It Takes the Whole Shop · Chapter 7 · The Instrument
The Diagnostic
A two-hour self-assessment you can complete with your quality manager, your IT resource, and your plant manager — before you hire anyone, before you spend a dollar, before you schedule a single meeting with a consultant.
This diagnostic runs on your device. Your responses never leave your shop. No fields, no data, no file downloads. Print directly from your browser and work on paper.
How to Use This Diagnostic
Set aside two hours. Bring your team. The purpose is a team conversation, not a quick survey.
1 · Two hours
Set aside the time
This is a working session, not a quick survey.
2 · The team
Quality · IT · Operations
The people who own discipline, systems, and the floor.
3 · Fourteen families
Work through them together
Three sub-questions per family. Rate each Green, Amber, or Red.
If your shop has no formal quality manager, the person who owns AS9100 or ISO 9001 conformance plays the role. Bigger teams are welcome.
The Three Colors
Green
Already Covered
Your existing QMS processes, documentation, and evidence already address this requirement. You may need to expand the scope of documentation to explicitly reference information protection, but the discipline, the process, and the evidence infrastructure already exist.
Amber
Extension Needed
The quality discipline exists in your organization, but it has not been applied to information systems or CUI protection. The process logic is the same; the scope needs to expand. This is where your quality manager leads the extension with input from your IT resource.
Red
New Capability Required
This requirement demands technical implementation that your organization does not currently practice. This is where your IT resource provides the essential technical input — encryption, network segmentation, vulnerability scanning, intrusion detection, multi-factor authentication.
To print, press Ctrl+P (Windows) / ⌘+P (Mac). This opens your browser's own print dialog; nothing is sent anywhere. For the cleanest worksheet, uncheck "Headers and footers" in your print options — this page already carries its own running footer.
The Fourteen Families
For each family, rate your organization: Green, Amber, or Red. Use the sub-questions to guide your discussion. You do not need to answer every sub-question with certainty — the purpose is to surface what you know, what you do not know, and where the gaps are.
Access Control · AC
Do you control who can access what in your organization — physical areas, equipment, documents? Can you extend this to information system access?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Do you maintain a current list of who has access to each information system (servers, shared drives, applications)? | | | | |
| 2. When someone leaves the organization or changes roles, is their system access revoked within 24 hours? | | | | |
| 3. Do you control remote access to your network — who can connect from outside, and how? | | | | |
| Family total | | | | |
Awareness and Training · AT
Do you train your workforce on quality procedures and verify competency? Can you extend this to information protection training?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Has every person who handles CUI received role-specific training on what CUI is and how to handle it? | | | | |
| 2. Do you verify competency after training — not just attendance, but understanding? | | | | |
| 3. Do you retrain when procedures change, or only on an annual cycle? | | | | |
| Family total | | | | |
Audit and Accountability · AU
Do you maintain audit trails for quality activities? Do your IT systems log user activity?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Do your servers, workstations, and network devices generate logs of user login activity, file access, and configuration changes? | | | | |
| 2. Are those logs retained for a defined period and protected from modification or deletion? | | | | |
| 3. Does anyone review the logs — on a schedule, or only after an incident? | | | | |
| Family total | | | | |
Configuration Management · CM
Do you control changes to your quality system through a formal process? Can you extend this to IT configuration changes?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Do you maintain a documented baseline of your IT environment — what hardware, what software, what versions are running? | | | | |
| 2. Do changes to system configurations (software installs, updates, network changes) go through a review and approval process? | | | | |
| 3. Are unauthorized changes detected and addressed? | | | | |
| Family total | | | | |
Identification and Authentication · IA
Do your information systems require unique user identification and authentication? Is multi-factor authentication implemented?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Does every person who accesses your network have a unique user account — no shared logins, no generic accounts? | | | | |
| 2. Is multi-factor authentication enabled for network access and remote access? | | | | |
| 3. Do you enforce password complexity and expiration policies across all systems that touch CUI? | | | | |
| Family total | | | | |
Incident Response · IR
Do you have a nonconformance and corrective action process? Can you extend it to information security incidents?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. If an employee clicked a phishing link or connected an unauthorized device, would they know whom to report it to? | | | | |
| 2. Do you have a documented procedure for responding to an information security incident — containment, investigation, corrective action? | | | | |
| 3. Have you ever tested the procedure — through a tabletop exercise, a drill, or a real incident? | | | | |
| Family total | | | | |
Maintenance · MA
Do you maintain your production equipment on a schedule? Do you apply the same discipline to IT system maintenance?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Do you schedule and document maintenance on IT systems — patching, updates, hardware replacement — the same way you schedule equipment calibration? | | | | |
| 2. When maintenance is performed remotely (by a vendor or contractor), do you control and monitor the session? | | | | |
| 3. After maintenance, do you verify the system is functioning correctly before returning it to production use? | | | | |
| Family total | | | | |
Media Protection · MP
Do you control how documents and media are handled, stored, and destroyed? Can you extend this to digital media and CUI-bearing storage?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Do you have a policy for how USB drives, external hard drives, and portable media are used in your facility? | | | | |
| 2. When a hard drive or device that has stored CUI is decommissioned, do you sanitize or destroy it — and document the disposal? | | | | |
| 3. Is CUI encrypted when stored on laptops, removable media, or portable devices? | | | | |
| Family total | | | | |
Personnel Security · PS
Do you screen personnel and manage access based on role? Can you extend this to information access authorization?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Do you conduct background screening before granting access to CUI or CUI-bearing systems? | | | | |
| 2. When someone transfers to a different role, do you review and adjust their information access to match the new role? | | | | |
| 3. Do you have a documented offboarding process that includes revoking all information system access? | | | | |
| Family total | | | | |
Physical Protection · PE
Do you control physical access to your facility and sensitive areas? Can you extend this to areas where CUI is processed and stored?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Are the rooms or areas where CUI is processed or stored (server rooms, network closets, designated workstations) physically restricted to authorized personnel? | | | | |
| 2. Are visitors escorted in areas where CUI is accessible? | | | | |
| 3. Do you maintain access logs for restricted areas — who entered, when? | | | | |
| Family total | | | | |
Risk Assessment · RA
Do you assess risks to quality in your organization? Do you assess risks to information systems?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Have you identified the specific threats to your organization's CUI — who would want it, and how they might try to get it? | | | | |
| 2. Have you assessed the vulnerabilities in your current IT environment — unpatched systems, weak configurations, gaps in controls? | | | | |
| 3. Do you reassess risk periodically, or only when something goes wrong? | | | | |
| Family total | | | | |
Security Assessment · CA
Do you conduct internal audits of your quality system? Can you extend this to assess your information protection posture?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Have you conducted an internal audit of your information protection controls in the past twelve months? | | | | |
| 2. When the audit identifies findings, do the findings enter your corrective action system with assigned owners and due dates? | | | | |
| 3. Do you track corrective actions to verified closure — the same way you track quality audit findings? | | | | |
| Family total | | | | |
System and Communications Protection · SC
Are your network communications encrypted? Is your network segmented to protect CUI?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Is your network segmented so that systems processing CUI are separated from general-purpose systems and guest networks? | | | | |
| 2. Is CUI encrypted in transit — email, file transfers, remote access sessions? | | | | |
| 3. Do you monitor and control communications at your network boundary — inbound and outbound? | | | | |
| Family total | | | | |
System and Information Integrity · SI
Do you run malware protection? Do you scan for vulnerabilities? Do you monitor your systems for anomalies?
| Sub-question | Green | Amber | Red | Notes |
|---|---|---|---|---|
| 1. Is antivirus or endpoint protection installed and current on every system that processes CUI? | | | | |
| 2. Do you scan for vulnerabilities on a defined schedule — and remediate findings within a defined timeline? | | | | |
| 3. Do you monitor your systems for signs of unauthorized access or anomalous behavior — and who reviews the alerts? | | | | |
| Family total | | | | |
Reading Your Results
Count your colors across all 14 families and 42 sub-questions. Most manufacturing shops running a mature QMS will find:
5–7 Greens. These are the families where your quality system already provides substantial coverage: Access Control, Awareness and Training, Configuration Management, Media Protection, Personnel Security, Physical Protection, and Incident Response. You are not starting from zero. You are extending what you already run.
3–5 Ambers. These are the families where the quality discipline exists but the scope needs to expand: Audit and Accountability, Maintenance, Risk Assessment, Security Assessment. Your quality manager leads the extension.
2–4 Reds. These are the families that require genuinely new technical capability: Identification and Authentication, System and Communications Protection, System and Information Integrity. Your IT resource provides the essential input here. This is where the cybersecurity expertise matters most.
Your diagnostic result is your starting map. Thousands of manufacturers are mapping their quality systems to NIST 800-171 right now. The practitioners who share their maps — which families were Green, where the extension challenges are, what worked for the Red families — learn faster than the ones who work in isolation.
Safe Handling of Your Results
What Comes Next · Apprentice Steward Standing
When your self-assessment is complete, and your shop is ready to make a public commitment to continuous information-protection practice, the next step is Apprentice Steward standing on the Qualified Capacity Roster.
Apprentice Steward standing requires three artifacts — the body of work you assemble at your shop — that extend your diagnostic into a complete posture:
- 01 · CUI Scope Map. Where Federal Contract Information and Controlled Unclassified Information flow through your shop. Which systems, which people, which physical locations, which sub-processors.
- 02 · Gap Analysis against all fourteen NIST SP 800-171 control families. This diagnostic, extended into specific finding language and extension plans.
- 03 · Analytic Narrative. A plain-English document describing your current posture, your identified extension areas, and your plan for addressing them. Written by your quality manager or Apprentice Steward candidate; readable by your shop manager, your primes, and any assessor who asks.
All three artifacts stay at your shop. They live in your QMS document control. Your shop owns them; your quality manager retains them; the C3PAO assessor sees them at audit if and when an audit happens. Meridian never sees the artifacts.
What travels to Meridian is a signed submission — a structured document that names the artifacts and confirms their existence at your shop. Three signers attest: the Apprentice Steward candidate, the Quality Manager, and the Shop Manager or Shop Owner. The full per-signer detail lives at qualifiedcapacity.com/apprentice. Meridian receives the signed submission, runs completeness review — a structural check that the submission contains what it claims to contain — and adds your practitioner to the Qualified Capacity Roster, a gated registry of shops in standing. Meridian does not see your artifacts at any step.
Defense supply-chain partners — primes, higher-tier integrators, OEM strategic sourcing, MEP centers, agencies, and supporting organizations — interested in Roster access may contact network@qualifiedcapacity.com.
About the Monthly Calls
Meridian hosts a free monthly call, sixty minutes, on Microsoft Teams. We teach the 14 families, the CUI scoping methodology, the evidence architecture, and the Apprentice Steward body of work. Waitlist members receive the monthly invitation. First call: Tuesday, 9 June 2026.
This diagnostic is a gift. The book is a gift. The monthly calls are a gift. They are given because the defense industrial base deserves better than being told that information protection is a problem only consultants and assessors can solve.
Your shop already knows how to protect information — it lives in your QMS, your people, your practice. The work is extending that discipline to the information that warfighters depend on. You can do this. Thousands of manufacturers are mapping their quality systems to NIST 800-171 right now. You are joining them. The category is being built so you do not have to do it alone.
Instrument: Chapter 7 · It Takes the Whole Shop, by David Kirubi · Qualified Capacity Press
Custodian: Meridian Industrial Partners LLC, custodian of the Qualified Capacity™ mark
The diagnostic is a gift to the defense industrial base. It runs on your device; your responses never leave your shop. Nothing on this page collects, stores, or transmits your ratings or notes. Print from your browser. Work on paper. Keep your worksheet under your shop's document control.
If it's not qualified, it's not capacity.™