emergency Nutrition Kits (ENK)
  • Shelf-stable beverages and supplements
Major Federal Customers
  • U.S. Army Contracting Command (ACC)
  • Defense Logistics Agency (DLA) Troop Support
  • U.S. Army Reserve Command (USARC)
  • USAID Office of Food for Peace (subcontract)
  • U.S. Army National Guard Bureau
  • Army Materiel Command (AMC) depots
Subcontractors & Suppliers
  • Highview Packaging Solutions LLC (packaging)
  • Blue Ridge Spice & Ingredient Co. (ingredients)
  • ThermaKit Distribution Inc. (cold-chain logistics)
  • ProSeal Defense Packaging (pouches)
  • SteadyPath IT Services (managed IT support)
ℹ️
FFSI processes both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across multiple systems and locations. Understanding how this data flows is the first step in scoping the CMMC assessment boundary.
FCI at FFSI

FCI includes contract performance data, delivery schedules, Army food specification documents, packaging standards, and procurement correspondence. This information flows through FFSI's ERP system (ProvisionEdge ERP), Microsoft 365 tenant, shared file server (CORP-FS-01), and the contract management module used by the contracts department.

CUI at FFSI

CUI includes Defense Logistics Agency delivery order details with unit pricing, Army logistics node identifiers, controlled technical data for MRE packaging specifications, supplier security questionnaire responses, personnel records related to cleared employees, and certain export-adjacent shipping documentation. CUI is designated under categories: CONTROLLED TECHNICAL INFORMATION, PROCUREMENT & ACQUISITION, and LOGISTICS.

CUI Data Flow Summary
[Army ACC / DLA] ──SFTP/Gov Portal──► [FFSI Contracts Dept]
                                              │
                    ┌─────────────────────────┤
                    ▼                         ▼
           [CUI Enclave — VLAN 20]   [ProvisionEdge ERP]
           (Contract Mgmt Module)    (Delivery scheduling)
                    │                         │
                    ▼                         ▼
           [CORP-FS-02 CUI Share]    [Logistics Team PCs]
           (Encrypted, ACL-gated)    (VLAN 50)
                    │
                    ▼
           [M365 Compliance tenant]  ← Email/Teams w/ DLP
           [Backup — FFSI-BKP-01]   ← Encrypted nightly
2
Locations
4 facilities — scope determination required
🏢
Corporate Headquarters
LOC-01 — Administrative & Contracts Hub
Address4200 Patriot Commerce Blvd, Hartwell, GA 30643 Employees142 FunctionExecutive leadership, contracts, finance, HR, IT administration, compliance CUI Processed?YES — CUI FCI Processed?YES — FCI NetworkPrimary domain, CUI VLAN 20, corporate VLAN 10
Physical Security Concerns
  • Public-facing lobby with unescorted visitor incidents on record
  • Server room accessed via shared badge group — not individually logged
  • Executive suite has open-plan layout with shared whiteboards
Network Connectivity

Primary 1Gbps fiber ISP (ComState Business). Secondary 500Mbps failover (LibertyNet). Palo Alto PA-3420 firewall. Cisco Catalyst switching. FortiGate SSL VPN endpoint. Connects to AWS GovCloud tenant via AWS Direct Connect.

🏭
Primary MRE Production Plant
LOC-02 — High-Volume Manufacturing
Address1800 Ration Way, Hartwell, GA 30643 (adjacent to HQ) Employees463 FunctionMRE production, packaging, labeling, initial QA, pallet staging CUI Processed?YES — CUI (Tech Data) FCI Processed?YES — FCI NetworkOT VLAN 80, Production VLAN 30, isolated MES segment
Physical Security Concerns
  • OT network (production line controllers) not fully segmented from corporate LAN — known gap
  • Contractor maintenance personnel access unsupervised during overnight shifts
  • Production-floor tablets used to view MRE specs have no MDM enrollment
Network Connectivity

Connected to HQ via private fiber (500Mbps). Manufacturing Execution System (FoodTrack MES) server on VLAN 80. Production-line tablets on isolated SSID. No direct internet egress from production floor — routed through HQ firewall.

🏗️
Cold/Dry Warehouse & Logistics Hub
LOC-03 — Distribution & Inventory
Address7750 Depot Road, Elberton, GA 30635 Employees187 FunctionFinished goods storage, order fulfillment, Army depot shipping, cold-chain management CUI Processed?LIMITED — Shipping data FCI Processed?YES — Delivery orders NetworkWarehouse VLAN 50, IoT VLAN 60 (temp sensors), guest VLAN 70
Physical Security Concerns
  • Delivery drivers enter staging area without formal check-in process — audit finding
  • Cold storage temperature monitoring system uses legacy firmware (unpatched)
  • Shared shipping workstations with generic "warehouse" login accounts
Network Connectivity

50Mbps MPLS link to HQ. Cisco Meraki switching and wireless. Cold-storage monitoring system on isolated VLAN 60 (IoT). Shipping workstations on VLAN 50. FortiGate remote VPN for warehouse supervisors to access ERP.

🔬
Quality Assurance & Testing Laboratory
LOC-04 — Food Science & Compliance Testing
Address300 Science Park Dr, Suite 210, Lavonia, GA 30553 Employees55 FunctionMicrobiological testing, shelf-life studies, nutritional analysis, packaging spec validation, USDA/FDA compliance CUI Processed?YES — Proprietary specs FCI Processed?YES NetworkQA VLAN 40, lab instruments on isolated segment
Physical Security Concerns
  • Lab instruments connected to workstations via USB — no media control policy enforced
  • QA database server (QA-DB-01) runs end-of-support Windows Server 2012 R2
  • Lab leased from Science Park LLC — shared HVAC, no dedicated server room; rack is in unlocked closet
Network Connectivity

100Mbps fiber to HQ via IPsec VPN tunnel. Lab instruments interface via RS-232 to QA workstations. QA-DB-01 server on VLAN 40. Staff use M365 for email and lab report sharing. No direct ERP access from lab facility.

3
Active Federal Contracts
6 active contracts — review DFARS clauses and CUI categories
4
Personnel & CMMC Role Assignment
Assign CMMC roles using the dropdowns — saved to session
💡
Student Exercise: Use the dropdown on each person's card to assign the appropriate CMMC security role. Your selections are saved during your browser session. Multiple people may share roles; some roles may remain unassigned.
5
IT Infrastructure
Network diagram — click nodes for details
ℹ️
Click any network node to view additional details. Color coding: ■ Firewall · ■ Server/Endpoint · ■ Cloud · ■ CUI Enclave · ■ OT/Production
🌐 InternetExternal
▼ ISP / Gov SFTP portal
🔥 PA-3420 FWHQ Primary Firewall
🔥 FortiGate 60FWarehouse FW
🔥 FG IPsec VPNLab Tunnel
▼ Internal network / VPN tunnels
🖥 DC-01 / DC-02Active Directory
📦 ProvisionEdge ERPCORP-ERP-01
📁 CORP-FS-01Corporate File Server
🔐 CUI EnclaveVLAN 20 / FS-02
📊 Splunk SIEMCORP-SIEM-01
▼ Production plant fiber link / OT segment
⚙ FoodTrack MESPROD-MES-01
🏭 PLC NetworkOT VLAN 80
🔬 QA-DB-01QA Database
💾 FFSI-BKP-01Backup Server
▼ AWS Direct Connect / M365 Cloud
☁ AWS GovCloudus-gov-east-1
📧 M365 GCCTeams / SharePoint / Exchange
🆔 Entra IDIdentity / SSO
📱 IntuneEndpoint Mgmt (partial)
── VLAN Segments ──
VLAN 10Corporate Admin
VLAN 20CUI Contracts
VLAN 30Production Ops
VLAN 40QA Lab
VLAN 50Warehouse Logistics
VLAN 60Security/IoT
VLAN 70Guest Wi-Fi
VLAN 80OT / MFG Equipment
VLAN 99Network Mgmt
VLANNameSubnetCUIDevicesIsolationNotes
10Corporate Admin10.10.10.0/24FCIAll HQ office PCs, printersACL via PA-3420General corporate user traffic
20CUI Contracts10.10.20.0/24CUIContracts staff PCs, CORP-FS-02Strict ACL — no VLAN 10 lateralIn-scope enclave — CMMC boundary
30Production Ops10.20.30.0/24FCIProduction supervisor PCs, MES terminalsPartial — GapLimited segmentation from VLAN 80 — audit finding
40QA Lab10.30.40.0/24CUIQA workstations, QA-DB-01, lab instrumentsIPsec tunnel to HQEnd-of-support server on this segment
50Warehouse Logistics10.40.50.0/24FCIShipping workstations, label printers, RF gunsFortiGate ACLShared accounts used — audit finding
60Security Cameras / IoT10.10.60.0/24NCIP cameras, badge readers, cold-storage sensorsIsolated — no routingMilestone NVR on this VLAN
70Guest Wi-Fi192.168.70.0/24NCVisitor devicesInternet-only, no internal accessCaptive portal with disclaimer
80OT / Manufacturing172.16.80.0/24NCPLCs, HMIs, conveyor controllersPartial — GapNo active monitoring; legacy protocols (Modbus)
99Network Management10.10.99.0/24AdminSwitches, APs, network mgmt consoleStrict ACL — admin onlyCisco ISE used for NAC
On-Premises Core Systems
Domain ControllersCORP-DC-01, CORP-DC-02 (Windows Server 2022, AD DS) File ServersCORP-FS-01 (corporate), CORP-FS-02 (CUI, encrypted) ERPProvisionEdge ERP v7.4 — on CORP-ERP-01 (SQL Server 2019) MESFoodTrack MES v3.1 — on PROD-MES-01 (Windows Server 2019) QA DatabaseQA-DB-01 (Windows Server 2012 R2 — EOS) SIEMSplunk Enterprise — CORP-SIEM-01 BackupVeeam B&R v12 — FFSI-BKP-01, offsite to AWS S3 GovCloud EDRCrowdStrike Falcon — deployed on 82% of endpoints VPNFortiGate SSL VPN — 2FA enforced for contracts/IT staff; not enforced for all users Badge SystemLenel OnGuard — CORP-BADGE-01 (separate VLAN 60)
Remote Access & Identity
Identity ProviderMicrosoft Entra ID (Hybrid — synced to on-prem AD) MFAMicrosoft Authenticator — enforced for M365; not enforced for ERP or VPN for all roles SSOEntra ID SSO for M365, CrowdStrike. ERP uses local accounts (gap) PAMNo dedicated PAM solution — shared admin credentials used Endpoint MgmtIntune — 68% enrollment; 32% unmanaged (production tablets, lab PCs) WirelessCisco Meraki MR series — WPA3 at HQ; WPA2 at warehouse (gap) DNS/DHCPWindows DNS/DHCP on DC-01/DC-02 NTPSynced to US NIST time servers via DC-01 Vulnerability ScanTenable Nessus — weekly scans, not covering all OT segments Patch ManagementWSUS — servers; Intune — enrolled endpoints; OT/tablets not covered
Microsoft 365 GCC Tenant
Tenant Nameffsi.onmicrosoft.us LicenseM365 E3 GCC (847 seats) Apps in UseExchange Online, Teams, SharePoint, OneDrive, Defender for Endpoint (P1) DLPDLP policies active — CUI keyword detection; not fully tuned Retention90-day email retention on all mailboxes; legal hold available Conditional AccessEnforced for M365 apps; compliant device requirement not applied to all groups CUI HandlingCUI stored on SharePoint site "ContractsCUI" — restricted permissions Admin Roles3 Global Admins — should be reduced; Global Admin used for routine tasks (gap)
AWS GovCloud Environment
Accountaws-ffsi-prod (us-gov-east-1) Services UsedS3 (backup), RDS (ERP replica), CloudTrail, GuardDuty, Secrets Manager Access ControlIAM roles — MFA enforced for root; service accounts without MFA (gap) Data ClassificationS3 buckets with CUI tagged "CUI-PROD"; encryption at rest (AES-256) LoggingCloudTrail enabled; logs shipped to Splunk via S3 → Lambda NetworkVPC with private subnets; Direct Connect from HQ VulnerabilityAmazon Inspector enabled on EC2 instances Backup Retention30-day S3 versioning; Glacier archive at 90 days
6
IT System Asset Inventory
35 assets — filter by location, CUI status, or criticality
Asset IDAsset NameTypeLocationOS/Platform CUICriticalityAuthLoggingPatchBackup
7
Physical Security Controls
Controls, evidence artifacts, and audit concerns
8
Known Risks & Incidents
10 incidents — identify CMMC domain and evidence needed
9
Current Cybersecurity Audit Gaps
12 findings — filter by severity or CMMC domain
Showing: 12 findings
10
Audit Evidence Library
Check off artifacts as you review them — progress saved to session
📁
Instructions: Check each artifact as you review it. Click the artifact name to see a fictional sample excerpt. Your checklist progress is saved to this browser session.
Progress: 0 / 15 reviewed
11
Student Audit Preparation Tasks
12 guided exercises for classroom use
🎓
Complete these tasks using information from all sections of this case study. Tasks may be completed individually or in audit team groups. Prepare written deliverables as directed by your instructor.