CMMC Gap Analysis FAQs

How close are you to being ready for a Cybersecurity Maturity Model Certification (CMMC) third-party assessment at your required CMMC level? There is only one way to really know: undertake a thorough CMMC gap analysis, also known as a CMMC readiness assessment.

What does a CMMC gap analysis look like, and how can it help your company? Take a look at these FAQs:

What is the purpose of a CMMC gap analysis?

A CMMC gap analysis measures your current state of NIST SP 800-171 conformance, assesses the effectiveness of your existing controls, and pinpoints where your business is not yet fully compliant with CMMC Level 3 and DFARS requirements. For example, you could come up short in areas like:

  • Weak access controls (e.g., no multifactor authentication)
  • Improper data storage and/or backup controls
  • Lack of an incident response plan
  • Insecure storage for data records
  • Insufficient network segmentation
  • Inadequate cybersecurity awareness training for admins or business users
  • Lack of meaningful and objective evidence for some or all of the practices and required controls

The gap analysis results will drive your compliance roadmap or remediation plan. If you don’t do a thorough gap analysis, you won’t know for sure what changes you need to make before scheduling a CMMC assessment with a CMMC Third-Party Assessment Organization (C3PAO). The CMMC assessment is not a checklist; it is designed to validate that organizations seeking certification (OSCs) are protecting their controlled unclassified information (CUI) in accordance with the U.S. Government’s expectations and their contractual obligations. The outcome of that assessment is not something you want to leave to chance.

What are the benefits of a CMMC gap analysis?

A CMMC gap analysis will tell you exactly what controls you need to implement, extend or modify to comply with CMMC at your required level, along with recommendations for how best to approach mitigating the issues in your environment.

Some of the benefits of having this information include:

  • You will be aware of how close you are to full compliance with NIST SP 800-171, which is very similar to CMMC Level 3. If you have a DFARS 252.204-7012 clause in your current contract, the DoD may ask you to demonstrate NIST SP 800-171 compliance at any time.
  • You will have greater assurance that you can achieve CMMC compliance in your required timeline.
  • Your team will gain familiarity with an assessment process and the artifacts involved.
  • You will have more “proof” to assure stakeholders that you can keep their sensitive data safe.
  • You will get a jump on CMMC budget planning, which among other things could help you position your compliance efforts as an “allowable cost” that the DoD will reimburse.
  • You will get a head start on CMMC compliance, which could better position you to get new contracts.

When does your company need to be ready for your CMMC assessment?

If you are providing products and services within the Defense Industrial Base (DIB), you want to be CMMC ready as soon as possible. With the CMMC rollout on a five-year timeframe, many DIB companies have at least a year to get ready for their CMMC assessment. But achieving compliance with CMMC, especially at Level 3 or higher, will be a significant effort for many firms.

Here are some of the steps you can take now to get ready for CMMC:

  • Understand the technical requirements for the CMMC level you will need to comply with. For example, if you will handle CUI you need to attain at least CMMC Level 3, which has about 20 more practices than the 110 requirements in NIST SP 800-171.
  • Begin due diligence and start making connections with security vendors and service providers, if you will need third-party expertise/support to achieve CMMC certification.
  • Check out the NIST 800-171 and/or CMMC compliance status of critical services like email/file sharing or cloud services that you are currently using or might use soon.
  • Draft, build and mature your System Security Plan (SSP). Begin documenting your cybersecurity policies, procedures, etc. if you know you will be handling CUI. (CMMC Level 3 requires documentation of controls; CMMC Level 1 does not.)
  • Start planning now: schedule the work, budget for the tools and staff needed to implement and maintain the required controls, and document your costs, which the DoD may reimburse as allowable costs.
  • Stay current with news and updates on the CMMC rollout.

Next steps

Does your company need to comply with CMMC at Level 3 or above? Are you unsure about your compliance with NIST SP 800-171 today? Struggling with submitting your self-assessment scores to the Supplier Performance Risk System (SPRS)? Do you lack sufficient resources to implement CMMC and prepare for your CMMC assessment on your own?

If the answer to any of those questions is yes, contact Pivot Point Security to talk with an expert about your unique compliance needs and how we can help.