StealthTech365

Most defense contractors approaching CMMC certification for the first time make the same mistake: they start building before they know what needs to be built. They implement security tools, draft policies, and begin SSP documentation — and only discover the real shape of their compliance gaps when an assessor arrives and finds controls that were documented but not implemented, or implemented but not documented, or simply absent.

A CMMC gap analysis prevents that outcome. It’s the diagnostic exercise that establishes what you actually have versus what CMMC requires, before you commit resources to fixing things in the wrong order, at the wrong depth, or in the wrong places. Done correctly, it’s the foundation of every other decision in the compliance program. Done poorly — or skipped entirely — it’s the reason organizations spend twice as long and twice as much reaching certification as they needed to.

This guide covers what a CMMC gap analysis involves, how to structure and execute one, what the output should look like, and how to use the findings to build a compliance program that reaches certification efficiently.

What a CMMC Gap Analysis Is and What It Isn’t

A CMMC gap analysis is a systematic evaluation of an organization’s current security posture against the specific requirements of the applicable CMMC level. For the vast majority of defense contractors, that means evaluating against all 110 practices in CMMC Level 2, which map directly to NIST SP 800-171 Revision 2. For each practice, the gap analysis determines whether the requirement is fully met, partially met, or not met — and documents the specific basis for that determination.

What a gap analysis is not is a paper review. This distinction is where the quality variation across gap analysis providers is most significant, and where the consequences of choosing the wrong provider are most painful. A gap analysis conducted through document review and stakeholder interviews produces a picture of what the organization believes about its own compliance posture. A gap analysis that combines document review and interviews with direct technical examination of systems, configurations, and processes produces a picture of what an assessor would actually find. These are different products with very different downstream value.

The difference shows up most clearly during the formal CMMC certification assessment. Organizations whose gap analyses were limited to documentation and self-reported status routinely discover during C3PAO assessments that controls they considered implemented don’t produce the evidence assessors require, or that implementations they considered complete have gaps that only became visible when someone actually looked at the system configurations. A gap analysis that finds these gaps early — when there’s time and budget to fix them — is worth many times its cost. One that misses them provides false confidence that’s worth less than nothing.


Why the Gap Analysis Comes Before Everything Else

The sequencing of a gap analysis at the beginning of the compliance program rather than partway through it is not arbitrary. The gap analysis output directly determines what gets built, in what order, and at what investment level. Starting implementation before that picture is clear produces three specific problems that recur consistently across defense contractors who skip or defer the gap analysis.

The first is misplaced resource allocation. Security tools get purchased and deployed for control areas that were already in reasonable shape, while fundamental gaps in higher-priority areas go unaddressed because no one had a complete picture of where the gaps actually were. The result is a compliance program that has invested heavily in incrementally improving something adequate while leaving something critical broken.

The second is incorrect prioritization. CMMC’s 110 practices don’t carry equal weight from an assessment standpoint. Some practices — particularly in the Access Control, Identification and Authentication, and Audit and Accountability domains — generate findings more frequently and carry more immediate assessment risk than others. Without a gap analysis that identifies where the organization actually stands, the prioritization that drives remediation sequencing is based on guesswork rather than evidence.

The third is timeline compression. Organizations that discover their real compliance gaps during assessment preparation — rather than at the beginning of the program — are always working under time pressure. Remediation efforts get rushed, evidence documentation gets assembled hastily, and the quality of both reflects it. A gap analysis conducted at program inception allows remediation to happen at the pace the work actually requires.

The Components of a Thorough CMMC Gap Analysis

A gap analysis that produces a genuinely reliable baseline covers four interconnected areas. Missing any one of them produces a picture with blind spots.

The first is scope verification. Before evaluating controls, the gap analysis needs to confirm that the assessment boundary is correctly defined — that the universe of systems, users, data flows, and vendor relationships being evaluated actually encompasses all the CUI-relevant infrastructure. A gap analysis conducted against an incomplete scope produces an incomplete gap picture. Systems that should be in scope but aren’t assessed will be found by the assessor, creating findings that weren’t on the remediation roadmap. The scoping work that precedes a gap analysis is itself a form of gap identification, and it’s one of the most valuable services a qualified compliance advisor provides. Our guide on how to scope your CMMC environment correctly covers this in full.

The second is documentation review. Existing security policies, procedures, the System Security Plan if one exists, network diagrams, system inventories, prior security assessments, and vendor contracts are all sources of information about the documented state of security controls. Documentation review tells you what the organization has formally described about its security posture — and comparing that to what the systems actually show is one of the most revealing exercises in the gap analysis.

The third is technical examination. This is where a gap analysis that actually functions as an assessment preview differs from one that doesn’t. Direct examination of system configurations, directory service settings, firewall rules, logging configurations, patch levels, vulnerability scan results, and access control implementations reveals what’s actually deployed rather than what’s described. When the technical examination and the documentation are consistent with each other, the gap analysis confirms that the control is genuinely implemented. When they diverge — policies that describe controls the technical configuration doesn’t enforce, configurations that implement controls the documentation doesn’t describe — the gap analysis surfaces exactly the discrepancies that a C3PAO assessor would find.

The fourth is personnel interviews. The interview component of a gap analysis evaluates whether the people responsible for security controls understand those responsibilities and can describe how they execute them. A well-configured MFA system administered by a person who doesn’t understand what accounts are covered, or what the exception process is, or what would happen if MFA failed — that’s an operational gap even if the technical implementation is correct. CMMC assessors probe personnel understanding in interviews, and a gap analysis that includes interview components reveals interview readiness alongside technical and documentation readiness.

How to Structure the Gap Analysis Against the 14 NIST SP 800-171 Domains

Organizing the gap analysis around the 14 NIST SP 800-171 control families provides a structure that maps directly to how assessors evaluate compliance and how the System Security Plan is organized. Working through each family systematically ensures coverage and produces output that’s immediately usable for remediation planning and SSP development.

Access Control is the right place to start, both because it contains the most practices — 22 of the 110 — and because access control findings are among the most frequent in formal CMMC assessments. The gap analysis in this domain examines how user access to CUI systems is provisioned and authorized, how least privilege is enforced in practice, how MFA is implemented and whether it covers all accounts including service accounts and privileged users, how remote access is controlled and monitored, and how access is revoked when users leave or change roles. The technical examination here involves directly querying directory services, reviewing conditional access policies, and examining privileged account configurations — because access control gaps that are invisible in documentation become immediately visible in the directory.

Identification and Authentication closely follows Access Control in assessment priority and gap frequency. The technical examination verifies that authentication mechanisms are implemented at the strength the requirements demand — that MFA is enforced at the system level rather than just made available, that password policies are configured to CMMC standards, and that authentication for network access to CUI systems meets the replay-resistance and complexity requirements the framework specifies.

Audit and Accountability is where organizations most consistently show the gap between having logging infrastructure and having a monitoring program. The gap analysis verifies not just that logs are being generated, but that they cover the events and systems required, that they’re protected against unauthorized modification and deletion, that they’re retained for the required period, and that there’s a documented, operational review process with records showing it actually happens. The last element — operational evidence of log review — is where most partial implementations fall short. The detailed controls breakdown in our guide on CMMC and NIST 800-171 critical controls covers each domain’s assessment focus areas.

Configuration Management examines whether in-scope systems are configured to documented baselines, whether those baselines meet security standards, and whether the change management process that governs system modifications is operational rather than theoretical. The technical examination compares deployed configurations against documented baselines system by system — and the discrepancies found in this comparison are frequently more numerous than organizations anticipate, particularly in environments where systems have been in production for years and accumulated undocumented configuration changes.
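The baseline comparison described above, as an added example (not the article's own tooling or any vendor product). It takes a documented baseline per system role and the settings each system actually reports, then classifies every discrepancy the way a gap analyst would record it: drifted from baseline, documented but absent, or present but never documented. A system whose role has no baseline at all is recorded as its own finding. The roles, settings and values are constructed for illustration; a real run would feed the same functions the output of a configuration collector.

```python
"""Configuration baseline comparison (added example, constructed data)."""

# Constructed documented baselines: role -> {setting: required value}.
BASELINE = {
    "cui-file-server": {
        "smb_signing_required": True,
        "password_min_length": 14,
        "audit_logon_events": "success,failure",
        "remote_desktop_enabled": False,
    },
    "engineering-workstation": {
        "disk_encryption": "enabled",
        "screen_lock_minutes": 15,
        "local_admin_users": [],
    },
}

# Constructed observations: what each in-scope system actually reports.
OBSERVED = {
    "fs01": {
        "role": "cui-file-server",
        "settings": {
            "smb_signing_required": True,
            "password_min_length": 8,          # drifted below the baseline
            "audit_logon_events": "success,failure",
            "remote_desktop_enabled": True,    # enabled for a "temporary" fix
            "legacy_ftp_enabled": True,        # never documented anywhere
        },
    },
    "ws02": {
        "role": "engineering-workstation",
        "settings": {"disk_encryption": "enabled", "screen_lock_minutes": 15},
    },
    # A role with no documented baseline: nothing to compare against.
    "lab03": {"role": "legacy-lab-host", "settings": {"disk_encryption": "disabled"}},
}


def compare_system(baseline, settings):
    """Return sorted (setting, kind, expected, actual) tuples for one system.

    kind: 'mismatch'     documented, but set to a different value
          'missing'      documented, but the system reports no such setting
          'undocumented' present on the system, absent from the baseline
    """
    findings = []
    for key, expected in baseline.items():
        if key not in settings:
            findings.append((key, "missing", expected, None))
        elif settings[key] != expected:
            findings.append((key, "mismatch", expected, settings[key]))
    for key, actual in settings.items():
        if key not in baseline:
            findings.append((key, "undocumented", None, actual))
    # Sort by setting name only; values may be of mixed types.
    return sorted(findings, key=lambda f: f[0])


def drift_report(baselines, observed):
    """Map system name -> findings. An undocumented role is itself a gap."""
    report = {}
    for name, data in observed.items():
        baseline = baselines.get(data["role"])
        if baseline is None:
            report[name] = [("*", "no-baseline", None, data["role"])]
        else:
            report[name] = compare_system(baseline, data["settings"])
    return report


def summarize(report):
    """Count findings by kind across all systems, for the roadmap roll-up."""
    counts = {}
    for findings in report.values():
        for _, kind, _, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for system, findings in drift_report(BASELINE, OBSERVED).items():
        for setting, kind, expected, actual in findings:
            print(f"{system:6} {kind:13} {setting:24} "
                  f"expected={expected!r} actual={actual!r}")
    print(summarize(drift_report(BASELINE, OBSERVED)))
```

The three discrepancy kinds matter separately: a mismatch is remediated on the system, a missing setting usually means the collector or the baseline is wrong, and an undocumented setting is a documentation gap that an assessor will treat as an unauthorized change until it is explained.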

Incident Response gap analysis evaluates whether the organization has a functional incident response capability — not just a plan document, but the personnel assignments, communication procedures, containment and recovery procedures, and tested capability to execute the response when an incident actually occurs. The DoD’s 72-hour cyber incident reporting requirement under DFARS 252.204-7012 is specifically evaluated — whether the organization knows what triggers reporting, who makes the report, and how the report is submitted.


Risk Assessment examines whether periodic risk assessments are actually conducted on a documented schedule, whether vulnerability scanning covers all in-scope systems with the frequency required, and whether findings from both activities connect to a remediation process with defined SLAs. Vulnerability scan results are among the most revealing technical artifacts in a gap analysis — they immediately surface unpatched systems, misconfigured services, and exposed vulnerabilities that represent both security risk and compliance findings.

The remaining eight domains — Physical Protection, Personnel Security, System and Communications Protection, System and Information Integrity, Maintenance, Media Protection, Awareness and Training, and Security Assessment — each receive proportional examination based on the complexity of their requirements in the specific environment. Smaller organizations with simple physical environments may have most Physical Protection requirements already met without formal investment. More complex environments with multiple facilities, government-furnished equipment, or operational technology will have more to examine in those domains.

What the Gap Analysis Output Should Contain

A gap analysis that produces genuinely useful output for compliance program planning contains several specific elements that lower-quality analyses omit.

A practice-by-practice status determination is the core output — for each of the 110 practices, a clear status: fully implemented, partially implemented, or not implemented. The not implemented and partially implemented categories need to be further described: what specifically is missing, what evidence would be needed to demonstrate the control, and what the implementation would require in terms of technology, process, or documentation.

An evidence adequacy assessment goes beyond implementation status to evaluate whether current implementations produce the documentation and evidence that would satisfy assessor scrutiny. A control can be technically implemented and still generate a finding if the evidence of implementation doesn’t meet assessor standards. Identifying this gap — the difference between having a control and being able to prove you have it — is one of the most valuable outputs a gap analysis provides, and one that self-conducted assessments most often miss.

A prioritized remediation roadmap organizes gap findings by risk priority and implementation dependency. Some gaps carry immediate assessment risk — they’re practices where a Not Met determination doesn’t qualify for POA&M treatment and would prevent certification. These need to be remediated before the assessment. Other gaps are significant but can be addressed through a POA&M for conditional certification. Still others are documentation gaps rather than implementation gaps, requiring less time and cost to close. A useful remediation roadmap sequences work based on these distinctions rather than addressing gaps in arbitrary order.
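The practice-by-practice register, evidence adequacy flag and prioritized roadmap from the three paragraphs above, as one added example (not the article's or any vendor's tooling). Each record carries the status, whether the evidence would satisfy an assessor, the kind of gap, whether the practice may be carried on a POA&M, and which other practices must be closed first. The POA&M eligibility flag is an input supplied by the assessor-calibrated review; the values below, like the statuses and dependencies, are constructed for illustration and are not a statement of which NIST SP 800-171 requirements actually qualify. The roadmap orders work by assessment risk while never scheduling a practice before the practices it depends on.

```python
"""Gap register and prioritized remediation roadmap (added example, constructed data)."""
import heapq
from collections import defaultdict

# Constructed sample register. Identifiers are NIST SP 800-171 requirement numbers;
# every status, flag and dependency here is illustrative only.
PRACTICES = [
    {"id": "3.1.1",  "domain": "AC", "status": "implemented", "evidence_adequate": True,
     "gap_type": None,            "poam_eligible": False, "depends_on": []},
    {"id": "3.5.3",  "domain": "IA", "status": "partial",     "evidence_adequate": False,
     "gap_type": "technology",    "poam_eligible": False, "depends_on": []},
    {"id": "3.3.1",  "domain": "AU", "status": "partial",     "evidence_adequate": False,
     "gap_type": "technology",    "poam_eligible": True,  "depends_on": []},
    {"id": "3.3.3",  "domain": "AU", "status": "not_met",     "evidence_adequate": False,
     "gap_type": "process",       "poam_eligible": True,  "depends_on": ["3.3.1"]},
    {"id": "3.11.2", "domain": "RA", "status": "implemented", "evidence_adequate": False,
     "gap_type": "documentation", "poam_eligible": True,  "depends_on": []},
    {"id": "3.12.4", "domain": "CA", "status": "partial",     "evidence_adequate": False,
     "gap_type": "documentation", "poam_eligible": False, "depends_on": ["3.5.3", "3.3.1"]},
]


def tier(p):
    """Assessment-risk tier for one practice, following the article's distinctions.

    1    gap on a practice that cannot ride on a POA&M: must close before assessment
    2    implementation gap (technology/process) that a POA&M can carry
    3    documentation or evidence gap only: control exists, proof does not
    None no gap
    """
    if p["status"] == "implemented" and p["evidence_adequate"]:
        return None
    if p["status"] != "implemented" and not p["poam_eligible"]:
        return 1
    if p["status"] != "implemented" and p["gap_type"] in ("technology", "process"):
        return 2
    return 3


def roadmap(practices):
    """Order open practices by (tier, id), respecting depends_on (Kahn's algorithm
    with a priority heap). Returns (id, tier, gap_type) tuples."""
    open_items = {p["id"]: p for p in practices if tier(p) is not None}
    indeg = {pid: 0 for pid in open_items}
    dependents = defaultdict(list)
    for pid, p in open_items.items():
        for dep in p["depends_on"]:
            if dep in open_items:          # closed dependencies impose no wait
                indeg[pid] += 1
                dependents[dep].append(pid)
    heap = [(tier(open_items[pid]), pid) for pid, d in indeg.items() if d == 0]
    heapq.heapify(heap)
    order = []
    while heap:
        t, pid = heapq.heappop(heap)
        order.append((pid, t, open_items[pid]["gap_type"]))
        for nxt in dependents[pid]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                heapq.heappush(heap, (tier(open_items[nxt]), nxt))
    if len(order) != len(open_items):
        raise ValueError("dependency cycle in register")
    return order


def domain_summary(practices):
    """Per-domain counts, including 'implemented but cannot prove it'."""
    summary = defaultdict(lambda: {"implemented": 0, "partial": 0,
                                   "not_met": 0, "evidence_gap": 0})
    for p in practices:
        summary[p["domain"]][p["status"]] += 1
        if p["status"] == "implemented" and not p["evidence_adequate"]:
            summary[p["domain"]]["evidence_gap"] += 1
    return dict(summary)


if __name__ == "__main__":
    for pid, t, gap in roadmap(PRACTICES):
        print(f"tier {t}  {pid:7} {gap}")
    print(domain_summary(PRACTICES))
```

Note how 3.12.4 (the SSP) sorts to the front once its dependencies are cleared even though its gap is "only" documentation: it is not POA&M-eligible in this constructed register, so it blocks certification regardless of how cheap it is to fix. Effort (the gap type) and assessment risk (the tier) are deliberately kept as separate columns.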

A resource and timeline estimate connects the remediation roadmap to the practical planning questions leadership needs to answer: how long will this take, and what will it cost? Estimates at the domain level — technology investment required, staffing or consulting time required, expected remediation timeline for each significant gap — provide the inputs for compliance program budgeting and timeline planning. Our piece on how long it actually takes to become CMMC compliant provides context for how these estimates typically translate into overall program timelines.

A vendor and third-party assessment supplements the internal gap analysis with an evaluation of the vendor relationships within the CUI environment — MSPs with privileged access, cloud providers hosting CUI, software tools handling sensitive data — and the compliance implications of those relationships. Gaps in vendor security posture, vendor access controls, and vendor contract terms are gaps in the organization’s compliance posture, and they need to appear in the gap analysis output to be addressable in the remediation plan. Our guide on how third-party vendors affect your CMMC compliance covers the vendor dimension of gap analysis in detail.

Conducting the Gap Analysis: Internal vs. External

Organizations approaching their first CMMC gap analysis face a decision about whether to conduct it internally or engage an external provider. Both approaches have legitimate use cases, but the limitations of the internal approach are specific and worth understanding.

An internal gap analysis conducted by IT or security staff who know the environment can move quickly and cheaply. Staff familiarity with the environment means less time is needed to understand the architecture, identify the relevant systems, and locate the documentation that describes current controls. For organizations that want a preliminary picture of their compliance posture before engaging external resources, an internal gap analysis provides a useful starting point.

The limitation of the internal approach is the same in every organization: the people who know the environment also have assumptions about it that an external evaluator doesn’t share. They know what controls were intended when systems were configured, and those intentions color how they interpret what they see. They’re accustomed to the inconsistencies in the environment and have stopped noticing them. And critically, they don’t know what an assessor would look for when evaluating each control — so they can’t calibrate whether current implementations would satisfy assessor standards.

A vCIO or qualified external compliance advisor brings the outsider perspective and assessment experience that internal teams lack. The combination of an internal preliminary review for environmental orientation and an external gap analysis for assessor-calibrated evaluation often produces the most efficient path — the internal review orients the external evaluator quickly, and the external evaluator brings the assessment lens that calibrates findings against the standard that ultimately matters.

For organizations using managed IT services providers, the gap analysis also needs to include an evaluation of the managed provider’s activities within the CUI environment — whether their configurations meet the documented baselines, whether their access controls meet the requirements applicable to vendors with CUI system access, and whether their documentation of in-scope activities feeds the organization’s compliance program appropriately.

Common Gap Analysis Findings Across the Defense Industrial Base

Certain findings appear so consistently across defense contractor gap analyses that anticipating them allows organizations to investigate these areas with particular attention before the formal gap analysis begins.

MFA enforcement gaps are the most universal finding. Organizations have MFA deployed but not enforced for service accounts, shared accounts, or privileged users. The policy says MFA is required; the directory service shows accounts without it. The gap analysis technical examination surfaces the difference.
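The directory-versus-policy comparison described here, and the directory examination in the Access Control and Identification and Authentication sections above, as one added example (not the article's own tooling). It reads a constructed account export in the shape an identity-provider report might be saved as CSV (the column names are assumed), reports every enabled account the policy says must use MFA but the directory says does not, and separates "registered but not enforced" from "no MFA at all", since the former is exactly the available-but-not-enforced state the framework does not accept. It also lists enabled accounts that have not signed in for longer than an assumed idle threshold, the revocation gap the Access Control passage mentions.

```python
"""MFA coverage and dormant-account check against a directory export (added example)."""
import csv
import io

# Constructed export. Column names are an assumption, not any product's schema.
DIRECTORY_EXPORT = """\
account,type,enabled,mfa_registered,mfa_enforced,last_logon_days
jsmith,user,true,true,true,2
svc-backup,service,true,false,false,0
admin-dba,privileged,true,true,false,5
shared-reception,shared,true,false,false,1
tcontractor,user,false,false,false,400
mlee,user,true,true,false,12
rgarcia,user,true,true,true,120
"""


def parse_export(text):
    """Turn the CSV export into typed records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"],
            "type": row["type"],
            "enabled": row["enabled"].lower() == "true",
            "mfa_registered": row["mfa_registered"].lower() == "true",
            "mfa_enforced": row["mfa_enforced"].lower() == "true",
            "last_logon_days": int(row["last_logon_days"]),
        })
    return rows


def mfa_gaps(accounts, policy_covers=("user", "privileged", "service", "shared")):
    """Enabled accounts the policy covers but the directory does not enforce MFA for.

    finding: 'registered_not_enforced'  MFA is available to the account, not required
             'no_mfa'                   nothing registered, nothing enforced
    """
    gaps = []
    for a in accounts:
        if not a["enabled"] or a["type"] not in policy_covers or a["mfa_enforced"]:
            continue
        kind = "registered_not_enforced" if a["mfa_registered"] else "no_mfa"
        gaps.append({"account": a["account"], "type": a["type"], "finding": kind})
    return gaps


def dormant_accounts(accounts, max_idle_days=90):
    """Enabled accounts idle longer than the (assumed) threshold: revocation gaps."""
    return sorted(a["account"] for a in accounts
                  if a["enabled"] and a["last_logon_days"] > max_idle_days)


def coverage_by_type(accounts):
    """type -> (enforced, enabled) so the roadmap can state coverage per account class."""
    totals = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        t = totals.setdefault(a["type"], [0, 0])
        t[1] += 1
        if a["mfa_enforced"]:
            t[0] += 1
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    accts = parse_export(DIRECTORY_EXPORT)
    for g in mfa_gaps(accts):
        print(f"{g['account']:18} {g['type']:11} {g['finding']}")
    print("dormant:", dormant_accounts(accts))
    print("coverage:", coverage_by_type(accts))
```

Disabled accounts are skipped on purpose: they are not an MFA gap, but a disabled account that was never removed belongs in the access-review findings, which a separate check would report.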

Audit log review operates as an aspiration rather than a practice. Logs are generated and stored, but the documented review process doesn’t have records showing it’s been executed. The gap analysis asks for those records and they either don’t exist or are so sporadic they don’t establish the continuous operation the requirement expects.

Vulnerability remediation lacks defined SLAs and tracking. Scans happen, findings are reported, but there’s no documented SLA governing how quickly findings at different severity levels need to be remediated, and no evidence that the SLA is being followed even informally.
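The two operational-evidence checks from the previous two paragraphs, as one added example (not the article's own tooling): does the log review record show continuous operation, and are vulnerability findings closed within the SLA? Both are date arithmetic over records the gap analyst asks for. The review dates, the findings, the weekly cadence with its grace period and the SLA days per severity are all constructed or assumed for illustration; the page sets no particular numbers.

```python
"""Operational evidence checks: review cadence and remediation SLAs (added example)."""
from datetime import date, timedelta

# Constructed log-review records (dates a reviewer signed off). Weekly is assumed.
REVIEW_RECORDS = [date(2024, 1, 3), date(2024, 1, 10), date(2024, 1, 17),
                  date(2024, 2, 21), date(2024, 2, 28), date(2024, 3, 6)]

# Assumed SLA, days from discovery to remediation by severity (not from the article).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed scan findings; closed=None means still open.
FINDINGS = [
    {"id": "F-1", "host": "fs01",  "severity": "critical", "found": date(2024, 2, 1),  "closed": date(2024, 2, 10)},
    {"id": "F-2", "host": "fs01",  "severity": "high",     "found": date(2024, 1, 5),  "closed": None},
    {"id": "F-3", "host": "ws02",  "severity": "medium",   "found": date(2024, 1, 20), "closed": date(2024, 3, 1)},
    {"id": "F-4", "host": "lab03", "severity": "high",     "found": date(2024, 3, 10), "closed": None},
]


def review_cadence_gaps(records, max_interval_days, period_end):
    """Intervals between consecutive review records longer than allowed.

    Also checks the tail: a last review long before the end of the evidence
    period is a gap too. Returns (start, end, days) tuples."""
    dates = sorted(records)
    gaps = []
    for prev, cur in zip(dates, dates[1:]):
        delta = (cur - prev).days
        if delta > max_interval_days:
            gaps.append((prev, cur, delta))
    tail = (period_end - dates[-1]).days
    if tail > max_interval_days:
        gaps.append((dates[-1], period_end, tail))
    return gaps


def sla_status(findings, sla_days, as_of):
    """Classify each finding against its deadline as of a given date."""
    out = []
    for f in findings:
        deadline = f["found"] + timedelta(days=sla_days[f["severity"]])
        if f["closed"] is not None:
            state = "closed_late" if f["closed"] > deadline else "closed_on_time"
            over = (f["closed"] - deadline).days
        else:
            state = "overdue" if as_of > deadline else "open_within_sla"
            over = (as_of - deadline).days
        out.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                    "state": state, "days_over": max(over, 0)})
    return out


def sla_breach_count(findings, sla_days, as_of):
    """Findings currently overdue or closed late: the number that goes in the report."""
    return sum(1 for s in sla_status(findings, sla_days, as_of)
               if s["state"] in ("overdue", "closed_late"))


if __name__ == "__main__":
    end = date(2024, 3, 31)
    for start, stop, days in review_cadence_gaps(REVIEW_RECORDS, 9, end):
        print(f"no review record for {days} days: {start} -> {stop}")
    for s in sla_status(FINDINGS, SLA_DAYS, end):
        print(f"{s['id']} {s['host']:6} {s['severity']:8} {s['state']:16} over by {s['days_over']}d")
    print("breaches:", sla_breach_count(FINDINGS, SLA_DAYS, end))
```

The tail check is the one that catches "we used to do this": six tidy weekly sign-offs that stop a month before the evidence period ends do not establish continuous operation, and an assessor reads the record the same way.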

Vendor access is inadequately controlled. MSPs have broader access than their service function requires. Vendor accounts aren’t subject to the same MFA requirements as internal users. Vendor access isn’t reviewed on a defined schedule or revoked when projects complete.

The SSP, if one exists, doesn’t match the environment. It was accurate when written and hasn’t been updated as the environment evolved. Systems described in the SSP have been replaced. New systems not in the SSP are in production. Configurations the SSP describes have been changed.

These findings aren’t surprises — they’re the predictable output of environments that have been managed for operational efficiency rather than compliance continuity. The gap analysis that finds them early gives the compliance program the information it needs to address them before they become assessment findings.


Conclusion: The Gap Analysis Is the Investment That Makes Every Other Investment More Effective

A CMMC gap analysis done well is not an expense — it’s the decision that determines whether every subsequent compliance investment goes toward the right things at the right depth in the right sequence. Organizations that skip it spend more, take longer, and encounter more assessment findings than those that invest in an accurate, technically rigorous baseline before building their remediation program.

The output of a quality gap analysis — specific findings, evidence adequacy assessments, prioritized remediation roadmap, resource and timeline estimates — is the planning foundation that turns CMMC compliance from an overwhelming framework into a manageable program with a clear path to certification.

If your organization is planning its CMMC compliance journey, contact Stealth Technology Group today at (617) 903-5559 or visit the website to learn how modern cybersecurity infrastructure can accelerate your path toward certification readiness.
