CMMC gap assessment and NIST 800-171 gap analysis
A CMMC gap assessment translates your current security program into a control-by-control view of what is met, partial, or open against NIST SP 800-171 — the foundation of CMMC Level 2. Without a structured gap analysis, teams guess at readiness until a C3PAO assessor or prime contractor asks for proof.
Gap assessment vs. self-attestation
Submitting a SPRS score is not the same as understanding your gaps. A credible NIST SP 800-171 gap analysis documents how each of the 110 requirements is implemented, who owns it, what evidence exists, and what remains on the POA&M. Gap assessment is where readiness becomes legible to leadership and assessors.
What a structured gap analysis includes
- Assessment scope aligned to CUI boundaries and DFARS 252.204-7012 obligations.
- Practice-level status (MET / NOT MET / PARTIAL) with SPRS point impact (5, 3, or 1).
- Owner assignment per control family — not a single “IT owns security” blanket.
- POA&M entries with milestones, prohibited-control checks, and 180-day closeout awareness.
- SSP alignment — especially CA.L2-3.12.4, the score gate control.
Prioritizing remediation after the gap
Not all gaps are equal. High-weight controls, assessor focus areas, and dependencies between practices should drive sequence — not whichever ticket is loudest. After gap assessment, the next failure mode is remediation without evidence design. Pair gap closure with an evidence collection plan so proof exists when the C3PAO assessment starts.
Where software helps — and where it does not
Spreadsheets collapse at 110 controls with multiple owners and artifact types. Purpose-built CMMC compliance software should maintain a living gap view tied to remediation and evidence — not a static checklist exported once. Sentinel is being built for that operating loop as part of broader CMMC Level 2 readiness.
Turn gap assessment into an operating view.
Join early access to Sentinel: gap mapping, owners, and evidence in one CMMC Level 2 workflow.