
CMMC Gap Assessment

Learn how a CMMC gap assessment evaluates your current security posture against NIST 800-171 controls, identifies compliance gaps, and builds a prioritized remediation roadmap before your C3PAO assessment.

Agency Team · 10 min read

In our work with defense contractors preparing for CMMC certification, the gap assessment is where reality meets expectations. Organizations that believe they are 80 percent compliant often discover they are closer to 40 percent when controls are evaluated with the rigor a C3PAO assessor will apply. The gap assessment is not optional preparation — it is the single most important step in your CMMC certification journey.

A CMMC gap assessment is a systematic, control-by-control evaluation of your organization's cybersecurity posture against the requirements of your target CMMC level. For most defense contractors handling Controlled Unclassified Information (CUI), that means CMMC Level 2, which requires full implementation of all 110 security controls defined in NIST SP 800-171. The gap assessment identifies where your controls fall short, where your evidence is insufficient, and where your documentation needs work — all before you spend the money and reputational capital on a formal C3PAO assessment.

This guide covers what a thorough gap assessment includes, when to conduct one, how to scope it properly, and how to turn the findings into a prioritized remediation plan that gets you to certification.

Why a Gap Assessment Is Non-Negotiable

The formal CMMC assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) is a high-stakes event. Failing the assessment does not just mean you need to try again — it means delays to contract awards, potential loss of existing contracts, and a remediation cycle that can take months. A gap assessment de-risks the formal assessment by identifying and addressing problems in advance.

Consider the practical consequences of skipping a gap assessment:

Risk | Consequence
Unidentified control gaps | Fail the C3PAO assessment, requiring remediation and reassessment
Improper CUI scoping | Assessment scope is too broad (expensive) or too narrow (fails)
Insufficient evidence | Assessor cannot verify control implementation; the control is scored NOT MET
SSP inaccuracies | System Security Plan does not reflect the actual environment, triggering findings
POA&M overreliance | Too many, or ineligible, controls on the Plan of Action & Milestones, exceeding the allowable thresholds
Budget surprise | Remediation costs discovered during the formal assessment instead of during planning

Organizations that conduct a thorough gap assessment 12 to 18 months before their planned C3PAO assessment pass at significantly higher rates than those who go in cold. The gap assessment is an investment in certainty.

What a Thorough Gap Assessment Includes

A meaningful CMMC gap assessment goes far beyond checking boxes on a spreadsheet. Here is what each component involves:

Control-by-Control Evaluation

The core of the gap assessment is a detailed review of each of the 110 NIST 800-171 controls across 14 control families:

Control Family | Controls | Focus Area
Access Control (AC) | 22 | Account management, access enforcement, remote access, wireless
Awareness and Training (AT) | 3 | Security training, insider threat awareness
Audit and Accountability (AU) | 9 | Audit logging, event correlation, retention, protection
Configuration Management (CM) | 9 | Baseline configurations, change control, least functionality
Identification and Authentication (IA) | 11 | Multi-factor authentication, identifier management, password policies
Incident Response (IR) | 3 | IR capability, reporting, testing
Maintenance (MA) | 6 | Controlled maintenance, remote maintenance, maintenance personnel
Media Protection (MP) | 9 | Media access, marking, storage, transport, sanitization
Personnel Security (PS) | 2 | Screening, personnel actions
Physical Protection (PE) | 6 | Physical access, monitoring, visitor control
Risk Assessment (RA) | 3 | Risk assessments, vulnerability scanning
Security Assessment (CA) | 4 | System security plans, assessments, monitoring
System and Communications Protection (SC) | 16 | Boundary protection, encryption, session management
System and Information Integrity (SI) | 7 | Flaw remediation, malicious code protection, monitoring

For each control, the assessor evaluates three dimensions:

  1. Implementation status — Is the control implemented, partially implemented, or not implemented?
  2. Evidence availability — Can you demonstrate that the control is operating effectively through documentation, screenshots, configurations, logs, or other artifacts?
  3. Maturity and sustainability — Is the control operating consistently over time, or was it hastily implemented and may not survive ongoing operations?

CUI Scoping Validation

One of the most consequential decisions in CMMC preparation is defining the boundary of your CUI environment. The scope of your assessment — and therefore the number of systems, networks, and personnel that must comply — depends entirely on where CUI flows through your organization.

A gap assessment includes a thorough review of CUI scoping to ensure:

  • All systems that process, store, or transmit CUI are identified and included
  • Every asset in and around the boundary is categorized the way the CMMC Level 2 scoping guidance expects (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets), since the category determines what the assessor will examine
  • Data flow diagrams accurately reflect how CUI moves through your environment
  • The boundary between CUI and non-CUI systems is clearly defined and technically enforced, not just drawn on a diagram
  • CUI enclave strategies, if used, are properly implemented and documented
  • External service providers that handle CUI are identified and have appropriate flow-down requirements

Incorrect scoping is one of the top reasons organizations fail their C3PAO assessment. If you scope too narrowly, the assessor will find CUI flowing through systems outside your documented boundary. If you scope too broadly, you increase the number of controls that must be implemented and verified, inflating cost and complexity.

System Security Plan (SSP) Review

The SSP is the foundational document that describes your security program. The C3PAO assessor will use your SSP as the baseline for their evaluation, comparing what you claim to implement against what they observe in practice.

A gap assessment reviews the SSP for:

  • Completeness — Does the SSP address every control in scope?
  • Accuracy — Do the described implementations match the actual environment?
  • Specificity — Are control implementations described with enough detail for an assessor to verify them?
  • Currency — Does the SSP reflect the current state of your environment, or is it a stale document from a prior assessment?

SSP deficiencies are among the easiest to fix but among the most common to overlook. Organizations often write their SSP once and forget to update it as their environment evolves.

Evidence Review

For every control, a C3PAO assessor will request evidence that the control is implemented and operating effectively. A gap assessment evaluates whether that evidence exists, is accessible, and is sufficient. Common evidence types include:

  • Configuration screenshots and exports
  • Access control lists and role assignments
  • Training completion records
  • Audit log samples showing monitoring and alerting
  • Incident response test results
  • Vulnerability scan reports
  • Policy and procedure documents with review and approval records
  • Network diagrams and data flow diagrams

The gap assessment identifies controls where evidence is missing, outdated, or insufficient — giving you time to generate the necessary artifacts before the formal assessment.

Plan of Action and Milestones (POA&M) Assessment

CMMC allows a Level 2 organization to receive a conditional certification with a limited set of controls on a POA&M, a documented plan to remediate specific gaps within a defined timeline. The rule (32 CFR part 170) is restrictive on which controls qualify and how many: the assessment score must be at least 80 percent of the maximum, which at Level 2 means 88 of 110 points under the CMMC scoring methodology; only controls weighted at 1 point may be deferred, with SC.L2-3.13.11 (CUI encryption) the one higher-weight exception when encryption is in place but not FIPS-validated; five controls (AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) can never be on a POA&M; and every POA&M item must be closed and verified within 180 days or the conditional certification expires.

A gap assessment evaluates:

  • Which controls are candidates for POA&M treatment versus which must be fully implemented before assessment
  • Whether the projected score stays at or above the 88-point floor once the remaining NOT MET controls are weighted
  • Whether proposed remediation timelines fit inside the 180-day closeout window and demonstrate good faith
  • Whether existing POA&M items from prior NIST 800-171 self-assessments have been closed

Prioritized Remediation Roadmap

The ultimate deliverable of a gap assessment is not a list of problems — it is a plan to fix them. A well-structured remediation roadmap includes:

Priority tiers based on risk and effort:

Priority | Criteria | Timeline
Critical | Controls that will definitely fail assessment and require significant effort | Months 1–6
High | Controls with partial implementation needing enhancement | Months 3–9
Medium | Evidence and documentation gaps for implemented controls | Months 6–12
Low | Fine-tuning and optimization of controls that are substantially in place | Months 9–15

Each remediation item should include the specific gap, the required action, the responsible party, the estimated cost, and the target completion date. This roadmap becomes the project plan that drives your CMMC preparation from gap assessment through certification.
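The POA&M eligibility test described in the previous section and the priority tiers above can be turned into a repeatable check that runs against the gap-assessment spreadsheet every time a finding changes. The following Python script is an added example written for this article; it is not a tool from the CMMC program or from Agency. The finding records, their point values and effort estimates are constructed for illustration (real weights come from the published CMMC scoring methodology), and the function and field names are our own.

```python
"""Gap-assessment triage helper (illustrative, not an official CMMC tool).

Scores a control-by-control result set the way the DoD NIST SP 800-171
assessment methodology does (start at 110, subtract the point value of each
NOT MET requirement), applies the CMMC Level 2 POA&M eligibility rule from
32 CFR 170.21, and sorts findings into the remediation tiers used in the
roadmap table above. Point values in SAMPLE are illustrative only.
"""
from dataclasses import dataclass, replace

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_RATIO = 0.8          # score / 110 must be >= 0.8 (88 points)
CUI_ENCRYPTION = "SC.L2-3.13.11"     # allowed on a POA&M at a 1- or 3-point deduction
NEVER_ON_POAM = {                    # the five requirements the rule excludes outright
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}


@dataclass(frozen=True)
class Finding:
    control_id: str
    weight: int        # full point value of the requirement (1, 3 or 5)
    status: str        # "MET" or "NOT MET" (N/A is treated as MET here)
    deduction: int     # points the assessor deducts; 0 when MET, may be < weight for 3.13.11
    evidence: str      # "sufficient", "insufficient" or "missing"
    effort: str        # "significant" or "minor": estimated remediation effort
    sustainable: bool  # has the control operated consistently over time?


def assessment_score(findings):
    """110 minus deductions; requirements not listed are assumed MET."""
    return TOTAL_REQUIREMENTS - sum(f.deduction for f in findings if f.status == "NOT MET")


def poam_eligible(f):
    """May this NOT MET requirement be deferred to a Level 2 POA&M?"""
    if f.control_id in NEVER_ON_POAM:
        return False
    if f.control_id == CUI_ENCRYPTION:
        return f.deduction in (1, 3)
    return f.weight == 1


def poam_check(findings):
    """Decide whether the result set could qualify for conditional certification."""
    open_items = [f for f in findings if f.status == "NOT MET"]
    blocking = [f.control_id for f in open_items if not poam_eligible(f)]
    score = assessment_score(findings)
    return {
        "score": score,
        "conditional_ok": score / TOTAL_REQUIREMENTS >= MIN_CONDITIONAL_RATIO and not blocking,
        "blocking": blocking,                     # must be fixed before the C3PAO visit
        "poam_items": [f.control_id for f in open_items if poam_eligible(f)],
    }


def tier(f):
    """Map a finding onto the Critical/High/Medium/Low tiers of the roadmap."""
    if f.status == "NOT MET":
        return "Critical" if f.effort == "significant" else "High"
    if f.evidence != "sufficient":
        return "Medium"
    return None if f.sustainable else "Low"


def remediation_roadmap(findings):
    """Ordered (tier, control_id) list: tier first, then largest deduction, then ID."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    items = [(tier(f), f) for f in findings if tier(f) is not None]
    items.sort(key=lambda t: (order[t[0]], -t[1].deduction, t[1].control_id))
    return [(t, f.control_id) for t, f in items]


def remediate(findings, fixed_ids):
    """Copy of the findings with the given requirements closed out as MET."""
    return [replace(f, status="MET", deduction=0, evidence="sufficient")
            if f.control_id in fixed_ids else f for f in findings]


# Constructed sample: a handful of findings from a hypothetical gap assessment.
SAMPLE = [
    Finding("AC.L2-3.1.1", 5, "NOT MET", 5, "missing", "significant", False),
    Finding("IA.L2-3.5.3", 5, "NOT MET", 5, "missing", "significant", False),
    Finding("SC.L2-3.13.11", 5, "NOT MET", 3, "insufficient", "minor", True),  # non-FIPS crypto
    Finding("PE.L2-3.10.3", 1, "NOT MET", 1, "missing", "minor", True),
    Finding("AU.L2-3.3.3", 1, "NOT MET", 1, "insufficient", "minor", True),
    Finding("CM.L2-3.4.1", 5, "MET", 0, "insufficient", "minor", True),
    Finding("AC.L2-3.1.5", 3, "MET", 0, "sufficient", "minor", False),
]

if __name__ == "__main__":
    print(poam_check(SAMPLE))
    for t, cid in remediation_roadmap(SAMPLE):
        print(f"{t:9} {cid}")
    fixed = remediate(SAMPLE, {"AC.L2-3.1.1", "IA.L2-3.5.3", "PE.L2-3.10.3"})
    print(poam_check(fixed))
```

On the sample, the score is 95 (above the 88-point floor) but conditional certification is still blocked, because two 5-point controls and an excluded physical-protection control are NOT MET; only the encryption and audit-review items could go on a POA&M. Once the three blocking items are remediated the same check returns a score of 106 with two eligible POA&M items, which is the state you want to be in before scheduling the C3PAO.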

Timing Your Gap Assessment

The most common question we hear is "when should we start?" The answer depends on your current maturity, but here are general guidelines:

18 months before C3PAO assessment: Ideal for organizations with minimal existing security controls. This provides time for a thorough gap assessment (4 to 8 weeks), comprehensive remediation, evidence collection to demonstrate control operation over time, and a follow-up readiness assessment before the formal evaluation.

12 months before C3PAO assessment: Appropriate for organizations that have been working toward NIST 800-171 compliance and have many controls in place. The gap assessment validates what you have, identifies remaining gaps, and gives you 9 to 10 months for targeted remediation.

6 months before C3PAO assessment: Only viable for organizations that are substantially compliant and primarily need validation and evidence cleanup. This is a tight timeline that leaves little margin for error if significant gaps are discovered.

Starting too late is the most expensive mistake in CMMC preparation. Remediation work that could be done methodically over 12 months becomes a rush job with premium consulting rates, emergency procurement, and corners cut on evidence collection.

Conducting the Gap Assessment: Internal vs. External

Organizations have three approaches to gap assessment:

Internal Self-Assessment

Your own team evaluates compliance against the NIST 800-171 controls. This approach is inexpensive but carries significant risk: internal teams tend to interpret controls favorably, may lack assessment methodology experience, and often do not know how C3PAO assessors actually evaluate specific controls.

External Gap Assessment

An experienced CMMC consultant or firm conducts the evaluation. External assessors bring objectivity, methodology rigor, and knowledge of how formal assessments are actually conducted. Costs vary based on scope and organization complexity — contact providers for current pricing.

Hybrid Approach

The internal team conducts a preliminary self-assessment, identifying obvious gaps and beginning remediation. An external consultant then validates the self-assessment, identifies issues the internal team missed, and provides the prioritized remediation roadmap. This approach balances cost with thoroughness and is what we recommend for most organizations.

Common Gaps We Find in Assessments

Based on the gap assessments we have conducted and reviewed, certain control areas consistently surface as problem areas:

Access control (AC) — Organizations frequently lack automated account management, fail to enforce least privilege consistently, or have insufficient controls around remote access and mobile devices.

Audit and accountability (AU) — Audit logging is often incomplete, lacks correlation across systems, or has no retention policy that covers the period your own procedures and contracts require (NIST 800-171 sets no fixed duration, so the assessor checks you against what you documented). Many organizations log events but do not actively review or alert on them, which leaves the review-and-report controls unevidenced.

Configuration management (CM) — Baseline configurations are either undocumented or not enforced. Change management processes exist on paper but are not followed consistently, and evidence of compliance is scarce.

Identification and authentication (IA) — Multi-factor authentication gaps are common. IA.L2-3.5.3 requires MFA for all access to privileged accounts and for network access to non-privileged accounts, and it is the network access by ordinary users to CUI systems, along with VPN and other remote-access paths, that most often goes unprotected.

System and communications protection (SC) — Encryption requirements, both at rest and in transit, are frequently underimplemented, and even where encryption is in place it is often not FIPS-validated cryptography as SC.L2-3.13.11 requires; an assessor will ask for the validated module's certificate, not just a statement that TLS or disk encryption is enabled. Network segmentation between CUI and non-CUI environments is often insufficient to support the boundary drawn in the SSP.

Media protection (MP) — Organizations handling CUI on portable media or in printed form often lack the marking, tracking, and sanitization controls required by NIST 800-171.

From Gap Assessment to Certification

The gap assessment is the starting point, not the destination. Here is the typical progression from gap assessment through certification:

  1. Gap assessment (Weeks 1–6) — Evaluate current state against all 110 controls
  2. Remediation planning (Weeks 4–8) — Develop prioritized roadmap with budgets and timelines
  3. Remediation execution (Months 2–12) — Implement controls, deploy technology, update policies
  4. Evidence collection (Ongoing during remediation) — Document control operation over time
  5. SSP update (Months 10–12) — Revise the SSP to accurately reflect the remediated environment
  6. Internal readiness review (Month 12–14) — Conduct a mini-assessment to verify readiness
  7. C3PAO engagement (Month 14–16) — Schedule and undergo formal assessment
  8. POA&M remediation (If needed, months 16–22) — Close any remaining items within the 180-day window the rule allows for a conditional certification

The organizations that succeed treat CMMC certification as a continuous program, not a project with a defined end date. The gap assessment establishes the baseline, the remediation builds the program, and ongoing monitoring maintains it.

Key Takeaways

A CMMC gap assessment is the most important pre-certification investment you can make. It reveals the true distance between where you are and where you need to be, converts that distance into a structured remediation plan, and dramatically increases your probability of passing the formal C3PAO assessment on the first attempt. Start early — 12 to 18 months before your target assessment date — and invest in an objective evaluation that matches the rigor your C3PAO assessor will bring. The cost of a thorough gap assessment is a fraction of the cost of failing a formal assessment and starting the cycle over.
