In this Article:

  • Learn about action items leading up to CMMC preparation.
  • Learn what to do when your organization is ready to begin CMMC preparation.
  • Learn what goes into a CMMC Gap Analysis, and why you need one.

Can My Organization Handle CMMC Internally?

Most organizations should not try to handle every aspect of CMMC preparation internally, even with a capable in-house IT team. It is certainly prudent to review all of the controls currently in place before a CMMC assessment or audit.

The problem is that an internal review tends to gloss over gaps that an experienced outside reviewer would catch. With this in mind, engage a Registered Provider Organization (RPO) staffed with Registered Practitioners (RPs) once you reach the CMMC preparation phase.

An RPO understands the requirements as they are intended because its practitioners have been trained directly by the CMMC Accreditation Body (CMMC-AB) and must follow an approved code of practice to keep their RPO status. When walking through a complete gap analysis, a knowledgeable RP examines your network, systems, and controls against the specific CMMC Level your organization is trying to achieve.

Enter: The CMMC Gap Analysis

Compliance teams are already familiar with gap analyses for similar frameworks such as NIST SP 800-171. They are extremely helpful when formulating a Plan of Action & Milestones (POA&M) and deciding on the general direction of a cybersecurity strategy.

CMMC Level 3, for example, contains the 110 controls of NIST SP 800-171 plus an additional 20, for a total of 130 controls. Unlike a normal NIST SP 800-171 gap analysis and report, however, CMMC requires demonstrated maturity and repeatable, reliable documentation, with evidence from two of the three assessment methods for each control:

  • Proof via interview;
  • Proof via testing; and
  • Proof via examination (observation of documents, records, and configurations).

That means each control must be a provable, documented part of your organization’s cybersecurity processes before it can pass a CMMC audit. A gap analysis is invaluable for documenting controls, especially when it is completed by an RP that has received training from the CMMC-AB.

What Action-Items Should My Organization Pursue Now?

Start data collection.

A general NIST SP 800-171 audit isn’t a bad idea if you believe your organization can pass it. Remember that simply checking the boxes won’t demonstrate maturity, but you will at least have most of the technical controls in place.

Start a CMMC Gap Analysis.

A gap analysis can take time, especially for Level 3 and above. However, it will put your organization in a position to demonstrate and document maturity as early as possible.

Stay on top of CMMC news and get in contact with an RPO or a CMMC Third Party Assessment Organization (C3PAO).

If your bandwidth is limited, reach out to an organization with expertise in this area, and make room for CMMC to become a permanent part of your IT and compliance planning for the foreseeable future.

Do you have more questions about gap analyses and whether one is the next, most appropriate step in your organization’s CMMC preparation? Read more about them on our services page, or schedule a one-on-one conversation with a CMMC subject matter expert.
