
CMMC Gap Assessment

A Cybersecurity Maturity Model Certification (CMMC) gap assessment compares your current security against the practices your contract requires and shows you exactly where the gaps are. APT Security Management, based in North Charleston, SC, runs CMMC gap assessments for Level 1 and Level 2 contractors across the United States using a prepaid token model with no long-term contract. You walk away with a written report, control-by-control findings, and a remediation roadmap you can actually execute.

Two Scopes. Same Process.

Your gap assessment scope depends on the data your contract requires you to protect. Pick the track that matches your contract, or talk to us if you are not sure which applies.

Level 1 Gap Check

For contractors handling Federal Contract Information (FCI) only, with no Controlled Unclassified Information (CUI). Level 1 covers the 17 practices required for annual self-attestation in the Supplier Performance Risk System (SPRS).

What The Level 1 Gap Check Covers

Status review against all 17 CMMC Level 1 practices

Evidence inventory for each practice (policy, configuration, screenshots, logs)

Self-attestation readiness opinion before your senior official signs

Short remediation plan for any practices not in place

This track is lighter and faster than Level 2, designed for small subcontractors and suppliers who need to attest with confidence.

Level 2 Gap Assessment

For contractors handling CUI. Level 2 maps to the 110 controls in NIST Special Publication 800-171 and typically requires a third-party assessment by a Certified Third Party Assessment Organization (C3PAO).

What The Level 2 Gap Assessment Covers

Status review against all 110 NIST 800-171 controls

Draft System Security Plan (SSP)

Plan of Action and Milestones (POA&M) build for any open controls

Prioritized remediation roadmap with effort estimates

Evidence inventory and documentation gap list

This track is the foundation for the rest of your prep work and gives you a clear scope for budgeting and timeline.

What You Get in the Report

Every gap assessment produces a written deliverable you can hand to your executive team, your prime contractor, or a future C3PAO.

The Report Includes

You also get a working copy of your SSP draft (Level 2) or your evidence inventory (Level 1) that you can keep building on after the engagement.

Realistic Timelines

CMMC gap assessments are not week-long projects, and anyone promising you a one-week turnaround is skipping steps.

What to Actually Expect

Level 1 Gap Check

2 to 3 weeks from kickoff to final report, depending on how quickly your team can provide access and documentation.

Level 2 Gap Assessment

4 to 8 weeks from kickoff to final report, including SSP drafting and POA&M build. Larger or more complex environments may run longer.

What Happens After the Assessment

The gap assessment is the starting point. The findings are useful only if the gaps actually get closed, which is where most prep engagements stall.

APT stays involved after the report is delivered.

The Same Engagement Can Cover

Documentation Work

SSP refinement, policy drafting, procedure development

Technical Remediation

Tool selection and deployment for the gaps that need new technology

Evidence Collection

Building the audit-ready evidence library a C3PAO will ask for at Level 2

Final Review

Pre-assessment readiness check before you book your C3PAO

For Level 2 contractors: APT is your advisory and prep partner. We are not a C3PAO and we do not perform the certification assessment itself. That separation is intentional. It means no conflict of interest, and no pressure to upsell you into an assessor relationship.

Why APT for Your CMMC Gap Assessment

Registered Practitioner Credential

APT has a Registered Practitioner (RP) on staff, credentialed through the Cyber AB. The RP leads CMMC engagements and signs off on the gap assessment work.

Dual Level 1 and Level 2 Expertise

A lot of small subcontractors get pushed into Level 2 scope they do not actually need, or stay at Level 1 when their contract requires more. We scope honestly based on the data you handle, not on what generates a bigger engagement.

Tokens, Not Retainers

You buy tokens, spend them as needed, and apply them to the gap assessment, remediation, or any other APT service. No 12-month commitment, no minimum spend. Unused tokens are valid for 12 months from purchase.

Partner Stack to Close Gaps

When the assessment finds gaps that need new technology, APT deploys endpoint protection and audit logging, network segmentation and boundary control, and email security. You do not have to find another vendor to actually fix what we identify.

Advisor, Not Assessor

APT is not a C3PAO and will not be your certifying body. We prepare you for the assessment and stand behind the work, but the certification stamp comes from an independent C3PAO. That is the correct separation under the CMMC ecosystem.

Frequently Asked Questions

How much does a CMMC gap assessment cost?

Pricing depends on your level, environment size, and how much documentation you already have in place. APT prices gap assessments in tokens, and most Level 1 engagements use significantly fewer tokens than Level 2 engagements. Contact us for a custom token quote.

How long does the gap assessment take?

Level 1 gap checks typically take 2 to 3 weeks. Level 2 gap assessments typically take 4 to 8 weeks, including SSP drafting and POA&M build. Complex or multi-site environments can take longer. Timelines are confirmed during the discovery call.

What is the difference between a Level 1 gap check and a Level 2 gap assessment?

Level 1 covers 17 practices for contractors handling Federal Contract Information (FCI) only and supports annual self-attestation. Level 2 covers all 110 NIST 800-171 controls for contractors handling Controlled Unclassified Information (CUI) and supports a third-party C3PAO assessment. Your contract language tells you which level applies.

Do you also perform the official CMMC assessment?

No. APT is an advisory and preparation partner, not a Certified Third Party Assessment Organization (C3PAO). We prepare you for assessment and help you close gaps. The official certification assessment is performed by an independent C3PAO. That separation protects you from conflicts of interest.

What do I receive at the end of the engagement?

A written gap assessment report with control-by-control status, an executive summary, prioritized remediation guidance, and effort estimates. Level 2 engagements also include a draft System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).

Can APT help fix the gaps you find?

Yes. Most clients use the gap assessment as the first phase of a longer prep engagement. APT handles documentation work, tool deployment through partners like Sophos, Fortinet, and Proofpoint, evidence collection, and pre-assessment readiness checks. All of it runs on the same token balance.

Is APT a Registered Practitioner Organization (RPO)?

APT has an individual Registered Practitioner (RP) credentialed through the Cyber AB, not a full RPO designation. The RP leads CMMC engagements. For most small and mid-size contractors, working with a credentialed RP delivers the same practical outcome as working with an RPO.

Get a Custom Quote for Your CMMC Gap Assessment

Tell us your CMMC level and a few details about your environment. We will come back with a token quote and a realistic timeline. No long-term contract, no commitment to move forward.
