CMMC Gap Assessment

CMMC Gap Assessment Services for Defense Contractors

A CMMC gap assessment is the critical first step toward certification — revealing exactly where your organization stands against the 110 NIST SP 800-171 security requirements and what must be fixed before your C3PAO arrives. Petronella Technology Group, Inc. delivers comprehensive gap assessments that produce accurate SPRS scores, risk-prioritized remediation roadmaps, and actionable plans that transform compliance gaps into a clear path to CMMC Level 2 certification.

BBB A+ Accredited Since 2003 | Founded 2002 | 2,500+ Clients | CMMC Registered Practitioner Organization

110-Control Analysis

Every NIST SP 800-171 requirement evaluated individually with objective evidence review, configuration inspection, and personnel interviews to determine implementation status and identify specific deficiencies.

Accurate SPRS Score

A validated Supplier Performance Risk System score calculated using the DoD's official methodology, replacing guesswork and inflated self-assessments with a defensible number you can submit with confidence.

Prioritized Roadmap

A risk-ranked remediation plan that addresses the most critical and exploitable gaps first, providing clear timelines, cost estimates, and resource requirements for achieving full CMMC Level 2 compliance.

4-6 Week Delivery

Comprehensive gap assessment completed within 4-6 weeks including CUI scoping, technical evaluation, policy review, personnel interviews, and delivery of the final gap report with remediation roadmap.

Why a CMMC Gap Assessment Is the Foundation of Certification Success

A CMMC gap assessment is not merely a compliance exercise — it is the diagnostic foundation upon which your entire certification strategy is built. Without an accurate, thorough assessment of your current security posture against the 110 NIST SP 800-171 requirements, organizations make costly mistakes: they over-invest in areas that are already compliant while neglecting critical deficiencies that will cause C3PAO assessment failures, they submit inaccurate SPRS scores that expose them to False Claims Act liability under the Department of Justice's Civil Cyber-Fraud Initiative, and they underestimate the time and budget required for remediation, leaving them unprepared when CMMC requirements appear in contract solicitations. Petronella Technology Group, Inc. has conducted hundreds of cybersecurity assessments for defense contractors throughout the Raleigh-Durham Research Triangle and across North Carolina, and our CMMC Registered Practitioners bring the specialized expertise required to evaluate your environment against the specific requirements and assessment methodology that C3PAO assessors will use during your formal certification evaluation.

The gap assessment begins with CUI scoping — identifying exactly which systems, networks, applications, personnel, and facilities handle Controlled Unclassified Information. This scoping exercise defines your assessment boundary, which is the perimeter within which all 110 NIST SP 800-171 requirements must be satisfied. Scoping errors are among the most expensive mistakes in CMMC preparation. Define the boundary too broadly, and you inflate remediation costs by bringing systems into scope that do not actually handle CUI. Define it too narrowly, and your C3PAO will identify CUI-handling systems outside your documented boundary, resulting in assessment findings and potential failure. Our scoping methodology follows the Cyber AB's assessment guidance and traces CUI from the point it enters your environment through every system, network segment, application, and storage location it touches, documenting the complete data lifecycle from receipt through processing, storage, transmission, and eventual destruction or return.

Once the assessment boundary is established, our CMMC Registered Practitioners evaluate each of the 110 security requirements through a combination of technical inspection, documentation review, and personnel interviews. For each requirement, we determine whether the control is fully implemented and operating effectively (MET), partially implemented with documented deficiencies (NOT MET with partial implementation), or not implemented (NOT MET). This three-tier classification provides far more actionable information than a simple pass/fail determination, because it allows us to distinguish between controls that need minor remediation and controls that require ground-up implementation. Technical evaluations include reviewing firewall configurations, testing multi-factor authentication enforcement, inspecting endpoint protection deployments, validating encryption implementations against FIPS 140-2 requirements, examining audit log collection and retention, and verifying network segmentation between CUI and non-CUI environments. Documentation reviews cover your existing policies, procedures, system security plans, and incident response plans. Personnel interviews confirm that staff understand their security responsibilities and can articulate how controls operate in practice — a critical element because C3PAO assessors routinely interview personnel as part of the formal assessment.

The gap assessment produces your accurate SPRS score, calculated using the DoD's official scoring methodology. Each of the 110 NIST SP 800-171 requirements carries a weighted value based on its security impact, and unimplemented requirements reduce your score by their assigned weight. A perfect score of 110 indicates full implementation of all requirements. A score of -203, the lowest possible, indicates no controls are implemented. Most organizations we assess fall somewhere between 20 and 80 on initial evaluation, with the score heavily influenced by whether the organization has previously invested in security infrastructure, formal policies, and NIST SP 800-171 compliance. Your SPRS score must be submitted to the Supplier Performance Risk System per DFARS clause 252.204-7019, and contracting officers review these scores during source selection. Under the Civil Cyber-Fraud Initiative, submitting a score that does not accurately reflect your actual implementation status constitutes a false claim and can trigger penalties including treble damages. Our gap assessment eliminates this risk by producing a rigorously validated score backed by documented evidence for every requirement.

Beyond the score, the gap assessment deliverable that drives your certification timeline is the risk-prioritized remediation roadmap. Not all gaps carry equal risk or require equal effort to close. Some deficiencies — such as the absence of multi-factor authentication or a failure to encrypt CUI in transit — represent critical vulnerabilities that are both highly exploitable and likely to result in assessment failure. Others, such as incomplete documentation of maintenance procedures or gaps in physical access logging, may be lower risk and faster to remediate. Our roadmap ranks every gap by risk severity and remediation complexity, groups related gaps into logical implementation phases, estimates the timeline and cost for each phase, and identifies dependencies between remediation activities. This structured approach allows organizations to begin closing the most critical gaps immediately while planning and budgeting for longer-term improvements. For organizations operating under budget constraints, the roadmap enables informed decisions about where to invest limited resources for maximum compliance impact. Organizations that have completed our gap assessment consistently report that the roadmap saved them months of wasted effort and tens of thousands of dollars in misdirected remediation spending compared to self-directed compliance efforts.

What Our CMMC Gap Assessment Covers

CUI Scoping & Data Flow Mapping
We identify every point where CUI enters your environment — email, file transfers, cloud platforms, removable media, physical documents — and trace its flow through your systems to every location where it is processed, stored, or transmitted. Data flow diagrams document CUI pathways across network segments, applications, and storage systems. We identify all personnel with CUI access, catalog external service providers that process CUI on your behalf, and document the physical facilities where CUI is accessed or stored. This comprehensive scoping exercise produces the assessment boundary documentation that C3PAO assessors require and ensures that no CUI-handling systems are inadvertently excluded from your compliance program.
Access Control (AC) Family — 22 Requirements
Access Control is the largest control family with 22 requirements governing who can access CUI systems and what they can do. We evaluate your implementation of account management, privilege restriction, remote access controls, wireless access restrictions, mobile device management, session controls, and information flow enforcement. Common gaps include excessive administrative privileges, lack of session timeout enforcement, absence of account lockout policies, failure to restrict remote access connections, and missing controls for CUI sharing with external parties. Our assessment examines Active Directory configurations, firewall rules, VPN settings, cloud access policies, mobile device management profiles, and physical access control systems to determine whether your access controls satisfy each requirement.
Identification & Authentication (IA) — 11 Requirements
Identification and Authentication requirements ensure that users and devices are verified before gaining access to CUI systems. We assess your multi-factor authentication deployment, password policies, device authentication mechanisms, and identifier management procedures. MFA is one of the most commonly deficient areas — many organizations have MFA for cloud applications but lack it for on-premises systems, VPN connections, or administrative access. We test every authentication pathway to CUI systems, verify that MFA is enforced (not just available), confirm password complexity and rotation policies meet NIST guidelines, and validate that service accounts and system identifiers are managed according to documented procedures. Replay-resistant authentication and cryptographic authentication for network access are also evaluated.
Audit & Accountability (AU) — 9 Requirements
Audit requirements mandate creating, protecting, retaining, and reviewing system audit records. We evaluate whether your systems generate audit logs for all required events including login attempts, file access, privilege changes, and configuration modifications. We verify that logs are protected from tampering and unauthorized deletion, retained for the required period, correlated across systems for comprehensive monitoring, and regularly reviewed by qualified personnel. Many organizations collect logs but fail to review them, or they lack centralized SIEM (Security Information and Event Management) solutions that correlate events across their environment. We also assess your alert and response procedures — whether anomalous events trigger notifications and whether your team has documented procedures for investigating alerts.
System & Communications Protection (SC) — 16 Requirements
System and Communications Protection covers network security, encryption, and data transmission controls. We evaluate boundary protection, network segmentation between CUI and non-CUI environments, encrypted communications, FIPS 140-2 validated cryptography for CUI at rest and in transit, denial-of-service protection, and session authenticity. This family frequently reveals significant gaps because many organizations have not implemented FIPS-validated encryption or have not properly segmented their CUI processing environment from their general corporate network. We test firewall configurations, VPN encryption settings, TLS implementations, disk and database encryption, email encryption for CUI transmission, and network architecture to determine whether CUI systems are adequately isolated. Cloud service configurations for GCC High and other FedRAMP environments are also assessed.
Policy, Procedure & Administrative Control Review
Technical controls alone are insufficient for CMMC Level 2 — C3PAO assessors expect documented policies and procedures that govern every control family. We review your existing policy library against NIST SP 800-171 requirements to identify missing, incomplete, or outdated documentation. Common deficiencies include absent incident response plans, incomplete configuration management procedures, missing media protection policies, inadequate personnel security screening procedures, and security awareness training programs that lack CMMC-specific content. We also evaluate whether your policies are actively enforced rather than merely documented — a critical distinction because assessors will verify that employees follow documented procedures in practice. For organizations lacking formal security policies, our assessment report includes a policy development checklist mapped to each control family, providing the template for building a complete policy library.
Physical Security & Facility Assessment
Physical Protection (PE) requirements mandate restricting physical access to CUI systems, equipment, and facilities. We assess badge access systems, visitor management procedures, server room access controls, security camera coverage, clean desk policies, and physical controls for removable media. For organizations with employees working remotely, we evaluate home office security measures and remote work policies related to CUI handling. Physical security is often overlooked in CMMC preparation efforts that focus primarily on technology, but C3PAO assessors dedicate time to physical facility inspection and will cite deficiencies in visitor logging, unauthorized access to server rooms, or inadequate destruction procedures for physical media containing CUI.
SPRS Score Calculation & Validation
Using the DoD's official NIST SP 800-171 Assessment Methodology, we calculate your accurate SPRS score based on the results of our gap analysis. Each unimplemented requirement reduces your score by its assigned weight — values of 1, 3, or 5 depending on the requirement's security significance. We compare our calculated score against any score you have previously submitted to SPRS and identify discrepancies. If your current submitted score is higher than our validated assessment, you face potential False Claims Act exposure that must be addressed. We provide detailed documentation supporting every scoring determination so you can update your SPRS submission with confidence and demonstrate to contracting officers that your score reflects genuine compliance effort rather than aspirational self-reporting.
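The SPRS scoring walked through above (and in the SPRS section earlier on this page), as an added Python example that is not Petronella Technology Group's own tooling: it applies the DoD methodology's deduction logic (perfect score 110, weights of 1, 3 or 5, and partial credit only for MFA 3.5.3 and FIPS cryptography 3.13.11, which deduct 3 rather than 5 when partially implemented, a rule taken from the methodology rather than from this page), ranks open gaps heaviest first, and flags a previously submitted score that is higher than the validated one. The requirement sample and its weights are constructed for illustration; a real assessment uses the methodology's full weight table.

```python
"""SPRS score calculator for a NIST SP 800-171 gap assessment (added example).

Score = 110 minus the weight (1, 3 or 5) of every requirement that is not
fully implemented.  The DoD Assessment Methodology grants partial credit for
only two requirements, 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography):
a documented partial implementation of either deducts 3 instead of 5.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203                               # every requirement NOT MET: 110 - 313
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}    # deduct 3 rather than 5 when partial


class Status(Enum):
    MET = "MET"
    PARTIAL = "NOT MET (partial implementation)"
    NOT_MET = "NOT MET"


@dataclass(frozen=True)
class Finding:
    req_id: str      # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int      # 1, 3 or 5 per the DoD Assessment Methodology
    status: Status

    def deduction(self) -> int:
        """Points this requirement removes from the perfect score of 110."""
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")
        if self.status is Status.MET:
            return 0
        if self.status is Status.PARTIAL and self.req_id in PARTIAL_CREDIT:
            return PARTIAL_CREDIT[self.req_id]
        # Every other partial implementation scores exactly like NOT MET.
        return self.weight


def sprs_score(findings: list[Finding]) -> int:
    """Validated SPRS score for the assessed requirements."""
    ids = [f.req_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement id in findings")
    score = MAX_SCORE - sum(f.deduction() for f in findings)
    assert MIN_SCORE <= score <= MAX_SCORE     # sanity check on the arithmetic
    return score


def remediation_order(findings: list[Finding]) -> list[str]:
    """Open gaps, heaviest deduction first, then by requirement number."""
    gaps = [f for f in findings if f.deduction() > 0]
    gaps.sort(key=lambda f: (-f.deduction(), tuple(int(x) for x in f.req_id.split("."))))
    return [f.req_id for f in gaps]


def compare_with_submitted(findings: list[Finding], submitted: int) -> dict:
    """Flag an existing SPRS submission that over-reports the validated score."""
    validated = sprs_score(findings)
    return {
        "validated": validated,
        "submitted": submitted,
        "overstated_by": max(0, submitted - validated),
        "needs_update": submitted != validated,
    }


# Constructed sample (not client data): a few requirements from the families above.
SAMPLE = [
    Finding("3.1.1", 5, Status.MET),          # AC: limit access to authorized users
    Finding("3.1.5", 3, Status.NOT_MET),      # AC: least privilege not enforced
    Finding("3.3.1", 5, Status.PARTIAL),      # AU: logs collected but never reviewed
    Finding("3.5.3", 5, Status.PARTIAL),      # IA: MFA for admins and remote users only
    Finding("3.13.11", 5, Status.PARTIAL),    # SC: encryption in use, not FIPS-validated
    Finding("3.7.1", 3, Status.MET),          # MA: maintenance controls in place
    Finding("3.10.3", 1, Status.NOT_MET),     # PE: visitors not escorted/logged
]

if __name__ == "__main__":
    print(sprs_score(SAMPLE), remediation_order(SAMPLE))
    print(compare_with_submitted(SAMPLE, submitted=110))
```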

Our CMMC Gap Assessment Process

1. Kickoff & CUI Scoping

We meet with your leadership and IT team to understand your business operations, identify where CUI enters and flows through your environment, and define the assessment boundary. We review your existing documentation including any prior self-assessments, SSP drafts, and current SPRS submissions. This phase establishes the scope and sets expectations for the assessment timeline.

2. Technical Evaluation & Evidence Collection

Our CMMC Registered Practitioners conduct hands-on technical evaluation of your systems, networks, and configurations. We inspect firewall rules, MFA enforcement, encryption implementations, endpoint protection, audit logging, network segmentation, and every other technical control within the assessment boundary. We collect objective evidence including screenshots, configuration exports, and test results for each requirement.

3. Policy Review & Personnel Interviews

We review your security policy library, procedures, training records, incident response plans, and administrative documentation against each control family's requirements. We interview key personnel including system administrators, security officers, HR, and management to verify that documented controls are understood and followed in practice — the same personnel who will face questions during your C3PAO assessment.

4. Gap Report & Remediation Roadmap Delivery

We compile our findings into a comprehensive gap report detailing the status of every requirement, your validated SPRS score, and a risk-prioritized remediation roadmap with timelines and cost estimates. We present the results to your leadership team, answer questions, and discuss remediation options including CUI enclave deployment, managed security services, and phased implementation approaches that align with your budget and contract timeline.

Why Choose Petronella Technology Group, Inc. for Your CMMC Gap Assessment

CMMC Registered Practitioners

Our assessments are conducted by CMMC Registered Practitioners who have completed the Cyber AB's training and credentialing requirements. They understand the assessment methodology, scoring criteria, and evidence standards that C3PAO assessors will apply during your formal certification evaluation, ensuring our gap analysis mirrors the real assessment experience.

Actionable, Not Academic

We do not deliver theoretical compliance reports that gather dust on a shelf. Every gap identified comes with a specific, actionable remediation recommendation including the technology, configuration, policy, or process change needed to close it. Our roadmaps include implementation effort estimates, cost ranges, and dependencies so you can plan and budget your remediation project with precision.

Deep NIST 800-171 Expertise

Our team has been implementing NIST SP 800-171 controls for defense contractors since the DFARS clause 252.204-7012 was first published. We understand not just what the requirements say, but what C3PAO assessors expect to see in practice. This nuanced understanding of assessment expectations means our gap analysis identifies deficiencies that less experienced firms would miss.

False Claims Act Protection

An inaccurate SPRS score exposes your organization to False Claims Act liability under the DoJ's Civil Cyber-Fraud Initiative. Our gap assessment produces a rigorously validated score with documented evidence supporting every determination, giving you confidence that your SPRS submission accurately reflects your compliance status and protecting your organization from legal exposure.

Seamless Remediation Path

When you are ready to move from assessment to remediation, Petronella Technology Group, Inc. provides the implementation services to close every gap — from technical control deployment and policy development to CUI enclave solutions and managed security services. One partner from assessment through certification eliminates handoff delays and knowledge loss between assessment and remediation teams.

Research Triangle Defense Focus

Headquartered in Raleigh and serving the Triangle's defense industrial base, we understand the unique needs of contractors operating near Fort Liberty, Research Triangle Park, and the NC defense corridor. Our local presence means on-site assessments with in-person facility inspections, not remote evaluations that miss physical security gaps your C3PAO will catch.

CMMC Gap Assessment FAQs

What is a CMMC gap assessment?
A CMMC gap assessment is a comprehensive evaluation of your organization's cybersecurity posture against the 110 NIST SP 800-171 security requirements that CMMC Level 2 demands. The assessment identifies which controls are fully implemented, partially implemented, or missing entirely, calculates your accurate SPRS score, and produces a prioritized remediation roadmap for achieving full compliance. Think of it as a diagnostic exam before the formal C3PAO certification assessment — it reveals exactly what needs to be fixed and provides the plan for fixing it. The gap assessment is always the first step in any responsible CMMC preparation engagement.
How is a gap assessment different from the C3PAO assessment?
A gap assessment is an internal or consultant-led evaluation conducted before the formal certification assessment. It identifies deficiencies so they can be fixed. The C3PAO assessment is the official, third-party evaluation conducted by a Cyber AB-authorized assessment organization that determines whether your organization receives CMMC Level 2 certification. The gap assessment is diagnostic and advisory; the C3PAO assessment is evaluative and determinative. You can conduct a gap assessment at any time, and as many times as you need. The C3PAO assessment results in a formal certification determination. Organizations that skip the gap assessment and proceed directly to C3PAO evaluation frequently fail, incurring reassessment costs and contract eligibility delays.
How long does a CMMC gap assessment take?
A comprehensive gap assessment typically takes 4-6 weeks from kickoff to final report delivery. The timeline depends on organizational size, number of systems within the assessment boundary, geographic distribution of facilities, and availability of key personnel for interviews. Smaller organizations with a single location and limited CUI scope can often be completed in 3-4 weeks. Larger organizations with multiple facilities, complex network architectures, and distributed CUI processing may require 6-8 weeks. The on-site technical evaluation portion typically requires 3-5 days of direct engagement, with the remainder dedicated to documentation review, analysis, SPRS scoring, and report preparation.
What do we receive after the gap assessment?
You receive a comprehensive gap report containing: assessment boundary documentation including CUI data flow diagrams; a requirement-by-requirement analysis of all 110 NIST SP 800-171 controls with implementation status, evidence notes, and specific deficiency descriptions; your validated SPRS score with supporting methodology; a risk-prioritized remediation roadmap with timelines, cost estimates, and resource requirements for each gap; and an executive summary suitable for presentation to leadership and board members. We also provide a findings presentation meeting where our assessors walk your team through the results, answer questions, and discuss remediation strategies and priorities.
How much does a CMMC gap assessment cost?
Gap assessment costs depend on organizational size, number of in-scope systems, number of facilities requiring on-site evaluation, and CUI scope complexity. For small to mid-size defense contractors with a single location, assessments typically range from $15,000 to $40,000. Larger or more complex organizations with multiple sites, diverse system environments, and extensive CUI processing may require $40,000 to $75,000. Petronella Technology Group, Inc. provides detailed, fixed-price proposals after an initial scoping conversation so you know exactly what the assessment will cost before committing. The gap assessment investment consistently saves organizations multiples of its cost by preventing misdirected remediation spending and False Claims Act exposure from inaccurate SPRS scores.
Do we need a gap assessment if we already have an SPRS score?
Yes, and this is especially important. Many organizations have submitted SPRS scores based on internal self-assessments that over-report compliance. Under the DoJ's Civil Cyber-Fraud Initiative, inaccurate SPRS scores can trigger False Claims Act penalties including treble damages. A professional gap assessment validates whether your submitted score accurately reflects your actual implementation status. If discrepancies exist, you can update your score and remediate deficiencies before a C3PAO or government investigator discovers them. Even if your score is accurate, a gap assessment provides the detailed remediation roadmap needed to systematically close remaining gaps and achieve the full score of 110 required for CMMC Level 2 certification.
Can the gap assessment be done remotely?
While technical evaluations of cloud systems and network configurations can be performed remotely, a thorough CMMC gap assessment requires on-site presence for physical security evaluation, facility inspection, and in-person personnel interviews. C3PAO assessors conduct on-site inspections during the formal assessment, so your gap assessment should mirror that approach to ensure no physical security deficiencies are missed. For organizations with multiple facilities, we prioritize on-site visits to locations where CUI is processed or stored. Petronella Technology Group, Inc.'s Raleigh headquarters enables easy on-site engagement for defense contractors throughout the Research Triangle, with travel available for organizations across North Carolina and the Southeast.
What should we prepare before the gap assessment?
To maximize the efficiency of your gap assessment, gather the following before our engagement begins: any existing System Security Plan or SSP draft; your current SPRS score and supporting documentation; network diagrams showing system architecture and CUI data flows; security policies and procedures you have already documented; a list of all systems, applications, and cloud services that process, store, or transmit CUI; your organizational chart identifying personnel with CUI access and security responsibilities; any prior audit reports, penetration test results, or vulnerability assessment findings; and your current DoD contracts identifying CUI categories and requirements. Do not worry if you lack some of these — identifying what is missing is part of the assessment. However, having available documentation ready accelerates the process and allows our assessors to focus evaluation time on areas that need the most attention.

Know Where You Stand Before Your C3PAO Arrives

A CMMC gap assessment eliminates the guesswork and risk from your certification journey. Petronella Technology Group, Inc.'s CMMC Registered Practitioners will evaluate your environment against all 110 requirements, calculate your accurate SPRS score, and deliver the remediation roadmap that transforms compliance gaps into a clear path to certification. Schedule your assessment today.

Petronella Technology Group, Inc. • 919-348-4912 • 5540 Centerview Dr., Suite 200, Raleigh, NC 27606 • BBB A+ Since 2003 • Founded 2002