Research Reference Implementation — This project demonstrates technical control configuration for educational purposes. OpenSCAP scan results do not constitute CMMC certification or operational compliance. See limitations.

Exploring Affordable Compliance Infrastructure

A Research Project in Open-Source Security Tools

Helping Very Small Businesses meet FAR/DFARS cybersecurity requirements using cost-effective open-source tools

110 Controls Addressed
14 Control Families
1750 Software Packages

Technical configuration documented. Operational compliance requires expertise, policies, and third-party assessment.

Understanding This Project

The CyberHygiene Project is an academic research initiative exploring whether technical infrastructure for NIST 800-171 compliance can be built affordably using open-source tools. This website documents a reference implementation for educational purposes. It is not a product, service, or turnkey solution. Successful real-world compliance requires cybersecurity expertise, documented policies and procedures, operational security programs, and formal assessment by an authorized C3PAO. The author does not provide cybersecurity consulting services.

Open Source Documentation

Configuration guides, policies, and documentation shared for educational purposes.
Provided "as-is" without warranty. Implementation requires cybersecurity expertise.


About The Project

The Research Question

Very Small Businesses (VSBs) in the Defense Industrial Base face significant compliance cost barriers that can make government contracting impractical.

This research project explores whether the technical infrastructure for compliance can be built more affordably using open-source tools and commodity hardware.

Important: Demonstrating that technical controls can be configured is different from demonstrating that an organization is compliant. The latter requires operational maturity, documented policies, trained personnel, and third-party validation.

What This Project Is

  • An academic research initiative
  • A reference implementation for study
  • A proof-of-concept for technical feasibility
  • Educational documentation for the community
  • A starting point for informed discussions

What This Project Is NOT

  • A certified or validated compliant system
  • A turnkey deployable solution
  • A substitute for professional cybersecurity services
  • A guarantee of CMMC certification
  • A consulting service or product for sale

Future Direction

The project explores whether, through collaboration with qualified cybersecurity professionals and strategic partners, reference implementations like this could eventually evolve into more accessible compliance pathways—while maintaining the expertise requirements that genuine security demands.

Project Timeline

  • 2023-2024: Initial research and feasibility study published in NCMA Journal
  • September 2025: Project initiated with Rocky Linux 9.7 deployment
  • October 2025: Core infrastructure completed; OpenSCAP CUI profile scans passing
  • November 2025: Email server deployed, additional services configured
  • December 2025: AI infrastructure added; monitoring expanded to 6 systems
  • January 2026: Documentation completed; preparing for Nexus 2026 presentation
  • February 8-10, 2026: Project presentation at NCMA Nexus, Atlanta GA
  • Current Status: Initial design and construction complete; testing and validation remain to be done
  • Next: Turnover to strategic partner

System Architecture

Reference Implementation Overview

This architecture demonstrates one approach to building infrastructure for handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Many valid alternative architectures exist.

Installation scripts to replicate this reference build are available on GitHub.

Network Infrastructure

  • pfSense firewall/router
  • Managed network switch
  • Segmented VLANs
  • IDS/IPS (Suricata)
  • DNS filtering (Cloudflare)

Domain Controller

  • Rocky Linux 9.7 (RHEL-compatible)
  • FreeIPA (Identity Management)
  • Kerberos authentication
  • LDAP directory services
  • Integrated Certificate Authority
  • Email server (Postfix/Dovecot)

Security & Monitoring Platform

  • Wazuh SIEM/XDR
  • File Integrity Monitoring
  • Vulnerability scanning
  • YARA malware detection
  • VirusTotal integration
  • Automated security updates
  • Prometheus + Grafana monitoring

Design Principles

Security-Focused Configuration

  • FIPS 140-2 cryptographic mode enabled
  • Full-disk encryption (LUKS2)
  • SELinux enforcing mode
  • Layered security architecture

Cost Considerations

  • Enterprise open-source software (no licensing fees)
  • Commercial off-the-shelf hardware
  • Significant expertise/labor required
  • Ongoing maintenance commitment needed

Compliance Status

Important Context: The status indicators below reflect technical control configuration as validated by OpenSCAP automated scanning. They do not represent operational maturity, policy implementation, or third-party assessment results. Automated scans are a starting point, not a finish line.

NIST SP 800-171 Rev 2

110/110

Technical Controls Configured*

*OpenSCAP CUI profile scan passing as of January 2026. Validates technical configuration only.

DFARS 252.204-7012

Addressed

Technical safeguarding controls configured; incident response procedures documented

Full compliance requires operational implementation and testing.

CMMC Level 2

Not Assessed

Technical controls deployed; no C3PAO assessment conducted

CMMC certification requires formal third-party assessment.

NIST 800-171 Control Families Addressed

Technical configurations have been applied for each control family. Operational effectiveness varies and has not been independently validated.

Access Control (AC)
Awareness & Training (AT)
Audit & Accountability (AU)
Configuration Management (CM)
Identification & Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
System & Communications Protection (SC)
System & Information Integrity (SI)

Ongoing Compliance Activities

Maintaining compliance requires continuous effort:

  • Automated security patching (dnf-automatic)
  • Periodic OpenSCAP compliance scans
  • Vulnerability assessment (Wazuh) - requires regular human review
  • File integrity monitoring - requires alert investigation
  • Audit log review - requires dedicated time commitment
  • Encrypted backups - requires periodic restore testing

Note: Automated tools generate data. Without human analysis and response, they provide limited security value.
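The "periodic OpenSCAP compliance scans" listed above produce XCCDF result files that still have to be read by a person. The following parser is an added example (not the CyberHygiene project's own code) showing how to reduce such a results file to the facts a reviewer needs: result counts, the rules that need attention sorted by severity, and whether the scan is actually clean. The embedded XML is a constructed sample in the XCCDF 1.2 result format; the SSG rule and profile identifiers in it are used for illustration only.

```python
"""Summarize an OpenSCAP XCCDF results file for human review.

Added example, not the CyberHygiene project's code. Typical usage on Rocky
Linux (paths assumed, not taken from the project):
  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cui \
      --results results.xml /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml
  python3 this_script.py results.xml
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# OpenSCAP emits XCCDF 1.2; older content may still use 1.1.
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.2",
    "http://checklists.nist.gov/xccdf/1.1",
)
# Only "pass" and "notapplicable"/"informational"/"fixed" leave nothing to do.
# "notchecked" is a common blind spot: the rule was never evaluated, so it
# must not be silently counted as compliant.
NEEDS_ATTENTION = {"fail", "error", "unknown", "notchecked", "notselected"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample results document (not real scan output).
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cui">
  <profile idref="xccdf_org.ssgproject.content_profile_cui"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_hardware_only" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
</TestResult>
"""


def summarize_xccdf_results(xml_text: str) -> dict:
    """Return counts per result status, the rules needing attention, and a pass verdict."""
    root = ET.fromstring(xml_text)
    for ns in XCCDF_NAMESPACES:
        test_results = list(root.iter(f"{{{ns}}}TestResult"))  # iter() includes root itself
        if test_results:
            break
    else:
        raise ValueError("no XCCDF TestResult element found")

    counts: Counter = Counter()
    attention = []
    profile = None
    for tr in test_results:
        prof = tr.find(f"{{{ns}}}profile")
        if prof is not None:
            profile = prof.get("idref")
        for rr in tr.iter(f"{{{ns}}}rule-result"):
            res = rr.find(f"{{{ns}}}result")
            status = (res.text or "").strip() if res is not None else "unknown"
            counts[status] += 1
            if status in NEEDS_ATTENTION:
                attention.append({
                    "rule": rr.get("idref"),
                    "severity": rr.get("severity", "unknown"),
                    "result": status,
                })
    # Highest severity first so a reviewer sees the important findings at the top.
    attention.sort(key=lambda a: (SEVERITY_ORDER.get(a["severity"], 99), a["rule"] or ""))
    # A clean scan has no failures or evaluation errors; unchecked rules are
    # reported separately so they are not mistaken for passes.
    passing = counts["fail"] == 0 and counts["error"] == 0 and counts["unknown"] == 0
    return {"profile": profile, "counts": dict(counts), "needs_attention": attention, "passing": passing}


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_RESULTS
    summary = summarize_xccdf_results(text)
    print(f"profile: {summary['profile']}")
    print(f"counts:  {summary['counts']}")
    for item in summary["needs_attention"]:
        print(f"  [{item['severity']:>6}] {item['result']:<11} {item['rule']}")
    print("verdict:", "PASS" if summary["passing"] else "NEEDS REVIEW")


if __name__ == "__main__":
    main(sys.argv)
```

The verdict deliberately ignores the XCCDF score: a score can look respectable while a single high-severity rule fails, and a rule reported as notchecked contributes nothing either way, which is why those rules are listed for follow-up rather than folded into the pass count.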

Operational Management Tools

Custom dashboards and tracking systems developed for this reference implementation. These tools support compliance monitoring but do not replace the expertise needed to interpret and act on the information they present.

CPM System Dashboard

Centralized Compliance & Performance Monitoring

Capabilities

  • System health status aggregation
  • Security alert summary (Wazuh, FIM, IDS/IPS)
  • Service availability monitoring
  • Storage and backup status
  • Links to security tools and logs

Cybersecurity Policy Index

Requirements Traceability & Evidence Management

Capabilities

  • NIST 800-171 requirements indexed
  • Policy documents linked to controls
  • Implementation evidence references
  • Configuration baseline documentation
  • Status tracking and review dates

Workstation Monitoring

Prometheus and Node Exporter deployed across systems with TLS encryption

Configuration

  • 6 systems monitored
  • TLS 1.2+ encryption for metrics transport
  • 144+ metrics per system
  • Cross-platform (Rocky Linux + macOS)

Capabilities

  • System health metrics collection
  • Historical trend data (15-day retention)
  • Grafana dashboard visualization
  • Alerting configuration available

Tool Perspective

These dashboards were built to support this research project. They demonstrate that custom compliance tools can be developed without expensive commercial platforms. However:

  • Tools are only as valuable as the expertise of those using them
  • Dashboards present data; humans must analyze and respond
  • Automation reduces some effort but doesn't eliminate the need for qualified personnel
  • Commercial tools may provide better support, updates, and integration for production environments

AI-Assisted System Administration

January 2026: AI infrastructure added using Llama 3.3 70B Instruct on Mac Mini M4 Pro. The SysAdmin Agent Dashboard provides natural language system administration capabilities. Important: AI tools assist but do not replace cybersecurity expertise. See "AI Competency Paradox" in Risks.

SysAdmin Agent Dashboard

SysAdmin Agent Dashboard - AI assistance for system administration tasks

Implementation Details

  • AI Model: Llama 3.3 70B Instruct (locally hosted)
  • Hardware: Mac Mini M4 Pro, 64GB RAM
  • Network: Internal only, TLS-encrypted (port 11443)
  • Backend: Flask API with command whitelist
  • Security: Human approval required for system changes

Capabilities & Limitations

  • Can: Analyze logs, suggest troubleshooting steps, answer questions
  • Can: Execute whitelisted read-only commands
  • Cannot: Replace security expertise or judgment
  • Cannot: Guarantee correct or secure recommendations
  • Requires: Human review of all suggestions
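The two properties that make this design safe for an AI agent are the fixed command allow-list and the human approval gate for anything that changes state. The code below is an added illustration of that pattern, not the project's Flask backend: it uses only the standard library so it runs offline, the command names and argv vectors are assumptions chosen for the example, and the approval queue is in memory rather than in a dashboard.

```python
"""Allow-list command gateway for an AI system-administration agent.

Added example (not the CyberHygiene project's code). The model may only name
a token from READ_ONLY_COMMANDS, which maps to a fixed argv vector executed
without a shell; anything state-changing is recorded as a pending ticket that
a human must approve before it runs. Command lists are assumptions.
"""
import subprocess
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Read-only commands the agent may trigger directly. The model supplies only
# the key; the argv vector is fixed, so it can never add arguments, pipes or
# shell syntax. (Assumed list, for illustration.)
READ_ONLY_COMMANDS: Dict[str, List[str]] = {
    "whoami": ["id", "-un"],
    "kernel": ["uname", "-r"],
    "utc-time": ["date", "-u"],
    "disk-usage": ["df", "-h"],
}

# State-changing actions the agent may only *propose*. (Assumed list.)
CHANGE_COMMANDS: Dict[str, List[str]] = {
    "restart-sshd": ["systemctl", "restart", "sshd"],
    "apply-security-updates": ["dnf", "upgrade", "--security", "-y"],
}

Runner = Callable[[List[str]], Tuple[int, str, str]]


def subprocess_runner(argv: List[str]) -> Tuple[int, str, str]:
    """Run a fixed argv vector with shell=False; returns (rc, stdout, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False)
    return proc.returncode, proc.stdout, proc.stderr


@dataclass
class PendingChange:
    ticket: str
    name: str
    argv: List[str]
    reason: str
    status: str = "pending"  # pending -> approved | denied


@dataclass
class CommandGateway:
    read_only: Dict[str, List[str]] = field(default_factory=lambda: dict(READ_ONLY_COMMANDS))
    changes: Dict[str, List[str]] = field(default_factory=lambda: dict(CHANGE_COMMANDS))
    runner: Runner = subprocess_runner  # injectable so the approval path can be tested safely
    pending: Dict[str, PendingChange] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # every decision is logged, denials included

    def run_read_only(self, request: str) -> dict:
        """Execute a request only if it is exactly an allow-listed key."""
        # Exact dictionary membership rejects "kernel; id", "uname -r", and any
        # other variation before anything is executed.
        if request not in self.read_only:
            self.audit.append(f"DENY read-only {request!r}")
            return {"ok": False, "error": f"not an allow-listed read-only command: {request!r}"}
        rc, out, err = self.runner(self.read_only[request])
        self.audit.append(f"RUN {request} rc={rc}")
        return {"ok": rc == 0, "stdout": out, "stderr": err}

    def propose_change(self, name: str, reason: str) -> dict:
        """Queue a state-changing action for a human; nothing is executed here."""
        if name not in self.changes:
            self.audit.append(f"DENY change {name!r}")
            return {"ok": False, "error": f"not an allow-listed change: {name!r}"}
        ticket = uuid.uuid4().hex[:8]
        self.pending[ticket] = PendingChange(ticket, name, self.changes[name], reason)
        self.audit.append(f"PROPOSE {name} ticket={ticket} reason={reason!r}")
        return {"ok": True, "ticket": ticket, "status": "pending"}

    def approve(self, ticket: str, approver: str) -> dict:
        """Human approval: run the pre-bound argv of a pending ticket exactly once."""
        change = self.pending.get(ticket)
        if change is None or change.status != "pending":
            return {"ok": False, "error": "unknown or already-decided ticket"}
        change.status = "approved"
        rc, out, err = self.runner(change.argv)
        self.audit.append(f"APPROVE ticket={ticket} by={approver} rc={rc}")
        return {"ok": rc == 0, "stdout": out, "stderr": err}

    def deny(self, ticket: str, approver: str) -> dict:
        change = self.pending.get(ticket)
        if change is None or change.status != "pending":
            return {"ok": False, "error": "unknown or already-decided ticket"}
        change.status = "denied"
        self.audit.append(f"DENY ticket={ticket} by={approver}")
        return {"ok": True, "status": "denied"}


if __name__ == "__main__":
    gw = CommandGateway()
    print(gw.run_read_only("kernel"))
    print(gw.run_read_only("kernel; id"))  # rejected: not an exact key
    print(gw.propose_change("restart-sshd", "sshd not answering"))
```

The point of binding each key to a complete argv vector is that the model's output never reaches a shell parser and never becomes an argument; the same exact-match check also means a new command must be deliberately added to the list by an administrator, which keeps the agent's reach reviewable.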

AI Competency Paradox

AI tools can accelerate work for those who already understand what they're doing. For those who don't, AI can produce convincing-looking results that contain subtle errors or security gaps. AI assistance does not substitute for foundational cybersecurity knowledge. If you cannot evaluate whether an AI suggestion is correct, you should not implement it.

Why Local AI?

Running AI locally on the internal network provides:

  • Data Control: Queries and responses stay within the environment
  • No External Dependencies: Functions without internet connectivity
  • Cost Structure: One-time hardware cost vs. ongoing API fees

Trade-offs: Local models may be less capable than cloud APIs; requires hardware investment; model updates require manual intervention.

Technology Stack

All software components are enterprise-grade, open-source solutions with zero licensing costs. Automated installation scripts and AI-assisted administration tools are included to reduce implementation complexity, though some additional expertise through a managed service partner may be required for production deployments.

Server (Domain Controller)

Can leverage existing hardware or inexpensive commercial systems

  • 64-bit x86 processor (Intel/AMD)
  • 32GB RAM minimum
  • 500GB SSD (boot/OS)
  • 1TB+ storage (data/backups)

AI Server (Optional)

Enables AI-assisted administration features

  • Apple Silicon or NVIDIA GPU
  • 64GB unified/system memory
  • 256GB+ storage
  • Internal network connection

Operating System & Core

  • Rocky Linux 9.7 - RHEL-compatible, enterprise support available
  • FIPS 140-2 Mode - Cryptographically validated modules
  • SELinux - Mandatory access control
  • OpenSCAP - Compliance scanning and validation

Identity & Access Management

  • FreeIPA - Centralized identity management
  • MIT Kerberos - Strong authentication
  • 389 Directory Server - LDAP directory
  • Dogtag PKI - Certificate authority

Security Monitoring

  • Wazuh 4.14.2 - SIEM, XDR, FIM, vulnerability detection
  • Prometheus 2.48.1 - Metrics collection
  • Node Exporter 1.7.0 - System metrics
  • Grafana - Visualization
  • Suricata - Network IDS/IPS
  • YARA - Malware pattern detection
  • Auditd - Audit logging

Infrastructure Services

  • Postfix - SMTP mail transfer agent
  • Dovecot - IMAP/POP3 mail server
  • Apache HTTP Server - Web services
  • ReaR - Disaster recovery and backup

Storage & Encryption

  • LUKS2 - Full-disk encryption (AES-256)
  • LVM - Logical volume management
  • XFS/ext4 - Enterprise filesystems
  • Automated Backups - Encrypted backup scripts

AI Infrastructure

  • Ollama - Local AI model server
  • Llama 3.3 70B Instruct - AI language model
  • Flask API - Command execution backend
  • Python 3.9 - Runtime environment

Exact hardware and the complete Software Bill of Materials (SBOM) are available in the GitHub repository.

Project Observations

What We Observed

After several months of development (October 2025 - January 2026), we documented the following observations about building this reference implementation:

Technical Observations

  • Core services configured and operational
  • OpenSCAP CUI profile scans passing
  • Automated patching and backups functional
  • Monitoring infrastructure collecting data
  • No security incidents during development period

Note: Development environment with limited exposure. Production environments face different threat profiles.

Effort Required

  • Significant Linux administration expertise needed
  • Extensive troubleshooting for FIPS compatibility
  • Documentation creation was time-intensive
  • Ongoing maintenance requires regular attention
  • Learning curve for security tool interpretation

This was not a quick or simple project.

Cost Factors

  • Hardware: ~$5,000-6,000 (server + AI system)
  • Software licensing: $0
  • Labor: Substantial (not quantified)
  • Expertise: Required significant prior knowledge
  • Ongoing: Estimated 5-10+ hrs/month maintenance

Labor and expertise costs may exceed hardware savings for many organizations.

Lessons Observed

  • Open-source tools are capable: Modern open-source security tools can implement required technical controls
  • FIPS compliance adds complexity: Numerous compatibility issues with FIPS 140-2 mode drove selection of alternate tools and configurations
  • Documentation is substantial work: Templates and examples are available on GitHub, and AI tools can help tailor them to expedite implementation
  • Tools generate data, not security: AI tools included in the reference system pre-process monitoring data, but human analysis and response remain essential
  • AI accelerates but doesn't replace expertise: Claude and AI-assisted development played a huge role in building this system, but human involvement remained essential to direct, review, and validate the effort

Risks

Important considerations for anyone exploring similar implementations

  • Checkbox vs. Defense-in-Depth — Compliance requires integrated security, not just installed tools
  • Configuration vs. Operation — Deploying tools is not the same as running a security program
  • Technical vs. Administrative Controls — Automated scans address only technical configurations
  • Static Scans vs. Dynamic Security — Passing scans today doesn't ensure security tomorrow
  • AI Competency Paradox — AI amplifies both competence and incompetence

Phase II: Exploring Deployment Automation

Investigating whether deployment complexity can be reduced through automation

Research Direction

Phase II explores whether scripted deployment can reduce the technical barrier while maintaining security.

  • Portable demonstration system for educational presentations (Q1 2026)
  • Testing and assessment of reference implementation (Q2 - Q3 2026)

Important Caveats

  • Automation reduces deployment time, not expertise requirements
  • Scripted deployment still requires understanding to operate securely
  • Professional guidance recommended for production use

Compliance Documentation

Policy framework and documentation developed for this reference implementation

Documentation Package

Example documentation created for research purposes. Actual compliance requires policies tailored to your organization and actually implemented in practice.

  • Policy documents covering NIST control families
  • NIST 800-171 control mapping examples
  • System Security Plan (SSP) template
  • Technical configuration documentation
  • Software Bill of Materials (SBOM)
  • Plan of Action & Milestones (POA&M) tracking

Note: Documentation templates are starting points. Effective policies must reflect your actual operations and be actively followed by personnel.

Request Information

Questions about the CyberHygiene Project research, the Nexus 2026 presentation, or general inquiries about the approach documented here? Contact us using the form below.

Please note: The author does not provide cybersecurity consulting services. This is an academic research project shared for educational purposes.


About The Contract Coach

Business Overview

The Contract Coach (Donald E. Shannon LLC) is a contract management and project management consulting firm specializing in federal government contracts.

Focus Area

Emerging small businesses seeking to acquire government contracts and develop compliant business systems.

Core Services

  • Project Management
  • Proposal Management
  • Contract Management

Note: The Contract Coach does not provide cybersecurity consulting services. The CyberHygiene Project is an independent academic research initiative.

Professional Credentials

  • PMP - Project Management Professional (PMI)
  • CFCM - Certified Federal Contract Manager (NCMA)
  • CPCM - Certified Professional Contract Manager (NCMA)
  • CCT - Certified Cost Technician (AACEI)
  • DML - Demonstrated Master Logistician (SOLE)
  • Security: Active DoD Top-Secret Clearance

Recognition

2021 NCMA Outstanding Fellow Award

Identifiers

CAGE Code: 5QHR9
DUNS: 832123793

Contact Information

Business

The Contract Coach
Donald E. Shannon LLC

Email

Don@Contract-coach.com

Website

contract-coach.com

Phone

505.259.8485

Project Background

The CyberHygiene Project has been presented to:

  • National Contract Management Association (NCMA) - National leadership briefed
  • National Apex Accelerator Alliance (NAPEX) - Project presented to national leadership
  • Published research in NCMA Journal of Contract Management (2024)
  • Companion whitepaper prepared for Nexus 2026