Top 7 Gaps Uncovered in Public Sector Cybersecurity Assessments — and How to Close Them

What Public Sector Cybersecurity Assessments Keep Revealing

After conducting hundreds of federal and SLED risk assessments, our team at Cleared Systems has seen the same compliance failures surface again and again — across defense contractors, federal agencies, state and local governments, and educational institutions. The organizations that struggle most are rarely the ones that ignore security entirely. They are the ones that believe they are further along than they actually are.

A public sector cybersecurity assessment is not a checkbox exercise. It is a structured, evidence-based evaluation of whether your security controls actually work — not just whether they exist on paper. What follows are the seven gaps we uncover most consistently, and what you need to do to close them before they cost you a contract, a certification, or your organization's data integrity.

Gap 1: No Defined System Security Plan or an SSP That Does Not Reflect Reality

The System Security Plan is supposed to be the authoritative description of your environment, your controls, and your risk posture. In practice, we frequently find SSPs that were written once, never updated, and bear almost no resemblance to the actual IT environment being assessed.

When an assessor walks your network and finds systems, users, and data flows that are not documented in the SSP, it raises immediate questions about the integrity of your entire compliance posture. Under NIST SP 800-171 and CMMC Level 2, an outdated or incomplete SSP is not a minor finding — it is a foundational failure.

How to close it: Assign a documented owner for the SSP and establish a review cycle tied to system changes and annual assessments. Your SSP should be a living document, not an artifact from your last audit cycle. Our post on SSP and POA&M as critical security program components outlines what a defensible SSP structure requires.

Gap 2: Inadequate CUI Identification and Boundary Definition

Organizations handling Controlled Unclassified Information consistently underestimate the scope of where CUI actually lives. During assessments, we routinely find CUI on unprotected file shares, in personal email accounts, embedded in collaboration tools that were never scoped into the security boundary, and sitting on endpoints with no encryption or access controls.

You cannot protect data you have not identified. You cannot scope a compliance program around a boundary you have not defined. This gap creates cascading failures across access control, audit logging, incident response, and media protection.

How to close it: Conduct a formal CUI boundary assessment before your next compliance review. Map every system, application, and workflow that touches CUI. If you are unsure where to begin, our guidance on what Controlled Unclassified Information actually is provides a practical foundation. For hands-on support, our CMMC, CUI, and DFARS compliance services include boundary scoping as a core deliverable.

Gap 3: Weak or Inconsistent Access Control Practices

Access control failures are among the most common findings in any public sector cybersecurity assessment. The specific issues vary, but the pattern is consistent: too many users have too much access, privilege reviews are not happening, shared accounts are in use, and multi-factor authentication is either absent or inconsistently enforced.

Least-privilege access is a fundamental requirement under nearly every federal framework — NIST SP 800-171, CMMC, DFARS, and FedRAMP all require it. Yet in practice, organizations often grant broad access during onboarding and never revisit it. Terminated employees retain active credentials. Administrators use elevated accounts for routine tasks.

How to close it: Implement a formal access control policy with documented provisioning and de-provisioning procedures. Conduct quarterly privilege reviews. Enforce MFA for all privileged accounts and any system that touches CUI. Review our guidance on zero trust security principles to understand how a modern access architecture should be structured.
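The quarterly privilege review described above can be partly automated. The following Python script is an added example, not Cleared Systems' own tooling: it runs over a constructed account export and flags the exact findings the passage lists (terminated users still enabled, privileged or CUI-accessing accounts without MFA, shared accounts, and privileged access that was never re-reviewed or is past the review window). The record fields, role names and the 90-day window are assumptions; a real export from a directory or IAM system would need to be mapped onto them.

```python
"""Quarterly privilege review over a constructed account export.

Added example (not Cleared Systems' code). Field names, role names and the
90-day review window are assumptions for illustration.
"""
from datetime import date

PRIVILEGED_ROLES = {"domain-admin", "server-admin", "cui-share-admin"}
REVIEW_WINDOW_DAYS = 90          # assumption: quarterly privilege reviews
REVIEW_DATE = date(2024, 3, 1)   # constructed "today" for the review run

# Constructed sample export: one record per account (field names assumed).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": ["domain-admin"], "mfa": True,
     "terminated": None, "shared": False, "last_review": "2024-01-15",
     "cui_access": True},
    {"user": "bob", "enabled": True, "roles": ["user"], "mfa": False,
     "terminated": "2023-11-30", "shared": False, "last_review": "2023-06-01",
     "cui_access": False},
    {"user": "svc-backup", "enabled": True, "roles": ["server-admin"],
     "mfa": False, "terminated": None, "shared": True, "last_review": None,
     "cui_access": True},
    {"user": "carol", "enabled": True, "roles": ["user"], "mfa": False,
     "terminated": None, "shared": False, "last_review": "2024-02-01",
     "cui_access": True},
]


def review_account(acct, today):
    """Return the list of findings for one account (empty list if clean)."""
    findings = []

    # De-provisioning failure: a terminated user whose account is still enabled.
    if acct["terminated"] and acct["enabled"]:
        findings.append("terminated-but-enabled")

    privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))

    # MFA must cover privileged accounts and anything that touches CUI.
    if (privileged or acct["cui_access"]) and not acct["mfa"]:
        findings.append("mfa-missing")

    # Shared accounts defeat individual accountability in audit logs.
    if acct["shared"]:
        findings.append("shared-account")

    # Privileged access must be re-reviewed inside the review window.
    if privileged:
        if acct["last_review"] is None:
            findings.append("privilege-never-reviewed")
        else:
            age = (today - date.fromisoformat(acct["last_review"])).days
            if age > REVIEW_WINDOW_DAYS:
                findings.append("privilege-review-overdue")

    return findings


def run_review(accounts, today):
    """Map each account with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in run_review(ACCOUNTS, REVIEW_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```

Each finding maps to a remediation the passage already names: disable the account, enroll MFA, replace the shared account with individual ones, or record a fresh review date. Running the script on every export, and keeping the output, also produces the evidence an assessor asks for that reviews actually happen.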

Gap 4: Incident Response Plans That Have Never Been Tested

Nearly every organization we assess has an incident response plan. Very few of those organizations have tested it in the past twelve months. An untested plan is not a plan — it is a document that will fail under pressure at the worst possible moment.

Assessors look for evidence that IR plans are exercised through tabletop exercises or simulations, that roles and responsibilities are clearly assigned and understood, and that escalation paths and reporting timelines — particularly the 72-hour reporting requirement under DFARS 252.204-7012 — are operationally realistic. If your team cannot articulate what they would do in the first hour of a breach, your plan needs work.

How to close it: Schedule a tabletop exercise at least annually and document the results. Update your plan based on what breaks during the exercise. Ensure your IR plan explicitly addresses DFARS 252.204-7012 reporting obligations. If you need structured support, our regulatory vCISO services include incident response planning and exercise facilitation.

Gap 5: Third-Party and Supply Chain Risk Left Unmanaged

In the defense industrial base, your compliance posture is only as strong as the weakest link in your supply chain. Assessments consistently reveal that prime contractors and subcontractors have minimal visibility into the security practices of their vendors, managed service providers, and cloud platform suppliers.

Under CMMC and DFARS, flow-down requirements are explicit: CUI protections must extend to every subcontractor that handles covered data. But most organizations we assess have no formal vendor risk management process, no contractual security requirements flowing down to subs, and no ongoing monitoring of third-party access to sensitive systems.

How to close it: Build a vendor risk management program that includes security questionnaires, contractual data protection clauses, and periodic reviews for any third party with access to CUI or covered defense information. Our post on CUI compliance gaps experienced contractors overlook addresses supply chain exposure in detail.

Gap 6: Security Awareness Training That Does Not Change Behavior

Organizations frequently point to an annual security awareness training completion record as evidence of a mature program. Assessors are not impressed by completion rates alone. The relevant question is whether the training is actually changing employee behavior — and whether it covers the specific threats and obligations relevant to your regulatory environment.

In public sector environments, this means training must address CUI handling requirements, phishing and social engineering, insider threat indicators, and the specific obligations employees carry under frameworks like CMMC and ITAR. Generic, click-through annual training does not satisfy these requirements in any meaningful way.

How to close it: Move from compliance-driven training to behavior-driven training. Incorporate role-specific content, phishing simulations, and documented competency verification. Ensure training is updated when regulatory requirements change. Our compliance program development services include training program design tailored to your specific framework obligations.

Gap 7: No Continuous Monitoring — Only Point-in-Time Snapshots

Perhaps the most systemic gap we uncover is the absence of any continuous monitoring capability. Organizations prepare for assessments, pass them, and then revert to largely static security postures until the next review cycle. This approach is fundamentally incompatible with the threat environment federal contractors and public sector agencies operate in today.

NIST SP 800-171 Revision 3 has made this expectation even more explicit. Regulators and assessors want to see that you have ongoing visibility into your environment — through log monitoring, vulnerability scanning, configuration management, and anomaly detection — not just a clean snapshot taken during assessment week.

How to close it: Implement a continuous monitoring program that covers log aggregation, vulnerability management, and configuration baseline enforcement. Establish a regular cadence for reviewing findings and updating your POA&M. Our detailed breakdown of NIST SP 800-171 Revision 3 requirements explains what the updated standard demands from your monitoring posture.
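The configuration baseline enforcement and POA&M update cadence described above can be wired together so that drift found during monitoring lands on the POA&M automatically. The following Python script is an added example, not Cleared Systems' code or any particular scanner's output format: it compares a constructed per-host configuration snapshot against an approved baseline, treats a setting that was never collected as drift rather than silently passing it, and turns each deviation into a POA&M-style record with a due date driven by severity. The setting names, the severity mapping and the remediation windows are assumptions chosen for illustration.

```python
"""Configuration baseline drift check that emits POA&M-style findings.

Added example (not Cleared Systems' code). Setting keys, severities and
remediation windows are assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed approved baseline: expected value per setting (keys assumed).
BASELINE = {
    "ssh.password_auth": "no",
    "audit.log_forwarding": "enabled",
    "fips.mode": "enabled",
    "screen.lock_timeout_min": 15,
    "patch.max_age_days": 30,
}

# Assumed severity per setting; severity sets the remediation deadline.
SEVERITY = {
    "ssh.password_auth": "high",
    "audit.log_forwarding": "high",
    "fips.mode": "high",
    "screen.lock_timeout_min": "moderate",
    "patch.max_age_days": "moderate",
}
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}  # assumption

# Constructed snapshot as collected from one host in a monitoring cycle.
SNAPSHOT = {
    "host": "fs01",
    "collected": "2024-03-01",
    "settings": {
        "ssh.password_auth": "yes",
        "audit.log_forwarding": "enabled",
        "fips.mode": "enabled",
        "screen.lock_timeout_min": 60,
        # "patch.max_age_days" deliberately absent: a collection gap, which
        # must surface as a finding rather than pass by default.
    },
}

NOT_COLLECTED = "<not collected>"


def detect_drift(snapshot, baseline):
    """Return (setting, expected, actual) for each baseline item out of spec."""
    drift = []
    for key, expected in baseline.items():
        actual = snapshot["settings"].get(key, NOT_COLLECTED)
        if actual != expected:
            drift.append((key, expected, actual))
    return drift


def to_poam_items(snapshot, drift):
    """Convert drift tuples into POA&M-style records with severity-based due dates."""
    collected = date.fromisoformat(snapshot["collected"])
    items = []
    for key, expected, actual in drift:
        sev = SEVERITY.get(key, "low")
        due = collected + timedelta(days=REMEDIATION_DAYS[sev])
        items.append({
            "host": snapshot["host"],
            "control": key,
            "expected": expected,
            "actual": actual,
            "severity": sev,
            "opened": snapshot["collected"],
            "due": due.isoformat(),
        })
    return items


if __name__ == "__main__":
    for item in to_poam_items(SNAPSHOT, detect_drift(SNAPSHOT, BASELINE)):
        print(f"{item['host']} {item['control']}: expected {item['expected']!r}, "
              f"got {item['actual']!r} [{item['severity']}] due {item['due']}")
```

Two design points matter for the monitoring posture the passage describes. First, a missing measurement is itself a finding: the host either is not reporting or the collector is broken, and both break the "ongoing visibility" an assessor expects. Second, the due date is computed from the collection date, not the review meeting, so a POA&M entry cannot quietly age out because nobody looked at it until the next cycle.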

The Common Thread Across All Seven Gaps

These gaps share a common cause: compliance programs that were built to satisfy a single audit cycle rather than to function as operational security infrastructure. Organizations that close these gaps permanently share a different mindset — they treat cybersecurity as a continuous program, not a periodic project.

For organizations serving the federal and defense sector, the stakes are rising every year. CMMC enforcement is accelerating, DFARS scrutiny is increasing, and the consequences of a failed assessment — lost contracts, reputational damage, potential False Claims Act exposure — are severe enough to warrant sustained investment in getting this right.

Ready to Know Where You Actually Stand?

If your organization is preparing for a public sector cybersecurity assessment or wants to close known gaps before an assessor finds them, Cleared Systems can help. We offer structured gap assessments, compliance program development, and ongoing advisory support tailored to defense contractors, federal agencies, and regulated public sector entities. Request a quote today to speak with our team about where your program stands and what it will take to get assessment-ready — on a timeline that works for your contract schedule.
