Gap analysis.
Checking yourself against the objectives before anyone official does.
A gap analysis is nothing exotic: the same lens an assessor will eventually use — NIST SP 800-171A’s assessment objectives — applied by you, earlier, while findings are still cheap. This page describes what the exercise is and is not, the reference points that keep it honest, a sequence that works, and the traps that make self-checks read better than reality.
01What it is, and what it isn’t
A gap analysis is an internal comparison: the environment as it actually runs, held against the requirements as they are actually assessed. It produces a list of findings and, done honestly, a rough score. It does not produce a CMMC Status, it binds no assessor, and a good result is a prediction, not a promise — the determination that counts is made under DoD program authority, by a C3PAO or DIBCAC where certification applies, or through the formal self-assessment entered in SPRS.
What the exercise is genuinely for: finding the gaps while they cost a config change or a habit instead of a failed assessment; making the SSP true (writing implementation statements forces the discovery of what is actually implemented); and sizing the remaining work in a way that a calendar and a budget can absorb. Deficiency-tracking is itself a Level 2 requirement — 3.12.2 — so the habit this page describes is one the rule already expects to exist.
02The reference points
Three fixed points keep a self-check aligned with how the real thing behaves.
The objectives, not the requirement sentences. NIST SP 800-171A breaks each requirement into determination statements, and MET means every applicable objective behind the requirement is met — a requirement can read as done while one objective quietly fails. Checking at the objective level is most of what separates a useful gap analysis from a reassuring one. NIST SP 800-171A; 32 CFR 170.24(b)
The scoring methodology. Level 2 scores run from −203 to 110: every requirement starts granted, and unmet requirements subtract 1, 3, or 5 points by weight. A practice score locates you against the two lines that matter — 110 for Final, and the 88 floor that opens Conditional status. 32 CFR 170.24
The POA&M rules. Conditional status requires at least 88, every open item worth 1 point (with the single named 3-point exception, SC.L2-3.13.11), and none of the six categorically excluded requirements open — Evidence, SSP & POA&M carries the full mechanics. A gap analysis that sorts findings against these rules tells you not just how far from 110 you are, but whether the remaining gaps are even deferrable. At Level 1 the sorting is simpler and stricter: the same objectives apply (FCI substituted for CUI), and nothing is deferrable at all. 32 CFR 170.21(a); 170.15(c)(1)
03A sequence that works
- Fix the scope first. Findings against the wrong boundary are noise. The five asset categories, the enclave question, and the ESP relationships get settled before any requirement is checked — Scope & Boundary is the page to have open.
- Bring the SSP current. The comparison is practice-versus-plan; an out-of-date plan breaks the comparison. If the SSP is thin, writing the implementation statements is the first pass of the gap analysis (what an SSP typically contains).
- Walk the requirements against the objectives, naming evidence as you go. For each requirement: which objectives apply, and what artifact shows each one — a named ticket, a config export, a log, a roster. “Yes, we do that” without a nameable artifact is a finding, not a pass. The family pages’ What evidence may look like sections and each page’s at-a-glance box exist for exactly this step (Domains).
- Score it honestly. Apply the 1/3/5 weights and note which open items sit on the exclusion list or above 1 point — those are must-fix-first, whatever the total says.
- Sort the findings by what closing them takes. Config changes (fast, cheap, do now); habit gaps (a recurring calendar entry and an owner, then time for the record to accumulate); capital items (a FIPS-validated replacement, a segmentation project — the ones that need a budget line and a date).
- Sort them again by POA&M eligibility. The two sorts differ, and the difference is the plan: a 1-point habit gap can ride a POA&M into Conditional status; an excluded requirement cannot, however easy the fix looks.
- Re-run after remediation. The second pass is the one with predictive value — the first pass mostly measures surprise.
04The traps
Requirement-level optimism. Scoring at the requirement sentence instead of the objectives — the single most common way a self-check overstates reality. The fix is mechanical: check objectives, not vibes.
Paper controls. A policy that exists but isn’t practiced examines well and interviews badly. Assessors use three methods — examine, interview, test — precisely so documents alone can’t carry a determination (how assessors check). A self-check that only reads documents inherits the same blind spot.
N/A as a dodge. Not applicable is a real category with a real bar: the requirement genuinely cannot apply to the assessed environment. It scores as MET, which makes it tempting — and a wrong N/A surfaces at the worst possible time, in front of the people whose determination counts.
Treating the practice score as the answer. A self-scored 96 is a plan input — it says Conditional is plausibly in reach if the open items sort correctly. It is not a number to put in a proposal, and it moves the moment an assessor reads an objective differently than you did.
05At the shop
Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard’s practice self-assessment — the one Evidence, SSP & POA&M walks in full — is this page’s sequence in miniature. Scope was already drawn, so findings meant something. The walk-through surfaced three gaps, and the POA&M sort did the real work: the non-FIPS-validated backup encryption (SC.L2-3.13.11, the named 3-point exception) could ride a POA&M; the visitor-log format (PE.L2-3.10.4) and the SSP’s stale network diagram (CA.L2-3.12.4) sat on the exclusion list and had to close before the assessment, whatever the score said. Two fixes and one ordered replacement drive later, the second pass — not the first — was the one that predicted the clean result.
06Sources
| Document | What it’s for |
|---|---|
| NIST SP 800-171A | The assessment objectives — the determination statements a self-check should run on. |
| 32 CFR 170.24 | The scoring methodology: the −203 to 110 range, the 1/3/5 weights, and the MET / NOT MET / N/A definitions. |
| 32 CFR 170.21 | POA&M eligibility — the 88 floor, the 1-point limit, the 3.13.11 exception, and the six exclusions. |
| 32 CFR 170.15(c); 170.16(c) | The self-assessment procedures the practice run should mirror, at Level 1 and Level 2. |
| CMMC Level 2 Assessment Guide · Scoping Guidance | DoD’s own methodology and scoping references (Source Library). |