Deretti Cyber Labs CMMC Desk · Gap Analysis

Gap analysis.

Checking yourself against the objectives before anyone official does.

A gap analysis is nothing exotic: the same lens an assessor will eventually use — NIST SP 800-171A’s assessment objectives — applied by you, earlier, while findings are still cheap. This page describes what the exercise is and is not, the reference points that keep it honest, a sequence that works, and the traps that make self-checks read better than reality.

01What it is, and what it isn’t

A gap analysis is an internal comparison: the environment as it actually runs, held against the requirements as they are actually assessed. It produces a list of findings and, done honestly, a rough score. It does not produce a CMMC Status, it binds no assessor, and a good result is a prediction, not a promise — the determination that counts is made under DoD program authority, by a C3PAO or DIBCAC where certification applies, or through the formal self-assessment entered in SPRS.

What the exercise is genuinely for: finding the gaps while they cost a config change or a habit instead of a failed assessment; making the SSP true (writing implementation statements forces the discovery of what is actually implemented); and sizing the remaining work in a way that a calendar and a budget can absorb. Deficiency-tracking is itself a Level 2 requirement — 3.12.2 — so the habit this page describes is one the rule already expects to exist.

02The reference points

Three fixed points keep a self-check aligned with how the real thing behaves.

The objectives, not the requirement sentences. NIST SP 800-171A breaks each requirement into determination statements, and MET means every applicable objective behind the requirement is met — a requirement can read as done while one objective quietly fails. Checking at the objective level is most of what separates a useful gap analysis from a reassuring one. NIST SP 800-171A; 32 CFR 170.24(b)

The scoring methodology. Level 2 scores run from −203 to 110: every requirement starts granted, and unmet requirements subtract 1, 3, or 5 points by weight. A practice score locates you against the two lines that matter — 110 for Final, and the 88 floor that opens Conditional status. 32 CFR 170.24

The POA&M rules. Conditional status requires at least 88, every open item worth 1 point (with the single named 3-point exception, SC.L2-3.13.11), and none of the six categorically excluded requirements open — Evidence, SSP & POA&M carries the full mechanics. A gap analysis that sorts findings against these rules tells you not just how far from 110 you are, but whether the remaining gaps are even deferrable. At Level 1 the sorting is simpler and stricter: the same objectives apply (FCI substituted for CUI), and nothing is deferrable at all. 32 CFR 170.21(a); 170.15(c)(1)

03A sequence that works

  1. Fix the scope first. Findings against the wrong boundary are noise. The five asset categories, the enclave question, and the ESP relationships get settled before any requirement is checked — Scope & Boundary is the page to have open.
  2. Bring the SSP current. The comparison is practice-versus-plan; an out-of-date plan breaks the comparison. If the SSP is thin, writing the implementation statements is the first pass of the gap analysis (what an SSP typically contains).
  3. Walk the requirements against the objectives, naming evidence as you go. For each requirement: which objectives apply, and what artifact shows each one — a named ticket, a config export, a log, a roster. “Yes, we do that” without a nameable artifact is a finding, not a pass. The family pages’ What evidence may look like sections and each page’s at-a-glance box exist for exactly this step (Domains).
  4. Score it honestly. Apply the 1/3/5 weights and note which open items sit on the exclusion list or above 1 point — those are must-fix-first, whatever the total says.
  5. Sort the findings by what closing them takes. Config changes (fast, cheap, do now); habit gaps (a recurring calendar entry and an owner, then time for the record to accumulate); capital items (a FIPS-validated replacement, a segmentation project — the ones that need a budget line and a date).
  6. Sort them again by POA&M eligibility. The two sorts differ, and the difference is the plan: a 1-point habit gap can ride a POA&M into Conditional status; an excluded requirement cannot, however easy the fix looks.
  7. Re-run after remediation. The second pass is the one with predictive value — the first pass mostly measures surprise.

04The traps

Requirement-level optimism. Scoring at the requirement sentence instead of the objectives — the single most common way a self-check overstates reality. The fix is mechanical: check objectives, not vibes.

Paper controls. A policy that exists but isn’t practiced examines well and interviews badly. Assessors use three methods — examine, interview, test — precisely so documents alone can’t carry a determination (how assessors check). A self-check that only reads documents inherits the same blind spot.

N/A as a dodge. Not applicable is a real category with a real bar: the requirement genuinely cannot apply to the assessed environment. It scores as MET, which makes it tempting — and a wrong N/A surfaces at the worst possible time, in front of the people whose determination counts.

Treating the practice score as the answer. A self-scored 96 is a plan input — it says Conditional is plausibly in reach if the open items sort correctly. It is not a number to put in a proposal, and it moves the moment an assessor reads an objective differently than you did.

05At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard’s practice self-assessment — the one Evidence, SSP & POA&M walks in full — is this page’s sequence in miniature. Scope was already drawn, so findings meant something. The walk-through surfaced three gaps, and the POA&M sort did the real work: the non-FIPS-validated backup encryption (SC.L2-3.13.11, the named 3-point exception) could ride a POA&M; the visitor-log format (PE.L2-3.10.4) and the SSP’s stale network diagram (CA.L2-3.12.4) sat on the exclusion list and had to close before the assessment, whatever the score said. Two fixes and one ordered replacement drive later, the second pass — not the first — was the one that predicted the clean result.

06Sources

Primary sources for gap analysis reference points and scoring
DocumentWhat it’s for
NIST SP 800-171AThe assessment objectives — the determination statements a self-check should run on.
32 CFR 170.24The scoring methodology: the −203 to 110 range, the 1/3/5 weights, and the MET / NOT MET / N/A definitions.
32 CFR 170.21POA&M eligibility — the 88 floor, the 1-point limit, the 3.13.11 exception, and the six exclusions.
32 CFR 170.15(c); 170.16(c)The self-assessment procedures the practice run should mirror, at Level 1 and Level 2.
CMMC Level 2 Assessment Guide · Scoping GuidanceDoD’s own methodology and scoping references (Source Library).