Mavis’s Machine Shops (“MMS”) is a fictitious company created by the CMMC Information Institute. Like all of our fictitious companies, MMS is a small business located in Somewheresville, Pennsylvania. Artifacts about Mavis’s Machine Shop can be downloaded below.

Please note: There are intentional inconsistencies in some of the documents, and they are not intended to show the only, or even a possible, path toward CMMC certification. Instead, they were designed to reflect the state of many government contractors, including DoD contractors. The goal was to help start a conversation with students about how to identify and remediate gaps and other inconsistencies.

About MMS:

MMS has been a government contractor for several years and has worked on important projects including manufacturing parts for, and assembling, suspension systems for prototypes of next-generation, high-speed, lightly armored troop transport vehicles that are also intended for use in Mars colonization. MMS has always been a subcontractor (that is, they have never had a direct relationship with the government). MMS has been informed by several of the prime contractors with which they typically work that, although the ultimate projects are likely to be classified, MMS’s portions are expected to only involve Controlled Unclassified Information (“CUI”). Therefore, MMS is in the early stages of preparing for a CMMC 2.0 Level 2 certification.

MMS’s existing MSP, Perpetual Uptime, and MSSP, Absolutely Perfect Cybersecurity, agree that they do not have the experience necessary to carry out a CMMC gap assessment, but they are ready to help with remediation efforts. MMS has, therefore, engaged Lowe Price, a CMMC consulting firm, to assist in the CMMC preparations.

MMS has created some policies and other documents, including a Written Information Security Policy and a Data Breach and Incident Response Policy and Plan. As part of that process, MMS has identified additional resources, including a crisis management team, Cover Your Org, and an incident response and forensics team, Brown Incident, to assist with any potential incidents.

They have two locations, Site 1 and Site 2. As can be seen on the Site 1 Map, Site 1 consists of three buildings (including their headquarters) and a storage shed. Site 2 consists of a single building. We recommend that scenarios involving MMS start with Site 1, and then add Site 2 if/when the students are ready for additional complexity.

MMS uses operating systems provided by Klowidize, and they also use many of the Klowdize Commercial services. MMS’s CIO is aware that Klowdize offers Klowdize GovCon as well and understands the advantages GovCon brings, but the but the costs are significant enough that it is exploring other options as well. Most of the CUI MMS exchanges with its prime contractor, and its subcontractors, are files that are too large to exchange via E-mail.

MMS is, therefore, considering other options for that critical file sharing piece. MMS’s CIO is investigating using’s file sharing platform and adding strict policies and procedures as an alterative to upgrading to Klowdize GovCon.