PlainAudit

CMMC Gap Analysis: The Step-by-Step Process Before You Hire a Consultant

A CMMC gap analysis is the difference between spending $138,000 on the right things and spending $138,000 on the wrong things. Most organizations jump straight into buying security tools and hiring consultants before they know exactly which of the 110 NIST 800-171 controls they are actually failing. A structured gap analysis tells you where your money needs to go — before you write any checks.

This guide covers the complete CMMC gap analysis process that compliance consultants follow, adapted so you can run it yourself before hiring anyone. The result: a prioritized gap list, an estimated SPRS score, and a remediation roadmap you can act on.

What a CMMC Gap Analysis Produces

A proper gap analysis delivers four outputs:

  1. Control-by-control status — each of the 110 NIST SP 800-171 Rev 2 requirements rated as Implemented, Partially Implemented, or Not Implemented
  2. Estimated SPRS score — your numeric compliance score (range: -203 to +110), calculated from the gaps identified
  3. Evidence inventory — for each “Implemented” control, the documentation or technical proof that supports the claim
  4. Prioritized remediation roadmap — gaps ranked by SPRS point value, remediation difficulty, and dependency chains

Without all four, you have a checklist, not a gap analysis. The checklist tells you what is wrong. The gap analysis tells you what to fix first and why.

Step 1: Determine Your CMMC Level and CUI Scope

Before assessing any controls, answer two questions:

Do You Handle CUI or Only FCI?

Controlled Unclassified Information (CUI) triggers Level 2 (110 controls). Federal Contract Information (FCI) triggers Level 1 (17 controls). The distinction matters enormously: getting this wrong means assessing against 17 controls when you need 110, or spending money on 110 controls when 17 would suffice.

Check your contracts for DFARS 252.204-7012 (safeguarding CUI and cyber incident reporting) and DFARS 252.204-7021 (the CMMC clause). If 7012 is present, you almost certainly handle CUI and need Level 2.

The Most Consequential Error in CMMC

Misidentifying CUI as FCI means applying 17 controls instead of 110. This is not a minor oversight — it is a 93-control gap that a C3PAO assessment will catch immediately. Common CUI types in defense contracts: technical drawings, test results, manufacturing specifications, export-controlled data (ITAR/EAR). If you generate or receive any of these, you handle CUI.

Where Does CUI Live in Your Organization?

Map every system, network, application, and person that touches CUI. This defines your assessment boundary — everything inside the boundary is in scope for all 110 controls. Five asset categories:

  • CUI Assets — systems that directly process, store, or transmit CUI
  • Security Protection Assets — systems that provide security for CUI assets (firewalls, SIEM, directory services)
  • Contractor Risk Managed Assets — systems that can access CUI environments but are not designed to process CUI
  • Specialized Assets — OT/IoT devices, government-furnished equipment, test equipment
  • Out-of-Scope Assets — physically and logically separated from CUI

An enclave strategy — isolating CUI into a dedicated network segment — dramatically reduces scope. Only 5% of organizations have proper microsegmentation, which means 95% are assessing more systems than necessary.

Step 2: Assess Each Control Domain

Walk through all 14 control families systematically. For each requirement, determine its implementation status. The critical distinction: do not ask “do we have a policy?” Ask “can we demonstrate this with evidence?”

Here is what to look for in the domains that produce the most gaps:

Access Control (AC) — 22 Requirements, 58 SPRS Points

The largest domain and the most common source of assessment failures. Key questions:

  • Do you maintain a current list of all authorized users and devices?
  • Are permissions role-based, or do users have more access than their job requires?
  • Is remote access controlled with MFA and encrypted connections?
  • Do you control how CUI flows between systems with documented rules and technical enforcement?
  • Can you demonstrate separation of duties for critical functions?

Common finding: all users have administrator-level access. This alone can cost 5 to 15 SPRS points across multiple AC controls.

System & Communications Protection (SC) — 16 Requirements, 42 SPRS Points

Where encryption and network boundary requirements live. The question that catches most small contractors: is your encryption FIPS 140-2 validated? Standard TLS or AES is not sufficient — the specific cryptographic module must appear on NIST’s validated modules list. Many VPN and email solutions use encryption that is not FIPS-validated.

Configuration Management (CM) — 9 Requirements, 33 SPRS Points

Do you have documented configuration baselines for your systems? Can you track and approve changes to those baselines? Are unnecessary services and ports disabled? Organizations that operate without configuration management tools often lose points across the entire CM domain.

Identification & Authentication (IA) — 11 Requirements, 27 SPRS Points

MFA is the headline requirement, but this domain also covers password management, device identification, and authenticator protection. If your organization does not enforce MFA for all network access — not just VPN, but email, file shares, and administrative interfaces — expect significant deductions here.

Step 3: Document Evidence for Implemented Controls

For every control you rate as “Implemented,” record what evidence supports that claim. A C3PAO assessment uses three methods:

  • Examine — they review your documentation (policies, SSP, configurations, logs)
  • Interview — they ask your people how controls work in practice
  • Test — they verify controls work by testing them directly

A control needs to pass all three methods. If you have a policy document but no technical evidence, mark the control as “Partially Implemented” — and for SPRS scoring purposes, partial means not implemented.

Evidence Types That Assessors Accept

Technical evidence: configuration screenshots, SIEM log samples, firewall rule exports, access control list exports, MFA enrollment reports

Policy evidence: approved policies with review dates, signed by management, distributed to personnel

Process evidence: training completion records, incident response test results, maintenance logs, access review records

Evidence must be in final form. Drafts, working papers, and unapproved documents are not acceptable.

Step 4: Calculate Your SPRS Score

For each unimplemented control, look up its SPRS point value (1, 3, or 5) and subtract from 110. The formula:

$$\text{SPRS} = 110 - \sum(\text{point value of each unimplemented control})$$

Compare your result against these thresholds:

  • 110 — full compliance, ready for C3PAO assessment
  • 88–109 — conditional certification possible if remaining gaps are only 1-point controls
  • Below 88 — cannot receive certification; full remediation required for all 3-point and 5-point controls

Professional gap assessments typically find 40 to 70 deficiencies in small defense contractors (15–125 employees). If your self-assessment finds fewer than 20, consider whether you are being rigorous enough — the national average suggests you may be rating controls too generously.

Step 5: Build the Remediation Roadmap

Prioritize remediation in this order:

  1. 5-point controls — highest security impact, highest score recovery per control
  2. Dependency enablers — controls that other controls depend on (network segmentation enables AC controls; directory services enable IA controls)
  3. 3-point controls — only 6 of these, so closing them is fast and high-ROI
  4. 1-point controls above the 88 line — close these to reach full certification
  5. 1-point controls below the 88 line — these can be POA&M candidates (180-day remediation window)

Estimate timelines realistically. Access control overhaul: 2 to 4 months. FIPS-validated encryption deployment: 1 to 3 months. Policy creation and approval: 1 to 2 months. Incident response plan development and testing: 2 to 3 months.
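As an added worked example (not PlainAudit's tooling and not the DoD Assessment Methodology itself), the Step 4 formula and the Step 5 tiers applied to a constructed gap list. The requirement numbers are NIST SP 800-171 identifiers, but the point weights, statuses and dependency links are illustrative; the "88 line" is modeled as the number of 1-point gaps that must still close to reach 88 once every 5-point, 3-point and enabler gap is closed, with the rest treated as POA&M candidates.

```python
"""Constructed example: score a gap list (Step 4) and order remediation (Step 5)."""
from dataclasses import dataclass, field

MAX_SCORE = 110          # every one of the 110 requirements implemented
CONDITIONAL_FLOOR = 88   # floor for conditional certification

@dataclass
class Control:
    cid: str          # NIST SP 800-171 requirement number
    points: int       # SPRS weight 1, 3 or 5 (constructed values in SAMPLE below)
    status: str       # Implemented / Partially Implemented / Not Implemented
    enables: list = field(default_factory=list)  # requirements that depend on this one

def is_gap(ctl):
    # For SPRS scoring a partially implemented control counts as unimplemented.
    return ctl.status != "Implemented"

def sprs_score(controls):
    return MAX_SCORE - sum(c.points for c in controls if is_gap(c))

def readiness(score):
    if score == MAX_SCORE:
        return "full"
    return "conditional" if score >= CONDITIONAL_FLOOR else "not certifiable"

def tier(ctl):
    # Tier 1: 5-point gaps; 2: dependency enablers; 3: 3-point gaps; 4: 1-point gaps.
    return 1 if ctl.points == 5 else 2 if ctl.enables else 3 if ctl.points == 3 else 4

def remediation_plan(controls):
    """Return (close_now, poam_candidates), each an ordered list of requirement ids."""
    gaps = sorted((c for c in controls if is_gap(c)),
                  key=lambda c: (tier(c), -len(c.enables), c.cid))
    high = [c for c in gaps if tier(c) < 4]
    ones = [c for c in gaps if tier(c) == 4]
    # With tiers 1-3 closed only 1-point gaps still deduct; close just enough to reach 88.
    must_close = max(0, CONDITIONAL_FLOOR - (MAX_SCORE - len(ones)))
    return ([c.cid for c in high + ones[:must_close]],
            [c.cid for c in ones[must_close:]])

# Constructed gap list; the weights are NOT the DoD Assessment Methodology values.
SAMPLE = [
    Control("3.1.1", 5, "Not Implemented"),
    Control("3.13.1", 5, "Partially Implemented", enables=["3.1.3", "3.1.12"]),
    Control("3.5.1", 3, "Not Implemented", enables=["3.5.2"]),
    Control("3.1.5", 3, "Not Implemented"),
    Control("3.1.3", 1, "Not Implemented"),
    Control("3.1.12", 1, "Partially Implemented"),
    Control("3.5.2", 1, "Implemented"),
]
```

For SAMPLE the score is 92 (conditional), the four 5-point, enabler and 3-point gaps come first in the plan, and the two 1-point gaps are POA&M candidates; appending twenty-five more 1-point gaps drops the score to 67 and moves five of the 1-point gaps into the close-now list.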

A CMMC readiness assessment can accelerate Steps 2 through 4 by walking you through each control domain with structured questions and producing an estimated SPRS score automatically.

When to Bring in a Consultant

Run the gap analysis yourself first. You will learn more about your compliance posture in one thorough self-assessment than in any number of vendor briefings. Bring in a consultant when:

  • Your SPRS score is below 60 and you need a comprehensive remediation plan
  • You lack in-house expertise for specific technical controls (FIPS encryption, SIEM deployment, network segmentation)
  • You want a mock assessment before engaging a C3PAO ($5,000–$15,000 for a mock, versus $30,000–$55,000 for the real thing)

The gap analysis you ran yourself becomes the starting brief for your consultant. It saves them discovery time and saves you billable hours.

This content is educational and does not constitute legal, audit, or compliance advice. It is not a substitute for a formal gap assessment by a Registered Practitioner Organization (RPO) or Certified Third-Party Assessment Organization (C3PAO). Consult a qualified professional for assessment readiness guidance specific to your organization.