What to Expect From a CMMC Gap Assessment

A Cybersecurity Maturity Model Certification (CMMC) gap assessment is a structured review of your current security practices against the controls required by your CMMC level. It does not certify you. No certificate comes out of it. What you get is a clear picture of where you stand today, where you have gaps, and what it will take to close them.

If you are a defense contractor trying to figure out whether you are ready for CMMC compliance, a gap assessment is the right starting point. It tells you what the path ahead looks like before you commit time and budget to fixing things.

This post walks through how a CMMC gap assessment actually works, what happens at each stage, how Level 1 and Level 2 engagements differ, and what to do once you have the report in hand. APT Security Management, based in North Charleston, South Carolina, conducts gap assessments for both Level 1 and Level 2 contractors through its Compliance as a Service (CaaS) practice.

A Gap Assessment Is Not a Formal CMMC Assessment

It is worth being precise about this upfront, because buyers sometimes confuse the two.

A formal CMMC assessment is the official process that results in certification. For most Level 2 contractors, that assessment is conducted by a Certified Third-Party Assessor Organization (C3PAO) authorized by the Cyber AB. The outcome is a pass or fail that gets recorded and has contract consequences.

A gap assessment is advisory. It is work you commission before the formal assessment so you know what you are walking into. The assessor reviews your environment, your documentation, and your controls, then gives you a written report showing which practices you have implemented, which ones you have not, and what the remediation path looks like.

APT conducts gap assessments as a preparation and advisory service. APT is not a C3PAO and does not certify contractors. That distinction matters when you are planning your CMMC journey. If you want to understand how those roles fit together, the post RP vs RPO vs C3PAO: Understanding the CMMC Ecosystem covers the ecosystem clearly.

Level 1 vs Level 2: The Scope Is Very Different

The most important variable going into a gap assessment is which level applies to you. If you are not certain, start with APT's free CMMC Readiness Quickcheck before scheduling anything else.

Level 1 gap check

CMMC Level 1 covers 15 security practices derived from the Federal Acquisition Regulation (FAR) clause 52.204-21. These practices apply to contractors who handle Federal Contract Information (FCI) but do not process Controlled Unclassified Information (CUI). The scope is narrower, the engagement is faster, and the output is simpler.

A Level 1 gap check typically takes a few days of work total. It reviews whether each of the 15 practices is implemented, notes any gaps, and gives you a prioritized list of what needs to be addressed before your annual self-attestation. If you need to understand what these practices cover before the engagement, the post CMMC Level 1 Practices: What They Actually Require walks through each one.

Level 2 gap assessment

CMMC Level 2 aligns to the 110 security requirements in NIST Special Publication 800-171 Rev 2, organized across 14 control families (called domains). This applies to contractors who handle CUI. The scope is substantially larger, and the engagement takes proportionally more time.

A Level 2 gap assessment reviews all 110 practices, evaluates your existing System Security Plan (SSP) if one exists, and produces a more detailed output including a draft SSP structure and a Plan of Action and Milestones (POA&M) framework. Depending on company size and environment complexity, a Level 2 engagement typically runs one to four weeks from kickoff to report delivery.

How a Gap Assessment Actually Works

The process follows a consistent sequence regardless of level. What changes is the depth and duration at each stage.

Kickoff

The engagement starts with a kickoff call. You and the APT practitioner align on scope, confirm which systems are in scope, identify who will be the internal point of contact, and establish a timeline. For Level 2, this is also where your CMMC assessment boundary gets defined. Scoping correctly at the start saves significant time later.

If you have not yet categorized your assets under the five CMMC asset categories defined in 32 CFR 170.19, APT's free CMMC Asset Categorizer can help you work through that before or during kickoff.

Document review

Before any interviews or technical review happens, the practitioner reviews your existing documentation. This typically includes:

Any current System Security Plan (SSP) or draft

Network diagrams and asset inventories

Existing security policies and procedures

Prior self-assessment results or SPRS scores, if applicable

Any previous audit findings or third-party security reviews

Document quality is one of the most common gap areas. Many contractors have policies on paper that do not reflect what is actually implemented, or have no SSP at all. Gaps found at this stage are not a problem; they are exactly what the assessment is supposed to surface.

Interviews

The practitioner conducts structured interviews with the people who actually operate and maintain your systems. This usually includes your IT lead or administrator, anyone who manages your network or endpoints, and the person responsible for security decisions. For smaller contractors, this may all be one or two people.

Interviews cover how controls are actually implemented in your environment, who is responsible for them, and what evidence exists to demonstrate they are working. The goal is to get past what the policies say and understand what is actually happening in practice.

Environment review

For Level 2 engagements, the practitioner also reviews your technical environment directly. This includes boundary architecture, how CUI flows through your systems, how endpoints are configured and protected, how access is controlled and logged, and whether key controls like multi-factor authentication (MFA) are implemented correctly.

This is not a penetration test. The environment review is observational and configuration-focused. Its purpose is to verify that the technical controls your documentation describes are actually in place.

Scoring and analysis

After document review, interviews, and environment review, the practitioner scores each practice as implemented, partially implemented, or not implemented. For Level 2, this also maps to a NIST SP 800-171 scoring framework, which feeds into your Supplier Performance Risk System (SPRS) score. If you want to understand how SPRS scores are calculated, APT's free SPRS Score Calculator walks through the methodology.

Report delivery and debrief

The written report is the deliverable. The practitioner delivers it and then walks you through it in a debrief session so nothing is unclear. The debrief is where you can ask questions about specific findings, discuss remediation options, and get a realistic sense of timeline and effort.

What the Report Contains

A CMMC gap assessment report is not a pass/fail document. It is a working document you will use to drive remediation.

A complete report includes:

Control-by-control status for every practice in scope (implemented, partial, not implemented)

Written findings for each gap, explaining what is missing and why it matters

A prioritized remediation roadmap organized by effort and impact

Time and effort estimates for closing each gap

For Level 2: a draft SSP structure and a POA&M framework you can build out immediately

The remediation roadmap distinguishes between quick wins (documentation gaps that can be closed in days), medium-effort technical gaps (configuration changes, tool deployments), and longer-term structural gaps (network segmentation, access architecture changes). That structure lets you start making progress right away while planning the bigger-ticket work.

For Level 2 contractors who need to begin their SSP from scratch, APT's free SSP Scaffolder generates a pre-structured SSP document you can use as the foundation.

What You Provide vs What APT Provides

What you provide

Access to your IT environment and documentation

Time from your internal team for interviews (typically two to four hours total for Level 1; more for Level 2)

Any existing policies, diagrams, SSP drafts, or prior assessment results

Honest answers about how controls are actually implemented

You do not need to have everything in order before the assessment. The point of a gap assessment is to find out what is missing. If everything were already in place, you would not need one.

What APT provides:

A Registered Practitioner (RP) with direct CMMC experience conducting the review

Structured interviews and environment review

A written report with control-by-control scoring and findings

A prioritized remediation roadmap with effort estimates

A debrief session to walk through the results

For Level 2: SSP structure guidance and POA&M framework

APT conducts gap assessments on a token-based engagement model. You pay for the work you need, without a long-term retainer commitment. For Level 1 and Level 2 scoping and pricing, visit the CMMC Gap Assessment page or request a quote directly.

Realistic Timelines by Level

Level 1

A Level 1 gap check for a small contractor with a straightforward environment typically takes one to two weeks from kickoff to report delivery. If your documentation is minimal or your environment involves multiple sites or complex IT setups, expect it to run a bit longer.

Level 2

Level 2 engagements take more time, and the range is wider. A smaller contractor with a simpler environment might see a report in two to three weeks. A mid-size contractor with a larger asset inventory, more complex network architecture, or significant documentation gaps may take four to six weeks.

One thing that consistently stretches the timeline is poor documentation coming into the engagement. If your SSP is incomplete or nonexistent, or your policies have not been updated in years, expect to spend additional time at the document review stage. That is not a reason to delay starting. It is a reason to start sooner.

What to Do With the Report

The gap assessment report is the beginning of your CMMC prep, not the end of it.

Once you have it, the practical next steps are:

Triage the findings

Separate quick-win documentation gaps from technical control gaps from structural changes. Quick wins can start immediately.

Build out your POA&M

If you do not have one, APT's free POA&M Builder can help you structure it based on your findings.

Start your SSP if you do not have one

The report will include a draft structure for this, and the SSP Scaffolder can get the document started.

Begin technical remediation

Tool gaps and configuration gaps get addressed here. APT can handle implementation through its managed security services. Common technical gaps include endpoint protection coverage (which Sophos or Bitdefender can address), boundary and segmentation controls (where Fortinet fits), and email security (where Proofpoint is a common solution APT deploys).

Plan for your formal assessment if you are on a Level 2 path

DFARS 252.204-7021, effective November 10, 2025, is the contract clause placing CMMC certification requirements on new solicitations. If that clause is in your contract, your timeline is already running.

For a full walkthrough of what happens after the assessment, the post What Happens After Your Gap Assessment: A Step by Step Roadmap covers each phase in detail.

What to Do Next

If you are a defense contractor who handles CUI or FCI and have not yet had a professional review your CMMC readiness, a gap assessment is the clearest way to understand where you stand. Start with the free CMMC Readiness Quickcheck if you want a quick self-assessment first. When you are ready for a formal review, the CMMC Gap Assessment page has details on both Level 1 and Level 2 scoping.

Get a Quote for Your Environment

APT conducts Level 1 and Level 2 CMMC gap assessments on a token-based model, scoped to the size and complexity of your environment. Contact us to request pricing tailored to your situation.

Book a Free Consultation