Conducting a CMMC Gap Analysis: A Comprehensive Guide


The U.S. Department of Defense (DOD) developed the Cybersecurity Maturity Model Certification (CMMC) to assess and improve the cybersecurity practices of companies that work with the DOD and handle Controlled Unclassified Information (CUI).

As part of the process of becoming CMMC certified, an organization usually conducts a CMMC gap analysis or assessment. Organizations also conduct assessments in response to changes in goals, industry standards, contractual requirements, or the desired level of security resilience.

This guide explains what a gap analysis is, its significance, and the steps to take to conduct an assessment for your organization.

What Is a CMMC Gap Analysis?

A CMMC gap analysis is an internal cybersecurity assessment that helps organizations understand what they need to improve in their policies, procedures, practices and technical abilities to meet the certification standards.  Since the CMMC and NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” share content, organizations often use NIST SP 800-171 and its compliance checklist to perform a CMMC gap analysis.  

Using NIST SP 800-171 to prepare for a CMMC assessment is a great way to start!  The NIST publication covers all of the CMMC requirements, it is free, and it does not require any special knowledge beyond what an internal computer security team probably already has.  In essence, the assessment allows you to determine what gaps exist in your current controls and where your cybersecurity posture needs improvement.

The challenge in moving from a gap analysis based on NIST SP 800-171 to CMMC is not in the content but in the CMMC assessment methodology. CMMC determines compliance differently than the NIST publication. Whereas NIST SP 800-171 asks the question “do you have this asset in place?”, CMMC looks for a holistic approach based on organization policy, training, process, consistency and continuity of implementation, and resilience. As organizations aim for higher levels of certification in cybersecurity, meeting certification standards becomes more challenging and CMMC gap analyses become progressively more complex. For example, moving to Level 2 certification is a significant jump from Level 1, as the organization would need to implement almost 100 new controls. As the number of controls grows, organizations may find it difficult to track and analyze them and ensure all aspects are covered without a properly organized system in place.

What Does a CMMC Gap Analysis Cover?

A CMMC gap analysis covers all your company’s existing and needed CMMC controls, including:

  • Access controls
  • Security controls
  • Risk management
  • Incident response
  • Technical capabilities
  • Training and awareness
  • Policies and procedures
  • Continuous improvement

Controls vary depending on the certification level you aim to achieve:

  • Level 1 Foundational: This level requires 17 cybersecurity practices and an annual self-assessment submitted to the DOD.
  • Level 2 Advanced: This level adds 110 NIST SP 800-171 security practices and triennial audits from a Certified Third-Party Assessment Organization (C3PAO). 
  • Level 3 Expert: This level requires more than 110 security practices derived from NIST SP 800-172 and triennial government-led audits.  (At the time this article was written, the requirements for Level 3 are not well-defined.)

As you can see, moving between levels involves a large jump in the number of security controls an organization must implement. For organizations moving to a higher level, cross-checking all those practices can be a chaotic, disorganized process requiring proper guidance and rigor. Working with a qualified CMMC consulting firm can help streamline the process resulting in more comprehensive results obtained more quickly.

How Much Does a CMMC Gap Analysis Cost?

The cost of a CMMC gap analysis depends on several factors, including:

  • Preparation costs: You may have to make additional preparations before your assessment, which can add to your overall analysis cost.
  • Organization size: Analyzing a larger organization typically costs more than a smaller one.
  • Certification level: The higher the certification level your company is aiming for, the higher the assessment cost will be.
  • Complexity: More complex CUI systems, networks, policies and processes often cost more to analyze than simpler ones. In particular, handling physical CUI artifacts, such as documents, USB drives, computer hard drives, DVDs, greatly increases complexity. 
  • Assessor: The assessment company you choose to work with will have the biggest impact on the proficiency and price of your analysis. In particular, be sure to choose an assessor based on their experience with the cybersecurity compliance (or risk!) environment applicable to your organization.  For example, if your organization supports the US Intelligence Community (IC), finding an assessor with experience in the IC will serve you best.  Regardless of the cost, you should also choose an assessor that is accredited by the Cyber-AB, which is the organization assigned responsibility by the US government for developing, managing, and enforcing the certification procedures.  Only Cyber-AB accredited assessors can deliver official results.


How Long Does a Gap Analysis Take?

Again, the duration of a gap analysis varies depending on the complexity of your system, your company size, the certification level you want to achieve and the C3PAO you work with. Generally speaking, smaller companies with simple, streamlined systems will take significantly less time than large businesses with complex system landscapes.

The C3PAO’s experience is vital when assessing your cybersecurity systems. Look for a C3PAO that prioritizes a systematic process, performance, and overall efficiency when choosing who you will work with, as they will help you achieve your CMMC goals efficiently.  A C3PAO that is familiar with your customers, the cybersecurity risk and threat environment in which your organization functions, and the technical environment (operating systems, applications, cloud environments, etc.) you use will require the least familiarization before getting to work.

One further consideration is the internal security environment of the C3PAO themselves.  Although all C3PAOs must achieve CMMC Level 2 before being eligible to be a C3PAO, that does not mean that the C3PAO is prepared to deal with the cybersecurity environment that your organization exists in:

  • If your organization needs a facility clearance (FCL) to operate, look for a C3PAO that has an equivalent FCL. 
  • If your personnel require US government security clearances, look for a C3PAO whose assessment staff have equivalent security clearances.

Why is this important when CMMC is about assessing handling of CUI? Because a C3PAO who finds a flaw in an organization’s CUI controls may have just discovered revealing information about your organization’s work in a classified domain.  You can reduce this risk by selecting a C3PAO with the right FCL and personnel security clearances.

What’s the Difference Between a CMMC Gap Analysis and a CMMC Audit?

Both audits and gap analyses serve the same purpose — to evaluate your progress toward CMMC compliance. However, there are some important differences between the two. 

Gap Analysis

A gap analysis aims to identify the gaps in your CMMC compliance status. It is an off-the-record, unpublished assessment conducted by an experienced evaluator to identify the gaps your organization can address and to recommend solutions.

Any documentation produced during a gap analysis is intended for your organization only. 

A gap analysis can also help your organization track where you are in the process of moving between CMMC levels. For example, if you plan to upgrade to the next level, your assessor can help you identify aspects of your organization needing improvement and highlight areas where you currently perform well.

CMMC Audit

A CMMC audit is a formal evaluation of an organization’s cybersecurity practices to determine if it complies with the specific CMMC requirements. A certified CMMC auditor who works for an authorized C3PAO performs audits.

An audit report serves as official proof of your CMMC compliance status. Starting with CMMC Level 2, organizations must undergo a third-party audit every three years with a Cyber-AB accredited assessor. At Level 3, organizations must undergo an audit from a government agency. 

How to Perform a CMMC Gap Assessment

Before you begin your assessment or analysis, determine which CMMC certification level best matches your organization’s future objectives. For example, if you have a Level 1 certification and intend to handle federal CUI, you’ll want to start incorporating Level 2 controls.

Here’s a quick breakdown of the steps you’ll go through in a CMMC gap analysis:

    1. Determine the scope: The scope of the gap analysis depends on the CMMC level you want to achieve. Also think about whether your CUI systems are all “in the cloud”, which would require only a virtual assessment, or involve physical assets such as a computer in your offices, which may require an in-person assessment.
    2. Identify certification requirements: List the CMMC requirements necessary to achieve certification.
    3. Prepare:
      • Gather documentation: Document your current controls, processes, training, and policies. Make sure you include both current and historical records that demonstrate past and ongoing compliance.
      • Determine how to demonstrate implementation: An assessor will often ask for a demonstration of a particular control actually being exercised. Determine who will offer this demonstration and how, and rehearse!
      • Identify interviewees and practice: Assessments are based on more than observing a system; assessors also interview the people involved in your cybersecurity implementation. Determine who they are, what they can speak to, and how they will speak. (Too many people being interviewed volunteer information beyond what an auditor asked, and thereby open up new topics for the auditor to explore.)
    4. Identify the gaps: Compare where you are with where you need to be.
    5. Develop and implement an improvement plan: Map out how you’ll address the gaps you identified, and create a realistic timeline for when you’ll achieve the proper certification requirements.

Once you’ve addressed any gaps, you’re ready to move to the next CMMC level.


Let Business Transformation Institute, Inc. Help You With Your CMMC Gap Analysis and Roadmap

As a Cyber-AB accredited C3PAO, we at Business Transformation Institute, Inc. (BTI) are dedicated to helping your company navigate the complex landscape of CMMC compliance. We offer both gap analyses and formal audits, so we can assist you at any stage of the process. 

Additionally, our CMMC consulting services help businesses understand their current compliance status and improve their efficiency at the same time. We aim to reduce our clients’ liability so they can enjoy peace of mind knowing they are doing everything possible to protect critical government information. We also offer Cyber-AB CMMC training and certification courses to help businesses increase their cybersecurity while boosting their overall performance.

If you need guidance in evaluating your CMMC compliance level, BTI’s expert team is here to help. Contact us today for more information.
