Why a CMMC Gap Assessment Is Your Most Important First Step
Before you can achieve Cybersecurity Maturity Model Certification, you need to understand exactly where you stand today. A CMMC gap assessment is the structured process of measuring your current cybersecurity practices against the requirements of CMMC 2.0 and the underlying NIST SP 800-171 controls. It tells you what you have, what you are missing, and what it will take to close the distance between the two.
Many defense contractors make the mistake of jumping straight into remediation or hiring a C3PAO assessor before they have done this foundational work. The result is wasted budget, failed assessments, and delayed contract awards. Done correctly, a gap assessment becomes the blueprint for everything that follows. This guide walks your compliance team through the process from start to finish.
Step 1: Define Your Assessment Scope
The first task is to draw a clear boundary around what you are assessing. CMMC applies to the systems, personnel, and processes that touch Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). If you assess everything in your IT environment without defining scope, you will spend months on work that has no bearing on your certification outcome.
Start by answering these questions:
- Which contracts require CMMC certification, and at what level?
- Where does CUI enter your environment, how does it flow, and where does it exit?
- Which systems, networks, cloud services, and physical locations process or store CUI?
- Which employees, contractors, and third-party service providers have access to CUI?
Document your CUI boundary as a formal asset inventory, and tag each asset with its CMMC asset category (CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out of Scope), because the Level 2 scoping guidance treats each category differently at assessment time. Every in-scope system becomes part of your System Security Plan (SSP), which is a required artifact for CMMC Level 2. If you are unsure how to define or protect CUI in your environment, our post on What is Controlled Unclassified Information (CUI) is a useful primer.
Step 2: Map Requirements to Your Target CMMC Level
CMMC 2.0 has three certification levels. Level 1 covers the 15 basic safeguarding requirements for FCI and is self-assessed annually. Most defense contractors in the Defense Industrial Base pursuing DoD prime contracts or subcontracts that involve CUI will be targeting Level 2, which maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. Level 3 builds on Level 2 with 24 additional requirements drawn from NIST SP 800-172 and is reserved for programs involving the most sensitive CUI.
For each level, gather the authoritative requirements documents:
- CMMC 2.0 Model documentation from the DoD
- NIST SP 800-171 Rev 2, the revision that CMMC Level 2 and the DoD assessment scoring currently use, plus Rev 3 for awareness, since it restructures the requirements and adds three families (Planning, System and Services Acquisition, and Supply Chain Risk Management)
- Any contract-specific requirements in your DFARS clauses
Organize the 110 practices by domain: Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity, and Awareness and Training. This domain structure is your assessment framework. For a deeper look at the underlying standard, see our guide on NIST SP 800-171 Revision 3 and what it means for CUI protection.
Step 3: Collect Evidence of Current Controls
Now comes the fact-finding phase. For each of the 110 practices, you need to determine whether a control is fully implemented, partially implemented, planned, or not implemented at all. Evidence collection typically involves:
- Document review: Policies, procedures, system security plans, network diagrams, access control lists, training records, and incident response plans
- Technical interviews: Conversations with IT administrators, system owners, HR, and facility managers
- System walkthroughs: Live demonstrations of technical controls such as multi-factor authentication, audit logging, and endpoint protection
- Configuration reviews: Examination of firewall rules, Active Directory settings, patch management reports, and encryption configurations
Use a structured workbook or assessment tool that records, for every practice, the practice ID, your finding, the evidence reference, and the gap status. Consistency in this documentation is critical: the status you assign is what drives your score, and the open items feed directly into your Plan of Action and Milestones (POA&M), which CMMC allows only for a limited set of remaining gaps.
Step 4: Score and Prioritize the Gaps
Once evidence is collected, assign a status to each practice. A common framework uses three categories: Met, Partially Met, and Not Met. From there, calculate your current score using the DoD's NIST SP 800-171 Assessment Methodology, the same scoring you report in SPRS. It starts at 110 points and subtracts each unimplemented practice's weight of 1, 3, or 5 points, so the lowest possible score is -203. Partial credit exists for only two practices: multi-factor authentication (3.5.3) and FIPS-validated encryption (3.13.11) each lose 3 points rather than 5 when partially implemented. Every other Partially Met practice loses its full weight, exactly as if it were Not Met.
Not all gaps carry equal risk. Prioritize remediation based on two factors:
- Impact on SPRS score: Five-point practices such as multi-factor authentication (3.5.3) and audit logging have an outsized effect on your numerical score and your ability to win contracts.
- Ease of implementation: Some gaps, such as missing policy documentation or incomplete training records, can be closed quickly with modest effort. Address these first to generate momentum.
For a closer look at the controls that trip up contractors most often, review our analysis of the 10 most commonly failed CMMC Level 2 controls.
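As an added example that is not part of the original post, here is a small Python model of the Step 3 workbook and the Step 4 scoring and prioritization. The scoring rules it encodes (a 110-point start, per-practice weights of 1, 3 or 5, and the 3-point partial-credit rule for 3.5.3 and 3.13.11) follow the DoD NIST SP 800-171 Assessment Methodology, and the POA&M eligibility test follows the Level 2 rule in the CMMC final rule. The sample findings, evidence references, effort ratings, and the weights shown for every practice other than 3.5.3 and 3.13.11 are constructed placeholders; replace them with your own workbook rows and the weights from Annex A of the methodology. The points-per-effort ranking is one reasonable way to combine the two prioritization factors above, not an official formula.

```python
"""Score a CMMC gap-assessment workbook the way the DoD NIST SP 800-171
Assessment Methodology does, then rank the open gaps for remediation.

Constructed example. Rules taken from the methodology:
  * start at 110 and subtract a practice's weight (1, 3 or 5) when it is
    Not Met or Partially Met;
  * only 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption) earn partial
    credit: they lose 3 points instead of 5 when partially implemented.
Sample rows, effort ratings and the other weights are placeholders.
"""
from dataclasses import dataclass

FULL_SCORE = 110

# Partial-credit rule from the DoD methodology: points lost when these two
# practices are Partially Met (everything else loses its full weight).
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"Met", "Partially Met", "Not Met", "Not Applicable"}


@dataclass(frozen=True)
class Finding:
    practice: str   # NIST SP 800-171 Rev 2 requirement number, e.g. "3.5.3"
    weight: int     # 1, 3 or 5, from Annex A of the DoD methodology
    status: str     # one of VALID_STATUSES
    evidence: str   # reference into the evidence repository
    effort: int     # assessor estimate, 1 (quick fix) .. 5 (major project)

    def __post_init__(self):
        if self.status not in VALID_STATUSES:
            raise ValueError(f"{self.practice}: unknown status {self.status!r}")


def deduction(f: Finding) -> int:
    """Points lost for one practice under the DoD scoring rules."""
    if f.status in ("Met", "Not Applicable"):
        return 0
    if f.status == "Partially Met" and f.practice in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[f.practice]
    # Any other Partially Met practice scores exactly like Not Met.
    return f.weight


def sprs_score(findings) -> int:
    """Current score on the 110-point scale reported in SPRS."""
    return FULL_SCORE - sum(deduction(f) for f in findings)


def prioritized_gaps(findings):
    """Open gaps ordered by points recovered per unit of effort (highest
    first), breaking ties by points recovered, then by practice number."""
    gaps = [f for f in findings if deduction(f) > 0]
    return sorted(gaps, key=lambda f: (-deduction(f) / f.effort,
                                       -deduction(f), f.practice))


def poam_eligible(findings) -> bool:
    """Level 2 conditional-certification test from the CMMC final rule
    (32 CFR 170.21): score at least 0.8 * 110 = 88, and no open practice
    weighted above 1 point, except 3.13.11 when it already earns partial
    credit. The rule also bars a few specific 1-point practices from a
    POA&M; that list is not modeled here."""
    if sprs_score(findings) < 0.8 * FULL_SCORE:
        return False
    for f in findings:
        lost = deduction(f)
        if lost == 0:
            continue
        if f.weight > 1 and not (f.practice == "3.13.11" and lost == 3):
            return False
    return True


# Constructed sample workbook (evidence references and efforts are made up).
SAMPLE_WORKBOOK = [
    Finding("3.1.1", 5, "Met", "ad-acl-export-2024q3", 2),
    Finding("3.2.1", 1, "Not Met", "none", 1),               # no training records
    Finding("3.3.1", 5, "Partially Met", "siem-retention-policy", 4),
    Finding("3.5.3", 5, "Partially Met", "mfa-rollout-report", 3),  # MFA for remote and privileged users only
    Finding("3.13.11", 5, "Partially Met", "tls-config-review", 2),  # encrypted, but not FIPS-validated modules
    Finding("3.1.16", 5, "Not Applicable", "no-wireless-justification", 1),  # N/A needs a documented justification
    Finding("3.14.2", 5, "Not Met", "none", 3),
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_WORKBOOK))
    print("POA&M eligible:", poam_eligible(SAMPLE_WORKBOOK))
    for f in prioritized_gaps(SAMPLE_WORKBOOK):
        print(f"{f.practice:8} -{deduction(f)} pts  effort {f.effort}  evidence: {f.evidence}")
```

On the sample workbook the score is 93, which clears the 88-point threshold, yet the workbook is not POA&M eligible because three of the open gaps are weighted above 1 point. That is the practical lesson of Step 4: the numeric score alone does not tell you whether you can certify with open items, so the ranking should pull five-point gaps forward even when the one-point policy and training fixes are the quickest to close.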
Step 5: Build Your System Security Plan and POA&M
The gap assessment output directly feeds two CMMC documents. Your System Security Plan (SSP) describes how each of the 110 practices is implemented within your environment and is mandatory at Level 2. Your Plan of Action and Milestones (POA&M) documents every open gap, the remediation steps required, the responsible party, and the target completion date. A POA&M is not a substitute for implementation: for a Level 2 certification it is permitted only when your score is at least 88 (0.8 x 110) and the open items are low-weight practices, and every item must be closed and verified within 180 days or the conditional certification lapses.
These are not one-time artifacts. They are living documents that must be maintained and updated as your environment evolves and remediation progresses. Our detailed post on SSP and POA&M as critical components of a strong security program covers what these documents must contain to satisfy assessors.
Step 6: Develop a Remediation Roadmap
With gaps scored and prioritized, your team needs a realistic remediation plan with timelines, resource requirements, and accountability. Typical remediation activities fall into three categories:
- Policy and procedure development: Drafting or updating written security policies to formalize practices already in place
- Technical implementation: Deploying multi-factor authentication, configuring audit logging, implementing data loss prevention, or migrating to a compliant cloud environment
- Training and awareness: Ensuring all personnel with CUI access understand their responsibilities
Build your roadmap with a formal certification deadline in mind. If you are targeting a specific contract award or renewal date, work backward from that date to set realistic milestones. Organizations that treat the gap assessment as a one-time exercise rather than the start of a continuous compliance cycle consistently struggle when formal assessments begin. Our post on how long CMMC Level 2 compliance realistically takes can help you set expectations with leadership.
Common Mistakes That Undermine a CMMC Gap Assessment
After conducting assessments across dozens of defense contractors, I have seen the same errors repeated. Avoid these pitfalls:
- Scoping too broadly or too narrowly: Including systems outside the CUI boundary wastes time. Excluding in-scope systems creates blind spots that an assessor will find.
- Relying on self-attestation without evidence: Stating that a control is implemented without documentation is not sufficient. Assessors require objective evidence.
- Treating the gap assessment as a checkbox: The goal is not to produce a document. It is to accurately understand your security posture so you can improve it.
- Ignoring subcontractor and vendor risk: If a managed service provider handles any in-scope systems, their controls are part of your assessment surface.
When to Bring in Outside Expertise
Conducting a thorough CMMC gap assessment requires deep familiarity with NIST SP 800-171, technical security controls, and the evidentiary standards that C3PAO assessors apply. Many organizations benefit from engaging an experienced compliance partner to lead or validate their internal assessment, particularly when internal staff lack dedicated security expertise or when a contract timeline creates urgency.
Our CMMC, CUI, and DFARS compliance services are specifically designed to guide defense contractors through the gap assessment process, SSP and POA&M development, and full certification readiness. For organizations that need ongoing security leadership without the cost of a full-time hire, our Regulatory vCISO services provide dedicated expertise throughout your compliance journey.
If you want to understand the difference between a gap assessment and a readiness assessment before you decide which engagement makes sense for your organization, see our comparison post: CMMC Readiness Assessment vs. Gap Assessment.
Take the Next Step Toward CMMC Certification
A well-executed CMMC gap assessment is not just a compliance requirement. It is a strategic investment in your organization's ability to win and retain defense contracts. The earlier you understand your gaps, the more time you have to close them on your own schedule rather than under pressure from a contract deadline. If your team is ready to move from uncertainty to a clear compliance roadmap, request a quote from Cleared Systems today and let us help you build a path to certification that is realistic, documented, and audit-ready.
