
CMMC Gap Analysis FAQs

Cybercrime and data theft pose threats in every sector of our lives, and the government and the military are no exception. That is why the Department of Defense (DoD) enacted the Cybersecurity Maturity Model Certification (CMMC) program in January 2020 and refined it over the past five years until the Final Rule went into effect on December 16, 2024.

The CMMC Final Rule requires all organizations in the DoD supply chain to verify their security posture. Whether through self-assessment or third-party audit (depending on the requirement level for your business), DoD suppliers are accountable for protecting the information that they gather and store. Compliance with CMMC will ultimately determine whether or not you are a viable supplier.

[Image: the three CMMC 2.0 levels]

Achieving compliance is a formidable task, and a gap analysis remains the best first step forward.

We've been helping many companies work through CMMC compliance and thought we'd share some of the common questions we get related to the gap analysis—and give you some answers.

What is a CMMC Gap Analysis?

A CMMC gap analysis assesses how your company measures up against the security controls detailed in NIST 800-171. Essentially, it identifies the gap between your current cybersecurity level and what you need to improve to achieve CMMC compliance.

The CMMC level that every contractor and subcontractor must attain will be specified in their contract, as will specifics about exactly what is considered Controlled Unclassified Information (CUI).

Without a gap analysis, it is impossible to know the adjustments your company needs to make regarding data security to comply with the CMMC level specified in your contract. Additionally, a gap analysis will help you to limit the scope of compliance.

We have yet to encounter a company that has all of the NIST 800-171 requirements in place. In fact, many companies get a negative score on the first round since some of the requirements are weighted.

But don't worry. You'll be able to take action with the results of your gap analysis. Therefore, your score will improve as you work through your remediation plan.
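As an added illustration (not from the article), the following Python sketch shows why a weighted self-assessment score can start out negative and how working a remediation plan ordered by weight raises it fastest. It assumes the scoring rules of the NIST SP 800-171 DoD Assessment Methodology (110 points maximum, minus 5, 3 or 1 per unimplemented requirement); the requirement ids and weights in the sample are constructed placeholders, not the official weight table.

```python
# Added example: weighted NIST SP 800-171 self-assessment scoring.
# Assumption: DoD Assessment Methodology rules (110 max, deduct 5/3/1 per
# unmet requirement). Requirement ids below are constructed placeholders.
MAX_SCORE = 110          # every requirement implemented
VALID_WEIGHTS = {5, 3, 1}


def sprs_score(unmet):
    """Score for a list of (requirement_id, weight) tuples that are NOT met.

    Deductions are summed and subtracted from 110, so a company with many
    high-weight gaps ends up below zero on its first assessment.
    """
    for req_id, weight in unmet:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{req_id}: weight must be one of {VALID_WEIGHTS}")
    return MAX_SCORE - sum(weight for _, weight in unmet)


def remediation_order(unmet):
    """POA&M ordering: close the largest deductions first, ties by id."""
    return sorted(unmet, key=lambda item: (-item[1], item[0]))


def score_after(unmet, fixed_ids):
    """Projected score once the requirements in fixed_ids are implemented."""
    remaining = [item for item in unmet if item[0] not in fixed_ids]
    return sprs_score(remaining)


# Constructed sample: 20 gaps weighted 5, 5 weighted 3, 3 weighted 1 = 118 points.
SAMPLE_UNMET = (
    [(f"REQ-{i:02d}", 5) for i in range(1, 21)]
    + [(f"REQ-{i:02d}", 3) for i in range(21, 26)]
    + [(f"REQ-{i:02d}", 1) for i in range(26, 29)]
)

if __name__ == "__main__":
    print("initial score:", sprs_score(SAMPLE_UNMET))          # -8
    first_ten = {req_id for req_id, _ in remediation_order(SAMPLE_UNMET)[:10]}
    print("after closing top 10 gaps:", score_after(SAMPLE_UNMET, first_ten))  # 42
```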

🔎 Related: 3 Most Common Advanced Technologies Businesses Need For Their CMMC Remediation Plan

What is the gap analysis process and what deliverables can I expect?

A CMMC gap analysis is a collaborative assessment that gives you a clear understanding of how your current cybersecurity practices stack up against CMMC requirements. The process includes both technical and non-technical reviews—so participation from IT, HR, and department leaders is important.

Here’s a quick overview of the gap analysis process:

  1. Discovery & Data Collection
    Detail how your Controlled Unclassified Information (CUI) flows through your systems, review your security policies and past audit findings, and understand your current cybersecurity tools and architecture.
  2. Stakeholder Interviews
    Conduct interviews with your key staff—including IT employees, leadership, and department heads—to gather insights about your security practices, risks, and awareness across your organization.
  3. Security Evaluation
    Evaluate how well your current setup meets CMMC standards by identifying strengths and areas needing improvement.
  4. Gap Analysis
    Compare your current controls against compliance requirements using a structured checklist. From here, the analysis leads to tailored recommendations based on your organization’s goals and risk profile.

Important deliverables include:

  • A System Security Plan (SSP) – An SSP details where you meet or fall short of CMMC controls.
  • A Plan of Action & Milestones (POA&M) – This is a prioritized action plan to close your gaps.
  • An SPRS (Supplier Performance Risk System) Score – This is a required self-assessment score for government subcontractors.

How Much Does a CMMC Gap Analysis Cost?

When doing a CMMC gap analysis, you are likely to incur different costs for preparation and for the analysis itself.

Small and medium-sized companies can expect to pay $10,000-$20,000 for a CMMC Level 2 gap analysis. But the cost will vary depending on the size of your company, the CMMC compliance level required, the complexity of your systems in handling Controlled Unclassified Information (CUI), and the number of sites or locations your business has.

Do We Have to Work With a Registered Practitioner Organization (RPO) or Registered Practitioner (RP)?

Working with an RPO or RP is not mandatory, but it has several advantages.

Registered Practitioners will help shorten your learning curve: they have been trained on CMMC compliance, and they know the ins and outs of the process, so they can help you avoid or resolve issues as they appear.

What's the Difference Between a CMMC Gap Analysis and a CMMC Audit?

A CMMC gap analysis helps you determine what you need to adjust to comply with your required CMMC compliance level and submit a self-assessment to the DoD.

Unlike a CMMC audit, you don't have to share the specific results of the gap analysis with any government entity or your vendor unless they require it. The gap analysis results are for your internal use only – to guide you on what needs to be remedied before submitting a self-assessment or undergoing a CMMC third-party audit.

Most companies in the DoD supply chain will need to attain CMMC Level 2. Some of these companies will be able to verify compliance by submitting an annual self-assessment.

Within Level 2, some situations will require a third-party audit every three years. A CMMC audit is an assessment of an organization's data security performed by an accredited CMMC Third-Party Assessment Organization (C3PAO). It is an official assessment that certifies you as compliant or not.

Work With CMMC Professionals

Cybercrime and theft of sensitive military data prompted the DoD to put in place the CMMC program. The best way for you as a contractor or subcontractor with the DoD to achieve your contract's CMMC compliance level is to do a CMMC gap analysis.

We are a Registered Practitioner Organization with several Registered Practitioners on staff. We've helped countless businesses prepare for successful compliance. Contact us today for a CMMC gap analysis.

Note: This article was originally published in September 2021. It was updated in December 2021 to reflect CMMC 2.0 standards and updated again in May 2025 to account for the Final Rule.
