The PDF you receive follows this format, populated with your company's measured findings against the 110-control NIST SP 800-171 baseline: cover page, ranked control-gap table, and prioritized 30-day remediation list. Below is the full structure, with sample data from a specimen mid-sized DIB manufacturer.
CAGE Code: 8XXXX · Scan Date: March 14, 2026 · CUI Scope: 1 production environment (AWS us-east-1, M365 GCC)
Your self-reported score materially overstates current posture. Recommended actions, in order of priority: (1) walk this report with compliance counsel within seven (7) days; (2) surface it to your C3PAO before your assessment date is finalized; (3) begin the 30-day remediation list on Page 3 immediately; the top three items alone recover roughly 28 SPRS points.
Live read-only configuration metadata was pulled from your connected environments on the scan date above (AWS via an IAM role carrying the AWS-managed SecurityAudit and ReadOnlyAccess policies; M365 via a service principal scoped to Reader and Security Reader). Each finding is mapped to the relevant NIST 800-171 control ID and weighted per the DoD Assessment Methodology v1.2.1. Every finding cites the saved API response it was derived from, together with that file's SHA-256 hash, for chain of custody.
Specimen findings shown. The top 10 by impact:
| Control ID | Finding | SPRS −pts | Evidence |
|---|---|---|---|
| 3.5.3 | Privileged-account MFA not enforced. 14 privileged identities have no MFA device: the AWS root account plus 13 IAM users with the AdministratorAccess policy attached. | −5 | iam-list-users.json sha256:a7f3b8... |
| 3.13.8 | CUI in transit not protected. 3 S3 bucket policies contain no Deny conditioned on aws:SecureTransport = false, so plaintext HTTP access is permitted. Includes the prod-cui-archive bucket. | −5 | s3-get-bucket-policy.json sha256:c14e90... |
| 3.3.5 | Audit-record analysis not integrated. CloudTrail logs are delivered to S3, but there is no SIEM ingestion and no automated alerting on privileged-account activity. | −5 | cloudtrail-describe-trails.json sha256:9ba0c2... |
| 3.4.6 | Least functionality not configured. Security groups on 7 EC2 instances allow inbound 22 (SSH), 3389 (RDP) and 5985 (WinRM) from 0.0.0.0/0. | −3 | ec2-describe-security-groups.json sha256:d2f180... |
| 3.13.11 | FIPS-validated cryptography for KMS not enforced. 4 KMS keys configured with non-FIPS HSM. CUI envelope encryption affected. | −3 | kms-list-keys.json sha256:f47a35... |
| 3.1.20 | External connections not verified. 3 active cross-account IAM role trusts have no documented review; two of them allow sts:AssumeRole from accounts outside your CUI boundary. | −1 | iam-list-role-policies.json sha256:8e5230... |
| 3.6.1 | Incident-response capability not exercised. No CloudTrail-based incident-response runbook; no documented tabletop within last 12 months. | −1 | intake-q14 (process control) |
| 3.12.4 | System Security Plan (SSP) does not reflect current state. Most recent SSP version dates from August 2025; 4 environment changes since (new VPC, expanded user roles, added M365 tenant). | −1 | intake-q07 (process control) |
| 3.14.1 | System flaws not identified and reported in defined timeframes. No automated vulnerability scanning beyond AWS Inspector default; no documented remediation SLA. | −1 | inspector-list-findings.json sha256:b290f7... |
| 3.8.3 | Media sanitization for CUI not documented. No NIST 800-88-aligned media-disposal process for decommissioned EBS volumes. | −1 | intake-q19 (process control) |
The full report lists all 14 control gaps identified, each with its SPRS deduction weight, evidence file and SHA-256 hash, cross-referenced to the DoD Assessment Methodology v1.2.1.
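Four of the table's checks, plus the evidence-hashing step from the scan description, written out as an added example; this is not the vendor's scanner or any code from this page. Each function takes dicts shaped like the AWS API responses named in the Evidence column (iam get-account-summary, list-users, list-attached-user-policies, list-mfa-devices; s3 get-bucket-policy; ec2 describe-security-groups; iam list-roles, whose AssumeRolePolicyDocument is where the 3.1.20 trust policies actually live), so live output from the read-only role could be fed in unchanged. Every SAMPLE_* input, account ID, user, bucket, group and role name is a constructed placeholder, and the CUI_BOUNDARY account set is an assumed input that the real report would take from intake.

```python
# Added example, not the vendor's scanner: offline re-implementation of four
# checks from the findings table plus the evidence-hashing step described above.
# Inputs are dicts shaped like the boto3 / AWS CLI responses named in the
# Evidence column. Every SAMPLE_* value below is constructed for this example.
import hashlib
import json

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ADMIN_PORTS = {22, 3389, 5985}  # SSH, RDP, WinRM, as in finding 3.4.6
WORLD = {"0.0.0.0/0", "::/0"}

def evidence_hash(payload):
    """SHA-256 of canonical JSON of a response; a live scanner should hash the raw bytes as received."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def _statements(doc):
    """IAM lets "Statement" be one object or a list; normalise to a list."""
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def check_privileged_mfa(summary, users, attached, mfa):
    """3.5.3: root (get-account-summary) and IAM users holding AdministratorAccess with no MFA device."""
    gaps = ["root"] if not summary["SummaryMap"].get("AccountMFAEnabled") else []
    for user in users["Users"]:
        name = user["UserName"]
        policies = {p["PolicyArn"] for p in attached.get(name, {}).get("AttachedPolicies", [])}
        if ADMIN_POLICY in policies and not mfa.get(name, {}).get("MFADevices"):
            gaps.append(name)
    return gaps

def check_s3_tls_enforced(policy_json):
    """3.13.8: True only if the bucket policy string carries a Deny conditioned on aws:SecureTransport = false."""
    for st in _statements(json.loads(policy_json)):
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if st.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def check_world_open_admin_ports(sgs):
    """3.4.6: (GroupId, port) pairs where SSH/RDP/WinRM is reachable from 0.0.0.0/0 or ::/0; -1 (all traffic) counts."""
    hits = []
    for sg in sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            proto = perm.get("IpProtocol")
            if not cidrs & WORLD or proto not in ("tcp", "-1"):
                continue
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            hits.extend((sg["GroupId"], p) for p in sorted(ADMIN_PORTS) if lo <= p <= hi)
    return hits

def check_cross_account_trusts(roles, boundary_accounts):
    """3.1.20: (RoleName, principal) pairs whose trust policy lets an AWS principal outside the boundary assume the role."""
    external = []
    for role in roles["Roles"]:
        for st in _statements(role["AssumeRolePolicyDocument"]):
            principal = st.get("Principal", {})
            aws = ["*"] if principal == "*" else principal.get("AWS", [])
            for arn in ([aws] if isinstance(aws, str) else aws):
                account = arn.split(":")[4] if arn.count(":") >= 5 else arn  # arn:aws:iam::ACCOUNT:...
                if st.get("Effect") == "Allow" and (arn == "*" or account not in boundary_accounts):
                    external.append((role["RoleName"], arn))
    return external

# Constructed sample inputs; account IDs and names are placeholders, not real data.
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0}}
SAMPLE_USERS = {"Users": [{"UserName": "ops-admin"}, {"UserName": "ci-deploy"}, {"UserName": "auditor"}]}
SAMPLE_ATTACHED = {"ops-admin": {"AttachedPolicies": [{"PolicyArn": ADMIN_POLICY}]}, "ci-deploy": {"AttachedPolicies": [{"PolicyArn": ADMIN_POLICY}]},
                   "auditor": {"AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}]}}
SAMPLE_MFA = {"ops-admin": {"MFADevices": [{"SerialNumber": "arn:aws:iam::111111111111:mfa/ops-admin"}]}}
SAMPLE_BUCKET_POLICIES = {
    "prod-cui-archive": json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
                                                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-cui-archive/*"}]}),
    "prod-cui-logs": json.dumps({"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::prod-cui-logs/*",
                                                "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0a1", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                                            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
                                            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}
SAMPLE_ROLES = {"Roles": [
    {"RoleName": "cui-readonly-scanner", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "backup-replication", "AssumeRolePolicyDocument": {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:role/backup", "arn:aws:iam::333333333333:root"]}}}},
    {"RoleName": "ec2-app", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}]}
CUI_BOUNDARY = {"111111111111", "222222222222"}  # assumed: CUI-scope account plus the scanner's account

def run_snapshot():
    """Findings in the report table's shape: control ID, offending identifiers, SHA-256 of the evidence response."""
    results = [
        ("3.5.3", check_privileged_mfa(SAMPLE_SUMMARY, SAMPLE_USERS, SAMPLE_ATTACHED, SAMPLE_MFA), SAMPLE_USERS),
        ("3.13.8", [b for b, p in SAMPLE_BUCKET_POLICIES.items() if not check_s3_tls_enforced(p)], SAMPLE_BUCKET_POLICIES),
        ("3.4.6", check_world_open_admin_ports(SAMPLE_SGS), SAMPLE_SGS),
        ("3.1.20", check_cross_account_trusts(SAMPLE_ROLES, CUI_BOUNDARY), SAMPLE_ROLES),
    ]
    return [{"control": c, "detail": d, "evidence_sha256": evidence_hash(ev)} for c, d, ev in results if d]

if __name__ == "__main__":
    print(json.dumps(run_snapshot(), indent=2))
```

Run as-is it reports four findings: root and ci-deploy without MFA, prod-cui-archive without a TLS-only Deny, RDP open to the world on sg-0a1 and all three admin ports on sg-0b2 via its all-traffic rule, and the backup-replication trust to an account outside the boundary. To go live, replace the SAMPLE_* dicts with the corresponding boto3 calls, and hash the response body exactly as received rather than a re-serialisation if the hash is to stand as chain-of-custody evidence.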
Each remediation item lists the expected SPRS point recovery if fully closed. Closing the top three items alone recovers ~28 of the 46-point gap.
Projected SPRS score after 30-day remediation: 88, matching the self-reported posture but now backed by measured evidence.
Plan delivered as a working document. Your team executes; we re-scan and update the score after each remediation block.
$799 one-time. Connect a cloud (read-only, revocable in one click), answer seven short questions, and your PDF arrives in minutes. Async, self-service throughout.
Run my Readiness Snapshot, $799 →