Compliance · CMMC 2.0

CMMC 2.0 Level 1 Compliance – Web App Security

Auditor · Feb – Mar 2024

Overview

A compliance assessment of a web application against CMMC 2.0 Level 1, the baseline level for DoD contractors that handle Federal Contract Information (FCI). The engagement identified gaps across access control, data protection, and external connection management, then produced a prioritized remediation roadmap.

The Challenge

CMMC 2.0 Level 1 covers 17 practices across 6 domains, corresponding to the basic safeguarding requirements of FAR 52.204-21. The target web application was not built with DoD compliance in mind: shared accounts, unvalidated file uploads, and missing audit logging were not edge cases but baseline conditions of the system.

The Solution

Audited the application against all 17 CMMC Level 1 practices using the NIST SP 800-171 control mapping. Performed manual testing for access control (shared credentials, no MFA), file upload handling (no MIME validation, arbitrary extension upload), and external connection logging (no egress monitoring). Produced a gap report with practice-by-practice findings and a tiered remediation roadmap.
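The file-upload gap named above (no MIME validation, arbitrary extension upload) is easiest to see with the accepting logic side by side. The Python below is an added example, not code from the assessed application or from this engagement: the allowlist, the constructed sample uploads and the function names are assumptions chosen for the demonstration. It contrasts a handler that trusts the client's filename and Content-Type with one that allowlists the extension, requires the declared type to agree with it, and verifies the body's file signature so a renamed script is rejected whatever headers it carries.

```python
"""Added example: server-side upload validation of the kind the assessment
found missing. Illustrative only, not from the assessed application; the
allowlist, sample uploads and function names are assumptions."""
import os
import re

# Allowed extension -> (expected declared MIME type, accepted file signatures).
# The signature check is what actually matters; the MIME check is defense in depth.
ALLOWED = {
    ".png":  ("image/png",       [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg",      [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg",      [b"\xff\xd8\xff"]),
    ".pdf":  ("application/pdf", [b"%PDF-"]),
}

# Exactly one extension, no path separators, no dots in the stem (rejects shell.php.png).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def vulnerable_accept(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """The 'before' state the audit found: any name, any extension, any body.
    A renamed web shell (shell.php sent as Content-Type: image/png) sails through."""
    if filename and content_type:
        return True, "ok"
    return False, "missing filename or content type"


def hardened_accept(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Reject before storing: safe name, allowlisted extension, declared type
    consistent with it, and file signature consistent with it."""
    # 1. Filename: no path components and no double extensions.
    if os.path.basename(filename) != filename or not SAFE_NAME.match(filename):
        return False, "unsafe filename"
    ext = os.path.splitext(filename)[1].lower()
    # 2. Extension allowlist (never a denylist of .php/.aspx/...).
    if ext not in ALLOWED:
        return False, f"extension {ext} not allowlisted"
    expected_mime, signatures = ALLOWED[ext]
    # 3. Declared Content-Type is client-controlled; require agreement anyway.
    declared = content_type.split(";")[0].strip().lower()
    if declared != expected_mime:
        return False, f"declared type {declared} does not match {ext}"
    # 4. Magic bytes: the body must really be the type the extension claims.
    if not any(data.startswith(sig) for sig in signatures):
        return False, "content does not match extension"
    return True, "ok"


# Constructed sample uploads: (filename, declared Content-Type, first bytes of body).
SAMPLE_UPLOADS = [
    ("photo.png",       "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php",       "image/png", b"<?php system($_GET['c']); ?>"),
    ("shell.png",       "image/png", b"<?php system($_GET['c']); ?>"),
    ("shell.php.png",   "image/png", b"\x89PNG\r\n\x1a\n"),
    ("../../www/x.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    ("report.pdf",      "text/html", b"%PDF-1.7\n"),
]


def compare(uploads=SAMPLE_UPLOADS) -> dict[str, tuple[bool, bool]]:
    """Map each sample filename to (accepted by vulnerable handler, accepted by hardened one)."""
    return {
        name: (vulnerable_accept(name, ctype, body)[0], hardened_accept(name, ctype, body)[0])
        for name, ctype, body in uploads
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:18} vulnerable={before!s:5} hardened={after}")
```

Only `photo.png` passes the hardened handler; every other sample is accepted by the vulnerable one. In a real deployment the stored file should also be written under a server-generated name outside the web root, since a correct signature on a PNG still does not make the original filename safe to serve back.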

Tech Stack

  • CMMC 2.0 Framework: 17-practice Level 1 assessment structure
  • NIST SP 800-171: control mapping for CMMC practice requirements
  • Burp Suite: file upload testing and request interception
  • Manual code review: access control and session management analysis

Outcomes

  • 17 CMMC Level 1 practices assessed across 6 domains
  • 8 compliance gaps identified including shared accounts, missing MFA, unvalidated uploads
  • Remediation roadmap tiered by criticality and implementation effort
  • Report structured for direct use in DoD contractor compliance review