CMMC Gap Analysis
Determine Where You Are Today
Harness DoD-authorized C3PAO expertise for your CMMC Gap Analysis. Guaranteed best price – get started today!
You need to attain certification in CMMC. But getting where you need to be requires that you first understand where you are now. Our C3PAO-caliber CMMC Gap Analysis service determines precisely where you are now.
By the way, people use the terms “Gap Analysis” and “Gap Assessment” interchangeably. But within CMMC circles, “assessments” lead to certification, whereas an “analysis” is a form of consulting service to help companies attain compliance and prepare for certification. More on that below.
We begin by scoping your CUI
NIST 800-171 and CMMC are about protecting the CUI you work with. But most companies’ IT systems weren’t designed to neatly separate out specific types of data. That means when CUI is mixed in with everything else, it can be challenging to track how it flows within your organization. This is a major hurdle for CMMC compliance. That’s why our CMMC Gap Analysis begins with a thorough scoping of your CUI: where it exists, how it’s handled, and who works with it.
We use a structured approach that aligns with the official CMMC Scoping Guide. One of the most common mistakes we see is starting a CMMC compliance program without proper CUI scoping. It confuses and complicates compliance, creates more work, and ultimately costs more time and money. Our C3PAO expertise ensures your CMMC compliance program starts out on the right foot.
A CMMC Gap Analysis identifies compliance gaps, while a CMMC Readiness “Mock” Assessment simulates a real assessment. Due to DoD regulations, we are unable to provide both a CMMC Gap Analysis (consulting) and a CMMC Readiness “Mock” Assessment (assessment work) for the same organization. This restriction is designed to prevent conflicts of interest and ensure the impartiality of CMMC assessments.
How Long Does a CMMC Gap Analysis Take?
It takes 4-6 weeks for most small to medium-sized companies. Larger companies take between 12 and 20 weeks, depending on:
- Your staff availability,
- The number of CAGE Code Entities,
- Your IT complexity and the degree of vertical integration among shared IT and other corporate resources.
How Much Does a CMMC Gap Analysis Cost?
Your cost for our CMMC Gap Analysis depends on these variables:
- The nature and size of your business, and your industry type
- The nature of your IT system : on-premises, cloud, or hybrid, number of systems in scope
- The number of CAGE Code Entities you created to contract DoD business
- The number of SSPs required to organize your CMMC compliance program
We know you face budgetary constraints. We provide flexible, tailored CMMC compliance consulting solutions and take you all the way through your CMMC Level 2 certification assessment.
Our experience as an approved C3PAO aligns with the Department of Defense (DoD) — Companies’ CMMC compliance scores are 100 points lower than they determined through their NIST 800-171 self-assessments — for several reasons:
- Smaller Companies: Don’t fully understand where CUI touches people, processes, and technology,
- Larger Companies: Growth through merger and acquisition creates inconsistent vertical IT and personnel resource integration. CAGE Code Entities are incorrectly grouped into a common SSP(s),
- CMMC scoping guide requirements weren’t considered or were misapplied,
- The 320 assessment objectives that inform NIST 800-171’s 110 security practices weren’t evaluated.
What’s involved in CMMC Gap Analysis?
Four Scoping and Interview Calls
We begin with four (2.5-hour) video conference meetings during the first 2 weeks of our CMMC Gap Analysis engagement. On the first call, we include all your department or division managers who handle CUI. This ensures the correct identification of all your touchpoints as CUI flows through your business. The subsequent three meetings are IT-focused to identify all systems “in-scope” for CMMC.
Diagram your IT Asset Types required by CMMC
In successive weeks, we diagram your IT assets into the 5 categories required by the CMMC Scoping Guide.
110 Security Practices? Actually, it’s 320
Next, we determine where you’re at in CMMC by evaluating the 320 underlying assessment objectives that inform the 110 security practices of NIST 800-171.
Determine your true SPRS score
We calculate your true SPRS score according to DoD scoring methodology and guide your submission if you need help. And even if you began our CMMC Gap Analysis without a complete System Security Plan (SSP), our deliverable report satisfies the DoD’s “minimum viable product” requirement. When you enable your DoD Incident Response reporting capability (we help with that too), you’ll be able to report “in compliance” to the DoD and your prime customers even if you don’t yet have a perfect score of 110.
Prioritized POA&M Recommendations
Our CMMC Gap Analysis deliverable report provides you prioritized recommendations for POA&M items, focusing on high-impact risks and ease of implementation. This enables you to improve your SPRS score quickly and demonstrate to the DoD and your prime customers that you’re working diligently toward compliance.
Your CMMC Gap Analysis FAQ’s Answered
Below are some of the most frequently asked questions we get regarding a CMMC Gap Analysis, CMMC and NIST 800-171 compliance.
If you have any other questions please contact us.
We have DoD contracts with DFARS 252.204-7012 requirements, but we’re unsure about what constitutes CUI? +
We understand your concern. CUI identification and marking practices are still evolving, leading to potential inconsistencies. Here’s the key point:
The DoD defines what constitutes CUI. If you suspect you’re handling unlabeled CUI, the safest course of action is to always clarify with your contracting officer. It demonstrates your proactive approach towards protecting sensitive information.
Is there a penalty or fine for non-compliance? +
It’s fair to say that the recent DoD directive (DFARS 252.204-7024) that requires Contracting Officers to evaluate SPRS submittals (or lack thereof) arose because of the inadequate response to meet requirements.
So, you risk losing your DoD contract work opportunities. (The DoD’s Memo on June 16, 2022) states that failure to have or to make progress on a plan to implement NIST 800-171 requirements may be considered a material breach of contract requirements.
DoD penalties & fines include:
- Withhold progress payments,
- Forego remaining contract options, and
- Contract termination in part or in whole.
False Claim Act (FCA) Prosecution:
If you falsely state you comply with DFARS 7012, the Department of Justice (DoJ) could charge you under the FCA. The most egregious non-compliance penalties include litigation and financial penalties that exceed $2 billion in fiscal year 2022.
How can I know where I stand in CMMC? +
If you’re just starting with NIST 800-171 and CMMC, contract a Gap Analysis with a reputable, authorized C3PAO Company. You’ll know with certainty where you’re at and what you need to do to become compliant. Don’t waste time filling out a prefabbed NIST 800-171 template. It won’t fit your business, and you’ll go astray.
Many Defense Industrial Base companies have implemented cybersecurity protections but haven’t developed the depth and documentation required to pass an independent CMMC assessment. Our CMMC Gap Analysis service identifies your deficiencies in the 320 assessment objectives of NIST 800-171’s practices. We provide recommendations and offer additional assistance with the best and most cost-effective way to achieve full compliance.
If you’re close to full compliance, consider a mock assessment or a Joint Surveillance Voluntary Assessment to elevate your status as a trusted business partner in the eyes of the DoD and prime customers.
How much will a CMMC Gap Analysis cost? +
Your cost for a CMMC Gap Analysis depends on the size and complexity of your company. Factors include:
- Industry Type
- Company size
- Number of CAGE Codes
- CMMC Level Requirement
- IT Environment: Cloud, on-Prem, hybrid
- Number of employees that need to handle defense information
- Current state of compliance
If you’re unsure that you have enough DoD contract opportunities to justify investing in a CMMC compliance program, we can help you develop a cost-benefit analysis.Are you looking for help with NIST 800-171 and CMMC compliance? Let’s talk. We provide no-cost initial consultations.
Have a Different Question?
We knew we were close [to being fully compliant] but found it well worth
hiring you to do a CMMC Gap Analysis to identify our deficiencies on some of our
internal procedures and supporting documents. And thank you for noting
in your report where we’ve done a good job!
– Director of a Minnesota-based technology company
Do I need a CMMC Gap Analysis or Readiness Assessment?
We recommend our CMMC Gap Analysis for companies in the beginning or early stages of CMMC. Conversely, we recommend our CMMC Readiness Assessment (a/k/a Mock Assessment) for companies at or near completion.
Both identify what’s missing. But our CMMC Gap Analysis is a consulting service, and the first step in idenfitying and remediating POA&M deficiencies.
Our CMMC Readiness Assessment also identifies what’s missing. But it is a true “assessment” (audit) service. It helps clients create a final punch list to get to the finish line and creates the opportunity for cost savings.
We’re a CMMC Consultant who provides Gap Analysis for DIB companies. Our CMMC Gap Analysis Video features the latest information about down requirements, COTS, Incident Response Reporting, and DFARS requirements. Read transcript of our CMMC Gap Analysis Discussion Video
What is a CMMC Gap Assessment?
[Paul] super so Kyle maybe just a quick overview, what is a CMMC Gap Assessment? [Kyle] okay yeah Gap Assessment is an Assessment of where you are today based on CMMC level two. And most likely you’re going for the CMMC level two because that’s the one that requires a Gap Assessment. We’ll help you determine how many practices that you have implemented. Because at the end the end result is that you need to meet the CMMC level two controls which is based on NIST 800-171. So, we will help you identify how many controls you have, how many have implemented, and how many controls you need to implement. You know if you have partially implemented controls, we’ll document what else you need to do to complete the controls.Gaps are areas of non-compliance
[Paul] so essentially those gaps if you will, are areas of non-compliance. Right with a particular control or with a particular assessment objective, is that correct? [Kyle] that’s correct yep. [Paul] okay and maybe this would be a good place in our NIST 800-171 / SPRS / CMMC Gap Assessment Video to talk about the difference let’s say between a Gap Assessment and a Readiness Assessment? So, they seem like they’re similar but maybe if you could explain what the difference is that would be helpful.Difference between a CMMC Gap Assessment and a CMMC Readiness Assessment
[Kyle] yeah so, some people call it differently. In this CMMC Readiness Assessment / SPRS Video we’ll call it Gap Assessment in the beginning. So, you know how much work it is going to take you to get to CMMC 2.0. A Readiness Assessment is something that we’ll do when you think you are pretty much ready for the actual Assessment. Then we will do a Readiness Assessment. These are the Assessments to see if you are truly ready for the final Assessment with the C3PAO, the Certified Third-Party Assessment Organization.Right, they will hire a third party to do the Assessment on you. And they will do the Readiness Assessment. Readiness Assessment will consist of reviewing of your policies, procedures, and the system security plan the SSP. If you have any plan of action and milestones, the POAM, any gaps you still can get your CMMC certification right. But we’re going to review that as well, so these are the documentation we’re going to review. And also, we’re going to treat this like a mock Assessment.
Timing of a CMMC Gap Assessment versus a CMMC Readiness Assessment
[Paul] so it’s not clear to me, do people look to get a Gap Assessment early on in their process to figure out where they’re at with their compliance program? And a readiness Assessment later on when they think they’re ready? I think that would be helpful to know for our audience in this CMMC Readiness Assessment / SPRS Video. [Kyle] Yes, now you want to start as early as possible to get a Gap Assessment. Because you really want to know where you are so you can plan out your road map. If you have many practices that still need to be implemented, you can build yourself a road map. You want to do that as early as possible. And a Readiness Assessment is towards the end of your preparation. You want to get a readiness Assessment before the real Assessment.How long does it take to do a CMMC Gap Assessment?
[Paul] okay that’s good to know. So, I think another helpful question to know in this CMMC NIST 800-171 Gap Assessment Video the answer to would be how long did they take? If a client were to come to us and say: yeah we’re interested in a Gap Assessment, a CMMC Gap Assessment (or CMMC Gap analysis). What should they be expecting for the duration of that engagement for the Gap Assessment? [Kyle] It really depends on the complexity of your IT environment. Also, the number of sites. How many sites do you have? Yeah so, some people have more physical sites, and you know multiple cage codes that will take a while. Um so if you have a fairly simple IT environment and uh it’s not too complex right. And only have one site, we can do it as quickly as one month or four weeks. But uh if it’s more complex obviously we’ll have to do an estimate. [Paul] okay so that would be more on a case-by-case basis? [Kyle] Exactly.Can a CMMC Gap Assessment (or a CMMC Readiness Assessment) be done remotely, off-site?
[Paul] Now that that makes sense. What does the process look like maybe that would be helpful to know in this CMMC Gap Assessment Video? So, a client hires us to do a SPRS / Gap Assessment a CMMC Gap Analysis. What does that process look like? Or the consultation look like? Do we need to go on site? Can we do them all remotely et cetera. Maybe you can just talk about that a little bit please for this CMMC Readiness Assessment Video [Kyle] We can do this virtually. We don’t have to go on site unless there is a lot of physical security involved. And you know, then if we want to take a look at more on the physical security parts then we might go on site. But otherwise, virtual Assessment is what we normally do.What’s the process for conducting a CMMC Gap Assessment?
[Paul] okay that’s good. So, Kyle what does the process look like for conducting a SPRS / CMMC Gap Assessment or CMMC Readiness Assessment? [Kyle] yeah, we will start with scheduling two or three Zoom calls to go through the process. If the process takes a bit longer, we’ll schedule more. But we will start with two or three zoom calls to go through the scope the practices uh that you have.Client personnel who should participate in a CMMC Readiness Assessment
[Paul] okay good. And who needs to be present on these calls from the client perspective? Is it just the IT folks? Or who do you recommend? [Kyle] initially as we go through the scope, I would say it’s better to involve all the people that touch CUI. And the department heads that have the people that touch CUI. Because IT may not know some of the business processes or the reason, some of the purpose of the processes from the other non-IT departments. So, it will be good for the business if some of the HR. If Purchasing and engineering get involved as well. [Paul] Certainly because of, well especially with manufacturing, right? Manufacturers have all this operational technology. And IoT, internet things as well right. IIoT of things that also becomes or can become part of the scope of CUI, depending on their manufacturing processes, right? [Kyle] yes rightCMMC Gap Assessment and CMMC Readiness Assessment begin with scoping CUI
[Paul] In terms of where we begin with this SPRS / CMMC Gap Assessment Video Kyle, I think you talked about scoping CUI. And it seems like it’s pretty important to this process overall. Right to get the scope, right? So maybe we could just talk a little bit about that. [Kyle] right, it is very important. As we are going through the Gap Assessment, we want to make sure that the company has the right scope. And the company might already define the scope. But we will verify the scope. And we will walk through the data flow and the data life cycle for the CUI. All right so we’ll go through the CUI.KLC scopes CUI using our proprietary CUI Data Lifecycle approach
How does the CUI get into the company’s environment? The input and creation. Then we’ll go through the storage of the CUI. Where it’s stored. Who actually manages the storage? And how it’s actually stored. The usage: the people, processes, and technology. Applications that touch CUI. Sharing of CUI, the vendors, the subcontractors, the prime contractors. How do you share that CUI? Who do you share with? And also, the archiving and the backup of the CUI. Where is it stored? How do you do the backup? And also, at the end of the lifecycle, the last step is how these destroy that data right how do you destroy it and then who’s actually responsible for destroying? Do you outsource it?
So, once we go through that life cycle we will verify to see if you have the right scope that’s where we start and if the scope is a little bit different from the company has defined previously, we will adjust and make sure that company have the right scope.
Commercial Off The Shelf COTS Exemption
[Paul] right okay now that’s good to know for this SPRS / CMMC Gap Assessment Video. So, we begin with scope you get the scope. Well first of all, I guess we should back up and say: We determine that it’s not COTS. Because that’s part of this process as well. But assuming that this particular client is not a COTS vendor and doesn’t qualify for a COTS exemption. We go through the CUI data lifecycle. And scope CUI first when we do a CMMC Readiness Assessment.What comes next then? So how do you, how do we then go and proceed after we have the scope clearly defined?
We distinguish CUI and non-CUI assets during a CMMC Gap Assessment
[Kyle] right so once we go through the scope the data lifecycle, one of the reasons is to define the systems and the applications that are in scope. Right the assets that are in scope. So, once we understand these assets, the CUI assets, and the security protection assets, like the firewall, VPN, what kind of security technologies they have? Then we will be able to more clearly, more precisely ask the right questions. How the practices apply to these types of assets. So, we will be able to walk through the practices. We’ll go through each one of them based on the assets that are in scope. So, we don’t have to talk about all the assets that not in scope. And we will go through for example, Access Control. How do you access the assets that are in scope?Cloud Services and CMMC Gap Assessment
[Paul] okay and so with some of our clients who come to us, they use cloud services. How do cloud services affect or impact a SPRS / CMMC Gap Assessment? [Kyle] yeah so as we go through the Gap Assessment, we’re going to define the asset inventory right. We’re going to go through your CUI assets. And identify and list out your assets that are on-prem, and also in the cloud. So, if you have multiple environments, we’re going to take that into consideration. And there are going to be some checks. If you are using cloud, we might look for some Fed Ramp certification for example right. So, there are certain criteria when you are using a third party, the cloud services, we’re going to do some verification on some of the requirements. Some of the cybersecurity requirements: the encryption and requirements right that should be applied to some of these vendors.MSP services and CMMC Gap Assessment
[Paul] okay so Kyle we talked a little bit about the cloud what about client company MSPs in this CMMC Readiness Assessment / SPRS Video. How does that factor into the Gap Assessment or the overall compliance program? [Kyle] If your IT is outsourced to some of the managed service providers, then during the interview we will need to have them involved. Because they are more familiar with your IT in terms of some of the configurations. Specific configuration questions, change management, how they manage some of the network security parameters. Security, even the cloud if they manage the cloud for you. They will have the answer so we will need them to get involved during the interview process.Factors that affect the cost of CMMC Gap Assessment
[Paul] okay now I know we a little bit earlier in this SPRS / CMMC Readiness Assessment Video, we talked about um you know complexity affecting the cost. And the time duration of a CMMC Gap Assessment. But what are some of the other factors there if we were to just elaborate a little bit about those? Let’s spell those out, what would be the factors that would impact both the duration and the cost of a Gap Assessment? [Kyle] The number of systems involved could be many different directions. [Paul] okay yeah okay. Kyle some clients are using SaaS, software as a service. Some use cloud service providers. How does that impact the Gap Assessment? Or really their overall compliance program with NIST 800-171 and CMMC?Cloud services, shared responsibility matrix, and CMMC Gap Assessment
[Kyle] Right, so the cloud service providers, we will look into the shared responsibility matrix. Most likely you will need to request a copy if you don’t already have one. And during our SPRS / Gap Assessment we are going to identify what responsibility belongs to the cloud service provider. Or the third-party service that you use. And what responsibilities belong to you. Some of them are going to be shared right. They’re going to be some portion taken care by the service provider, and some by you right.We’ll go through the Shared Responsibility Matrix and identify what your responsibilities are. And see if you fulfill those responsibilities. Also, we are going to do a quick verification to see that based on the implementation does it actually make sense – the shared responsibility matrix? Service providers say they are going to be responsible for those services does it actually make sense? We’re going to take a look at that as well.
KLC evaluates the adequacy of documentation
[Paul] okay Kyle do either the SPRS Gap Assessment, the CMMC Gap Assessment or the CMMC Readiness Assessment, do those include an evaluation of the adequacy of the supporting documentation? Documentation that clients need to be able to demonstrate that they’re in compliance with a particular practice. [Kyle] yes yep absolutely. So, we will look at all the supporting documents the meaning policies procedures any of the SOPs that’s you know, standard operating procedures. Whatever document that you have. Acceptable use policy, incident response plan, whatever plan, the policies, procedures that you have. We will be able to review. We’ll see if they are sufficient. And if there are any gaps, we’ll identify them.Gap Assessment client deliverable package
[Paul] okay good what does the deliverable package look like? What should a client be expecting with that? [Kyle] yeah, the deliverables. We’ll give you the system security plan at the high level. An understanding where you are right now. We’re going to give you a POAM, the SPRS gaps, and we’re going to help you identify the priority. Give you the roadmap for how you should approach remediating these gaps right. We’ll give you the priority based on the risk as well as the effort. So low risk low effort first right. Because then you can get rid of a lot of the easy tasks what’s your score? And we will give you the SPRS score that you are going to submit based on the DFARS 252.204-7020 right. You are required to submit a score to SPRS. So, we will give you that score. And if you have any questions about submitting the SPRS we’ll help you. But this eventually is our deliverable for our Gap Assessment service.KLC Consulting is a DoD / Cyber AB authorized C3PAO firm
[Paul] okay good okay. So, Kyle to wrap it up, KLC Consulting – we are a DoD authorized C3PAO firm. We have Provisional Assessors and Provisional Instructors, soon to be. This is our niche specialty: Providing compliance solutions for NIST 800-171 and CMMC. In fact, we specialize in providing the most affordable solutions that are available today. So, if you have any questions about Gap Assessments or Readiness Assessments. Or any questions at all about CMMC and NIST 800-171, I highly encourage that you contact us. We’ll have our contact us page link at the end of this video and we look forward to hearing from you! Thank you very much Kyle! [Kyle] Thank you for checking out our CMMC Readiness Assessment Video!click here to close
Our Guarantee of the Best Price
C3PAO authorization distinguishes the experts from the wannabes. KLC Consulting will beat the fair market price offered by any other authorized C3PAO for the same consulting or assessment service. Let’s talk.
"*" indicates required fields
Secure Your CMMC
C3PAO Assessment
Don’t Get Left on the Ground. With limited C3PAOs and a growing number of DIB companies requiring CMMC Level 2 certification, securing your assessment spot is crucial. Reserve your assessment with KLC Consulting today and avoid delays.