What Is a CMMC Gap Analysis?
A gap analysis compares your current state (what you have today) to your target state (CMMC level compliance) and identifies the gaps. For CMMC, this means evaluating each of the 110 (Level 2) or 171 (Level 3) practices, determining which ones you've already implemented, and flagging those that need work.
The output is a prioritized list of remediation tasks with timelines and owners. Without a structured gap analysis, you'll waste resources fixing low-impact gaps while missing critical ones, or you'll discover major gaps during assessment when it's too late to fix them.
Clear Current State
Document which controls you already have in place today
Risk-Based Prioritization
Focus remediation on high-impact, high-risk gaps first
Realistic Roadmap
Build a 6-12 month remediation timeline with clear milestones
Resource Planning
Estimate budget, personnel, and tool requirements for remediation
Why Gap Analysis Is Your Critical First Step
Many contractors jump directly to remediation without proper analysis. This leads to:
- Wasted spending: Buying software or hiring consultants for problems you don't have
- Assessment failures: Discovering during the official assessment that critical gaps remain
- Unrealistic timelines: Underestimating how long implementation takes, leading to failed deadlines
- Missed priorities: Fixing minor gaps while leaving high-risk vulnerabilities unaddressed
Gap analysis forces you to understand your baseline before you commit resources. It's the roadmap that prevents detours and false starts.
DIY vs. Consultant-Led Gap Analysis Comparison
| Dimension | DIY Approach | Consultant-Led | Hybrid (Recommended) |
|---|---|---|---|
| Cost | $0-5k (tools only) | $10k-40k | $5k-15k |
| Timeline | 8-12 weeks | 4-6 weeks | 6-8 weeks |
| Expertise Required | High (team must know CMMC) | None (consultant drives) | Medium (internal team + guidance) |
| Objectivity | Low (internal bias) | High (external perspective) | Medium-high |
| Team Buy-In | High (team owns process) | Medium (reliant on external) | High |
| Long-Term Value | High (team learns CMMC) | Low (consultant dependency) | High |
Recommendation: Use a hybrid approach. Partner with a consultant for 3-4 planning sessions, then have your internal team execute gap analysis with consultant guidance. This builds internal capability while leveraging expertise.
Step-by-Step Gap Analysis Process
Step 1: Define Scope (Weeks 1-2)
Identify what systems and data are "in scope" for CMMC. Not everything needs to be CMMC-compliant; only systems that handle Controlled Unclassified Information (CUI) do. Scope definition determines which practices apply.
- Map all systems (servers, applications, databases)
- Identify which ones touch CUI (customer data, technical specs, proposals, pricing)
- Document CUI flows: where data enters, where it's stored, where it exits
- Define network boundary: What's connected? What's isolated?
Step 2: Asset and Control Inventory (Weeks 2-4)
Create a comprehensive list of existing controls. Walk through your network with your IT team and document:
- Hardware: Servers, firewalls, workstations, mobile devices
- Software: OS versions, patch status, antivirus, encryption tools
- Access controls: User directories, authentication methods (local accounts? MFA?), permission structures
- Monitoring: Intrusion detection, antivirus logs, audit logging
- Policies: Written documentation of security practices
- Training: Evidence of security awareness training
Gap analysis typically requires 40-60 hours of effort
Allocate a dedicated internal team (compliance officer, IT lead, operations manager) for 2-3 months part-time.
Step 3: Map Controls to CMMC Practices (Weeks 4-8)
For each CMMC practice, document your current implementation. Use this template for each:
| CMMC Practice | Your Implementation | Evidence Available? | Gap Status |
|---|---|---|---|
| AC-1: Access Control Policy | Written access control policy, signed by leadership | Yes - policy_v3.docx | Implemented |
| AC-2: Account Management | Manual account creation; no automated audit trail | Partial - some email records | Partial |
| AC-3: Access Control Enforcement | File shares use NTFS permissions; no role-based access control | Yes - Active Directory config | Partial |
| AC-6: Privileged Access Management | Privileged users documented; no PAM solution | Partial - spreadsheet | Partial |
Step 4: Identify Gaps and Risk Rate (Weeks 8-10)
For each gap, rate it using a risk matrix:
- Likelihood: How likely is it that this gap will be exploited? (Low/Medium/High)
- Impact: If it is exploited, how severe is the damage? (Low/Medium/High)
- Effort: How hard is this gap to fix? (Low/Medium/High)
Example: MFA not implemented = High likelihood + High impact + Medium effort = HIGH PRIORITY
Example: Policy wording needs refinement = Low likelihood + Low impact + Low effort = LOW PRIORITY
Step 5: Build Remediation Plan & POA&M (Weeks 10-12)
Create your Plan of Action & Milestones (POA&M) listing all gaps, owners, and target completion dates:
| Gap Description | CMMC Practice | Priority | Owner | Target Completion | Estimated Cost |
|---|---|---|---|---|---|
| Implement MFA on all systems | AC-2, AC-3 | High | IT Director | Q2 2026 | $15k |
| Deploy endpoint detection & response (EDR) | SI-2, SI-4 | High | Security Manager | Q3 2026 | $25k |
| Establish incident response procedures | IR-1, IR-4 | High | Compliance Officer | Q2 2026 | $5k |
| Annual security awareness training | AT-1 | Medium | HR Manager | Q1 2026 | $3k |
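As an added illustration of Steps 4 and 5 (example code written for this page, not the page's own material or any CMMC tooling), the Python below rates each gap with the Likelihood/Impact/Effort scale, maps the score to a High/Medium/Low priority, and orders the result into a POA&M table in the same layout as the one above. The multiplicative score, the priority thresholds, the use of effort as a tie-breaker, and the sample gaps are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ordinal values for the Low/Medium/High ratings used in Step 4.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
# Sort order for the priority bands (lower rank sorts first).
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Gap:
    description: str
    practices: tuple          # practice identifiers as the page writes them
    likelihood: str
    impact: str
    effort: str
    owner: str = "unassigned"
    target: str = "TBD"
    est_cost_usd: int = 0

    def __post_init__(self):
        # Reject ratings outside the Low/Medium/High scale up front.
        for name in ("likelihood", "impact", "effort"):
            value = getattr(self, name)
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {sorted(LEVELS)}, got {value!r}")


def risk_score(gap: Gap) -> int:
    """Likelihood x impact on a 1..9 scale (assumed multiplicative model)."""
    return LEVELS[gap.likelihood] * LEVELS[gap.impact]


def priority(gap: Gap) -> str:
    """Map the score to High/Medium/Low. Thresholds are an assumption:
    High+High (9) and High+Medium (6) are High; Medium+Medium (4) and
    High+Low (3) are Medium; anything else is Low."""
    score = risk_score(gap)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def build_poam(gaps):
    """Order gaps for the POA&M: highest priority first, and within a
    priority band the lowest-effort items first (quick wins)."""
    ordered = sorted(gaps, key=lambda g: (PRIORITY_RANK[priority(g)], LEVELS[g.effort]))
    return [
        {
            "gap": g.description,
            "practices": ", ".join(g.practices),
            "priority": priority(g),
            "risk_score": risk_score(g),
            "effort": g.effort,
            "owner": g.owner,
            "target": g.target,
            "est_cost_usd": g.est_cost_usd,
        }
        for g in ordered
    ]


def render_markdown(rows) -> str:
    """Render the ordered rows in the same column layout as the page's POA&M table."""
    lines = [
        "| Gap Description | CMMC Practice | Priority | Owner | Target Completion | Estimated Cost |",
        "|---|---|---|---|---|---|",
    ]
    for r in rows:
        lines.append(
            f"| {r['gap']} | {r['practices']} | {r['priority']} | {r['owner']} "
            f"| {r['target']} | ${r['est_cost_usd']:,} |"
        )
    return "\n".join(lines)


# Constructed sample gaps mirroring the page's Step 4 examples and POA&M rows.
SAMPLE_GAPS = [
    Gap("Policy wording needs refinement", ("AC-1",), "Low", "Low", "Low",
        "Compliance Officer", "Q3 2026", 0),
    Gap("Implement MFA on all systems", ("AC-2", "AC-3"), "High", "High", "Medium",
        "IT Director", "Q2 2026", 15_000),
    Gap("Annual security awareness training", ("AT-1",), "Medium", "Medium", "Low",
        "HR Manager", "Q1 2026", 3_000),
    Gap("Establish incident response procedures", ("IR-1", "IR-4"), "High", "High", "Low",
        "Compliance Officer", "Q2 2026", 5_000),
]

if __name__ == "__main__":
    print(render_markdown(build_poam(SAMPLE_GAPS)))
```

Running it prints the four sample gaps as a POA&M table with the two High items first (incident response procedures before MFA, because its effort is rated lower), then the training gap as Medium and the policy wording as Low. Effort deliberately does not change the priority band, only the order inside it, so a cheap fix never outranks a riskier one.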
CMMC Gap Analysis Checklist by Domain
Use this checklist to ensure you evaluate all 14 CMMC domains systematically:
Access Control (AC)
- ☐ Written access control policy exists and is current
- ☐ User accounts managed with documented procedures
- ☐ Access control lists (ACLs) enforced on all systems
- ☐ Password policies require minimum complexity and length
- ☐ Privileged access (admin accounts) monitored and logged
- ☐ Inactive accounts disabled within 90 days
- ☐ Multi-factor authentication implemented for privileged access
Awareness & Training (AT)
- ☐ Annual security awareness training mandatory for all staff
- ☐ Training completion tracked and documented
- ☐ Specialized training for system admins and security roles
- ☐ Training content covers CMMC, data protection, incident reporting
- ☐ Contractor/temporary staff receive training before access
Audit & Accountability (AU)
- ☐ Audit logging enabled on all systems
- ☐ Critical events logged (login, data access, configuration changes)
- ☐ Logs retained for at least 90 days
- ☐ Log retention policy documented
- ☐ Audit logs reviewed regularly (monthly minimum)
- ☐ Unauthorized access attempts detected and alerted
System & Communications Protection (SC)
- ☐ Firewalls implemented and configured
- ☐ Network segmentation separates CUI systems from others
- ☐ Encryption in transit (TLS) for remote access and data transmission
- ☐ VPN used for remote work access
- ☐ WiFi encrypted (WPA3 or WPA2 minimum)
- ☐ Data at rest encrypted (sensitive servers and laptops)
Incident Response (IR)
- ☐ Incident response policy documented and signed
- ☐ Incident response team identified with named leads
- ☐ Escalation procedures defined (who to notify, when)
- ☐ Investigation procedures documented
- ☐ Evidence preservation procedures documented
- ☐ Post-incident review process defined
- ☐ Incident log maintained covering at least the last 3 years
System Development Lifecycle (SD) - Level 3 Only
- ☐ Secure coding practices documented
- ☐ Code review process before production
- ☐ Software testing includes security testing
- ☐ Third-party libraries/components tracked and patched
- ☐ Source code repositories protected with access control
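One way to turn two of the Access Control checklist items above into a repeatable check, as an added example that is not part of the original page: given an account export (a constructed sample here, not real data), flag enabled accounts idle for more than 90 days and privileged accounts without MFA, then report each checklist item as Implemented or Gap. The field names, the fixed "as of" date, and the decision to count never-used enabled accounts as a finding are assumptions made for the example.

```python
from datetime import date

INACTIVITY_LIMIT_DAYS = 90        # from the AC checklist item on the page
AS_OF = date(2026, 1, 21)         # fixed "today" so the example is reproducible

# Constructed directory export (not real data). last_login is an ISO date or None.
SAMPLE_ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "privileged": True,  "mfa": True,  "last_login": "2026-01-20"},
    {"user": "bob",        "enabled": True,  "privileged": False, "mfa": False, "last_login": "2025-09-01"},
    {"user": "svc-backup", "enabled": True,  "privileged": True,  "mfa": False, "last_login": "2026-01-18"},
    {"user": "carol",      "enabled": False, "privileged": False, "mfa": False, "last_login": "2025-06-10"},
    {"user": "dave",       "enabled": True,  "privileged": False, "mfa": False, "last_login": None},
]


def days_inactive(account, as_of=AS_OF):
    """Days since the last login, or None if the account has never been used."""
    if account["last_login"] is None:
        return None
    return (as_of - date.fromisoformat(account["last_login"])).days


def find_stale_enabled_accounts(accounts, as_of=AS_OF, limit=INACTIVITY_LIMIT_DAYS):
    """Enabled accounts idle longer than the limit. Never-used enabled accounts
    are reported too (assumption: they cannot be shown to be within the window)."""
    findings = []
    for account in accounts:
        if not account["enabled"]:
            continue                      # already disabled: satisfies the item
        idle = days_inactive(account, as_of)
        if idle is None or idle > limit:
            findings.append(account["user"])
    return findings


def find_privileged_without_mfa(accounts):
    """Enabled privileged accounts that do not have MFA enforced."""
    return [a["user"] for a in accounts if a["enabled"] and a["privileged"] and not a["mfa"]]


def evaluate_ac_checklist(accounts, as_of=AS_OF):
    """Report two AC checklist items in the Implemented/Gap vocabulary of Step 3."""
    stale = find_stale_enabled_accounts(accounts, as_of)
    no_mfa = find_privileged_without_mfa(accounts)
    return {
        "inactive_accounts_disabled_within_90_days": {
            "status": "Gap" if stale else "Implemented",
            "findings": stale,
        },
        "mfa_for_privileged_access": {
            "status": "Gap" if no_mfa else "Implemented",
            "findings": no_mfa,
        },
    }


if __name__ == "__main__":
    for item, result in evaluate_ac_checklist(SAMPLE_ACCOUNTS).items():
        print(f"{item}: {result['status']} {result['findings']}")
```

The findings list is the evidence column for the Step 3 template: an empty list supports marking the item Implemented, a non-empty one becomes a row in the POA&M with the affected accounts named. Running the same check monthly is one way to back the "reviewed regularly" items in the AU checklist with a dated artifact.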
How to Prioritize Gaps: Risk-Based Approach
Not all gaps are equal. Some are showstoppers; others are nice-to-have. Use this framework to prioritize:
| Risk Level | Definition | Timeline | Example Gaps |
|---|---|---|---|
| Critical | Control missing that exposes CUI to direct exploitation | Fix before assessment (0-3 months) | No firewall, no antivirus, no MFA for admins, no incident response plan |
| High | Control missing that significantly increases breach risk | Fix in Q1-Q2 (3-6 months) | Weak password policies, no encryption, incomplete audit logs, no training |
| Medium | Control incomplete or needs improvement to meet standard | Fix in Q2-Q3 (6-9 months) | Patch management delays, policy needs updating, logging coverage gaps |
| Low | Minor documentation or procedural refinements | Fix before assessment or as part of normal operations | Policy wording, process improvements, role clarifications |
Common Gaps Found in Defense Contractor Environments
- Weak access controls: Shared admin accounts, no MFA, overly broad file permissions
- Patching delays: Systems running 6+ months behind on security patches
- Missing encryption: Unencrypted laptops with sensitive data, unencrypted data transmission
- Inadequate monitoring: No intrusion detection, minimal audit logging, no automated alerts
- Procedural gaps: No incident response plan, no change control process, no backup verification
- Training deficiencies: Annual training incomplete, no specialized admin training, contractors not trained
- Third-party risks: No vendor assessment process, subcontractors not subject to same controls
Most contractors can address critical gaps in 3-6 months
With dedicated resources and proper planning, the average defense contractor can reach Level 1-2 readiness in 6-9 months.
Gap Analysis Cost Breakdown by Approach and Company Size
| Company Size | DIY Cost | Consultant-Guided Cost | Full Consultant Cost | Timeline (DIY) |
|---|---|---|---|---|
| Small (under 50) | $2k (tools) | $5k-8k | $12k-18k | 6-8 weeks |
| Mid-size (50-250) | $5k (tools + training) | $8k-15k | $20k-35k | 8-12 weeks |
| Large (250+) | $10k+ (tools + resources) | $15k-25k | $35k-60k | 12-16 weeks |
From Gap Analysis Results to POA&M to Assessment
Gap analysis feeds into your Plan of Action & Milestones (POA&M):
- Gap Analysis (6-12 weeks): Identify all gaps, prioritize, estimate effort and cost
- POA&M Development (2-4 weeks): Create formal remediation plan with owners, dates, and budgets
- Remediation Execution (6-12 months): Implement fixes, track progress, update POA&M monthly
- SSP Development (4-8 weeks): Document your controls in System Security Plan
- Assessment Readiness (4-6 weeks): Collect evidence, prepare demo systems, brief leadership
- C3PAO Assessment (2-3 weeks): Official CMMC assessment with accredited assessor
Key Takeaways
A rigorous gap analysis is the foundation of successful CMMC compliance. It prevents wasted spending, identifies your true baseline, and creates a realistic remediation roadmap. Whether DIY or consultant-led, the gap analysis process forces you to understand your security posture before you commit resources.
Frequently Asked Questions
How often should I update my gap analysis?
Conduct a full gap analysis annually or whenever you make significant system changes. As you remediate gaps, update your POA&M monthly to track progress.
Can a gap analysis predict assessment results?
A thorough gap analysis is a good predictor, but C3PAOs may find additional gaps during assessment. Gap analysis typically finds 80-90% of issues; plan for surprises.
What's the difference between gap analysis and self-assessment?
Gap analysis identifies what's missing. Self-assessment (SPRS) tests whether your claimed controls actually work. Both are important before C3PAO assessment.
Should I hire a consultant for gap analysis?
A hybrid approach is recommended: an internal team with consultant guidance. This costs 40-50% less than a fully consultant-led engagement while still gaining external expertise and building internal capability.
What happens if I skip gap analysis?
You risk assessment failure, wasted remediation spending, and timeline delays. Gap analysis is mandatory for disciplined compliance programs.
How do I know which CMMC level to target?
Check your government contracts. CMMC Level 2 is most common. Gap analysis will show effort/cost for each level, helping you make an informed decision.