Most contractors have never been through a formal CMMC gap assessment. They know they need one, they know it costs something, but they don't know what actually happens: what we look at, how we evaluate it, what they walk away with. This is that explanation.

It Starts Before the Assessment

The first thing we do is a scoping call, and this isn't a formality. The scope of your assessment determines the cost, the timeline, and the complexity. We need to understand your environment before we can give you an accurate quote or begin any evaluation work.

On that call we're learning: How many endpoints are in scope? What operating systems are you running? Where does CUI live? Which systems touch it, transmit it, store it? Do you have cloud infrastructure, and if so which services? Do you use managed service providers? What does your network boundary look like?

The answers to those questions shape everything that follows.

What We Actually Evaluate

A CMMC Level 2 gap assessment evaluates your environment against all 110 practices across 14 domains drawn from NIST SP 800-171. These aren't vague categories. They're specific, testable requirements. Either you have MFA configured on all accounts accessing CUI systems or you don't. Either you have a documented incident response plan or you don't. Either your audit logs are protected from modification or they aren't.

The 14 domains are: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity.

For each practice, we determine one of three things: met, not met, or not applicable to your environment. "Not applicable" requires justification. You can't simply exclude a control because it's inconvenient.

How We Do the Evaluation

We use a combination of documentation review, interviews, and technical observation. We'll ask for your System Security Plan (SSP) if you have one, review configuration evidence, and work through your environment systematically. We're not trying to catch you off guard. We're trying to get an accurate picture of where you actually are.

The assessment is collaborative, not adversarial. You know your environment better than anyone. We know the requirements and what assessors look for. The gap assessment is where those two things meet.

What You Get

At the end of the assessment, you have a clear view of your current compliance posture: which of the 110 practices you meet, which you don't, and where the gaps are. You'll know your approximate SPRS score, which determines whether you're eligible to bid on CUI contracts.
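To make the met / not met / not applicable determinations and the resulting SPRS score concrete, here is a small scorer added as an illustration (it is not the assessor's tooling and not part of the original page). It applies the DoD NIST SP 800-171 Assessment Methodology rules: start at 110, subtract each unmet practice's weight (5, 3 or 1), deduct nothing for a practice justified as not applicable, and give partial credit (a 3-point instead of 5-point deduction) only for the two practices the methodology allows it for, 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). The weights table is an assumption covering only a handful of practice IDs; any practice not listed is treated as met, so a real run needs all 110 weights from the methodology's Annex A. The sample findings are constructed.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110   # every practice met
MIN_SCORE = -203  # every practice unmet under the DoD methodology

# ASSUMPTION: illustrative subset of practice weights (5 / 3 / 1). The authoritative
# table for all 110 practices is Annex A of the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1,
    "3.3.1": 5, "3.3.8": 1,
    "3.5.3": 5, "3.6.1": 5,
    "3.13.11": 5, "3.14.1": 5,
}
# Only MFA and FIPS crypto may be scored as partially implemented (3-point deduction).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"met", "not_met", "partial", "na"}


@dataclass
class Finding:
    practice: str          # NIST SP 800-171 practice ID, e.g. "3.5.3"
    status: str            # met | not_met | partial | na
    justification: str = ""  # required when status == "na"


def validate(findings):
    """Reject findings an assessor would not accept as written."""
    for f in findings:
        if f.practice not in WEIGHTS:
            raise KeyError(f"no weight on file for practice {f.practice}")
        if f.status not in VALID_STATUS:
            raise ValueError(f"{f.practice}: unknown status {f.status!r}")
        if f.status == "na" and not f.justification.strip():
            raise ValueError(f"{f.practice}: 'not applicable' requires a justification")
        if f.status == "partial" and f.practice not in PARTIAL_CREDIT:
            raise ValueError(f"{f.practice}: partial credit is only allowed for "
                             f"{sorted(PARTIAL_CREDIT)}")


def sprs_score(findings):
    """Approximate SPRS score: 110 minus weighted deductions, floored at -203."""
    validate(findings)
    score = MAX_SCORE
    for f in findings:
        if f.status == "not_met":
            score -= WEIGHTS[f.practice]
        elif f.status == "partial":
            score -= PARTIAL_CREDIT[f.practice]
        # "met" and justified "na" deduct nothing
    return max(score, MIN_SCORE)


def summarize(findings):
    """Counts per status plus the gap list ordered by the points each gap costs."""
    counts = {s: 0 for s in VALID_STATUS}
    gaps = []
    for f in findings:
        counts[f.status] += 1
        if f.status == "not_met":
            gaps.append((f.practice, WEIGHTS[f.practice]))
        elif f.status == "partial":
            gaps.append((f.practice, PARTIAL_CREDIT[f.practice]))
    gaps.sort(key=lambda g: (-g[1], g[0]))  # biggest deductions first
    return {"counts": counts, "score": sprs_score(findings), "gaps": gaps}


# Constructed sample findings from a hypothetical gap assessment.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "met"),
    Finding("3.1.2", "met"),
    Finding("3.5.3", "partial"),   # MFA on privileged/remote accounts only
    Finding("3.3.8", "not_met"),   # audit logs not protected from modification
    Finding("3.13.11", "na", "CUI is never transmitted outside the enclave; "
                             "the cloud provider's FIPS boundary covers storage."),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_FINDINGS)
    print(f"Approximate SPRS score: {report['score']}")
    for practice, cost in report["gaps"]:
        print(f"  gap {practice}: -{cost} points")
```

Running the sample gives 106: three points for the partial MFA rollout and one for the unprotected audit logs, with the justified not-applicable practice costing nothing. The ordered gap list is the same prioritisation a remediation plan starts from, since the 5-point practices move the score most.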

That information is the foundation for everything that comes next, whether that's remediation planning, documentation work, or scheduling your C3PAO assessment.