CMMC Gap Analysis FAQs

How close are you to being ready for a Cybersecurity Maturity Model Certification (CMMC) third-party assessment at your required CMMC level? There’s only one way to really know: undertake a thorough CMMC gap analysis, aka a CMMC readiness assessment.

What does a CMMC gap analysis look like, and how can it help your company? Take a look at these FAQs:

What is the purpose of a CMMC gap analysis?

A CMMC gap analysis helps you measure your current state of NIST 800-171 conformance, assess the effectiveness of your existing controls, and then pinpoint where your business is not yet fully compliant with CMMC Level 3 and DFARS requirements. For example, you could come up short in areas like:

  • Weak access controls (e.g., no multifactor authentication)
  • Improper data storage and/or backup controls
  • Lack of an incident response plan
  • Insecure storage for data records
  • Insufficient network segmentation
  • Inadequate cybersecurity awareness training for admins or business users
  • Lack of meaningful and objective evidence for some or all of the practices and required controls

The gap analysis results will drive your compliance roadmap or remediation plan. If you don’t do a thorough gap analysis, you won’t know for sure what changes you need to make before scheduling a CMMC assessment with a C3PAO. The CMMC assessment is not a checklist; it is designed to validate that OSCs (Organizations Seeking Certification) are protecting their CUI in accordance with the U.S. Government’s expectations and their contractual obligations. And the outcome of the assessment is not something you want to leave in doubt or up to chance.

Should we start preparing for CMMC with a Gap Assessment?

A gap assessment is a good approach if you know that you have a very mature information security program that includes the required CMMC artifacts (e.g., Risk Assessment, System Security Plan, etc.). If not, you are better off viewing this as an implementation project, with establishing the scope of your CUI environment as the best first step. It is critical that you have a clear picture of where you are, and where you need to be, prior to beginning the process of implementing controls.

How long does a CMMC gap analysis take?

The time and effort your CMMC gap analysis will require depends on multiple factors, like the size and complexity of your environment, your current security posture, the CMMC level you need to comply with, the human resources available to perform the analysis, how much documentation is on hand to support the analysis, whether subject matter experts are available to help answer questions, your organization’s understanding of where and what information needs protection, and so on.

All that said, here’s a rough estimate: if your company is an SMB with a single location and approximately 250 employees, 25% of whom will handle Controlled Unclassified Information (CUI), you need to be compliant with CMMC Level 3, and you are reasonably close to compliance with NIST 800-171 today, a third-party CMMC gap assessment might take 2 to 4 weeks.

What are the benefits of a CMMC gap analysis?

A CMMC gap analysis will tell you exactly what controls you need to implement, extend or modify to comply with CMMC at your required level, along with recommendations for how best to approach mitigating the issues in your environment.

Some of the benefits of having this information include:

  • You will be aware of how close you are to full compliance with NIST 800-171, which is very similar to CMMC Level 3. If you have a DFARS 7012 clause in your current contract, the DoD may ask you to demonstrate NIST 800-171 compliance at any time.
  • You will have greater assurance that you can achieve CMMC compliance in your required timeline.
  • Your team will gain familiarity with an assessment process and the artifacts involved.
  • You will have more “proof” to assure stakeholders that you can keep their sensitive data safe.
  • You will get a jump on CMMC budget planning, which among other things could help you position your compliance efforts as an “allowable cost” that the DoD will reimburse.
  • You will get a head start on CMMC compliance, which could better position you to get new contracts.

What are the key steps in a CMMC gap analysis?

While any company or security consultant might perform a CMMC gap analysis somewhat differently, here are some of the steps you can probably expect to see in yours:

  • Review of all your current documentation, plans, policies, POA&Ms, etc.
  • Assessments, interviews, exercises, and tests to see how your current security controls compare to those at your desired CMMC level
  • Reporting on your CMMC implementation status, including any deficiencies
  • A wrap-up to share findings and recommendations

Is a CMMC gap analysis important for your company?

A CMMC gap analysis is extremely valuable—if not essential—for businesses with reasonably mature cybersecurity programs that are likely to include most of the required CMMC artifacts, such as a risk assessment and a System Security Plan. If your security program is not yet at that level, you will probably gain more from an implementation planning type of approach that will help you establish the scope of your CUI environment as a first step.

When does your company need to be ready for your CMMC assessment?

If you are providing products and services within the DIB, you want to be CMMC ready as soon as possible. With the CMMC rollout on a five-year timeframe, many DIB companies have at least a year to get ready for their CMMC assessment. But achieving compliance with CMMC, especially at Level 3 or higher, will be a significant effort for many firms.

Here are some of the steps you can take now to get ready for CMMC:

  • Understand the technical requirements for the CMMC level you will need to comply with. For example, if you will handle CUI you need to attain at least CMMC Level 3, which has about 20 more controls than NIST 800-171.
  • Begin due diligence and start making connections with security vendors and service providers, if you will need third-party expertise/support to achieve CMMC certification.
  • Check out the NIST 800-171 and/or CMMC compliance status of critical services like email/file sharing or cloud services that you are currently using or might use soon.
  • Draft, build, and mature your SSP (System Security Plan). Begin documenting your cybersecurity policies, procedures, etc. if you know you will be handling CUI. (CMMC Level 3 requires documentation of controls; CMMC Level 1 does not.)
  • Start scheduling your CMMC planning, resourcing the tools and talent required to implement and maintain your controls, and budgeting for and documenting the costs that the DoD will hopefully reimburse.
  • Stay current with news and updates on the CMMC rollout.

Next steps

Does your company need to comply with CMMC at Level 3 or above? Are you unsure about your compliance with NIST 800-171 today? Struggling with submitting your self-assessment scores to the SPRS website? Do you lack sufficient resources to implement CMMC and prepare for your CMMC assessment on your own?

If the answer to any of those questions is yes, contact Pivot Point Security to talk with an expert about your unique compliance needs and how we can help.