CMMC gap assessment: what to expect before you certify
A CMMC gap assessment is the difference between knowing you'll pass and hoping you will. Skip it, and the first time you find out where your company stands is when a CMMC Third-Party Assessor Organization (C3PAO) walks in for the real thing — and by then, every gap is a delay, every delay is a missed contract date, and every missed date is revenue you don't get back.
That's the whole point of the gap assessment. It moves the bad news up by ninety days, while you can still do something about it.
This post lays out what actually happens during a CMMC gap assessment, what it costs in time and money, what you should walk away with, and the mistakes most Defense Industrial Base (DIB) companies make before, during, and after. If you're a contracts director, GM, or owner at a small or mid-sized DoD supplier and you're trying to decide whether to schedule one, this is for you.
What a CMMC gap assessment actually is
A CMMC gap assessment is a structured review of your company against the controls you'll be measured on at your target Cybersecurity Maturity Model Certification (CMMC) level — usually Level 2, which maps to the 110 controls in NIST SP 800-171. The output is a written, evidence-backed list of where you meet the standard, where you don't, and what each gap will take to close.
It is not the certification. It is not a C3PAO assessment. It is the dress rehearsal you run before the real assessment, with a consultant or internal team that knows what auditors look for.
Here's the part most companies miss: a gap assessment isn't only about controls. It's about evidence. You can have multi-factor authentication (MFA) deployed across the company and still fail an audit because no one can produce the configuration export, the policy document, and the screenshot proving it was in place on the day in question. The gap assessment surfaces both kinds of gaps — the missing controls and the missing paper trail.
When you should run one
The honest answer: as soon as your contracts touch Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and at least six to nine months before your target certification date.
Why six to nine? Because the typical Level 2 gap assessment turns up between fifteen and forty open items — some technical (a missing logging configuration), some administrative (no incident response plan), some operational (employees who haven't completed required training). Closing all of them takes time, budget approval, and in many cases, a vendor or two. Six months is the floor. Nine is comfortable. Three months out is too late to do anything except show up and hope.
If you're already inside a ninety-day window and haven't run a gap assessment, the right play is to scope a focused one against the controls most likely to fail rather than skipping it entirely. Schedule a gap assessment call and we'll tell you whether it's still worth running on your timeline or whether the conversation should be about the next contract instead.
What happens during the assessment, step by step
Every consultant scopes their gap assessment a little differently, but a credible one will follow roughly this arc.
Scoping conversation. Before the work starts, you and the consultant agree on the boundary — which subsidiaries, which networks, which cloud tenants, which business units handle FCI or CUI. Get this wrong and you'll either over-pay (assessing systems that don't need it) or under-pay (missing systems that do). Most companies underestimate the boundary on the first pass.
Document review. The consultant pulls your existing System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies, procedures, network diagrams, asset inventories, and incident response plan. If you don't have an SSP yet, that's the first finding — and it's a big one.
Technical review. This is where the consultant looks at the actual configurations: identity and access management, MFA enforcement, logging and monitoring, encryption at rest and in transit, vulnerability management, patch cadence, mobile device management, and the endpoints that touch CUI. Expect to grant read-only access to your tenant or to sit with the consultant while they review screen-shares.
Interviews. A control isn't met because a tool exists. It's met because people use it consistently. The consultant will interview your IT lead, your Chief Information Security Officer (CISO) or equivalent, your HR contact, and often the CEO — yes, even the CEO — to confirm that the policies on paper match the practices in the field.
Findings and remediation roadmap. You walk away with a written report that lists every control, marks it Met / Partially Met / Not Met, cites the evidence (or lack of it), and recommends a specific remediation path with effort estimates. The good ones also prioritize: which gaps will fail you outright, which are scoreable deductions, which are paper-only fixes.
That's the deliverable. If a consultant offers you a green-yellow-red dashboard with no underlying control-by-control narrative, ask for the narrative. Without it, you can't act on the findings and your C3PAO can't trust them.
What it costs
A Level 2 gap assessment for a small to mid-sized DIB company typically runs between $7,500 and $25,000, depending on scope, headcount, number of locations, and how much pre-existing documentation you bring to the table. Companies with no SSP, no policies, and a sprawling cloud footprint anchor the high end. Companies with a tight CUI enclave and existing NIST SP 800-171 self-assessment work anchor the low end.
What does that buy you? At minimum: the written gap report, the remediation roadmap, and a debrief with leadership. The better engagements include a follow-up review thirty to sixty days in to validate that remediation is on track. Anything cheaper than $5,000 is almost certainly a checklist exercise, not an assessment, and you'll find out the difference when the C3PAO arrives.
For comparison, a failed C3PAO assessment costs you the assessment fee (typically $30,000 to $100,000+), the remediation cost you would have paid anyway, and — the line item that actually matters — the contract you didn't win because the cert wasn't ready in time. The gap assessment is the cheapest insurance in the entire CMMC budget.
The mistakes most companies make
Three patterns show up in nearly every engagement. Recognize them now and you'll save yourself a quarter.
They treat the gap assessment as a procurement exercise, not a leadership one. The CISO or IT director runs the request for proposal (RFP), picks the cheapest bid, and never loops the GM or owner in until the report lands. By then, the budget conversation about remediation gets ugly, fast. CMMC compliance is a business decision before it's a technical one — the people who own the contract should own the assessment.
They skip the evidence work. It's tempting to read the report, agree the gaps are real, and assign them to IT to "fix." That gets you controls in place but no evidence file. When the C3PAO asks how you know MFA was enforced on March 14th, "trust me" isn't a passing answer. Build the evidence repository alongside the remediation, not after.
They run the gap assessment once and stop. CMMC isn't a one-and-done project. It's compliance throughout the company's lifecycle. The controls that pass on the day of certification can drift in ninety days if no one is watching them. Treat the gap assessment as the start of an ongoing readiness program, not the finish line for the audit.
That third one is the most expensive mistake of the three, because it doesn't show up until the recertification cycle — by which point your team has moved on and the institutional memory of how you got certified has walked out the door.
What to ask before you sign with a consultant
Five questions separate consultants who know CMMC from consultants who know cybersecurity in general.
First: how many Level 2 gap assessments have you completed in the last twelve months, and can I talk to two of those clients? CMMC is recent enough that real reps matter.
Second: do you use a CMMC-AB-recognized methodology, and will the report be structured to map directly into a C3PAO's evidence review?
Third: who does the actual interviews and technical review — a senior assessor, or a junior body shop?
Fourth: what does your remediation handoff look like, and do you provide remediation services yourself or refer out? (Both are defensible; the conflict-of-interest math is different for each.)
Fifth: if I fail my C3PAO assessment within ninety days of your report, what do you do about it?
Get those answers in writing. The right consultant will welcome the questions; the wrong one will get cagey.
What you should walk away with
A credible CMMC gap assessment leaves you with three things: a clear-eyed understanding of your certification readiness, a prioritized roadmap your team can actually execute, and a defensible budget number you can take to the owner or the board. If you have all three, the C3PAO assessment becomes a verification step, not a discovery exercise. That's the goal.
If you're staring at a CMMC requirement on a contract and you're not sure where you stand, the next step isn't a Google search — it's a thirty-minute scoping conversation. Schedule your CMMC gap assessment call and we'll tell you, on that call, what scope makes sense for your company and what the realistic timeline looks like from where you sit today.
Frequently asked questions
How long does a CMMC gap assessment take?
A typical Level 2 CMMC gap assessment takes two to four weeks from kickoff to final report. Smaller companies with a tight CUI boundary can finish in seven to ten business days. Larger companies, multi-site environments, and companies with limited pre-existing documentation push closer to four weeks. The follow-up validation review, if included, adds another one to two weeks.
What's the difference between a CMMC gap assessment and a CMMC self-assessment?
A self-assessment is your company scoring itself against NIST SP 800-171 and submitting that score to the Supplier Performance Risk System (SPRS). A gap assessment is an independent third-party review that pressure-tests both the controls and the evidence behind them. Self-assessments are required; gap assessments are optional but cheap insurance against a failed C3PAO audit.
Can I do a CMMC gap assessment with internal staff instead of a consultant?
Yes, but with two caveats. Your internal team needs to know what a C3PAO actually looks for, which is different from what NIST SP 800-171 says on paper. And you need a reviewer who can be objective about controls they themselves are responsible for. If your IT director is graded on a control they also implement, the gap assessment loses its independence. For most small- and mid-sized DIB companies, the math favors an outside consultant for the gap assessment and an internal owner for the remediation.
Does a CMMC gap assessment guarantee I'll pass my C3PAO audit?
No. A gap assessment confirms readiness on the day of the assessment. Between then and the C3PAO audit, controls can drift, configurations can change, and personnel can turn over. The gap assessment plus a disciplined remediation and evidence program is what gets you to a passing audit — not the gap assessment alone.
What's a Plan of Action and Milestones (POA&M), and do I need one before the gap assessment?
A POA&M is a formal document listing open security weaknesses, the remediation plan, and the target completion date. You don't need one before the gap assessment — in fact, the gap assessment usually produces or updates your POA&M as one of its outputs. CMMC Level 2 allows a limited POA&M at certification, but only for specific lower-weighted controls and only with a 180-day closeout window.
How much does a CMMC gap assessment cost in 2026?
Expect $7,500 to $25,000 for a Level 2 gap assessment at a small to mid-sized DIB company. Pricing scales with scope, headcount, number of locations, and the maturity of your existing documentation. Anything under $5,000 is usually a checklist tool, not an assessment.