What Is a CMMC Gap Analysis?
A CMMC gap analysis is a structured, control-by-control review of your environment against the 110 security requirements of NIST SP 800-171 — the foundation of CMMC Level 2. For each requirement, we determine whether it is fully implemented, partially implemented, or not implemented, using the same assessment objectives a C3PAO will apply during your certification assessment.
The result is a clear picture of your actual compliance posture: an accurate SPRS score you can defend, a documented inventory of gaps, and a remediation roadmap ordered by risk, cost, and assessment impact. For most defense contractors, this is the right first step — it turns "we think we're mostly compliant" into a concrete plan with a realistic timeline.
How the Gap Analysis Works
- Scoping & CUI data flow review: We define your assessment boundary, where CUI lives, how it moves, and which systems, people, and facilities are in scope. Getting scope right early often shrinks the cost of everything that follows.
- Control-by-control evidence review: Interviews, configuration review, and documentation examination across all 14 control families, evaluated against the NIST SP 800-171A assessment objectives, not just the control text.
- Scoring & findings: Each requirement is scored using the official DoD assessment methodology, producing a defensible SPRS score and a finding-by-finding gap register.
- Remediation roadmap: A prioritized plan that sequences fixes by risk and effort, distinguishes quick wins from capital projects, and maps each item to the controls it satisfies.
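The scoring and roadmap steps above are mechanical once the gap register exists, and the mechanics matter: under the DoD NIST SP 800-171 Assessment Methodology a fully implemented baseline scores 110, every unimplemented requirement subtracts its 1-, 3- or 5-point value, and a "partially implemented" finding earns no credit at all except in two named cases (3.5.3 when MFA covers remote and privileged users but not general users, and 3.13.11 when encryption is in place but not FIPS-validated, each deducting 3 instead of 5). The script below is an added example, not the firm's tooling or the DoD's published calculator; the point values in ILLUSTRATIVE_WEIGHTS are assumptions for the constructed register and must be replaced with the Annex A table before any score is submitted, and the sample findings, effort estimates and the "edr_on_servers_only" qualifier are constructed.

```python
"""Score a NIST SP 800-171 gap register the way the DoD Assessment
Methodology does and order the open findings for a remediation roadmap.
Added example; not the page's, the firm's or the DoD's own tooling."""
from dataclasses import dataclass
from typing import Dict, List

MAX_SCORE = 110  # a fully implemented 800-171 baseline scores 110

# Each requirement carries a point value of 1, 3 or 5 from Annex A of the
# DoD Assessment Methodology. Only the controls used by the constructed
# register below are listed, and these values are ILLUSTRATIVE ASSUMPTIONS:
# populate this table from the published Annex A before relying on a score.
ILLUSTRATIVE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.6": 5,   # monitor systems to detect attacks
}

# The methodology grants a reduced deduction in exactly two partial cases.
MFA_REMOTE_AND_PRIVILEGED_ONLY = "mfa_remote_and_privileged_only"
ENCRYPTION_NOT_FIPS_VALIDATED = "encryption_not_fips_validated"
PARTIAL_CREDIT = {
    ("3.5.3", MFA_REMOTE_AND_PRIVILEGED_ONLY): 3,
    ("3.13.11", ENCRYPTION_NOT_FIPS_VALIDATED): 3,
}


@dataclass
class Finding:
    control: str
    status: str            # "implemented", "partial" or "not_implemented"
    detail: str = ""       # qualifier consulted only for the two partial-credit rules
    effort_hours: int = 0  # remediation estimate, used for roadmap ordering


def deduction(f: Finding, weights: Dict[str, int]) -> int:
    """Points subtracted from 110 for one finding."""
    if f.status == "implemented":
        return 0
    if f.status == "partial":
        reduced = PARTIAL_CREDIT.get((f.control, f.detail))
        if reduced is not None:
            return reduced
    # Every other partial implementation, including items parked on a POA&M,
    # is scored exactly like a missing control.
    return weights[f.control]


def sprs_score(register: List[Finding],
               weights: Dict[str, int] = ILLUSTRATIVE_WEIGHTS) -> int:
    """Summary score as it would be entered in SPRS."""
    return MAX_SCORE - sum(deduction(f, weights) for f in register)


def remediation_order(register: List[Finding],
                      weights: Dict[str, int] = ILLUSTRATIVE_WEIGHTS) -> List[str]:
    """Open findings ordered by score impact (highest first), then by effort
    (lowest first): quick wins come before capital projects of equal weight."""
    open_items = [f for f in register if deduction(f, weights) > 0]
    open_items.sort(key=lambda f: (-deduction(f, weights), f.effort_hours, f.control))
    return [f.control for f in open_items]


# Constructed gap register for a small contractor (not real assessment data).
SAMPLE_REGISTER = [
    Finding("3.1.1", "implemented"),
    Finding("3.1.3", "not_implemented", effort_hours=4),
    Finding("3.3.1", "not_implemented", effort_hours=40),
    Finding("3.5.3", "partial", MFA_REMOTE_AND_PRIVILEGED_ONLY, effort_hours=24),
    Finding("3.13.11", "partial", ENCRYPTION_NOT_FIPS_VALIDATED, effort_hours=16),
    # Partial coverage that matches no partial-credit rule costs the full 5.
    Finding("3.14.6", "partial", "edr_on_servers_only", effort_hours=8),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_REGISTER))
    for control in remediation_order(SAMPLE_REGISTER):
        print("remediate:", control)
```

With the sample register the score is 93 (deductions 1 + 5 + 3 + 3 + 5 = 17), and the roadmap puts the two 5-point items first with the cheaper one ahead. The practical lesson is the 3.14.6 line: a control that is "partially implemented" in the gap analysis sense still costs its full weight in SPRS unless it is one of the two exceptions, which is why an optimistic self-assessment that counted partial work as credit tends to collapse when the same register is scored by the book.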
What You Receive
- Gap assessment report — status of all 110 controls and 320 assessment objectives
- Defensible SPRS score — calculated with the DoD scoring methodology, ready for submission
- CUI scoping diagram — your assessment boundary and data flows, documented
- Prioritized remediation roadmap — sequenced, estimated, and mapped to controls
- POA&M starter — open items framed the way assessors expect to see them
When remediation is complete, a mock assessment validates your readiness before you engage a C3PAO.
Frequently Asked Questions
How long does a CMMC gap analysis take?
For most small to mid-sized contractors, two to four weeks from kickoff to final report, depending on environment complexity and how quickly evidence can be gathered. Larger or multi-site environments take longer.
Is a gap analysis required before a CMMC assessment?
It isn't formally required, but going into a C3PAO assessment without one is risky and expensive. A failed certification assessment costs far more than a readiness review — and an inaccurate SPRS score carries False Claims Act exposure.
Will the gap analysis update our SPRS score?
You'll receive a defensibly calculated score and guidance on submitting it. Many contractors discover their previously self-reported score was optimistic — correcting it early is far better than having an assessor or the DoD discover the discrepancy.