<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=3018339815089949&amp;ev=PageView&amp;noscript=1">
CMMC Gap Analysis FAQs Blog Feature
Courtney Casey

By: Courtney Casey on September 15th, 2021

Print/Save as PDF

CMMC Gap Analysis FAQs

CMMC Compliance | NIST Compliance

Cybercrime and data theft pose threats in every sector of our lives, and the government and the military are no exception. That is why the Department of Defense (DOD) enacted the Cybersecurity Maturity Model Certification (CMMC) program in January 2020, which requires all organizations in the supply chain with the DOD to have their posture audited by an approved assessor.

Initially, all that was needed was word of mouth on how secure your data is, and you were good to do business with the DOD.

But things have changed.

You now have to prove that your information is secure and to what level (from 1-5). The score your organization receives determines whether or not you are a viable supplier to the DOD.

One way to achieve this is by doing a CMMC gap analysis.

We've helped many companies work through CMMC compliance and thought we'd share some of the common questions we get related to the gap analysis, and the answers to those. Things like: what it is, how much it costs, how it differs from CMMC audit, and best practices.

What is CMMC Gap Analysis?

Since CMMC compliance requires a perfect score, organizations should carry out a gap analysis to determine, in advance, how deficient they might be in terms of securing their data.

A CMMC gap analysis assesses the gap between your current cybersecurity level and what you need to improve to achieve CMMC compliance. CMMC has 171 controls spread through five maturity levels within the model, progressive from 1 to 5. Every contractor and subcontractor with the DOD must comply with the CMMC level specified in his contract.

Without a gap analysis, it is impossible to know the adjustments your company needs to make regarding data security to comply with the CMMC level specified in your contract.

We have yet to encounter a company that has all of the analysis requirements in place. In fact, many companies get a negative score on the first round since some of the requirements are weighted.

But don't worry. You'll be able to take action with the results of your gap analysis, therefore your score will improve as you work through the remediation plan.

🔎 Related: 3 Most Common Advanced Technologies Businesses Need For Their CMMC Remediation Plan

How Much Does a CMMC Gap Analysis Cost?

When doing a CMMC gap analysis, you are likely to incur different costs for preparation and for the analysis itself.

Small and medium-sized companies can expect to pay $6,000-$10,000 for a CMMC Level 3 gap analysis. But the cost will vary depending on the size of your company, the CMMC compliance level required, the complexity of your systems in handling Controlled Unclassified Information (CUI), and the number of sites or locations your business has.

Do We Have to Work With a Registered Provider Organization (RPO) or Registered Practitioner (RP)?

Although working with an RPO or RP is not mandatory, working with one has several advantages.

Registered Providers will help shorten your learning curve since they have been trained on CMMC compliance, and they know the ins and outs to help you avoid and deal with any apparent issues.

What's the Difference Between a CMMC Gap Analysis and a CMMC Audit?

A CMMC gap analysis helps you determine what you need to adjust to comply with your required CMMC compliance level and submit a self-assessment to the DOD.

Unlike a CMMC audit, you don't have to share the specific results of the gap analysis with any government entity or your vendor unless they require it. The gap analysis results are just for your personal use – to guide you on what needs to be remedied before a CMMC audit.

A CMMC audit assesses an organization's data security levels by an accredited CMMC third-party assessment company or Certified 3rd Party Audit Organization (C3PAO). It is an official assessment that certifies you as compliant or not.

Work With CMMC Professionals

Cybercrime and theft of sensitive military data prompted the DOD to put in place the CMMC program. The best way for you as a contractor or subcontractor with the DOD to achieve your contract's CMMC compliance level is to do a CMMC gap analysis.

We are a Registered Provider Organization with several Registered Practitioners on staff. We've helped countless businesses prepare for successful compliance. Contact us today for a CMMC gap analysis.


About Courtney Casey

In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.