The CMMC gap assessment checklist: seven steps before your C3PAO shows up
A CMMC gap assessment tells you where your program stands against NIST SP 800-171 — which of the 110 controls are met, which are partial, and what the SPRS damage looks like if you filed today. This checklist walks through the seven steps. No vendor pitch at the end. Just the process.
What a CMMC gap assessment actually measures
A gap assessment is not an audit and it is not a certification. It is a control-by-control readiness picture against NIST SP 800-171 Rev 2 — the 110-control framework that CMMC Level 2 sits on top of. The output is a list of what is fully implemented, what is partially implemented, and what is not implemented at all, with the SPRS point value attached to each gap.
Vendors sometimes pitch gap assessments as the first step toward "compliance." That framing is technically correct and practically misleading. The gap assessment does not make you compliant. It shows you how far away you are, and gives you enough information to sequence the remediation without guessing. That is its job.
Before you start: thirty minutes of prep that saves weeks
Pull three things before you touch a single control:
- Your current SPRS score from SPRS.mil: log in, find your most recent self-assessment entry, and write down the number.
- Your most recent SSP, or an honest acknowledgment that one does not exist yet.
- A list of every system in your environment that touches, stores, processes, or transmits CUI.
Sixty percent of gap assessments stall in the first week because nobody had these ready. The scoping conversation turns into a documentation hunt, and the gap review does not actually start until week three.
Step 1 — Define your CUI boundary first
Scope is the single biggest cost lever in CMMC. Every system you include adds controls, evidence requirements, and remediation work. Every system you correctly exclude removes all of that. Run the scope conversation before you open the control spreadsheet.
The practical rule of thumb: if a system does not touch CUI and is not networked to something that does, it is out of scope. "Networked to something that does" is the part most teams undercount. A server that has no CUI on it but sits on the same network segment as your CUI-handling systems is in scope. A completely isolated guest Wi-Fi network is not.
For teams newer to CMMC Level 2 scope decisions, the Level 2 readiness guide covers the scoping criteria in more depth. Getting this wrong in either direction is expensive — over-scoping adds unnecessary remediation work, under-scoping surfaces problems at assessment day.
Step 2 — Pull your current SPRS score
Before you score a single control, log into SPRS.mil and record your current self-assessment score. This is your baseline. Whatever the gap assessment finds, you want a clear before/after picture when the remediation is complete.
SPRS scores are not static. A subcontractor we worked with logged in one week and found a score they did not recognize. Lower than what they had been reporting. They had been self-attesting against an old version of their assessment, and the prime's flow-down had updated requirements they never picked up. The lesson is not that SPRS is broken. The lesson is that your score reflects your last self-assessment — and if that assessment was done against the wrong version of the requirements, or against a scope that has since changed, the number is wrong.
Pull the number. Write it down. Then run the gap assessment against the current 110 NIST SP 800-171 Rev 2 controls. DFARS 252.204-7019 requires you to have a current, accurate SPRS score on file. That means the score needs to reflect your actual current state — not last year's optimistic read.
Step 3 — Work through all 110 controls: met, partial, or not met
Three columns per control: the control ID, your current status (met, partial, or not met), and whatever evidence exists right now. Work domain by domain, not randomly. The 17 domains in NIST SP 800-171 Rev 2 give you a natural grouping that maps to how your organization is actually structured.
"Partial" is the most important status to define clearly before you start. Partial means the control is in progress or implemented in some but not all required contexts — not that the intent is good but the documentation is thin. If you have MFA on your email but not on your VPN, AC.L2-3.1.12 is partial. If you have a password policy but it has never been enforced, that is not met.
The table below shows where SMBs in the DIB most commonly accumulate gaps. These are practitioner observations from DIB programs — not sourced statistics — but they are consistent enough to be useful as a prioritization guide.
| Control Domain | Controls | Typical Gap Rate | Most Frequent Issue |
|---|---|---|---|
| Access Control (AC) | 22 | High | Over-provisioned accounts, no MFA on CUI systems |
| Configuration Management (CM) | 9 | High | No baseline config docs, unmanaged software inventory |
| Identification & Authentication (IA) | 11 | Medium | Shared credentials, password policy gaps |
| Incident Response (IR) | 3 | High | No documented IR plan or testing record |
| System & Communications Protection (SC) | 16 | Medium | Unencrypted CUI in transit, boundary gaps |
| Audit & Accountability (AU) | 9 | Medium | Logging exists but nobody reviews it |
The Access Control domain has 22 controls and high gap rates for a consistent reason: it requires documented processes for account provisioning, deprovisioning, least privilege, and remote access — and most small DIB teams have implemented the technical controls informally without the documentation to prove it. The documentation gap is as real as the technical gap when an assessor shows up.
Step 4 — Score the SPRS impact for each open gap
Not all gaps hurt equally. Under the DoD Assessment Methodology, each of the 110 NIST SP 800-171 Rev 2 controls carries a point value of 1, 3, or 5 depending on severity. Add up the point values of your open controls and subtract the total from 110 to get your estimated SPRS score. (The DoD SPRS documentation has the full scoring methodology.)
This step matters because it tells you which gaps to close first. A missing AC.L2-3.1.1 (limiting system access to authorized users) is a 5-point hit. A missing AU control might be 1 point. If your program has 30 days before an assessment and a list of 15 open gaps, you want to close the high-point-value gaps first — even if the low-point ones are technically easier.
(If your SPRS score after this exercise is deeply negative, that is uncomfortable but not unusual for a first gap assessment. The programs that go into C3PAO assessment with clean scores did not skip this step — they ran it earlier and had more time to close gaps.)
Step 5 — Build your POA&M from the gap list
A POA&M is a tool, not a hiding place. It exists so you can enter an assessment with known gaps under a credible remediation plan — not so you can park 40 open controls with "in progress" as the status and hope nobody looks closely. Assessors look closely.
Each POA&M entry needs five things: the control ID, the owner (one person, not "IT"), the specific remediation action, the target close date, and the evidence you will produce when the action is complete. If the entry says "implement MFA" with no system name, no responsible person, and no date, that is not a POA&M entry — it is a to-do item in a spreadsheet.
For evidence design, the evidence collection guide covers what assessors look for by control family and how to structure your artifact repository so it is navigable without you in the room. Start that process alongside the POA&M build, not after it.
Step 6 — Assign one owner per gap. In writing. With a date.
Nine out of ten "we are behind on CMMC" calls trace back to the same problem: nobody owns the controls. The SSP says "IT." IT says "Compliance." Compliance says "the consultant." The consultant left in March. The assessor shows up in September.
We mapped a 120-person DIB shop's controls against their org chart once. About 40 percent of controls had no clear owner. Another 25 percent had two owners who each thought the other one was driving it. By the time the C3PAO assessment was scheduled, three months of remediation work had to be redone because nothing had been moving.
The fix is not sophisticated. Name a single owner per control — not a team, not a role, a specific person — in writing, with a date they agreed to. Put it in the SSP. Put it in the POA&M. Ownership without documentation is the same as no ownership when an assessor asks who is responsible for a control gap that has been open for six months.
If you are running CMMC on Sentinel or purpose-built CMMC compliance software, owner assignment should be in the tool — not in a separate spreadsheet that only one person can find.
Step 7 — Pressure-test your evidence for controls you marked met
This is where most gap assessments find the most uncomfortable surprises. A control is marked met. It has been met for eighteen months. The assessor asks for the evidence. Someone opens a folder and finds files named Screenshot 2024-08-12 at 9.43.07 AM.png. No control reference. No owner. No date stamp tied to the artifact. The screenshot is of a policy page in an internal wiki that has since been restructured.
That is not evidence. That is a screenshot with a helpful filename.
The pressure-test question is simple: can the assessor follow this evidence trail without me in the room? If the answer is "only if I explain it," it is not assessor-ready. Pull the source system log, not the screenshot. Link it to the control ID. Date it. Put the owner's name on it.
A gap assessment that only reviews open controls is half a gap assessment. The evidence review on your "met" controls often surfaces more remediation work than the gaps themselves. This is normal. Build the time for it.
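The seven steps above are a procedure that most teams end up running in a spreadsheet. The script below is an added example, not code from this article or from any CMMC tool: it takes the Step 3 control sheet (control ID, status, evidence on hand), produces the Step 4 SPRS estimate and the highest-point-first close order, checks POA&M entries against the five fields Step 5 requires and the single named owner Step 6 insists on, and lists "met" controls with nothing behind them for the Step 7 pressure test. Every control ID, point value (except AC.L2-3.1.1 = 5, which the article states), owner name, file path and date in it is constructed for illustration; real point values come from the DoD Assessment Methodology, and the example simplifies by giving a partial control no credit.

```python
"""Added example, not from the original article: score a Step 3 control sheet,
order open gaps by point value (Step 4), check POA&M entries (Steps 5 and 6),
and flag met controls with no evidence (Step 7). All sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110
STATUSES = ("met", "partial", "not met")

# Constructed sample point values. Only AC.L2-3.1.1 = 5 is stated in the
# article; look the rest up in the DoD Assessment Methodology before use.
POINT_VALUES: Dict[str, int] = {
    "AC.L2-3.1.1": 5,
    "AC.L2-3.1.12": 5,
    "CM.L2-3.4.1": 5,
    "AU.L2-3.3.3": 1,
    "IR.L2-3.6.1": 5,
    "SC.L2-3.13.8": 3,
}

# Owner values that name a team or nobody instead of a person (Step 6).
GENERIC_OWNERS = {"", "it", "compliance", "security", "the consultant", "tbd"}


@dataclass
class ControlRow:
    """One row of the Step 3 sheet: control ID, status, evidence on hand."""
    control_id: str
    status: str
    evidence: str = ""


@dataclass
class PoamEntry:
    """One Step 5 entry with the five things the article says it needs."""
    control_id: str
    owner: str
    action: str
    target_date: Optional[date]
    evidence_to_produce: str


def estimate_sprs(rows: List[ControlRow]) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (estimated SPRS score, open gaps ordered highest points first).

    Simplifying assumption: a partial control earns no credit, so it is
    deducted in full like a not-met control.
    """
    score = MAX_SCORE
    open_gaps: List[Tuple[str, int]] = []
    for row in rows:
        if row.status not in STATUSES:
            raise ValueError(f"{row.control_id}: unknown status {row.status!r}")
        if row.control_id not in POINT_VALUES:
            # Fail loudly rather than silently under-deducting a gap.
            raise KeyError(f"{row.control_id}: no point value on file")
        if row.status != "met":
            points = POINT_VALUES[row.control_id]
            score -= points
            open_gaps.append((row.control_id, points))
    # Close the 5-point gaps first; ties broken by control ID for a stable list.
    open_gaps.sort(key=lambda gap: (-gap[1], gap[0]))
    return score, open_gaps


def met_without_evidence(rows: List[ControlRow]) -> List[str]:
    """Controls marked met with nothing an assessor could follow (Step 7)."""
    return [r.control_id for r in rows if r.status == "met" and not r.evidence.strip()]


def poam_problems(entry: PoamEntry) -> List[str]:
    """Return the missing or weak fields; an empty list means the entry stands."""
    problems = []
    if not entry.control_id.strip():
        problems.append("no control ID")
    if entry.owner.strip().lower() in GENERIC_OWNERS:
        problems.append("owner is a team or blank, not a named person")
    if len(entry.action.split()) < 3:  # heuristic: "implement MFA" is a to-do, not a plan
        problems.append("remediation action too vague (name the system and the change)")
    if entry.target_date is None:
        problems.append("no target close date")
    if not entry.evidence_to_produce.strip():
        problems.append("no evidence named for closure")
    return problems


# Constructed sample sheet and POA&M for a first pass through the steps.
SAMPLE_ROWS = [
    ControlRow("AC.L2-3.1.1", "met", "evidence/AC.L2-3.1.1/ad-group-export-2025-01-10.csv"),
    ControlRow("AC.L2-3.1.12", "partial", "MFA on email only; VPN not yet enrolled"),
    ControlRow("CM.L2-3.4.1", "not met"),
    ControlRow("AU.L2-3.3.3", "not met"),
    ControlRow("IR.L2-3.6.1", "met", ""),  # marked met, nothing to show for it
    ControlRow("SC.L2-3.13.8", "met", "evidence/SC.L2-3.13.8/tls-config-2025-01-10.txt"),
]
SAMPLE_POAM = [
    PoamEntry("AC.L2-3.1.12", "J. Rivera", "Enforce MFA on the corporate VPN gateway",
              date(2025, 3, 31), "VPN policy export showing MFA required for all users"),
    PoamEntry("CM.L2-3.4.1", "IT", "implement baseline", None, ""),
]

if __name__ == "__main__":
    score, gaps = estimate_sprs(SAMPLE_ROWS)
    print(f"Estimated SPRS score: {score}")
    for control_id, points in gaps:
        print(f"  open: {control_id} ({points} pts)")
    print("Marked met, no evidence:", met_without_evidence(SAMPLE_ROWS))
    for entry in SAMPLE_POAM:
        print(entry.control_id, poam_problems(entry) or "ok")
```

Running it on the constructed sheet gives an estimate of 99 with the two 5-point gaps listed before the 1-point AU gap, flags IR.L2-3.6.1 as met-without-evidence, accepts the first POA&M entry and rejects the second on four counts (team as owner, vague action, no date, no closure evidence). Swapping the sample rows for your own sheet, and the point-value table for the real one, is the whole adaptation.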
What most gap assessments get wrong
Most CMMC consultants are good at gap assessments and bad at handoff. They build a detailed Day-1 picture — control statuses, SPRS scores, POA&M entries in a spreadsheet. Then they deliver a 300-row spreadsheet, close the engagement, and leave the program to the client's team to drive.
Three months later, the program has not moved. The spreadsheet has not been updated. The owners listed in the POA&M do not know they are listed. The spreadsheet looked comprehensive. The controls had no owners. By month three it was a very well-formatted list of things nobody was doing.
This is not a consultant problem — it is a tooling and operating rhythm problem. A gap assessment without a clear handoff to an ongoing operational process is a snapshot that starts going stale the day it is delivered. The fix is building the ownership, evidence, and remediation tracking into a system your team actually uses week to week — not a spreadsheet that nobody opens between consultant calls.
Honest numbers: how long this actually takes
For a 25–200 person DIB company with existing documentation and an IT team that knows the environment:
- Scoping and prep: 1–2 days
- Working through all 110 controls: 3–5 days for a focused team
- Scoring SPRS impact: 1 day
- Building the initial POA&M: 1–2 days
Total for a first gap assessment done properly: two to three weeks. Done ad hoc, with interruptions and without the prep work: six to eight weeks.
If your SSP does not exist yet, add two to four weeks to write one before the gap assessment is meaningful. The SSP is the document the assessor reads — if it does not exist, the gap assessment is describing a program that has not been written down anywhere.
The typical CMMC readiness window between starting a gap assessment and walking into a C3PAO assessment is 9 to 18 months. That number varies significantly based on how many gaps you find and how complex your environment is. The contractors who hit the low end of that range started the gap assessment early and treated it as an operating activity, not a one-time project.
Ready to run yours?
If you have been through this checklist and the gap list is longer than expected, that is not unusual. Most first-time gap assessments surface more than the team expected — especially in Access Control and Configuration Management.
The CMMC gap assessment advisory covers how we structure the assessment, what the deliverables look like, and what happens after the gap list exists. No spreadsheet-and-goodbye. The program has to keep moving after the assessment — that is what the advisory is built around.
Straight answers
- How long does a CMMC gap assessment take?
- For a 25–200 person DIB company with existing documentation, a focused gap assessment takes two to three weeks. If your SSP does not exist yet, add another month. The 110 controls take roughly three to five days to work through systematically. Most programs take longer because nobody owns the calendar.
- Can I run a CMMC gap assessment myself or do I need a consultant?
- You can run a gap assessment yourself — NIST SP 800-171 and the CMMC assessment guide are public documents. The risk is that you mark controls as met when the evidence would not hold up under C3PAO scrutiny. A consultant adds external pressure-testing. If you are doing your first assessment, getting an outside read on your evidence is worth the cost.
- What is the difference between a gap assessment and a C3PAO assessment?
- A gap assessment is internal — you or a consultant reviewing your controls against NIST SP 800-171 before a formal assessment. A C3PAO assessment is the third-party certification assessment required for most Level 2 contractors under CMMC Phase 2. Gap assessment first, C3PAO second.
- What should my SPRS score be before scheduling a C3PAO assessment?
- There is no minimum SPRS score required to schedule a C3PAO assessment. But if your score is significantly negative, the C3PAO will find the same gaps, and you will pay assessment fees to document problems you already knew about. Run a mock assessment 90 days out. Not 30. Ninety.
- What happens to controls I cannot close before assessment day?
- They go into your POA&M with a documented remediation plan and target date. CMMC allows assessors to certify programs with open POA&M items under specific conditions. The POA&M needs to be credible — real owners, real timelines, real evidence of progress. A POA&M that lists 40 open controls with "in progress" as the status is not going to hold.