Skip to content
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!


4 min read

Facilitated vs DIY CMMC Gap Analysis: Which is Better?

facilitated vs diy cmmc analysis

When you get started on your journey to Cybersecurity Maturity Model Compliance (CMMC), one of the first things that you’ll need to do is to perform a gap analysis.

A CMMC gap analysis lets you know where your security controls are good and where you have, well… gaps.

If you have expertise with NIST 800-171 security regulations along with a lot of extra time, then there’s no reason why you can’t do a DIY gap analysis, but many companies are finding that a facilitated gap analysis is more efficient and actually saves money in the long run.

Why Get Help With a CMMC Gap Analysis?

Imagine that you’re about to embark on a jungle trek. You’re an experienced hiker and you’ve got all the gear but… you’ve never been to the jungle before. You know that along the way you could encounter seen and unseen hazards – dangerous animals, treacherous paths, poisonous plants, insects carrying disease.

What will help immensely is a guide to show you the way.

A guide who knows the path, the pitfalls, and the shortcuts, and can get you where you want to go. Consider these reasons having a CMMC guide facilitate your gap analysis might be better in the long run than doing it yourself.

1. CMMC Isn’t Just About IT (Security Isn't Either)

In CMMC – and any comprehensive security strategy for that matter – there are both technical and non-technical controls. It’s easy to think about the “cyber” part of cyber security and the hardware and software tools that are used to put up barriers, monitor activity, and respond to potential incidents. Cyber security, however, is just as much about people and how they access networks and data, as it is about technology.

When you do your CMMC gap analysis, you’re going to need to delve into HR, training, and operations. That means that other people will be involved, and a facilitator can bring every person and each piece of the plan together. That takes the pressure off your internal team and gives you someone by your side who will bring expertise in both the technical and non-technical parts of security to the table.

2. Avoid the IT Management vs Security Conflict

It might not have occurred to you that the goals of IT management and security sometimes fight against each other.

IT management is concerned with keeping everything running and giving people easy access to the programs and data they need. When security wants to add extra steps or more structure to place limits on access, that’s when the conflict happens.

Related: 17 Foundational Cyber Security Measures Businesses Need

It’s unrealistic to expect your IT manager to forsake management for security. And if your IT department is small, they may not have the bandwidth or expertise needed to balance security and IT management.

Better to bring in a neutral facilitator who can lay all the options on the table, and call a spade a spade if there’s a practice or process that isn’t going to stand up to CMMC requirements or ongoing maintenance.

3. More Options and Objective Recommendations

Strategic cybersecurity isn’t accomplished with a checklist, and neither is CMMC compliance.

There’s going to be more than one way that you can carry out a security control. Add to that the need to provide two ways to validate that the control is in place and it becomes clear that more heads are better than one when it comes to thinking about all the options you have available.

Getting a list of options for security controls is one step -- choosing what’s best for your situation is next.

When you work with a CMMC consultant to facilitate your gap analysis, they’ll be able to give you recommendations that will best fit your IT environment so that you can create a Remediation Plan along with a realistic timeline for its implementation.

4. Put Boundaries Around Compliance

The first part of a gap analysis is determining where the Controlled Unclassified Information (CUI) is stored and how it’s transmitted. There isn’t anything to stop you from making your whole IT system and your entire organization CMMC compliant (and there isn’t anything bad about having a high level of security), but your whole organization may not be exposed to the same level of risk.

A facilitated gap analysis process can include recommendations on how you can focus compliance on just the data and people who are handling the CUI. These recommendations could include segmenting your network, encrypting email for communications, or setting up a secure file transfer system that eliminates the need for email at all.

5. Travel a Straight Path

There’s always a learning curve when you’re starting something new, and it’s going to be that way when you start down your path to CMMC compliance. The question is, can you afford the time it takes to learn and the inevitable missteps that may happen along the way?

When you have a CMMC consultant facilitate your gap analysis, it won’t be their first rodeo. They know what to do and can help you avoid taking any wrong turns that could result in putting your DoD contracts – and your business – in jeopardy.

📖 Related: Cybersecurity Maturity Model Certification (CMMC) Explained: How to Prepare for Successful CMMC Compliance

Have a CMMC Registered Practitioner Facilitate Your Gap Analysis

VC3 is a Registered Provider Organization for CMMC compliance. Our Registered Practitioners work with companies in the DoD supply chain to help them evaluate their current security status and guide them towards successful compliance.

Contact us to talk to a CMMC consultant today.

Let's talk about how VC3 can help you AIM higher.