What a Gap Analysis Actually Is
A CMMC gap analysis is an evaluation of your current security posture against all 110 NIST SP 800-171 controls. Someone — a consultant, an automated tool, or you yourself — reviews each control, determines whether you currently meet it, partially meet it, or don't meet it at all, and tells you what's missing.
The end result is a picture of your starting point: where you are today, where you need to be, and how far apart those two things are. It's not the certification itself — that comes later, from a C3PAO. A gap analysis is the diagnostic that tells you what to fix before you go in for the official assessment.
Think of it like a pre-inspection before putting your house on the market. You're finding the problems yourself so you can fix them before the official inspector shows up and turns them into deal-breakers.
What You Get at the End
A thorough gap analysis produces three deliverables that you'll use throughout your compliance journey:
A document showing each of the 110 NIST 800-171 controls marked as Met, Partially Met, or Not Met. This tells you exactly what's in place, what's partially in place, and what's missing entirely. It's organized by domain — Access Control, Incident Response, Configuration Management — so you can prioritize work by area.
Your estimated Supplier Performance Risk System score, based on your current control status. Each unmet control has a specific point deduction from a maximum of 110. Most companies starting from zero score somewhere between -50 and +50. Knowing your current score helps you set realistic targets and understand how much work the remediation phase represents.
A ranked list of what to fix, in what order. The best gap analysis reports prioritize by impact — which gaps cost you the most SPRS points, which ones are easiest to close, which ones require significant infrastructure changes. This becomes your project plan for the months of remediation work ahead.
Without a gap analysis, you're guessing at what needs to be fixed. And when you guess on cybersecurity remediation, you either spend money on the wrong things or miss the gaps that a C3PAO will find and fail you on.
What the Process Looks Like
A professional gap analysis typically follows this pattern, regardless of whether it's done by a consultant or a tool:
- Scoping interview: Understanding your environment — what systems exist, how data moves, what software you run, who has access to what.
- Network and system review: An examiner or assessor reviews your network diagrams, system inventories, and configurations. They're looking for evidence of controls being implemented, not just claimed.
- Policy and documentation review: Reviewing your existing written policies, procedures, and plans. Many controls require both technical implementation and documentation. Missing documentation fails the control even if the technical piece is in place.
- Staff interviews: Talking to the people who actually use the systems — the IT manager, the shop foreman who plugs in USB drives, the engineer who receives drawings. Real behavior sometimes differs from what the policy says.
- Report preparation: Compiling findings into the deliverables described above — control-by-control status, SPRS estimate, remediation roadmap.
For a 10–30 person company with a relatively contained environment, this process takes 2–4 weeks. For a 50–150 person company with multiple locations or complex data flows, 4–8 weeks is more realistic. Don't rush it — an incomplete gap analysis is worse than none, because it gives you false confidence.
Our readiness assessment gives you a preliminary picture of your gaps in 2 minutes. It's not as detailed as a full consultant engagement — but it tells you your biggest problem areas before you spend anything.
DIY vs Consultant vs MyCMMC
You have three realistic options for conducting your gap analysis. Here's an honest comparison of each:
Red Flags in a Gap Analysis Provider
There's a lot of noise in the CMMC consulting market right now. Before you pay anyone for a gap analysis, watch out for these warning signs:
A guarantee of compliance in 30 days is impossible for nearly every company. Level 2 certification requires implementing 110 controls, writing documentation, fixing infrastructure, and scheduling a C3PAO assessment. Anyone promising 30-day compliance is either lying or not doing real work.
If someone emails you a spreadsheet and calls it a gap analysis without ever looking at your actual network, systems, or configurations, that's not a gap analysis. It's a survey. A real gap analysis requires someone to actually verify what you have in place, not just take your word for it.
A gap analysis report that happens to recommend the exact security products the assessor sells is a conflict of interest, not independent advice. Your gap analysis should tell you what you need. Procurement is a separate decision.
A gap analysis for a machine shop is different from one for a software firm. If your assessor doesn't know what a DNC server is, doesn't understand ITAR, or has never worked in manufacturing, they're going to miss industry-specific CUI flows and scope your environment wrong. Ask for relevant experience before you engage anyone.
The free readiness assessment gives you a preliminary gap picture in 2 minutes. The CMMC Roadmap ($1,500) gives you a detailed control-by-control report with SPRS score estimate and prioritized remediation plan — for a fraction of what a consultant charges.
What a Gap Analysis Costs
The cost of a gap analysis varies based on who does it and the size/complexity of your environment:
- Self-assessment: Free, but requires significant internal time (typically 40–120 hours) and NIST 800-171 expertise. Results tend to be optimistic.
- MyCMMC free readiness check: Free, 2 minutes, gives you a preliminary picture of your major gaps — a good starting point before deciding on next steps.
- MyCMMC CMMC Roadmap: $1,500 depending on company size — a detailed control-by-control analysis with SPRS score estimate and prioritized remediation plan. Reviewed by a certified practitioner.
- CMMC consultant: $5,000–$25,000 depending on company size and complexity. Includes site visits, system review, and a formal report. Higher cost doesn't always mean higher quality — ask for credentials and references.
- CMMC-accredited Registered Practitioner: Ranges from $3,000–$15,000. An RP has formal CMMC training through the Cyber AB and is often a good middle ground between a generic consultant and a full C3PAO engagement.
The gap analysis is not where you want to cut corners — but it's also not where you need to spend $25,000. A well-structured preliminary assessment followed by a detailed roadmap from a practitioner-reviewed tool gets you most of what a consultant delivers for a fraction of the price. The $25K consultant makes sense for large, complex environments or when you need someone walking your shop floor in person.
For detailed cost information on the full CMMC compliance journey — not just the gap analysis — see the CMMC Cost Guide.
Frequently Asked Questions
A formal gap analysis is not technically required by CMMC — the regulation requires you to meet the controls and get assessed, not to conduct a specific pre-assessment study. But going into a C3PAO assessment without knowing where you stand is risky and expensive. A gap analysis tells you what to fix before you pay for the formal assessment. Skipping it is technically allowed but practically inadvisable.
A gap analysis is an internal or consulting exercise to identify where you stand against the 110 controls — your starting point before remediation. A formal CMMC assessment conducted by a C3PAO is the official certification process that results in a certification status filed with the DoD. Do the gap analysis first, fix your gaps, then schedule the C3PAO assessment.
The SPRS score is a numerical score from -203 to 110 representing your NIST 800-171 compliance. A gap analysis estimates your current score by evaluating which controls you meet. Each unmet control has a specific point deduction from 110. Most companies starting from zero score between -50 and +50. The goal is to close gaps, improve your score, and submit a positive score to SPRS before your C3PAO assessment.
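As an added example (not code from this page or from MyCMMC), the scoring and ranking described in the deliverables section and in this answer, in Python: an SPRS estimate from control statuses, a remediation list ranked by points recovered per hour of effort, and open gaps grouped by control family. The DoD assessment methodology weights each control 1, 3 or 5 points; the point values and effort hours in the sample below are constructed, as is the "partial counts as unmet" rule.

```python
from collections import Counter
from dataclasses import dataclass

MAX_SCORE = 110   # every control met (range stated on the page)
MIN_SCORE = -203  # every control unmet

# NIST SP 800-171 family prefixes used to group findings by domain
FAMILY = {"3.1": "Access Control", "3.3": "Audit and Accountability",
          "3.5": "Identification and Authentication",
          "3.8": "Media Protection", "3.12": "Security Assessment"}

@dataclass
class ControlFinding:
    control_id: str     # NIST SP 800-171 requirement number, e.g. "3.1.1"
    status: str         # "Met", "Partially Met" or "Not Met"
    points: int         # deduction if unmet (DoD methodology uses 1, 3 or 5)
    effort_hours: int   # estimated hours to remediate (constructed values)

def sprs_estimate(findings):
    """110 minus the deduction for every control not fully met, floored at -203.
    Assumption: 'Partially Met' is scored as unmet, the conservative reading."""
    deductions = sum(f.points for f in findings if f.status != "Met")
    return max(MIN_SCORE, MAX_SCORE - deductions)

def remediation_plan(findings):
    """Open gaps ranked by SPRS points recovered per hour of effort, best first;
    ties fall back to the control number so the order is stable."""
    open_gaps = [f for f in findings if f.status != "Met"]
    return sorted(open_gaps,
                  key=lambda f: (-f.points / max(f.effort_hours, 1), f.control_id))

def gaps_by_domain(findings):
    """Number of open gaps per control family, mirroring a domain-organised report."""
    family = lambda cid: FAMILY.get(cid.rsplit(".", 1)[0], "Other")
    return Counter(family(f.control_id) for f in findings if f.status != "Met")

# Constructed sample: a handful of findings, not a full 110-control assessment,
# so the score below is illustrative only. Real point values come from the
# DoD NIST SP 800-171 Assessment Methodology.
SAMPLE_FINDINGS = [
    ControlFinding("3.1.1", "Met", 5, 0),
    ControlFinding("3.3.1", "Partially Met", 5, 24),   # audit logs only on servers
    ControlFinding("3.5.3", "Not Met", 5, 40),         # no MFA
    ControlFinding("3.8.7", "Not Met", 1, 8),          # removable media unrestricted
    ControlFinding("3.12.4", "Not Met", 3, 16),        # no system security plan
]

if __name__ == "__main__":
    print("estimated SPRS score (sample only):", sprs_estimate(SAMPLE_FINDINGS))
    for f in remediation_plan(SAMPLE_FINDINGS):
        print(f"{f.control_id:7} {f.status:14} +{f.points} pts, ~{f.effort_hours}h")
    print(dict(gaps_by_domain(SAMPLE_FINDINGS)))
```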
Yes, technically. NIST 800-171 is public and you can work through each control yourself. The challenge is that self-assessments tend to be overly optimistic. The gap between a self-assessed score and a C3PAO-verified score is often 30–60 points — representing real remediation work you missed. If you self-assess, be brutally honest and have someone with cybersecurity expertise review your work.
Watch out for: guaranteed compliance in 30 days (impossible), guaranteed perfect scores before work is done, questionnaire-only assessments with no system review, and consultants who also sell the IT products they recommend. A good gap analysis provider is honest about what they find, even when the news is bad.
For a 10–30 person company with a simple environment, 2–4 weeks from kickoff to final report. For a 50–100 person company with multiple locations or complex data flows, 4–8 weeks is more realistic. Rushing produces unreliable results — and unreliable results produce expensive surprises during your C3PAO assessment.
Start With the Free Readiness Check
Get a preliminary picture of your gaps in 2 minutes. No consultant required. No commitment to anything beyond the next 2 minutes of your time.