5 Critical Gaps Most Defense Contractors Discover During Their First CMMC Assessment

What a CMMC Gap Assessment Really Reveals

After working with defense contractors across the supply chain, I can tell you that the first formal CMMC gap assessment is almost always a humbling experience. It doesn't matter whether your organization has been self-attesting under DFARS 252.204-7012 for years or whether your IT team believes everything is under control. When an experienced assessor begins methodically testing your controls against the 110 practices in NIST SP 800-171, the gaps tend to surface quickly—and they tend to cluster around the same five areas, time and time again.

This post breaks down those five critical gaps, explains why they're so pervasive, and tells you what to do about each one before a C3PAO shows up at your door.

Gap 1: Poorly Defined or Uncontrolled CUI Boundaries

The single most common finding in a CMMC gap assessment is that contractors have not accurately scoped where Controlled Unclassified Information lives, flows, and rests within their environment. Many organizations assume CUI only exists in a handful of shared drives or email folders. In practice, it has typically spread to personal devices, collaboration tools, cloud storage platforms, and even archival systems that haven't been reviewed in years.

When your CUI boundary is poorly defined, every technical control you implement is built on a faulty foundation. Access controls, encryption policies, and audit logging all become unreliable because you're not certain what you're actually protecting.

What to do: Conduct a thorough data discovery exercise before your formal assessment. Map every system that stores, processes, or transmits CUI—including third-party tools and subcontractor connections. Our resource on Controlled Unclassified Information is a good starting point if your team needs a refresher on what qualifies as CUI and what doesn't.

If you need structured support scoping your environment, our CMMC, CUI & DFARS compliance services are specifically designed to help contractors define and protect their CUI boundaries from the ground up.

Gap 2: An Incomplete or Outdated System Security Plan

CMMC assessors will request your System Security Plan (SSP) on day one. What they typically receive is a document that was drafted once, filed, and never meaningfully updated. In many cases, the SSP describes a network architecture that no longer exists, references tools the organization stopped using two years ago, and omits several systems that were added without going through a formal change management process.

An SSP is not a one-time deliverable. It is a living document that must reflect your environment as it actually exists at the moment of assessment—not as you intended it to exist when you first wrote the plan.

What to do: Schedule a dedicated SSP review at least once per year, and trigger an immediate update any time a significant system change occurs. Your SSP should accurately describe every system component in scope, the controls applied to each, and your rationale for any controls you've deemed not applicable. For a deeper look at the relationship between your SSP and your Plan of Action and Milestones, read our post on SSP and POA&M as critical components of a strong security program.

Gap 3: Inadequate Access Control and Least Privilege Enforcement

Access control failures are among the most frequently cited findings in assessments across the defense industrial base. The issue usually isn't that contractors have no access controls—most have Active Directory, basic role assignments, and password policies in place. The problem is that those controls have drifted. Former employees still have active accounts. Service accounts carry excessive privileges that were granted during a system deployment and never walked back. Administrators log into workstations with privileged credentials as a matter of routine, rather than using dedicated administrative accounts for elevated tasks.

CMMC Level 2 requires strict enforcement of least privilege, separation of duties, and controlled access to CUI systems. Assessors will test these controls directly, and configuration drift will be visible in your Active Directory, your cloud environment, and your endpoint management platform.

What to do: Run a full access review before your assessment. Disable or remove stale accounts. Audit privileged access and enforce the use of dedicated administrative accounts. Review your multi-factor authentication (MFA) deployment to ensure it covers all CUI-accessible systems—not just your primary email platform. For manufacturers dealing with access control challenges on production networks, our post on protecting and managing CUI on shop floors addresses some of the unique access challenges in industrial environments.
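One way to carry out that access review in Active Directory, as an added example that is not from the original post or from Cleared Systems; the 90-day inactivity window, privileged group list, "svc-" service-account prefix and output paths are assumptions to adjust to your own policy:

```powershell
# Added example, not code from the original post or from Cleared Systems: a read-only
# Active Directory review that surfaces the three drift patterns described above.
# Assumptions: RSAT ActiveDirectory module, a 90-day inactivity window, service
# accounts named with an "svc-" prefix, and the group list below; adjust to policy.
Import-Module ActiveDirectory

$StaleDays        = 90
$ServicePrefix    = 'svc-'
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Cutoff           = (Get-Date).AddDays(-$StaleDays)

# 1. Enabled accounts with no logon inside the window (typical of departed staff).
#    Accounts that have never logged on count as stale once older than the window.
$StaleAccounts = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { if ($_.LastLogonDate) { $_.LastLogonDate -lt $Cutoff } else { $_.whenCreated -lt $Cutoff } } |
    Select-Object SamAccountName, LastLogonDate, whenCreated

# 2. Every user that is (directly or via nesting) in a privileged group, with
#    service accounts flagged so over-privileged deployments stand out.
$PrivilegedUsers = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName -Properties ServicePrincipalName, PasswordLastSet
            [pscustomobject]@{
                Group            = $Group
                SamAccountName   = $User.SamAccountName
                IsServiceAccount = ($User.SamAccountName -like "$ServicePrefix*") -or ($User.ServicePrincipalName.Count -gt 0)
                PasswordLastSet  = $User.PasswordLastSet
            }
        }
}
$PrivilegedNames = $PrivilegedUsers.SamAccountName | Sort-Object -Unique

# 3. Interactive (type 2) or RDP (type 10) logons by privileged accounts on this
#    workstation, i.e. admins using elevated credentials for routine work.
#    Run on a sample of workstations; requires rights to read the local Security log.
$AdminLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Cutoff } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = ($Data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($Data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { ($_.LogonType -in @('2', '10')) -and ($_.User -in $PrivilegedNames) }

# Export each finding set as assessment evidence (output paths are assumptions).
$StaleAccounts   | Export-Csv .\stale-accounts.csv            -NoTypeInformation
$PrivilegedUsers | Export-Csv .\privileged-users.csv          -NoTypeInformation
$AdminLogons     | Export-Csv .\admin-workstation-logons.csv  -NoTypeInformation
```

The three CSV files are the kind of dated artifact an assessor will ask for; rerun the script after remediation so the before-and-after record is part of your evidence.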

Gap 4: Gaps in Incident Response Planning and Execution

Most defense contractors have some version of an incident response plan. What assessors consistently find, however, is that the plan exists as a document but has never been tested, that staff responsible for executing it don't know it exists, and that the reporting timelines required under DFARS 252.204-7012—72 hours to report a cyber incident to DoD—are not reflected anywhere in the documented procedures.

A CMMC assessment doesn't just ask to see your incident response policy. Assessors want evidence that the plan has been exercised, that personnel understand their roles, and that your organization can actually execute the process under pressure. Tabletop exercises, documented test results, and training records are the artifacts that support this requirement.

What to do: Conduct a tabletop exercise at least annually and document the results. Update your plan to explicitly address the DoD reporting requirements in DFARS 252.204-7012. Ensure that every employee who touches CUI systems understands what constitutes a reportable incident and who to notify. If you want to understand the regulatory underpinnings of this requirement, our post on DFARS 252.204-7012 compliance covers the obligation in detail.

Organizations that lack the internal expertise to maintain and test a robust incident response program may benefit from a Regulatory vCISO who can own this function on an ongoing basis.

Gap 5: Deficiencies in Configuration Management and Patch Hygiene

Configuration management is one of the most technically demanding CMMC domains, and it is routinely underdeveloped at small and mid-sized defense contractors. The gap typically takes one of three forms: there is no established baseline configuration for servers and workstations; baseline configurations exist but have never been enforced consistently; or patch management is handled reactively rather than through a documented, scheduled process.

Assessors will examine your patch cadence, your configuration baselines, and your change management records. They will look for evidence that unauthorized software cannot run on CUI-processing systems and that your environment is being actively monitored for configuration drift. If your endpoints have been running months behind on critical patches—or if your change management log is essentially nonexistent—this domain will generate multiple findings.

What to do: Establish documented configuration baselines for all system types in your CUI environment. Implement a patch management schedule that addresses critical vulnerabilities within defined timeframes. Deploy endpoint management tooling that gives you visibility into configuration compliance across your fleet. Our post on endpoint security fundamentals is a useful reference for organizations building out this capability.

For organizations that need a broader view of where their technical controls stand, our federal risk assessment services can provide an independent evaluation of your security posture before a formal CMMC assessment.

The Common Thread Across All Five Gaps

Looking across these five findings, a clear pattern emerges: the gaps are rarely the result of malicious neglect. They are the result of organizations that have grown operationally while their compliance and security programs failed to keep pace. Policies were written but not operationalized. Controls were implemented but never verified. Documentation was created but never maintained.

That is precisely why a structured gap assessment conducted well in advance of your C3PAO audit is not optional—it is the only reliable way to understand where you actually stand. Our post on how to prepare for your CMMC audit walks through the broader preparation process if you're ready to start building your remediation roadmap.

The contractors who perform well in CMMC assessments are the ones who treated the gap assessment as a genuine diagnostic tool, built a prioritized remediation plan, and followed through on execution with accountability and documentation at every step. That process is repeatable, and it starts with an honest look at where the gaps are.

Ready to Identify and Close Your CMMC Gaps?

At Cleared Systems, we specialize in helping defense contractors across the industrial base understand their true compliance posture and build a credible path to certification. Whether you need a thorough gap assessment, hands-on remediation support, or an experienced compliance partner to guide you through the full CMMC journey, we're ready to help. Request a quote today to start a conversation about where your program stands and what it will take to get you assessment-ready.
