CMMC Gap Assessment: Your First Step to Level 2

Before you spend a dollar on remediation, you need to know where you stand. That's what a gap assessment does. It measures your current security posture against all 110 NIST 800-171 controls and tells you exactly what you've got, what you're missing, and what it's going to take to close the gaps.

Think of it as a diagnostic before the treatment. You wouldn't let a mechanic rebuild your engine without first figuring out what's actually wrong. Same principle here. A gap assessment gives you the honest picture -- your real compliance posture, not what you hope it is or what you put on a self-assessment form two years ago.

It's the starting line. And if you skip it, everything that follows -- your budget, your timeline, your remediation plan -- is based on guesswork. That's how companies end up overspending, missing deadlines, or failing their C3PAO assessment.

What Gets Evaluated

A gap assessment isn't a quick checklist or a surface-level scan. It's a thorough evaluation of everything that matters for CMMC Level 2 certification. Here's what we look at:

All 110 NIST 800-171 Controls

Every single control, organized across all 14 control families -- Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, and so on. We evaluate each one against your actual environment, not against what your policies say you do. There's usually a gap between the two, and that's exactly what we're looking for.

Your Real SPRS Score

If you've submitted a SPRS score to the DoD, there's a good chance it doesn't reflect reality. We're not being critical -- it's just what we see. Most companies self-assess optimistically, either because the controls are confusing, because "partially implemented" felt close enough to check the box, or because the person filling it out didn't have the full picture. We calculate your actual score based on what we find during the assessment. For a lot of companies, this is a wake-up call.

CUI Scope and Data Flows

Where does your Controlled Unclassified Information actually live? How does it move through your organization? Who touches it? These questions define your scope -- the boundary of what needs to be protected and assessed. Getting scope wrong is one of the most expensive mistakes in CMMC compliance. Too broad and you're protecting systems that don't need it. Too narrow and you fail the assessment. We map your CUI flows and help you define a scope that makes sense, including enclave recommendations if they can reduce your footprint.

Current Technology Stack

We look at what you're running today. What Microsoft 365 licensing do you have? How are your endpoints managed? What does your network architecture look like? Is your email in the cloud or on-premises? Do you have a firewall that actually does what you think it does? This isn't about judging your IT setup. It's about understanding what needs to change and what can stay.

Existing Documentation

Do you have a System Security Plan? Security policies? Incident response procedures? Configuration management documentation? If you do, we review them against what assessors expect. If you don't -- and most small manufacturers don't -- that's fine. It tells us the documentation workstream needs to start from scratch, and we plan accordingly.

What You Get as a Deliverable

When the assessment is done, you don't get a vague summary or a PowerPoint with red-yellow-green charts. You get a detailed, actionable set of deliverables that you can use immediately -- whether you hire us to remediate, do it yourself, or bring in someone else entirely.

Control-by-Control Assessment

Every one of the 110 NIST 800-171 controls evaluated and categorized as met, partially met, or not met. No ambiguity. You'll know exactly which controls are solid, which ones need work, and which ones haven't been touched at all.

Accurate SPRS Score

Your real score, calculated from the assessment findings. This is the number that reflects where you actually stand today -- not where you hope you are. If there's a delta between this and what you've reported, you'll know.
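To make the scoring concrete, here is an added worked example (not the firm's own tooling, and not part of the original page) showing how a control-by-control finding list turns into a SPRS-style score. It applies the weighted scoring rule of the DoD NIST SP 800-171 Assessment Methodology: start at 110, subtract each unmet control's weight (1, 3 or 5 points), treat "partially met" as not met except for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), which earn partial credit. The weight table and the sample findings are a constructed subset for illustration; the full per-control weights must be taken from the DoD methodology document before the script is used on a real assessment.

```python
"""SPRS-style scoring from control-by-control gap-assessment findings.

Added worked example. The weight table below is a constructed subset
(assumed for illustration); the authoritative per-control weights are in
the DoD NIST SP 800-171 Assessment Methodology and must be filled in for
all 110 controls before scoring a real environment.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    MET = "met"
    PARTIAL = "partially met"
    NOT_MET = "not met"


# Constructed subset of control weights (1, 3 or 5 points each).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.2": 5,
}

# Only these two controls get partial credit under the methodology:
# MFA for remote/privileged users only, or non-FIPS-validated encryption,
# costs 3 points instead of the full 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110


@dataclass
class Finding:
    control: str
    status: Status
    note: str = ""


def deduction(finding: Finding) -> int:
    """Points lost for one finding."""
    if finding.control not in WEIGHTS:
        raise ValueError(f"no weight known for control {finding.control}")
    if finding.status is Status.MET:
        return 0
    if finding.status is Status.PARTIAL and finding.control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[finding.control]
    # Every other "partially met" control scores the same as "not met".
    return WEIGHTS[finding.control]


def sprs_score(findings) -> int:
    """110 minus the summed deductions. Controls absent from the finding
    list are implicitly treated as met, so a real run needs all 110."""
    seen = set()
    total = 0
    for f in findings:
        if f.control in seen:
            raise ValueError(f"duplicate finding for {f.control}")
        seen.add(f.control)
        total += deduction(f)
    return MAX_SCORE - total


def roadmap(findings):
    """Unmet controls ordered by points recovered (highest first), which is
    one reasonable first cut at a remediation priority list."""
    items = [(deduction(f), f) for f in findings if deduction(f) > 0]
    items.sort(key=lambda item: (-item[0], item[1].control))
    return [(f.control, f.status.value, points) for points, f in items]


# Constructed sample findings for a small manufacturer (illustrative only).
SAMPLE_FINDINGS = [
    Finding("3.1.1", Status.MET, "AD accounts, least privilege groups"),
    Finding("3.1.2", Status.PARTIAL, "policy exists, not enforced on shop-floor PCs"),
    Finding("3.1.20", Status.NOT_MET, "no inventory of external connections"),
    Finding("3.1.22", Status.MET),
    Finding("3.3.1", Status.NOT_MET, "no central log collection"),
    Finding("3.5.3", Status.PARTIAL, "MFA on VPN and admins, not general users"),
    Finding("3.13.11", Status.PARTIAL, "TLS in use but modules not FIPS-validated"),
    Finding("3.14.2", Status.MET),
]

if __name__ == "__main__":
    print("Score:", sprs_score(SAMPLE_FINDINGS))
    for control, status, points in roadmap(SAMPLE_FINDINGS):
        print(f"  {control:8} {status:15} -{points}")
```

Running it on the sample gives a score of 93: the "partially met" 3.1.2 costs the full 5 points because it is not one of the two partial-credit controls, while 3.5.3 and 3.13.11 cost 3 each. That difference is exactly the optimism the section above describes, where "partially implemented" was checked as if it counted.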

Prioritized Remediation Roadmap

A step-by-step plan that tells you what to fix first, second, and third. Priorities are based on risk, cost, and assessment impact -- not just a random list of deficiencies. This roadmap is designed so you or your IT team can actually follow it.

Scope and Enclave Analysis

A clear picture of your CUI boundary and a recommendation on whether an enclave approach can reduce your scope. Smaller scope means fewer controls to implement, less documentation, and a lower assessment cost.

Budget Estimate for Remediation

A realistic cost estimate for closing your gaps. Not a range so wide it's useless, but an honest projection based on what we found. This helps you plan your budget and make the case internally if you need leadership buy-in. Check our pricing page for general ranges.

Timeline to Assessment Readiness

How long it will realistically take to get from where you are to where you need to be. This accounts for your company size, the number of gaps, and the complexity of your environment. No sugarcoating -- just an honest timeline you can plan around.

How Long Does It Take?

For a small manufacturer with 10 to 100 employees, a gap assessment typically takes 2 to 4 weeks from kickoff to final report delivery. Here's what that looks like in practice:

Week 1: Kickoff and Information Gathering

We start with a kickoff call to align on scope, identify key contacts, and request initial documentation. If you have existing policies, network diagrams, or a previous self-assessment, we review those first to focus our evaluation where it matters most.

Weeks 1-2: Interviews and Technical Evaluation

We interview your key staff -- IT, operations, management, anyone who handles CUI or manages systems that touch it. These aren't interrogations. They're conversations to understand how your organization actually works, because that's what an assessor will want to know too. At the same time, we evaluate your technical environment: network architecture, endpoint configurations, access controls, logging, and encryption.

Weeks 2-3: Documentation Review and Analysis

We review whatever documentation exists and cross-reference it against the 110 controls. We identify where documentation is missing, outdated, or doesn't match actual practice. This is also when we calculate your SPRS score and map your CUI data flows.

Weeks 3-4: Report and Roadmap Delivery

We compile everything into your deliverables and walk you through the findings. This isn't a report we email and disappear. We sit down with you, explain what we found, answer your questions, and make sure you understand the path forward before we're done.

The exact timeline depends on your company's size, complexity, and responsiveness. If your team is available for interviews and can provide documentation quickly, we can often finish in two weeks. If schedules are tight or the environment is complex, it may stretch closer to four.

What Happens After the Gap Assessment

Once you have your gap assessment report, you have a clear picture and a decision to make. There are three paths forward, and all of them are valid. The right one depends on your budget, timeline, and internal capability.

Path 1: Hire Us to Remediate

This is the fastest path to assessment readiness. We take the roadmap we built during the gap assessment and execute it -- implementing controls, migrating to GCC High if needed, writing your SSP and policies, and preparing you for your C3PAO assessment. Our CMMC consulting for small manufacturers page covers exactly what this looks like.

Path 2: Remediate Internally (DIY with a Map)

If you have a capable IT person and the time to invest, you can use the remediation roadmap to close gaps on your own. The gap assessment gives you the map -- specific controls that need attention, in what order, with what level of effort. You're not guessing anymore. You know exactly what needs to happen. This path takes longer, but it costs less in consulting fees. For a deeper look at when DIY works and when it doesn't, we've written a whole guide on that.

Path 3: The Hybrid Approach

This is what most of our clients end up choosing. You hire us for the hard parts -- the things that require specialized CMMC experience, like GCC High migration, SSP development, enclave architecture, and assessment preparation. Your internal team handles the simpler controls using the roadmap: things like updating password policies, configuring screen locks, running security awareness training, and documenting procedures with our templates.

The hybrid approach typically saves 30 to 50 percent compared to a fully managed engagement while still keeping the high-risk items in experienced hands. It's the best of both worlds for companies that have some internal IT capability but can't afford to get the specialized pieces wrong.

Ready to Find Out Where You Stand?

A gap assessment is the fastest way to get a clear picture of your path to CMMC Level 2. No surprises when the assessor shows up.

We'll scope it on a free 30-minute call first.

Not ready to talk? Read our CMMC gap assessment guide to learn what's involved.