CMMC Gap Assessment Video

Paul and Kyle talk about CMMC Gap Assessments (a/k/a CMMC Gap Analyses) and the difference between them and a CMMC Readiness Assessment.

[Paul] Good morning, Kyle, how are you doing today?

[Kyle] Good morning, Paul, how are you?

[Paul] I’m well, thanks. So, we’re going to talk today about Gap Assessments, CMMC Gap Assessments, which is a fairly popular service that we perform for clients. But we get a lot of questions about it, so I thought it would be good if we talk and explain a little bit about that here in this video today.

[Kyle] Yep, absolutely.

What is a CMMC Gap Assessment?

[Paul] Super. So, Kyle, maybe just a quick overview: what is a CMMC Gap Assessment?

[Kyle] Okay, yeah. A Gap Assessment is an Assessment of where you are today based on CMMC level two. And most likely you’re going for the CMMC level two because that’s the one that requires a Gap Assessment. We’ll help you determine how many practices you have implemented. Because at the end, the end result is that you need to meet the CMMC level two controls, which are based on NIST 800-171. So, we will help you identify how many controls you have, how many you have implemented, and how many controls you need to implement. You know, if you have partially implemented controls, we’ll document what else you need to do to complete the controls.

Gaps are areas of non-compliance

[Paul] So essentially those gaps, if you will, are areas of non-compliance, right, with a particular control or with a particular assessment objective, is that correct?

[Kyle] That’s correct, yep.

[Paul] Okay, and maybe this would be a good place to talk about the difference, let’s say, between a Gap Assessment and a Readiness Assessment? They seem like they’re similar, but maybe if you could explain what the difference is, that would be helpful.

Difference between a CMMC Gap Assessment and a CMMC Readiness Assessment

[Kyle] Yeah, so some people call it differently. We call it a Gap Assessment in the beginning, so you know how much work it is going to take you to get to CMMC 2.0. A Readiness Assessment is something that we’ll do when you think you are pretty much ready for the actual Assessment. Then we will do a Readiness Assessment. These are the Assessments to see if you are truly ready for the final Assessment with the C3PAO, the Certified Third-Party Assessment Organization.

Right, they will hire a third party to do the Assessment on you, and they will do the Readiness Assessment. The Readiness Assessment will consist of reviewing your policies, procedures, and the system security plan, the SSP. If you have any plan of action and milestones, the POAM, any gaps, you still can get your CMMC certification, right. But we’re going to review that as well, so these are the documents we’re going to review. And also, we’re going to treat this like a mock Assessment.

Timing of a CMMC Gap Assessment versus a CMMC Readiness Assessment

[Paul] So it’s not clear to me: do people look to get a Gap Assessment early on in their process to figure out where they’re at with their compliance program, and a Readiness Assessment later on when they think they’re ready? I think that would be helpful to know.

[Kyle] Yes, you want to start as early as possible to get a Gap Assessment, because you really want to know where you are so you can plan out your road map. If you have many practices that still need to be implemented, you can build yourself a road map. You want to do that as early as possible. And a Readiness Assessment is towards the end of your preparation. You want to get a Readiness Assessment before the real Assessment.

How long does it take to do a CMMC Gap Assessment?

[Paul] Okay, that’s good to know. So, I think another helpful question to know the answer to would be: how long do they take? If a client were to come to us and say, yeah, we’re interested in a Gap Assessment, a CMMC Gap Assessment (or CMMC Gap Analysis), what should they be expecting for the duration of that engagement for the Gap Assessment?

[Kyle] It really depends on the complexity of your IT environment. Also, the number of sites. How many sites do you have? Yeah, so some people have more physical sites, and, you know, multiple CAGE codes; that will take a while. So if you have a fairly simple IT environment and it’s not too complex, right, and only have one site, we can do it as quickly as one month or four weeks. But if it’s more complex, obviously we’ll have to do an estimate.

[Paul] Okay, so that would be more on a case-by-case basis?

[Kyle] Exactly.

Can a CMMC Gap Assessment (or a CMMC Readiness Assessment) be done remotely, off-site?

[Paul] Now that makes sense. What does the process look like? Maybe that would be helpful to know. So, a client hires us to do a Gap Assessment, a CMMC Gap Analysis. What does that process look like? What does the consultation look like? Do we need to go on site? Can we do them all remotely, et cetera? Maybe you can just talk about that a little bit, please.

[Kyle] We can do this virtually. We don’t have to go on site unless there is a lot of physical security involved. And, you know, if we want to take a look more at the physical security parts, then we might go on site. But otherwise, a virtual Assessment is what we normally do.

What’s the process for conducting a CMMC Gap Assessment?

[Paul] Okay, that’s good. So, Kyle, what does the process look like for conducting a CMMC Gap Assessment or CMMC Readiness Assessment?

[Kyle] Yeah, we will start with scheduling two or three Zoom calls to go through the process. If the process takes a bit longer, we’ll schedule more. But we will start with two or three Zoom calls to go through the scope and the practices that you have.

Client personnel who should participate in a CMMC Readiness Assessment

[Paul] Okay, good. And who needs to be present on these calls from the client perspective? Is it just the IT folks? Or who do you recommend?

[Kyle] Initially, as we go through the scope, I would say it’s better to involve all the people that touch CUI, and the department heads that have the people that touch CUI. Because IT may not know some of the business processes, or the reason, some of the purpose of the processes from the other non-IT departments. So, it will be good for the business if some of HR, Purchasing and Engineering get involved as well.

[Paul] Certainly, because of, well, especially with manufacturing, right? Manufacturers have all this operational technology. And IoT, Internet of Things, as well, right? IIoT, that also becomes or can become part of the scope of CUI, depending on their manufacturing processes, right?

[Kyle] Yes, right.

CMMC Gap Assessment and CMMC Readiness Assessment begin with scoping CUI

[Paul] In terms of where we begin with this, Kyle, I think you talked about scoping CUI. And it seems like it’s pretty important to this process overall, right, to get the scope right? So maybe we could just talk a little bit about that.

[Kyle] Right, it is very important. As we are going through the Gap Assessment, we want to make sure that the company has the right scope. The company might already define the scope, but we will verify the scope. And we will walk through the data flow and the data life cycle for the CUI. All right, so we’ll go through the CUI.

KLC scopes CUI using our proprietary CUI Data Lifecycle approach

How does the CUI get into the company’s environment? The input and creation. Then we’ll go through the storage of the CUI: where it’s stored, who actually manages the storage, and how it’s actually stored. The usage: the people, processes, and technology; applications that touch CUI. Sharing of CUI: the vendors, the subcontractors, the prime contractors. How do you share that CUI? Who do you share it with? And also, the archiving and the backup of the CUI. Where is it stored? How do you do the backup? And also, at the end of the lifecycle, the last step is how you destroy that data, right? How do you destroy it, and then who’s actually responsible for destroying it? Do you outsource it?

So, once we go through that life cycle, we will verify to see if you have the right scope. That’s where we start. And if the scope is a little bit different from what the company has defined previously, we will adjust and make sure that the company has the right scope.

Commercial Off The Shelf (COTS) Exemption

[Paul] Right, okay, now that’s good to know. So, we begin with scope, you get the scope. Well, first of all, I guess we should back up and say: we determine that it’s not COTS, because that’s part of this process as well. But assuming that this particular client is not a COTS vendor and doesn’t qualify for a COTS exemption, we go through the CUI data lifecycle and scope CUI first when we do a CMMC Readiness Assessment.

What comes next, then? So how do we then proceed after we have the scope clearly defined?

We distinguish CUI and non-CUI assets during a CMMC Gap Assessment

[Kyle] Right, so once we go through the scope, the data lifecycle, one of the reasons is to define the systems and the applications that are in scope, right, the assets that are in scope. So, once we understand these assets, the CUI assets and the security protection assets, like the firewall, VPN, what kind of security technologies they have, then we will be able to more clearly, more precisely ask the right questions: how the practices apply to these types of assets. So, we will be able to walk through the practices. We’ll go through each one of them based on the assets that are in scope, so we don’t have to talk about all the assets that are not in scope. And we will go through, for example, Access Control: how do you access the assets that are in scope?

Cloud Services and CMMC Gap Assessment

[Paul] Okay, and so some of our clients who come to us use cloud services. How do cloud services affect or impact a CMMC Gap Assessment?

[Kyle] Yeah, so as we go through the Gap Assessment, we’re going to define the asset inventory, right. We’re going to go through your CUI assets and identify and list out your assets that are on-prem, and also in the cloud. So, if you have multiple environments, we’re going to take that into consideration. And there are going to be some checks. If you are using cloud, we might look for some FedRAMP certification, for example, right. So, there are certain criteria when you are using a third party, the cloud services; we’re going to do some verification on some of the requirements. Some of the cybersecurity requirements, the encryption requirements, right, that should be applied to some of these vendors.

MSP services and CMMC Gap Assessment

[Paul] Okay, so Kyle, we talked a little bit about the cloud. What about client company MSPs? How does that factor into the Gap Assessment or the overall compliance program?

[Kyle] If your IT is outsourced to some of the managed service providers, then during the interview we will need to have them involved, because they are more familiar with your IT in terms of some of the configurations: specific configuration questions, change management, how they manage some of the network security parameters, security, even the cloud, if they manage the cloud for you. They will have the answer, so we will need them to get involved during the interview process.

Factors that affect the cost of CMMC Gap Assessment

[Paul] Okay, now I know a little bit earlier we talked about, you know, complexity affecting the cost and the time duration of a CMMC Gap Assessment. But what are some of the other factors there, if we were to just elaborate a little bit about those? Let’s spell those out: what would be the factors that would impact both the duration and the cost of a Gap Assessment?

[Kyle] The number of systems involved could be many different directions.

[Paul] Okay, yeah, okay. Kyle, some clients are using SaaS, software as a service. Some use cloud service providers. How does that impact the Gap Assessment, or really their overall compliance program with NIST 800-171 and CMMC?

Cloud services, shared responsibility matrix, and CMMC Gap Assessment

[Kyle] Right, so for the cloud service providers, we will look into the shared responsibility matrix. Most likely you will need to request a copy if you don’t already have one. And during our Gap Assessment we are going to identify what responsibility belongs to the cloud service provider, or the third-party service that you use, and what responsibilities belong to you. Some of them are going to be shared, right. There’s going to be some portion taken care of by the service provider, and some by you, right.

We’ll go through the Shared Responsibility Matrix and identify what your responsibilities are, and see if you fulfill those responsibilities. Also, we are going to do a quick verification to see, based on the implementation, does it actually make sense, the shared responsibility matrix? Service providers say they are going to be responsible for those services; does it actually make sense? We’re going to take a look at that as well.

KLC evaluates the adequacy of documentation

[Paul] Okay, Kyle, do either the Gap Assessment, the CMMC Gap Assessment, or the CMMC Readiness Assessment include an evaluation of the adequacy of the supporting documentation? Documentation that clients need to be able to demonstrate that they’re in compliance with a particular practice.

[Kyle] Yes, yep, absolutely. So, we will look at all the supporting documents, meaning policies, procedures, any of the SOPs, that’s, you know, standard operating procedures. Whatever document that you have: acceptable use policy, incident response plan, whatever plan, the policies, procedures that you have, we will be able to review. We’ll see if they are sufficient, and if there are any gaps, we’ll identify them.

Gap Assessment client deliverable package

[Paul] Okay, good. What does the deliverable package look like? What should a client be expecting with that?

[Kyle] Yeah, the deliverables. We’ll give you the system security plan at the high level, an understanding of where you are right now. We’re going to give you a POAM, the gaps, and we’re going to help you identify the priority. We give you the roadmap for how you should approach remediating these gaps, right. We’ll give you the priority based on the risk as well as the effort. So low risk, low effort first, right, because then you can get rid of a lot of the easy tasks. What’s your score? We will give you the SPRS score that you are going to submit based on DFARS 252.204-7020, right. You are required to submit a score to SPRS, so we will give you that score. And if you have any questions about submitting to SPRS, we’ll help you. But this, eventually, is our deliverable for our Gap Assessment service.

KLC Consulting is a cleared C3PAO candidate firm

[Paul] Okay, good. So, Kyle, to wrap it up: KLC Consulting, we are a cleared candidate C3PAO firm. We have Provisional Assessors and Provisional Instructors, soon to be. This is our niche specialty: providing compliance solutions for NIST 800-171 and CMMC. In fact, we specialize in providing the most affordable solutions that are available today. So, if you have any questions about Gap Assessments or Readiness Assessments, or any questions at all about CMMC and NIST 800-171, I highly encourage you to contact us. We’ll have our contact us page link at the end of this video, and we look forward to hearing from you! Thank you very much, Kyle!

[Kyle] Thank you!

Check out our CMMC Consulting Service Page for the most affordable NIST 800-171 and CMMC compliance consulting service options available today!
