What a CMMC Gap Assessment Actually Looks Like (Step by Step)


A CMMC gap assessment is the starting point for every serious CMMC program. It tells you where you stand against the applicable requirements, what your current SPRS score would be if you submitted today, and what you need to fix before a C3PAO can certify you.

If you have been told you need a gap assessment but are not sure what it actually involves, or if you have received a "gap assessment" from a vendor and are wondering whether it was thorough enough, this article explains what a professional CMMC gap assessment actually covers from start to finish.

What a Gap Assessment Is and Is Not

A CMMC gap assessment is a structured evaluation of your current security posture against the applicable CMMC requirements. For Level 2, that means all 110 NIST SP 800-171 Rev 2 requirements. For Level 1, it means all 15 FAR Clause 52.204-21 practices.

The output is a scored picture of your current state, a list of gaps by requirement with severity and impact, a projected SPRS score, and a prioritized remediation roadmap.

What a gap assessment is not: a CMMC certification. A gap assessment is a readiness tool, not a compliance determination. The official compliance determination happens at a C3PAO assessment or self-assessment. The gap assessment prepares you to succeed in that process.

The Five Phases of a Professional Gap Assessment

Phase 1: Program Kick-Off

The engagement starts with a scoping and kick-off phase. The assessor and the organization align on:

  • Which contracts and data types are in scope (FCI, CUI, or both)
  • The preliminary CMMC Assessment Boundary (which systems, networks, and people are in scope)
  • Key personnel who will participate in the assessment (IT lead, security point of contact, business owner)
  • An inventory of systems, cloud services, and third-party providers
  • The timeline and format for assessment activities

Getting the scoping right at kick-off is critical. An incomplete boundary definition produces a gap assessment that misses in-scope systems. A boundary that is too broad wastes time assessing systems that do not need to be included.

The kick-off phase also typically includes a brief intake questionnaire covering the organization's current security documentation, existing tools, and any previous NIST 800-171 self-assessments.

Phase 2: Gap Assessment Execution

This is the core of the engagement. For each applicable requirement, the assessor evaluates implementation through three methods:

  • Document review: Policies, procedures, system documentation, network diagrams, and any existing SSP drafts are reviewed. Documents confirm that processes exist and are authorized, but they do not confirm technical implementation.
  • Technical testing: The assessor verifies that technical controls are actually in place. This includes reviewing system configurations, validating that access control settings match policy, checking patch levels, confirming logging is enabled and working, verifying MFA enforcement, reviewing firewall rule sets, and testing authentication controls. This is where many "gap assessments" fall short — skipping technical testing means missing implementation gaps that would be found in a real C3PAO assessment.
  • Interviews: Key personnel are interviewed to confirm understanding and execution of security processes. Assessors speak with system administrators, security personnel, HR representatives (for personnel security controls), and end users. Interview findings can reveal that documented policies are not being followed in practice.

For each requirement, the assessor makes a preliminary determination:

  • Met: Fully implemented, evidence available
  • Not Met: Not implemented or insufficient implementation
  • Partially Met: Implemented for some systems or in some contexts but not fully
  • Not Applicable: The requirement does not apply to the environment (with documented justification)

Phase 3: Documentation Review and Quality Assurance

After the field assessment activities are complete, the assessor compiles findings, scores each requirement, and calculates a projected SPRS score. This phase includes:

  • Validating that Not Applicable determinations are supportable
  • Cross-checking technical findings against documentation findings
  • Identifying dependencies (some requirements have prerequisites — for example, audit logging requires knowing what to log, which requires the SSP)
  • Scoring the 5-point, 3-point, and 1-point requirements appropriately

The QA step confirms that findings are accurate and properly categorized, and that the projected SPRS score reflects the evidence collected.

Phase 4: Client Outbrief

The outbrief is a structured presentation of findings to the organization's leadership and key stakeholders. It covers:

  • Overall projected SPRS score and current CMMC status
  • Domain-by-domain results (which domains are strongest, which have the most gaps)
  • Critical findings: the 5-point gaps, any prohibited controls that are Not Met, and any findings that create immediate "No Status" risk
  • Preliminary remediation priorities
  • Timeline estimate for C3PAO readiness

The outbrief is where the organization gets a clear, honest picture of where it stands. For organizations that have assumed they were more compliant than they are, this can be a difficult conversation. For organizations that have underestimated their posture, it can be a relief.

Phase 5: Remediation Program Initiation

The final deliverable is a prioritized remediation roadmap that translates findings into an actionable program:

  • High priority (fix first): Any prohibited controls that are Not Met, any 5-point requirements that are Not Met and pushing the score below 88, the SSP if it does not exist or has significant gaps
  • Medium priority: 3-point requirements Not Met, documentation gaps (policies, procedures)
  • Lower priority: 1-point requirements Not Met, process improvements and documentation enhancements

The remediation roadmap should include estimated timelines, estimated costs, and responsible parties. For organizations engaging an RPO, this roadmap drives the ongoing engagement scope.
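The scoring and prioritization described in Phases 3 and 5 (110 starting points, 5/3/1-point deductions for requirements that are Not Met, 88 as the target, and the high/medium/lower remediation tiers) can be turned into a small calculator. The script below is an added example, not code from this article or from NR Labs. The requirement weights in WEIGHTS are a constructed illustrative subset and must be verified against the official NIST SP 800-171 DoD Assessment Methodology before any real projected score is reported; the determinations in SAMPLE are constructed, not real assessment data; treating a justified Not Applicable as a zero deduction is an assumption; and the case of a missing SSP is not modeled.

```python
"""Projected SPRS score and remediation tiers from gap-assessment determinations.

Added example (not the article's or NR Labs' code). Weights below are an
illustrative subset; confirm each against the official methodology.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110   # score with every requirement implemented
THRESHOLD = 88    # minimum projected score the article treats as the target

# Illustrative subset of requirement weights (requirement id -> point value).
# CONSTRUCTED for this example: verify every value against the official
# NIST SP 800-171 DoD Assessment Methodology before relying on a score.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.11.1": 3, "3.11.2": 5, "3.13.11": 5,
    "3.14.1": 5,
}

# Two 5-point requirements carry a reduced 3-point deduction when partly
# implemented: 3.5.3 (MFA for remote and privileged access but not all users)
# and 3.13.11 (encryption in use but not FIPS-validated). Every other
# "Partially Met" finding is deducted in full, exactly like "Not Met".
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

Determinations = Dict[str, str]  # id -> Met / Not Met / Partially Met / Not Applicable

# Constructed sample gap-assessment output (not real assessment data).
SAMPLE: Determinations = {
    "3.1.1": "Met", "3.1.2": "Met", "3.1.3": "Not Met",
    "3.1.20": "Met", "3.1.22": "Not Applicable", "3.3.1": "Not Met",
    "3.5.3": "Partially Met", "3.11.1": "Not Met", "3.11.2": "Not Met",
    "3.13.11": "Not Met", "3.14.1": "Not Met",
}


def deduction(req: str, status: str) -> int:
    """Points subtracted from 110 for one requirement, given its determination."""
    if status in ("Met", "Not Applicable"):
        return 0  # assumption: a justified N/A carries no deduction
    if status == "Partially Met" and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    if status in ("Partially Met", "Not Met"):
        return WEIGHTS[req]
    raise ValueError(f"unknown determination {status!r} for {req}")


def projected_score(dets: Determinations) -> int:
    """Projected SPRS score: 110 minus all deductions."""
    return MAX_SCORE - sum(deduction(r, s) for r, s in dets.items())


def points_short_of_threshold(score: int) -> int:
    """How many points must be recovered to reach the 88-point target."""
    return max(0, THRESHOLD - score)


def remediation_tiers(dets: Determinations) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group open gaps into the article's tiers by the requirement's point value.

    Each entry is (requirement id, determination, points currently deducted),
    largest deduction first within a tier.
    """
    tiers: Dict[str, List[Tuple[str, str, int]]] = {"High": [], "Medium": [], "Lower": []}
    for req, status in dets.items():
        d = deduction(req, status)
        if d == 0:
            continue
        tier = {5: "High", 3: "Medium", 1: "Lower"}[WEIGHTS[req]]
        tiers[tier].append((req, status, d))
    for items in tiers.values():
        items.sort(key=lambda item: (-item[2], item[0]))
    return tiers


def minimum_fixes_to_threshold(dets: Determinations) -> List[str]:
    """Fewest gaps whose closure lifts the score to 88 (largest deductions first).

    This is the "fix only the minimum" path the article warns about; it shows
    which findings move the score, not which ones an assessor will probe.
    """
    gaps = sorted(
        ((r, deduction(r, s)) for r, s in dets.items() if deduction(r, s) > 0),
        key=lambda g: (-g[1], g[0]),
    )
    needed = points_short_of_threshold(projected_score(dets))
    fixes: List[str] = []
    for req, d in gaps:
        if needed <= 0:
            break
        fixes.append(req)
        needed -= d
    return fixes


if __name__ == "__main__":
    score = projected_score(SAMPLE)
    print(f"Projected SPRS score: {score} (need {points_short_of_threshold(score)} more for {THRESHOLD})")
    for tier, items in remediation_tiers(SAMPLE).items():
        print(f"{tier}: {items}")
    print("Minimum fixes to reach threshold:", minimum_fixes_to_threshold(SAMPLE))
```

Running the script on the constructed sample gives a projected score of 83, five points short of 88, with the four fully unmet 5-point requirements and the partially implemented MFA requirement in the High tier. Closing any single 5-point gap reaches 88 on paper, which is exactly the kind of minimal fix the next section cautions against relying on.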

What Good Evidence Looks Like

A gap assessment that documents findings without capturing evidence is not useful for assessment preparation. Good evidence collection during the gap assessment phase should produce artifacts that parallel what a C3PAO assessor will request:

  • Access control: Screenshots of Active Directory group policies showing password complexity requirements, user account lists with roles, screenshots showing MFA enforcement in identity provider console
  • Audit logging: Screenshots of logging configurations in SIEM or individual systems, sample log output demonstrating key event types are captured
  • Configuration management: Configuration baseline documentation, screenshots of enforced configurations, patch management console showing patch currency
  • Incident response: Current incident response plan document with evidence of review date, tabletop exercise records or drill documentation
  • Multi-factor authentication: Screenshots confirming MFA is enforced for privileged access and CUI system access

The DIBCAC Objective Evidence Lists (July 2025) are the definitive reference for what types of evidence DIBCAC assessors and C3PAOs expect per requirement. A professional gap assessment should collect evidence aligned with those lists.

Realistic Timeline to C3PAO Readiness After a Gap Assessment

The time between completing a gap assessment and being C3PAO-ready varies significantly based on starting posture:

Starting Posture                                                                  Estimated Remediation Time
Existing NIST 800-171 program, mature IT, documentation gaps only                  3-6 months
Some controls in place, moderate gaps in documentation and a few technical areas  6-12 months
Minimal existing security program, significant technical and documentation gaps   12-18 months
Starting from scratch, large environment, significant CUI exposure                18-24 months

These are realistic estimates. Organizations that try to compress the timeline by fixing only the minimum to reach 88 points frequently find that the work expands when they start addressing specific requirements in depth.

Red Flags in Gap Assessment Vendors

Not all gap assessments are created equal. Watch for these indicators that a gap assessment may not adequately prepare you for a C3PAO:

  • No technical testing. A gap assessment conducted entirely through interviews and document review will miss technical implementation gaps. C3PAO assessors conduct technical testing. If your gap assessment did not, your findings are incomplete.
  • No projected SPRS score. A gap assessment should produce a specific, calculated projected SPRS score based on the scoring methodology in 32 CFR § 170.24. If you received a qualitative assessment ("you have gaps in these domains") without a score, you do not know where you stand for SPRS purposes.
  • No evidence collection. If the gap assessment did not collect screenshots, configurations, and documents as evidence of implementation status, the organization has no head start on evidence preparation for the C3PAO assessment.
  • Overly optimistic results. If your first gap assessment came back showing you are close to 100% compliant, get a second opinion. Most organizations have meaningful gaps, particularly in audit logging, configuration management, incident response documentation, and formal risk assessment processes.
  • No remediation roadmap. A gap assessment that tells you what is wrong without telling you what to fix first, in what order, and why is incomplete.

Key Takeaways

  • A professional CMMC gap assessment covers five phases: kick-off, execution, documentation review, outbrief, and remediation program initiation
  • Execution requires document review, technical testing, and interviews, not just one of these
  • Output should include a projected SPRS score, domain-by-domain findings, and a prioritized remediation roadmap
  • Evidence collected during the gap assessment should align with DIBCAC objective evidence expectations
  • Realistic C3PAO readiness timeline is 3-24 months post-gap assessment depending on starting posture

Learn More

For the full CMMC program overview, see the CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.


Ready for a gap assessment that actually prepares you for C3PAO? NR Labs conducts CMMC gap assessments using the same evidence standards that DIBCAC and C3PAOs apply. You get a real picture of where you stand, not an optimistic one. Contact us to schedule your assessment.