What Happens After Your CMMC Gap Assessment: A Step by Step Roadmap

After a Cybersecurity Maturity Model Certification (CMMC) gap assessment, the work moves through five phases: documentation cleanup, technical remediation, evidence collection, a readiness check, and, for Level 2, booking your formal assessment with a Certified Third Party Assessment Organization (C3PAO). The report you just received is the map. This post explains how to read it and how to work through each phase without stalling.

This roadmap is written for defense contractors and subcontractors who have just received a gap assessment report, or who are about to. It applies whether you are heading toward Level 1 self-attestation or a Level 2 assessment against the 110 NIST SP 800-171 controls.

APT Security Management, a managed security services provider based in North Charleston, South Carolina, runs gap assessments and the remediation work that follows. What you read below is the same sequence we walk clients through.

How to Read Your Gap Assessment Report

A good gap assessment report gives you three things for every practice in scope: a status, a severity, and an effort estimate. If you have not been through one yet, read What to Expect From a CMMC Gap Assessment first.

Status tells you whether the practice is met, partially met, or not met. Be careful with "partially met." For assessment purposes, a practice that is partially met is not met. Assessors evaluate against assessment objectives, and missing one objective fails the practice. Treat partial findings as open work, not near wins.

Severity tells you how much the gap matters. For Level 2, this often maps to the Department of Defense scoring methodology used for your Supplier Performance Risk System (SPRS) score, where some controls carry far more weight than others. A gap on a 5 point control is a bigger problem than a gap on a 1 point control.

Effort estimates tell you what closing the gap will cost in time and work. A missing policy might take a week. Network segmentation might take a quarter. You need all three dimensions to prioritize honestly.

How to Prioritize the Findings

Do not work the report top to bottom. Sort your gaps into four buckets and sequence them.

Quick wins

Gaps you can close in days with configuration changes or settings you already own. Enabling screen lock policies, turning on logging features in tools you already pay for, removing stale accounts. Close these first. They build momentum and shrink the list fast.

Documentation gaps

Practices you actually perform but cannot prove because nothing is written down. These are common and cheap to fix, and they feed directly into Phase 1 below.

Technical control gaps

Missing capabilities that require new tools, new architecture, or real configuration work. Multifactor authentication, network segmentation, centralized audit logging, email protection. These take the longest, so start procurement and planning early even if implementation comes later.

Organizational changes

Gaps that require people to work differently. Access request workflows, onboarding and offboarding procedures, incident reporting habits. These are easy to underestimate because the hard part is adoption, not setup.

One more note for Level 2: not every gap can wait for a Plan of Action and Milestones (POA&M). Under 32 CFR Part 170, only certain lower weighted requirements are eligible to sit on a POA&M at assessment time, you must still meet a minimum score, and POA&M items must close within 180 days. Plan to fully remediate the heavily weighted controls before your assessment, not after.
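The prioritization rules above (partially met counts as open, weight drives severity, only lower weighted items may sit on a POA&M, heavily weighted items close before the assessment, quick wins first) carried through as a small triage helper. This is an added Python example, not code from the original post or from APT; the 88 minimum score and the "weight 1 is POA&M eligible" rule are assumptions drawn from 32 CFR 170.21 rather than from this page, and the findings list is constructed.

```python
from dataclasses import dataclass
MAX_SCORE = 110   # one point per NIST SP 800-171 control before weighting
MIN_SCORE = 88    # assumption: the 32 CFR 170.21 minimum score; not stated on this page
BUCKET_ORDER = ["quick win", "documentation", "technical", "organizational"]

@dataclass
class Finding:
    practice: str      # short label; a real report would carry the practice ID
    status: str        # "met", "partially met" or "not met"
    weight: int        # SPRS severity weight (1, 3 or 5)
    effort_days: int   # effort estimate from the report
    bucket: str        # one of BUCKET_ORDER

def is_open(f: Finding) -> bool:
    # For assessment purposes, "partially met" is not met.
    return f.status != "met"

def sprs_score(findings: list[Finding]) -> int:
    # DoD methodology: start at the maximum and subtract each open control's weight.
    return MAX_SCORE - sum(f.weight for f in findings if is_open(f))

def poam_eligible(f: Finding) -> bool:
    # Simplification: every open 1-point item is treated as eligible; 32 CFR 170.21 excludes a few.
    return is_open(f) and f.weight == 1

def must_close_before_assessment(findings: list[Finding]) -> list[str]:
    # Heavily weighted open items cannot wait for a POA&M.
    return [f.practice for f in findings if is_open(f) and not poam_eligible(f)]

def sequence(findings: list[Finding]) -> list[str]:
    # Work order: buckets in roadmap order, heaviest weight first, then least effort.
    open_items = [f for f in findings if is_open(f)]
    open_items.sort(key=lambda f: (BUCKET_ORDER.index(f.bucket), -f.weight, f.effort_days))
    return [f.practice for f in open_items]

def assessment_ready(findings: list[Finding]) -> bool:
    # Book only when the score clears the minimum and nothing heavy is still open.
    return sprs_score(findings) >= MIN_SCORE and not must_close_before_assessment(findings)

# Constructed sample findings; statuses, weights and efforts are illustrative.
SAMPLE = [
    Finding("Screen lock policy", "not met", 1, 2, "quick win"),
    Finding("Stale account removal", "partially met", 1, 3, "quick win"),
    Finding("Access control policy", "not met", 1, 7, "documentation"),
    Finding("Multifactor authentication", "not met", 5, 60, "technical"),
    Finding("Network segmentation", "partially met", 5, 90, "technical"),
    Finding("Access request workflow", "not met", 1, 30, "organizational"),
    Finding("Incident response plan", "met", 5, 0, "documentation"),
]
```

With the sample list the score is 96, which clears the minimum, yet the two 5 point technical gaps still block booking because they are not POA&M eligible.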

Phase 1: Documentation Cleanup

Documentation comes first because it shapes everything after it. For Level 2, the anchor document is your System Security Plan (SSP). The SSP describes your in scope environment, your assessment boundary, and how each of the 110 controls is implemented. If your gap assessment produced an SSP draft, this phase is about completing it. If it did not, this phase is about building it.

Alongside the SSP, this phase covers:

    The POA&M, which tracks every open gap with an owner, a remediation plan, and a target date

    Core policies: access control, incident response, configuration management, media protection, and the rest of the policy set your report flagged

    Procedures that describe how the policies actually get executed day to day

For Level 1, the documentation load is lighter. There is no SSP requirement, but you still need written evidence that the 15 practices from FAR 52.204-21 are implemented, because an executive will be affirming that in SPRS annually.

A warning from the assessment side: policies alone do not satisfy anything. A policy that says "we review audit logs weekly" fails the moment an assessor asks to see last month's reviews and nothing exists. Write documentation that matches reality, then fix reality where it falls short.

Phase 2: Technical Remediation

This is where identified gaps actually get closed. The work depends on your report, but the same categories show up in most defense industrial base environments:

Boundary protection and segmentation

Separating the systems that touch Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) from everything else shrinks your assessment scope and your risk at the same time. APT typically deploys firewalls from providers such as Fortinet and SonicWall to enforce segmentation here, building a defined boundary around the in scope environment.

Endpoint protection and audit logging

Level 2 requires real detection capability and audit records you can retain and review. An endpoint protection platform and its logging stack, from vendors such as Sophos and Bitdefender, cover both, and APT can run it as a managed service so log review actually happens instead of living in a policy document.

Email security

Phishing remains the most common entry point into contractor environments, and several controls touch mail flow. Tools like those from Proofpoint close the email gap, including phishing defense and policy enforcement.

The point of naming tools is not the tools. It is that a gap assessment that ends with a findings list leaves you holding the hard part. APT does the deployment and configuration work through its CMMC compliance prep service, so the roadmap and the remediation come from the same place.

Sequence this phase around procurement lead times. Order long lead items early, run quick configuration fixes in parallel, and update the POA&M as each item closes.

Phase 3: Evidence Collection and Operational Discipline

Passing an assessment is not about having controls. It is about proving they operate. Assessors examine artifacts, interview staff, and test systems. That means you need evidence that accumulates over time, not screenshots taken the week before.

Build evidence collection into normal operations:

    Save artifacts as activities happen: log review records, access approvals, training completions, incident tickets, change records

    Map each artifact to the practice it supports, so you can retrieve evidence by control instead of digging through folders

    Assign owners. Evidence nobody owns stops accumulating within a month

Give this phase time to run. An assessor who sees three to six months of operating evidence sees a program. An assessor who sees two weeks of evidence sees a scramble. For Level 1, the same discipline protects whoever signs your annual affirmation, because that affirmation carries legal weight and should rest on evidence you can produce.

Phase 4: Pre Assessment Readiness Check

Before you book a formal assessment or sign a self-attestation, run a readiness check. This is a dry run against the same assessment objectives a real assessor will use, conducted by someone who was not heads down in the remediation work.

The readiness check should confirm three things: every practice has implementation in place, every practice has evidence behind it, and the people who will be interviewed can describe how the controls work in their own words. Interviews trip up more assessments than missing documents do. If your staff cannot explain the incident reporting process, it does not matter that the plan is well written.

Findings from the readiness check go back into the POA&M for a final remediation pass. It is far cheaper to fail a dry run than a paid C3PAO assessment.

Phase 5: C3PAO Selection and Booking (Level 2 Only)

If your contracts require a Level 2 certification assessment, the last phase is selecting and booking a C3PAO. APT is an advisory and prep partner staffed with a Registered Practitioner (RP). APT does not conduct certification assessments, and no advisory firm that prepped you should. The roles are deliberately separate.

When selecting a C3PAO:

    Verify their authorization status with the Cyber AB at the time of selection, since the authorized list changes

    Ask about scheduling lead times early. Demand for assessments has grown since DFARS 252.204-7021 began placing CMMC status requirements on solicitations in November 2025, and booking windows can be long

    Confirm scope alignment up front, so the assessment boundary in your SSP matches what the assessor plans to evaluate

If you are stopping at Level 1, there is no Phase 5 assessor. Your path ends with a senior official affirming compliance in SPRS, renewed annually. Treat that signature with the same seriousness, because it is a federal representation.

How APT Supports Each Phase

APT works on a prepaid token model instead of long retainer contracts, which fits this roadmap well because the phases need different amounts of help. Some clients use tokens for documentation support in Phase 1, handle their own technical work, then come back for a readiness check in Phase 4. Others have APT run the full sequence from gap assessment through C3PAO coordination.

Tokens apply across all of it: SSP and POA&M development, tool deployment with partners like Fortinet, Sophos, and Proofpoint, managed services for the controls that need ongoing operation, and readiness review. You spend tokens where your gaps are, not where a contract says you must.

What to Do Next

Pull out your gap assessment report and sort every finding into the four buckets: quick wins, documentation, technical, and organizational. Close the quick wins this month. Then put dates and owners on Phase 1 and start the procurement conversations for Phase 2. If you do not have a gap assessment yet, that is the actual first step, and the roadmap above is what it sets up.

Talk Through Your Situation With APT

If you have a gap assessment report and are not sure how to sequence the work, bring it to a free 30 minute consultation. We will help you sort the findings and map the phases to your contract timeline.