
CMMC Gap Analysis FAQs

Cybercrime and data theft pose threats in every sector of our lives, and the government and the military are no exception. That is why the Department of Defense (DOD) enacted the Cybersecurity Maturity Model Certification (CMMC) program in January 2020, which requires all organizations in the DOD supply chain to verify their security posture.

In November 2021, the DOD updated CMMC with a 2.0 version. The new version is less complicated, going from five levels of maturity to three. The requirement for third-party audits has also been lessened.


What hasn’t changed is that whether through self-assessment or third-party audit, DOD suppliers are accountable for protecting the information that they gather and store, and compliance with CMMC will ultimately determine whether or not you are a viable supplier.

Despite the new streamlined version of CMMC, achieving compliance is still a formidable task and a gap analysis remains the best first step forward.

We've been helping many companies work through CMMC compliance and thought we'd share some of the common questions we get about the gap analysis, along with our answers.

What is a CMMC Gap Analysis?

A CMMC gap analysis assesses how your company measures up against the security controls detailed in NIST 800-171. Essentially, it identifies the gap between your current cybersecurity level and what you need to improve to achieve CMMC compliance.

[Figure: NIST Gap Analysis Discovery Example]

The CMMC level that every contractor and subcontractor must attain will be specified in their contract, as will specifics about exactly what is considered Controlled Unclassified Information (CUI).

Without a gap analysis, it is impossible to know the adjustments your company needs to make regarding data security to comply with the CMMC level specified in your contract. Additionally, a gap analysis will help you to limit the scope of compliance.

We have yet to encounter a company that has all of the NIST 800-171 requirements in place. In fact, many companies get a negative score on the first round since some of the requirements are weighted.

But don't worry. You'll be able to take action on the results of your gap analysis, and your score will improve as you work through the remediation plan.

How Much Does a CMMC Gap Analysis Cost?

When doing a CMMC gap analysis, you are likely to incur different costs for preparation and for the analysis itself.

Small and medium-sized companies can expect to pay $6,000-$10,000 for a CMMC Level 2 gap analysis. But the cost will vary depending on the size of your company, the CMMC compliance level required, the complexity of your systems in handling Controlled Unclassified Information (CUI), and the number of sites or locations your business has.

Do We Have to Work With a Registered Provider Organization (RPO) or Registered Practitioner (RP)?

Although working with an RPO or RP is not mandatory, working with one has several advantages.

Registered Providers will help shorten your learning curve since they have been trained on CMMC compliance, and they know the ins and outs to help you avoid and deal with any apparent issues.

What's the Difference Between a CMMC Gap Analysis and a CMMC Audit?

A CMMC gap analysis helps you determine what you need to adjust to comply with your required CMMC compliance level and submit a self-assessment to the DOD.

Unlike a CMMC audit, you don't have to share the specific results of the gap analysis with any government entity or your vendor unless they require it. The gap analysis results are just for your personal use – to guide you on what needs to be remedied before submitting a self-assessment or undergoing a CMMC third-party audit.

Most companies in the DOD supply chain will need to attain CMMC Level 2. Some of these companies will be able to verify compliance by submitting an annual self-assessment.

Within Level 2, some situations will require a third-party audit every third year. In a CMMC audit, an accredited CMMC third-party assessment company or Certified 3rd Party Audit Organization (C3PAO) assesses an organization's data security levels. It is an official assessment that certifies you as compliant or not.

Work With CMMC Professionals

Cybercrime and theft of sensitive military data prompted the DOD to put in place the CMMC program. The best way for you as a contractor or subcontractor with the DOD to achieve your contract's CMMC compliance level is to do a CMMC gap analysis.

We are a Registered Provider Organization with several Registered Practitioners on staff. We've helped countless businesses prepare for successful compliance. Contact us today for a CMMC gap analysis.

Note: This article was originally published in September 2021. It was updated in December 2021 to reflect CMMC 2.0 standards.
