Company Profile

Organization Summary

Name: Stratum Defense Systems Inc.

Industry: Defense Industrial Base (DIB) Manufacturer

Headquarters: San Diego, CA

Primary Data Center: Phoenix, AZ

Total Employees: 54 FTE

Operational Focus: Precision manufacturing for aerospace and defense contracts. The organization handles Controlled Unclassified Information (CUI), so it is subject to NIST SP 800-171 and CMMC compliance requirements.

Site Locations & Connectivity
  • Phoenix, AZ: Main Data Center & Manufacturing. Hub for VPNs.
  • San Diego, CA: Corporate HQ. Connected via Site-to-Site VPN.
  • Seattle, WA: Engineering & Mfg. Connected via Site-to-Site VPN.
  • Norfolk, VA: Engineering & Mfg. Connected via Site-to-Site VPN.
  • AWS (us-west-2): Cloud extension connected via VPN to Phoenix.

Network Architecture

Hub & Spoke Topology
  • Phoenix (DC), HUB: Cox Business (1G/1G)
  • San Diego HQ: AT&T Fiber (500/500), IPsec VPN to Phoenix
  • Seattle: Lumen Fiber (500/500), IPsec VPN to Phoenix
  • Norfolk: Verizon Fios (300/300), IPsec VPN to Phoenix
  • AWS Cloud (us-west-2): VPN to Phoenix (no Direct Connect/DX)

All site-to-site tunnels use IKEv2 with AES-256 encryption.

VLAN Segmentation

Phoenix Data Center (10.50.x.x)

ID | Name         | Subnet
10 | Server Infra | 10.50.10.0/24
20 | Engineering  | 10.50.20.0/23
30 | Admin/Office | 10.50.30.0/23
40 | Mfg/Shop     | 10.50.40.0/24
50 | Guest        | 10.50.50.0/24
60 | IT Mgmt      | 10.50.60.0/24
99 | Net Mgmt     | 10.50.99.0/28

Branch Offices

Site      | VLAN Function     | Subnet Range
San Diego | Server (110)      | 10.51.10.0/26
San Diego | Guest (150)       | 10.51.50.0/25
Seattle   | Engineering (220) | 10.52.20.0/25
Seattle   | Mfg/Shop (240)    | 10.52.40.0/24
Norfolk   | Engineering (320) | 10.53.20.0/25
Norfolk   | Mfg/Shop (340)    | 10.53.40.0/24

Infrastructure & Cloud

Phoenix Physical Hardware

Rack Configuration (Key Assets)

Device                   | Role          | Specs/Notes
Fortinet FortiGate 600E  | Firewall      | HA pair planned (currently single?)
Cisco Catalyst 9300      | Core Switches | Redundant pair
Dell PowerEdge R750 (x6) | ESXi Hosts    | Running VMware vSphere
Dell EMC Unity 480       | SAN Storage   | Primary storage array

AWS Cloud Environment

Configuration Note
VPC ID: vpc-0a1b2c3d4e5f6g7h8 | CIDR: 10.100.0.0/16 | Region: us-west-2

EC2 Instances
  • Web Tier (Public): EC2-WEB01, EC2-WEB02 (AL2, t3.large)
  • App Tier (Private): EC2-APP01 through EC2-APP04 (Win2019, m5.xlarge)
  • Database (Private): RDS-PROD01 (PostgreSQL 14.7, Multi-AZ)
  • Mgmt: EC2-BASTION01 (10.100.99.10)

S3 Storage Buckets

Bucket Name                  | Encryption | Logging
stratum-cui-documents        | SSE-S3     | Disabled
stratum-engineering-archives | SSE-S3     | Enabled
stratum-backups              | SSE-S3     | Enabled
stratum-application-logs     | SSE-S3     | Disabled

Security Controls

Firewall Logic (FortiGate 600E)

Inbound Rules
  • Allow VPN (UDP 500, 4500)
  • Allow HTTPS (443) to DMZ Web (10.50.10.50)
    Issue: the server has been decommissioned, but the rule remains.
  • Implicit deny for all other traffic.
    Issue: there is no explicit, logged deny rule for RDP.

Outbound Rules
  • Allow Server/Admin VLAN -> Internet (HTTPS)
  • Allow Engineering -> Internet (HTTP, HTTPS, FTP)
  • Allow Guest -> Internet only
  • Deny Guest -> Internal VLANs

Wireless & Remote Access

Wireless Networks

SSID                  | Auth            | Risk
Stratum-Corporate     | 802.1X (RADIUS) | Low
Stratum-Manufacturing | WPA2-PSK        | Medium (PSK)
Stratum-Guest         | WPA2-PSK        | Medium (shared password)

VPN (Fortinet SSL)
  • Capacity: 100 users (avg. 45-60 active)
  • Auth: AD + Duo MFA (63% adoption)
  • Configuration: split tunnel enabled
  • Critical: 17% of users lack MFA (legacy exemptions)
  • Critical: split tunnel allows local LAN access on remote clients

Controlled Unclassified Information (CUI)

Data Flow Analysis
The following flows describe how CUI moves through the environment. Students should map these to CMMC controls.

1. Engineering CUI Flow
CAD Workstation (V20) ➔ PLM01 Server ➔ SQL01 DB ➔ AWS S3 (Cloud)

Also flows from File Share (FILE01) ➔ Veeam Backup ➔ Tape Library (on-site).

2. Contract CUI Flow
Admin PC (V30) ➔ SharePoint (FILE02) ➔ SharePoint Online (M365)

Risk: CUI transmitted to SharePoint Online without encryption verification.

Identified Protection Gaps
  • ❌ No DLP solution to prevent exfiltration.
  • ❌ USB ports are open on workstations with CUI access.
  • ❌ Email attachment scanning does not look for CUI markers.
  • ❌ Local storage of CUI on workstation drives found (Policy Violation).

Manufacturing Operations

Legacy Equipment Warning
The shop floor contains isolated but vulnerable equipment.

Equipment Inventory (Phoenix)
  • CNC-HAAS (12 units): 10.50.40.101-112
  • CNC-MAZAK (8 units): 10.50.40.121-128
  • CMM-HEXAGON (3 units): 10.50.40.141-143
  • Industrial Printers (9 units): 10.50.40.151-159
Operational Risks
  • OS: EOL CNC machines running Windows 7.
  • Remote Access: vendors use TeamViewer (always-on).
  • Auth: default passwords on machine controllers.
  • AV: no antivirus on manufacturing equipment.
  • Segregation: no segmentation between individual machines.

Employee Directory

Staff List (54 FTE)

Name               | Title                              | Department        | Location
Robert Sterling    | Chief Executive Officer (CEO)      | Executive         | San Diego
Marcus Thorne      | Chief Operating Officer (COO)      | Executive         | San Diego
Sarah Jenkins      | Chief Financial Officer (CFO)      | Executive         | San Diego
David Chen         | Chief Info Security Officer (CISO) | Executive         | Phoenix
James Wilson       | IT Manager                         | IT & Security     | Phoenix
Emily Rodriguez    | Network Engineer                   | IT & Security     | Phoenix
Michael Chang      | Systems Administrator              | IT & Security     | Phoenix
Lisa Kumar         | Systems Administrator              | IT & Security     | San Diego
Alex Foster        | Security Analyst                   | IT & Security     | Phoenix
Dr. Alan Grant     | Chief Engineer                     | Engineering       | Norfolk
Rebecca Moore      | Sr. Mechanical Engineer            | Engineering       | Seattle
Kevin O'Connor     | Mechanical Engineer                | Engineering       | Seattle
Diana Prince       | Mechanical Engineer                | Engineering       | Norfolk
Bruce Miller       | Mechanical Engineer                | Engineering       | Phoenix
Gregory Hines      | Mechanical Engineer                | Engineering       | Seattle
Brian Hughes       | Electrical Engineer                | Engineering       | Norfolk
Jessica Wu         | Electrical Engineer                | Engineering       | Phoenix
Samuel Jackson     | CAD Designer                       | Engineering       | Seattle
Patricia Lewis     | CAD Designer                       | Engineering       | Norfolk
Amanda Wallace     | QA Manager                         | Quality Assurance | Phoenix
Jennifer Walters   | Compliance Officer                 | Quality Assurance | San Diego
Peter Parks        | Quality Inspector                  | Quality Assurance | Phoenix
Steven Rogers      | Quality Inspector                  | Quality Assurance | Seattle
Natalie Roman      | Quality Inspector                  | Quality Assurance | Norfolk
Clinton Barnes     | Quality Inspector                  | Quality Assurance | Phoenix
Mary Watson        | HR Director                        | Human Resources   | San Diego
Piper Potts        | HR Generalist                      | Human Resources   | Phoenix
Harold Hogan       | Office Manager                     | Administration    | San Diego
Edward Leeds       | Accountant                         | Finance           | San Diego
Frank Castiglione  | Plant Manager                      | Operations        | Phoenix
Logan Hewitt       | Shop Foreman                       | Operations        | Phoenix
John Smith         | CNC Machinist III                  | Operations        | Phoenix
Robert Johnson     | CNC Machinist III                  | Operations        | Phoenix
Michael Williams   | CNC Machinist II                   | Operations        | Phoenix
David Brown        | CNC Machinist II                   | Operations        | Phoenix
James Jones        | CNC Machinist I                    | Operations        | Phoenix
Arthur Curry       | Shop Foreman                       | Operations        | Seattle
Thomas Miller      | CNC Machinist II                   | Operations        | Seattle
Richard Davis      | CNC Machinist I                    | Operations        | Seattle
Charles Garcia     | CNC Machinist I                    | Operations        | Seattle
Joseph Rodriguez   | Assembly Tech                      | Operations        | Seattle
Christopher Wilson | Assembly Tech                      | Operations        | Seattle
Barry Allen        | Shop Foreman                       | Operations        | Norfolk
Daniel Martinez    | CNC Machinist II                   | Operations        | Norfolk
Paul Anderson      | CNC Machinist I                    | Operations        | Norfolk
Mark Taylor        | CNC Machinist I                    | Operations        | Norfolk
Donald Thomas      | Assembly Tech                      | Operations        | Norfolk
George Hernandez   | Assembly Tech                      | Operations        | Norfolk
Kenneth White      | Maintenance Tech                   | Facilities        | Phoenix
Steven Lopez       | Maintenance Tech                   | Facilities        | Seattle
Edward Scott       | Logistics Coordinator              | Logistics         | Phoenix
Brian Green        | Shipping/Receiving                 | Logistics         | Phoenix
Ronald Adams       | Shipping/Receiving                 | Logistics         | Seattle
Anthony Baker      | Shipping/Receiving                 | Logistics         | Norfolk

Policies & Governance

Auditor Instructions
Review the official corporate policies below. Compare these requirements against the configurations found in the Infrastructure, Security, and Manufacturing sections to identify compliance gaps.

Access Control Policy (AC-1)
Ref: POL-AC-2024-01 | Effective: Jan 1, 2024 | Owner: CISO

3.1 Purpose: To establish requirements for granting, monitoring, and revoking access to Stratum Defense Systems information assets.

3.4.2 Multi-Factor Authentication (MFA): MFA is mandatory for all network access originating from outside the corporate physical network. This applies to all employees, contractors, and third-party vendors without exception. No legacy exemptions are permitted after Dec 31, 2023.

3.4.5 Remote Access Logic: Split tunneling is strictly prohibited on all corporate VPN connections. All traffic from remote assets must tunnel through the corporate security stack for inspection.

System & Communications Protection (SC-1)
Ref: POL-SC-2024-03 | Effective: Mar 15, 2024 | Owner: IT Director

5.1.2 Unsupported Software: The use of unsupported or End-of-Life (EOL) operating systems (e.g., Windows 7, Server 2008) is prohibited on any network segment connected to the corporate WAN. Isolated "air-gapped" systems are the only exception and require written CISO approval.

5.2.1 Data Loss Prevention (DLP): All egress points, including email, web gateways, and USB interfaces, must have active DLP monitoring configured to detect and block the unauthorized transmission of CUI.

Audit & Accountability Policy (AU-1)
Ref: POL-AU-2024-02 | Effective: Feb 1, 2024 | Owner: Compliance Officer

4.1.3 Cloud Storage Logging: Access logging must be enabled for all cloud storage containers (e.g., AWS S3, Azure Blob) that house CUI or system backups. Logs must be retained for a minimum of 365 days.

4.2.1 Third-Party Access: All vendor remote access sessions must be attended (supervised) by internal IT staff. "Always-on" or unattended vendor access is strictly forbidden.
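The auditor instructions ask for the policy clauses above to be compared against the configurations described earlier in the profile. The Python below is an added worked example, not part of the original profile or of any Stratum tooling: it encodes each clause as a check and runs the checks over the configuration facts transcribed from this page (the S3 logging table, the SSL VPN settings, the DLP gaps, the shop-floor inventory, the TeamViewer vendor access, and the stale FortiGate rule from the firewall section). The names CONFIG, Finding, run_checks, remediated and the check functions are this example's own. Two modelling assumptions are marked in the code: which buckets hold CUI or backups is read from their names, and the Mfg/Shop segment is treated as WAN-connected rather than air-gapped because it carries always-on vendor remote access.

```python
# Policy-vs-configuration gap check for the Stratum scenario. Added worked
# example, not part of the original profile or of any Stratum tooling. Facts in
# CONFIG are transcribed from the profile; field names and checks are this
# example's own design.
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    policy_ref: str  # policy clause, or "HYGIENE" for items no clause covers
    asset: str       # configuration item that fails
    detail: str      # why it fails


# Constructed data model of the configuration facts stated in the profile.
CONFIG = {
    "s3_buckets": {  # CUI/backup classification inferred from names (assumption)
        "stratum-cui-documents":        {"logging": False, "cui": True,  "backup": False},
        "stratum-engineering-archives": {"logging": True,  "cui": False, "backup": False},
        "stratum-backups":              {"logging": True,  "cui": False, "backup": True},
        "stratum-application-logs":     {"logging": False, "cui": False, "backup": False},
    },
    "vpn": {"users_without_mfa_pct": 17, "split_tunnel": True},
    "dlp": {"email": False, "web": False, "usb": False},
    "vendor_access": [{"tool": "TeamViewer", "unattended": True, "segment": "Mfg/Shop"}],
    # Always-on vendor remote access means the shop segment reaches the WAN, so
    # the CNC controllers are treated as connected, not air-gapped (assumption).
    "devices": [
        {"name": "CNC-HAAS", "os": "Windows 7", "wan_connected": True, "ciso_waiver": False},
        {"name": "CNC-MAZAK", "os": "Windows 7", "wan_connected": True, "ciso_waiver": False},
    ],
    "firewall_inbound": [
        {"name": "Allow VPN", "dst": "any"},
        {"name": "Allow HTTPS to DMZ Web", "dst": "10.50.10.50"},
    ],
    "active_hosts": {"10.50.10.10"},  # constructed; 10.50.10.50 was decommissioned
}
EOL_OPERATING_SYSTEMS = {"Windows 7", "Windows Server 2008"}


def check_cloud_logging(cfg):
    """AU-1 4.1.3: logging is required only for buckets holding CUI or backups."""
    return [Finding("4.1.3", name, "access logging disabled on CUI/backup bucket")
            for name, b in cfg["s3_buckets"].items()
            if (b["cui"] or b["backup"]) and not b["logging"]]

def check_remote_access(cfg):
    """AC-1 3.4.2 (no MFA exemptions) and 3.4.5 (no split tunneling)."""
    out, vpn = [], cfg["vpn"]
    if vpn["users_without_mfa_pct"] > 0:
        out.append(Finding("3.4.2", "SSL VPN", f"{vpn['users_without_mfa_pct']}% of users lack MFA"))
    if vpn["split_tunnel"]:
        out.append(Finding("3.4.5", "SSL VPN", "split tunneling enabled"))
    return out

def check_eol_systems(cfg):
    """SC-1 5.1.2: EOL OS only on air-gapped systems with written CISO approval."""
    return [Finding("5.1.2", d["name"], f"{d['os']} on a WAN-connected segment without waiver")
            for d in cfg["devices"]
            if d["os"] in EOL_OPERATING_SYSTEMS and d["wan_connected"] and not d["ciso_waiver"]]

def check_dlp(cfg):
    """SC-1 5.2.1: every egress point (email, web, USB) needs active DLP."""
    return [Finding("5.2.1", egress, "no DLP monitoring")
            for egress, active in cfg["dlp"].items() if not active]

def check_vendor_access(cfg):
    """AU-1 4.2.1: vendor sessions must be attended; always-on access is forbidden."""
    return [Finding("4.2.1", v["tool"], f"unattended access to {v['segment']}")
            for v in cfg["vendor_access"] if v["unattended"]]

def check_stale_rules(cfg):
    """Hygiene (firewall section): an allow rule whose destination is no longer an active host."""
    return [Finding("HYGIENE", r["name"], f"destination {r['dst']} is not an active host")
            for r in cfg["firewall_inbound"]
            if r["dst"] != "any" and r["dst"] not in cfg["active_hosts"]]

CHECKS = (check_cloud_logging, check_remote_access, check_eol_systems,
          check_dlp, check_vendor_access, check_stale_rules)

def run_checks(cfg):
    """Run every check and return all findings, grouped by check."""
    return [f for check in CHECKS for f in check(cfg)]

def remediated(cfg):
    """Copy of cfg with each gap closed, so the same checks return nothing."""
    fixed = copy.deepcopy(cfg)
    for b in fixed["s3_buckets"].values():
        b["logging"] = True
    fixed["vpn"].update(users_without_mfa_pct=0, split_tunnel=False)
    fixed["dlp"] = {k: True for k in fixed["dlp"]}
    for v in fixed["vendor_access"]:
        v["unattended"] = False
    for d in fixed["devices"]:  # isolate the EOL controllers and record the waiver
        d.update(wan_connected=False, ciso_waiver=True)
    fixed["firewall_inbound"] = [r for r in fixed["firewall_inbound"]
                                 if r["dst"] == "any" or r["dst"] in fixed["active_hosts"]]
    return fixed
```

Calling run_checks(CONFIG) returns ten findings, one per gap the profile flags. Note how the 4.1.3 check is scoped to the clause as written: stratum-application-logs also has logging disabled, but it holds neither CUI nor backups, so it is not reported under that clause, while stratum-cui-documents is. remediated(CONFIG) describes the state in which every check passes, which is the configuration the policies actually require.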