Is a CMMC gap assessment the same as a CMMC assessment?

No. A gap assessment is a readiness diagnostic. A CMMC assessment is the applicable formal self-assessment, Level 2 (C3PAO) certification assessment, or Level 3 DIBCAC assessment required for your level and contract. Only the formal assessment produces a CMMC Status posted in SPRS.

Does a CMMC gap assessment produce CMMC certification?

No. A gap assessment may prepare you for certification, but it does not produce a Final Level 2 (C3PAO) status or a Final Level 3 (DIBCAC) status. Any provider that claims otherwise is misrepresenting the program.

Do I need a gap assessment before a C3PAO assessment?

Not legally. Practically, most contractors should complete readiness work before engaging a C3PAO. Hiring a C3PAO before your scope, SSP, evidence, and control implementation are ready wastes time and money and risks burning your queue position with an authorized assessor.

What's the difference between a CMMC gap assessment and a NIST 800-171 gap analysis?

For Level 2, the substantive control set is NIST SP 800-171 Revision 2 under 32 CFR Part 170 — the two terms describe the same underlying work. A stronger CMMC gap assessment goes further by accounting for CMMC-specific scoping, SPRS posting requirements, POA&M restrictions, annual affirmation cadence, C3PAO-readiness implications, and provider independence considerations.

Can I do a CMMC gap assessment myself?

Yes, especially for early triage. The result is only as strong as your team's understanding of NIST SP 800-171A's interview, examine, and test methods, CUI scoping under 32 CFR Part 170, the DoD Assessment Methodology, and POA&M restrictions. Most small DIB companies benefit from an external second opinion before committing remediation spend.

How much does a CMMC gap assessment cost?

Most Level 2 gap assessments in 2026 range from $3,500 to $20,000, depending on starting maturity, environment complexity, employee count, and the number of sites in scope. Level 1 typically runs $1,500 to $4,000. Level 3 adds $5,000–$12,000+ on top of the Level 2 baseline.

What documents should I have ready before a gap assessment?

Contract documents and any flow-down clauses, current CUI inventory (if known), system and network diagrams, asset list, current SSP, current POA&M, security policies, current SPRS score (if posted), MSP/MSSP contracts, cloud environment details, and incident-response procedures. Do not upload any of these documents through public web forms — share them only through secure channels after the provider's identity is verified.

Should I upload CUI to a provider intake form?

No. Use intake forms only for routing and basic contact information. Share CUI or sensitive security details only through appropriate secure channels after independently verifying the provider's identity and security posture.

Does a low SPRS score mean we can't bid on DoD contracts?

It depends on the solicitation, the clause, and the contracting officer. DFARS 252.204-7025 establishes the solicitation-level award gate by requiring a current CMMC Status at the specified level. DFARS 252.204-7019 separately requires offerors to have current NIST SP 800-171 DoD Assessment summary scores posted in SPRS when the contract applies. Binding award eligibility is governed by the specific solicitation and contract terms — not by a gap assessment provider's opinion. Consult federal-contracts counsel if your status is in dispute.

Can every CMMC gap go on a POA&M?

No. POA&Ms are not permitted at Level 1. At Level 2, POA&Ms are restricted — specific weighted requirements cannot be deferred to a POA&M, and Conditional Level 2 status requires both a minimum 80% score (88 out of 110) and full implementation of the non-POA&M-eligible requirements. All POA&M items must close within 180 days or Conditional status expires.

What if my prime contractor says we need CMMC compliance in 90 days?

Start with rapid scoping and readiness triage. The right next step may be a provider match, a contracts review, a scope-reduction plan, or a focused remediation sprint — but don't buy a 'guaranteed certification' promise. Most 90-day timelines require both an honest scope conversation with the prime and realistic expectation-setting with your own leadership.

Does GCC High or AWS GovCloud automatically make us CMMC compliant?

No. Microsoft 365 GCC High and AWS GovCloud can support compliant architectures. Neither environment, by itself, defines scope, implements every organizational control, builds your SSP, satisfies POA&M restrictions, or produces a CMMC Status. The platform is a piece — not the program.

How often should we repeat a gap assessment?

Repeat it when your scope changes materially, when a new contract or flow-down changes your assessment path, before a Level 2 (C3PAO) assessment, after significant remediation work, or during annual maintenance before your Affirming Official enters the SPRS affirmation.

What's the first step if we don't know whether we handle CUI?

Start with a contract and data triage. Map where data enters your environment, where it lives, who has access, and whether your contract clause designates any of it as CUI. Don't buy a Level 2 implementation package before you know whether CUI is present in scope. If clause language is ambiguous, engage federal-contracts counsel — that is a legal determination, not a consulting opinion.

How recent is the information on this page?

This page was last verified on May 26, 2026. We track CMMC regulatory developments continuously and re-verify against the Federal Register, eCFR, NIST CSRC, Acquisition.gov, Cyber AB, and the Department of War CIO CMMC FAQ each quarter. Material changes trigger a re-review and a dated update.

CMMC Gap Assessment Services: What They Should Deliver, Who Can Perform Them, and What to Verify Before You Hire (2026)

By The Defense Compliance Report Editorial Team · An independent trade publication on CMMC 2.0 and DIB compliance.

Last verified: May 26, 2026

This page is educational, not legal, contractual, or compliance advice. Provider-matching forms may generate lead-routing compensation. We are not affiliated with the Cyber AB, the Department of Defense, the Department of War, or any U.S. government agency.

The Bottom Line

CMMC gap assessment services are pre-assessment reviews of your scope, System Security Plan (SSP), evidence, score posture, and remediation gaps against the Cybersecurity Maturity Model Certification (CMMC) level your contract requires. For most defense contractors handling Controlled Unclassified Information (CUI), the useful version is a Level 2 gap assessment against NIST SP 800-171 Revision 2 — the 110 security requirements organized into 14 control families and the 320 assessment objectives in NIST SP 800-171A. Typical cost in 2026 runs $3,500 to $20,000. Typical duration is 2 to 6 weeks for small-to-mid Defense Industrial Base (DIB) companies. The right provider is almost always a Registered Provider Organization (RPO) with credentialed practitioners on staff — and almost never the same Certified Third-Party Assessment Organization (C3PAO) you plan to use for your future certification.

That last point is where most buyers we see lose money. The Cyber AB’s CMMC Assessment Process (CAP) draws a hard line between formal pre-assessment activities (which a C3PAO can perform) and readiness consulting, SSP build-out, remediation advice, implementation assistance, or recommendations to improve preparedness (which can create a conflict that prevents the C3PAO from later assessing the same client). Hire the wrong firm for the wrong job and you will pay twice — once for the work, then again when you discover the firm you trusted with your gap report is conflicted from issuing your certification.

We’ll walk through the full decision below: what a CMMC gap assessment must deliver to be worth buying, who can perform it (and who cannot), how much it actually costs, what to put in the Statement of Work, and the red flags that separate a defensible engagement from a $12,000 spreadsheet.

Quick-fit guide (first screen)

If your situation is…	Start with…	Avoid…
Not sure whether you have CUI	CUI/FCI scoping review	Buying a Level 2 package before scope is known
Federal Contract Information (FCI) only / Level 1	Basic safeguarding gap review	Paying for full Level 2 readiness unnecessarily
CUI / Level 2 (Self)	NIST SP 800-171 Rev. 2 gap assessment	Treating a gap report as a SPRS submission
CUI / Level 2 (C3PAO)	Readiness provider first, C3PAO later	Hiring the assessor before evidence is ready
Already assessment-ready	Formal C3PAO pre-assessment / scoping	Asking the C3PAO to remediate your gaps

Find your gap assessment path before you ask for quotes

Answer a few questions about level, CUI scope, environment, and timeline. No CUI, contracts, system diagrams, or sensitive files.

Find your path

What a CMMC Gap Assessment Service Actually Is — and What It Isn’t

A CMMC gap assessment is a diagnostic. It identifies the distance between your current cybersecurity posture and the requirements of the CMMC level your contract specifies. It produces a preliminary Supplier Performance Risk System (SPRS) score posture, an evidence inventory, a list of unmet requirements, and a remediation roadmap. It does notproduce a CMMC certification. It does not replace a self-assessment posting in SPRS. It is not a “mock” of a Level 2 (C3PAO) assessment, and it is not the assessment itself.

This matters because the CMMC ecosystem uses at least six different terms for assessments, and most vendor marketing blurs them. We separate them below.

The six assessments — only three of them produce a CMMC Status

Assessment	Who performs it	What it produces	Produces a CMMC Status?
Gap assessment (a.k.a. gap analysis)	Internal team, RPO, Registered Practitioner (RP), or qualified consultant — should not be the firm you plan to use as your C3PAO assessor if that engagement would include advisory or remediation work	Findings against NIST SP 800-171 Rev. 2, preliminary score posture, SSP and POA&M draft material, remediation roadmap	No — diagnostic only
Pre-assessment / SSP & POA&M build	RPO, RP, or internal team	Documented SSP, documented POA&M, evidence inventory	No — preparation deliverable
Readiness (“mock”) assessment	RPO, RP, or third-party CCA outside your planned C3PAO	Mock-of-the-real-thing findings using NIST 800-171A methods (interview, examine, test); punch list	No — practice run
CMMC Level 1 self-assessment	Your organization, attested by an Affirming Official	Level 1 result of MET / NOT MET in its entirety and annual affirmation posted in SPRS (no POA&M permitted at Level 1)	Yes — produces Final Level 1 (Self) status, but is not a C3PAO certification assessment
CMMC Level 2 self-assessment	Your organization, attested by an Affirming Official	Overall assessment score, POA&M status if applicable, CMMC Status, and annual affirmation in SPRS	Yes — produces a Conditional or Final Level 2 (Self) status, but is not a C3PAO certification assessment
Level 2 C3PAO certification assessment	An authorized C3PAO listed in the Cyber AB Marketplace, staffed by Certified CMMC Assessors	Conditional or Final Level 2 (C3PAO) status submitted via eMASS and reflected in SPRS	Yes — this is the third-party certification path
Level 3 DIBCAC assessment	The Defense Industrial Base Cybersecurity Assessment Center (DCMA’s DIBCAC)	Conditional or Final Level 3 (DIBCAC) status; requires Final Level 2 (C3PAO) first	Yes — this is the government-conducted certification path

The CMMC Final Rule — codified at 32 CFR Part 170, published in the Federal Register at 89 FR 83092 on October 15, 2024, and effective December 16, 2024 — defines the assessment requirements. The implementing DFARS rule (DFARS Case 2019-D041) was published September 10, 2025 and became effective November 10, 2025, starting Phase 1, which runs through November 9, 2026.

Why this disambiguation matters before you ask for quotes

Two things happen when buyers don’t separate these. First, they pay for a “gap analysis” that is really just a control-name checklist exported from a vendor’s Governance, Risk, and Compliance (GRC) platform, then discover at the C3PAO stage that they have no defensible evidence. Second, they hire a C3PAO for “readiness work” expecting that firm to also certify them — and only later learn that any advisory or remediation activity may disqualify that firm from the formal assessment.

A direct admission, because the page is worthless without it: A meaningful share of “CMMC gap assessments” sold in 2026 are little more than a control-name spreadsheet. We’ve reviewed gap assessment deliverables at the upper end of the market that turned out to be exactly that — no evidence-based testing of the 320 NIST 800-171A objectives, no scoring posture, no scope memo. The deliverable matters more than the price tag. We’ll show you exactly what a defensible report contains further down. For now, the rule is simple: if the engagement does not walk the NIST 800-171A objectives with the assessor’s interview, examine, and test methods, you are not buying a gap assessment. You are buying a list.

Do You Actually Need a CMMC Gap Assessment?

No, not as a discrete contractual requirement. The CMMC Final Rule does not name “gap assessment” as a required deliverable. What it requires is the applicable CMMC Status path for the level and assessment type specified in the solicitation and resulting contract — primarily DFARS 252.204-7025 (Notice of Cybersecurity Maturity Model Certification Level Requirements), the solicitation provision that establishes the award gate, and DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements), the contract clause that governs ongoing compliance. A gap assessment is a practical readiness step, not a regulatory mandate.

That said, a gap assessment becomes practically necessary in several common situations:

Your SSP is incomplete, out of date, or never existed in a defensible form.
Your SPRS score is negative, low, or hasn’t been refreshed against the actual environment.
Your CUI scope is unclear — you suspect CUI is everywhere, or you suspect it’s nowhere, and you can’t prove either.
A prime contractor has asked for status under a new flow-down.
You’re considering a Level 2 (C3PAO) certification assessment and the assessor’s schedule is months out.
You use an external service provider (ESP) — typically a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP) — and you don’t have a written shared-responsibility matrix.
You aren’t sure which of your unmet requirements are eligible for a Plan of Action and Milestones (POA&M) and which are not.

What the rule actually requires of you

Your CMMC Level	What you must do	Source
Level 1	Annual self-assessment of the 15 basic safeguarding requirements from FAR 52.204-21; Affirming Official attestation; MET/NOT MET self-assessment result posted in SPRS (no POA&M permitted)	32 CFR Part 170; FAR 52.204-21
Level 2 (Self)	Triennial self-assessment against NIST SP 800-171 Rev. 2’s 110 requirements (320 objectives in NIST SP 800-171A); overall score and CMMC Status posted in SPRS; Affirming Official attestation; annual affirmation thereafter	32 CFR Part 170; DFARS 252.204-7019/-7020
Level 2 (C3PAO)	Triennial certification assessment by an authorized C3PAO; results submitted through eMASS and reflected in SPRS; annual affirmation thereafter	32 CFR Part 170; Cyber AB CAP v2.0
Level 3	DIBCAC assessment against the Level 2 baseline plus 24 selected NIST SP 800-172 enhanced requirements; requires Final Level 2 (C3PAO) status first	32 CFR Part 170; DoW CIO CMMC FAQ Rev. 2.3 (May 2026)

The CyberSheath / Merrill Research State of the DIB 2025 survey — which sampled 300 defense contractors in advance of the November 10, 2025 enforcement date — found that only 1% of respondents felt fully prepared and that none reported the perfect SPRS score of 110 required for full Level 2 compliance, with 17% still reporting negative scores. That isn’t a gap assessment fact. That’s a gap industryfact. The reason most contractors need a gap assessment isn’t because the rule says so. It’s because they don’t actually know where they stand.

What Kind of CMMC Gap Assessment Fits Your Situation

The right engagement depends on four variables: whether you handle FCI, CUI, or both; which CMMC level and assessment type your contract specifies; how mature your existing SSP and evidence are; and whether your CUI environment can be scoped tightly via an enclave. The table below is the version we wish someone had given us before we started comparing vendor service pages.

CMMC Gap Assessment Service Fit Matrix

Your situation	What you probably need	Who should perform it	What it should produce	What it does not do
You only handle FCI and think you may be Level 1	Level 1 basic safeguarding gap review	Internal team, RP/RPO, or small readiness consultant	FAR 52.204-21 safeguard review, annual self-assessment readiness, affirmation workflow	Produce a Level 2 status or C3PAO certification
You handle CUI; your contract requires Level 2 (Self)	NIST SP 800-171 Rev. 2 gap assessment using 800-171A methods	RPO/readiness consultant, internal security team, or qualified independent assessor outside your planned C3PAO	Scope boundary, SSP review, evidence map, preliminary score, POA&M eligibility screen, SPRS readiness	Replace your SPRS submission or annual affirmation
You handle CUI; your contract requires Level 2 (C3PAO)	C3PAO-readiness gap assessment before hiring the C3PAO	RPO/readiness consultant; MSP/MSSP if implementation help is needed	C3PAO-readiness decision, evidence package, scope boundary, SSP and POA&M cleanup, remediation roadmap	Certify you — a separate authorized C3PAO does that
You’re already assessment-ready	Pre-assessment scoping and validation by your selected C3PAO (Phase 1 of the CAP)	Authorized C3PAO	Formal pre-assessment activities, scope validation, assessment planning	Allow the C3PAO to remediate gaps it finds for you
You don’t know whether you handle CUI	CUI/FCI scoping-first review	RP/RPO; federal contracts counsel if clause language is ambiguous; IT/security lead	Contract and data triage, CUI data-flow map, system boundary recommendation	Determine a binding contract interpretation by itself
Your CUI is spread across the entire enterprise	Scope-reduction / enclave feasibility assessment	Readiness consultant plus an MSP/MSSP or enclave provider	Enclave vs. full-tenant decision, shared-responsibility matrix, user and workflow plan	Eliminate all organizational controls
Your prime is asking for status in 60–90 days	Rapid readiness triage	Readiness consultant/RPO; legal/contracts counsel if needed	Current posture, blockers, realistic timeline, quote-ready scope	Guarantee contract award eligibility

The clearest principle: identify the path your contract requires, then buy the gap assessment that fits that path. The most expensive failures we’ve reviewed started with buying a Level 2 (C3PAO) readiness program when the contract actually permitted Level 2 (Self), or vice versa.

If you’re not sure where you fall on the three CMMC levels, start there before scoping a service.

What a Defensible CMMC Gap Assessment Must Deliver

A useful gap assessment produces decisions, not just findings. The deliverable should give a senior official enough information to choose between self-assessing, remediating, scoping down, engaging a C3PAO, or delaying — and to defend that choice in writing.

Below is our 12-point Deliverable Sufficiency Scorecard. Score each item on a quoted proposal from 0 to 2. 0 = missing. 1 = mentioned but vague. 2 = clearly included with acceptance criteria. A defensible engagement scores at least 17 out of 24.

The 12-Point CMMC Gap Assessment Deliverable Sufficiency Scorecard

#	Deliverable	Why it matters	Red flag if missing
1	Contract and data triage — FCI, CUI, CUI category, applicable clause, flow-down status	The required Level and assessment type depend on the contract and the CUI you handle, not on company size or vendor opinion	Provider quotes Level 2 without asking what data you handle or what the clause says
2	Assessment scope boundary — written, defensible	CMMC assessment scope under 32 CFR Part 170 turns on which assets process, store, transmit, protect, or are not isolated from FCI/CUI	Provider says “we assess the whole company” or “we assess your Microsoft tenant” without a boundary conversation
3	CUI data-flow map — where it enters, moves, is stored, leaves, and is accessed	The reader needs to see how CUI moves across users, file stores, email, collaboration tools, vendors, and subcontractor flows	No data-flow discussion at all
4	Asset categorization — CUI assets, security protection assets, contractor risk managed assets, specialized assets, out-of-scope assets	Level 2 scoping requires asset categorization, not just device counts	Provider only asks for a headcount
5	SSP review against actual scope	The SSP is central to NIST 800-171 and CMMC assessment posture; NIST notes there is no prescribed SSP format, but the required information must be conveyed	Provider treats the SSP as a template-filling exercise
6	NIST SP 800-171A-style evidence map with interview, examine, and test methods	NIST SP 800-171A defines the assessment procedures for the 110 requirements (320 assessment objectives). A defensible gap report walks those objectives, not just the requirement names	Provider checks controls as “met” without evidence-method logic
7	Preliminary score posture using the DoD Assessment Methodology	Level 2 self-assessment scoring uses the DoD methodology. The gap assessment’s preliminary score tells you what your real submission will look like	Provider refuses to show how gaps affect score posture
8	POA&M eligibility screen	POA&Ms are restricted under the Final Rule: not permitted at Level 1, limited at Level 2, certain weighted requirements are excluded, and the 180-day closeout window is hard	Provider says “you can POA&M the rest” without checking excluded controls
9	Remediation roadmap with owner, cost driver, dependencies, and sequencing	You need to know what to fix first and which fixes are prerequisites for others	Provider delivers a control list with no priority, owner, or sequence
10	Provider independence plan	A C3PAO that gives advisory or implementation help can be conflicted from later assessing the same client	Provider offers “readiness consulting + guaranteed certification” in a bundle
11	ESP/CSP shared-responsibility matrix	External service providers and cloud service providers affect scope and evidence. The CAP requires confirmation of an ESP responsibility matrix when the ESP is in scope	Provider ignores MSP, MSSP, cloud, or shared-responsibility boundaries
12	Executive decision memo	The output should tell leadership whether to self-assess, remediate, scope down, engage a C3PAO, or delay — in writing	Provider produces a spreadsheet but no decision path

Scoring interpretation:

0–8:Not a sufficient CMMC gap assessment. You’re buying a list, not a decision.
9–16: Useful preliminary review. Not quote-ready for serious remediation planning.
17–22: Strong readiness deliverable if the scope and evidence assumptions are clear.
23–24: Buyer-grade gap assessment. Drives remediation quotes and C3PAO-readiness planning with confidence.

Run this scorecard against every CMMC gap assessment proposal you receive. The scorecard takes ten minutes. The contract you’d otherwise sign takes months and tens of thousands of dollars to unwind.

Download the CMMC Readiness Checklist

A 32-point internal review mapped to the 14 NIST SP 800-171 Rev. 2 control families. Use it alongside the scorecard above when comparing provider quotes against the same scope, deliverables, and exclusions.

Download the Checklist

Who Can Perform Your CMMC Gap Assessment — and Who Cannot

Most defense contractors that aren’t already assessment-ready should engage a Registered Provider Organization (RPO) listed on the Cyber AB Marketplace, or an MSP/MSSP that has earned RPO status and staffs the engagement with Certified CMMC Professionals (CCPs) or Certified CMMC Assessors (CCAs). A C3PAO can perform formal pre-assessment activities under the CAP, but if the work shifts into readiness consulting, SSP build-out, remediation advice, or implementation assistance, the firm can be conflicted from later assessing the same client. This is the single most expensive sequencing mistake we see.

Provider category matrix

Provider category	Best used for	Can certify?	What to verify	Common mistake
Internal team	Early self-review, document inventory, control owner mapping	No	NIST 800-171A familiarity; independence from wishful scoring	Marking controls “met” without evidence
Registered Practitioner (RP) / RPO / readiness consultant	Scoping, gap assessment, SSP development, POA&M planning, readiness preparation	No	Cyber AB Marketplace status (active, not expired); DIB experience; deliverable scope; independence boundary	Assuming an RPO can certify you — it cannot
MSP / MSSP	Implementing and operating security controls, logging, identity, endpoint, monitoring	No	CUI/FCI environment experience; incident-response capability; evidence output quality; shared-responsibility documentation	Treating managed IT as a complete compliance program
GRC platform	Evidence tracking, workflows, SSP support, control mapping	No	Current CMMC and NIST 800-171 Rev. 2 mapping; reporting quality; evidence handling	Believing software alone makes you compliant
CUI enclave / secure cloud	Scope reduction by isolating CUI workflows	No	Contractual fit; data-flow assumptions; cloud environment; user-access model; shared-responsibility boundary	Assuming a platform alone determines your level or eliminates organizational obligations
C3PAO	Formal Level 2 certification assessment and CAP-defined pre-assessment activities	Yes, if authorized	Active C3PAO listing on the Cyber AB Marketplace; assessment team credentials (CCAs); scope; timeline; conflict-of-interest policy	Asking the C3PAO to do advisory or remediation work that creates a future conflict
Federal contracts counsel	Clause interpretation, flow-down disputes, legal risk	No	Federal-contracts and cybersecurity practice depth	Asking a consultant to make binding legal determinations

Before signing with any provider, verify three things in writing:

Cyber AB Marketplace status — RPO or C3PAO listing, active status. The Marketplace at cyberab.org is the authoritative directory. Some listings are expired, suspended, or candidate-status; some firms claim status they don’t have.
Individual practitioner credentials — names and current CCP, CCA, or RP status of the people who will actually perform your work, not just the firm.
Written independence position — explicit language in the proposal stating whether the firm will or will not perform your future C3PAO assessment, and confirming no affiliation with the C3PAO you select.

Get matched with verified CMMC gap assessment providers

We’ll connect you with RPOs, Registered Practitioners, and CMMC-experienced MSPs that fit your level, scope, environment, and timeline. We do not perform gap assessments ourselves and we do not accept editorial-approval rights from any provider. Verified means provider category, claimed credential status, and basic fit are checked before routing. It does not mean government endorsement, Cyber AB endorsement, guaranteed certification, or guaranteed contract eligibility.

Get matched with providers

The C3PAO Conflict-of-Interest Problem Nobody Warns You About

The Cyber AB’s CMMC Assessment Process (CAP) v2.0 and the CMMC Code of Professional Conduct treat readiness consulting and the formal Level 2 (C3PAO) certification assessment as separate roles for the same client engagement. A firm acting as both your readiness consultant and your assessor for the same engagement creates a conflict that the Cyber AB views as compromising impartiality. The practical effect: if you hire a C3PAO for “gap assessment” or “readiness” work that includes advisory, remediation, or implementation activity, that firm can be conflicted from issuing your later certification.

We read the CAP. The Phase 1 procedures explicitly require the C3PAO to determine whether the Organization Seeking Certification (OSC) is sufficiently prepared. If the C3PAO concludes the OSC is not ready, the CAP requires the C3PAO to issue a written explanation and may suspend the assessment — but it prohibits the C3PAO from providing remedial advice, implementation assistance, or recommendations to improve preparedness for a rescheduled assessment. That is the line.

What this means at the buying decision

You can hire a C3PAO for the certification assessment. That is the C3PAO’s job.
You can hire a C3PAO for a formal CAP pre-assessment. That activity is part of the CAP and is distinct from advisory work.
You should not hire that same C3PAO for the readiness consulting, SSP build, gap remediation, or implementation work that precedes it. Different firm, different engagement, different invoice.
You should not hire an MSP, MSSP, or RPO that is affiliated, owned, or controlled by your selected C3PAO for the readiness work, for the same reason.

The five questions to ask any provider before signing

Are you acting as readiness consultant, MSP/MSSP, GRC vendor, C3PAO, attorney, or multiple roles?
Will any advisory, remediation, or implementation work performed under this Statement of Work prevent your organization (or an affiliated C3PAO) from later conducting our certification assessment?
Do you have a written conflict-of-interest policy you can share?
Will the Statement of Work explicitly state that no certification outcome is guaranteed?
Will you identify in writing where readiness work ends and where formal assessment activity begins?

Any provider that hedges on questions 1, 2, or 3 should be removed from your shortlist.

What CMMC Gap Assessment Services Cost in 2026

There is no published industry rate card. Cost depends on your CMMC level, the size and complexity of your environment, the number of physical sites in scope, the maturity of your existing SSP and evidence, and whether the engagement includes remediation support or just diagnosis. The cost band most commonly quoted in 2026 for Level 2 gap assessments is $3,500 to $20,000. Level 1 engagements typically run $1,500 to $4,000. Level 3 engagements add a $5,000–$12,000+ uplift over Level 2.

The largest cost in a CMMC program is almost never the gap assessment itself — it is the remediation that follows. Industry estimates for remediation typically range from $35,000 to $250,000+depending on starting maturity. The DoD’s own published cost analysis appended to 32 CFR Part 170 estimates a small-entity Level 2 certification assessment and affirmation support cost of $101,752, of which the C3PAO engagement component is estimated at $31,234. Those are regulatory estimates, not market rates, and they describe the certification assessment, not the gap assessment that precedes it.

Cost-by-starting-maturity ladder (Level 2 focus)

The table below synthesizes market data from at least five published cost references (PreVeil, Paramify, Secureframe, IBSSCORP, CISPOINT, and CMMC.com Newsroom) cross-checked against current vendor pricing. None of these is a primary regulatory source for pricing — pricing is market-driven and varies by region and provider. Treat this table as a quote-comparison anchor and collect at least three current quotes against the same Statement of Work before signing.

Starting state	Headcount	Typical gap assessment cost (Level 2)	Typical duration
No prior cybersecurity program, no MSP, no SSP	1–25	$5,000–$8,000	2–4 weeks
No prior cybersecurity program, no MSP, no SSP	26–100	$8,000–$12,000	3–6 weeks
Existing MSP, partial documentation, ad hoc controls	1–25	$4,000–$7,000	2–3 weeks
Existing MSP, partial documentation, ad hoc controls	26–100	$7,000–$12,000	3–6 weeks
Existing MSP, partial documentation, ad hoc controls	101–500	$12,000–$18,000	6–12 weeks
Existing MSP, partial documentation, ad hoc controls	501+	$15,000–$25,000+	8–20 weeks
Mature security shop (NIST CSF in place, existing SSP, SOC)	1–100	$3,500–$6,000	1–3 weeks
Mature security shop (NIST CSF in place, existing SSP, SOC)	101–500	$6,000–$12,000	3–8 weeks
Mature security shop (NIST CSF in place, existing SSP, SOC)	501+	$10,000–$20,000	4–12 weeks
Level 1 only (FCI only)	Any	$1,500–$4,000	1–2 weeks
Level 3 (Level 2 + NIST 800-172 subset)	Varies	Level 2 cost + $5,000–$12,000+ uplift	Level 2 duration + 1–3 weeks

For a full breakdown of the broader Level 2 program cost — not just the gap assessment line item — see our CMMC Level 2 Cost Guide.

The truth-in-pricing rule

Don’t compare CMMC gap assessment quotes on price alone. A $4,500 quote that excludes CUI scoping, evidence walkthrough, POA&M eligibility, ESP/CSP responsibility matrix, and remediation sequencing will cost more six months later than a $14,000 quote that delivers all twelve items on the scorecard above. The right comparison is cost per decision delivered, not cost per page of report.

Request scoped quotes using the same 12-point checklist

Better quotes start with the same level, same scope, same deliverables, and the same exclusions — so you can compare apples-to-apples instead of price-to-price.

Request scoped quotes

How Long a CMMC Gap Assessment Takes

For small DIB companies (1–100 employees) targeting Level 2, a CMMC gap assessment typically runs 2 to 6 weeks from kickoff to final report. Larger companies (101–500+) commonly run 6 to 20 weeks, driven by IT complexity, the number of physical sites, and the number of Active Directory domains in scope. Level 1 engagements are shorter — typically 1 to 2 weeks.

What drives duration

The limiting factor in nearly every engagement is the contractor’s ability to make stakeholders available and produce evidence on request — not the assessor’s speed. The fastest engagements share three characteristics: a named single point of contact on the contractor side, a pre-existing inventory of policies and configuration documents, and stakeholders blocked off for the interview phase. The slowest engagements share one characteristic: the contractor begins building the documents the assessor needs only after the kickoff call.

Why fast can be dangerous

Triage speed is fine. Certified speed is not. The CAP’s Phase 1 requires the C3PAO to review the SSP for completeness, validate assessment scope, resolve scope disagreements before Phase 2, and establish evaluation methods based on the OSC’s Level 2 CUI assets. A gap assessment that promises a “ready for assessment” verdict in 72 hours is either using a questionnaire scan in place of NIST 800-171A methods or is misrepresenting what readiness means. Both are expensive in different ways.

One real-world reference point

The first small business to pass the DIBCAC/C3PAO Joint Surveillance Voluntary Assessment Program (JSVAP) — Aero-Glen International — did so after a years-long preparation cycle that included multiple readiness reviews before the formal assessment. Their published case study, disclosed in a Redspin BusinessWire announcement in January 2023, is an attributable, named industry example of a small-business CMMC-equivalent JSVAP result. It is industry press, not regulatory evidence, and JSVAP itself was a precursor program; today’s certification path runs through authorized C3PAOs under 32 CFR Part 170. The substantive lesson, however, is universally cited: organizational buy-in and a tested incident response program matter as much as control implementation.

What Should Be in the Statement of Work

The Statement of Work (SOW) is where most gap assessments succeed or fail before the work begins. A defensible SOW defines the level, the assessment path, the scope assumptions, the evidence methods, the deliverables, the exclusions, the timeline, the data-handling rules, the conflict-of-interest boundaries, and the quote assumptions. Without those, you cannot compare quotes, you cannot hold the provider accountable, and you cannot defend the engagement to a contracting officer or auditor.

SOW elements checklist

SOW element	Language we require in every contract we review
Level and assessment path	Level 1, Level 2 (Self), Level 2 (C3PAO) readiness, or Level 3 planning — named explicitly
Standard and version	“CMMC Level 2 against NIST SP 800-171 Revision 2 under current 32 CFR Part 170; assessed using NIST SP 800-171A objectives”
Scope assumptions	Locations, systems, users, CUI workflows, cloud services, MSP/MSSP dependencies, ESPs, subcontractor flows
Evidence methods	Interview, examine, and test; sampling approach; expected artifact types
Deliverables	Scope memo, SSP findings, evidence map, score posture, POA&M screen, remediation roadmap, executive decision memo — all twelve scorecard items
Exclusions	No legal advice, no official certification, no guaranteed outcome, no CUI uploaded to intake forms
Independence	The provider’s role and whether any work performed creates a future C3PAO conflict
Data handling	No CUI in web forms; secure exchange only after the provider’s identity and security posture are verified
Acceptance criteria	What must be delivered for the engagement to be considered complete
Quote assumptions	Number of systems, locations, users, meetings, artifacts, and revisions covered; change-order triggers
Timeline and dependencies	Provider-side and contractor-side dependencies; named SPOC
Confidentiality	NDA scope; data retention period; destruction terms

Do not submit CUI, controlled technical data, export-controlled content, contract numbers, system diagrams, vulnerability details, passwords, incident details, or sensitive security information through public web forms. Share sensitive material only through appropriate secure channels after independently verifying the provider’s identity and security posture.

We use that same standard on our own intake forms. Any provider that asks for CUI through a public form has failed the most basic test of its own competence.

How to Compare CMMC Gap Assessment Quotes

Compare quotes by normalizing scope, level, deliverables, evidence depth, provider role, exclusions, and conflict-of-interest posture. The cheapest quote that omits scoping, evidence review, or POA&M eligibility analysis is more expensive than the more expensive quote that delivers all twelve scorecard items.

Quote comparison framework

Question to ask every provider	Why it matters
What role are you playing — readiness consultant, MSP/MSSP, GRC vendor, C3PAO, attorney, or multiple?	Determines what they can and cannot do later
What’s your current Cyber AB Marketplace status, and when was it last renewed?	Some claims of status are outdated, expired, or candidate-only
Which assessment path is this engagement scoped for — Level 1, Level 2 (Self), Level 2 (C3PAO) readiness, or Level 3 planning?	Determines control set and depth
What systems, users, locations, cloud services, and ESP/CSP relationships are in scope?	Determines real cost
Will you review artifacts, interview owners, and test implementation, or only review documents?	The difference between an evidence-based gap assessment and a checklist
Which of the 12 Deliverable Scorecard items are included? Which are explicit exclusions?	Apples-to-apples basis for price comparison
Is remediation advice included? Is implementation included? Is it priced separately?	Determines total program cost, not just the gap line item
Would any advisory, remediation, or implementation work performed under this SOW prevent your firm — or any affiliated C3PAO — from later conducting our certification assessment?	The independence question
How will CUI and sensitive artifacts be exchanged and protected?	Determines whether the provider takes its own security seriously
What’s your timeline and what dependencies do you require from us?	Determines realistic delivery date
What would trigger a change order in pricing or scope?	Determines exposure to scope creep

If a provider can’t answer any one of these in writing, move on. Three quotes scored against the same checklist beats five quotes scored on price.

Red Flags When Buying CMMC Gap Assessment Services

The most expensive vendor isn’t always the worst one. The most dangerous vendor is the one that makes you feel assessment-ready before you actually are. These are the patterns we see most often in proposals we don’t recommend.

“Guaranteed CMMC certification.” No firm can guarantee a CMMC certification outcome. The CAP explicitly prohibits C3PAO assessment contracts that include guarantees, promises, or incentives tied to certificate issuance.
“We do readiness andyour C3PAO assessment.” This is the Cyber AB independence rule risk discussed above. Walk away if the work would include advisory or remediation activity.
“No need to map CUI flows — we’ll just use a template SSP.” Scope determines everything. A template SSP is a starting point, not a deliverable.
“Software will make you compliant.” GRC platforms, secure cloud environments, and CUI enclaves are useful. None of them, alone, produces CMMC status.
“Your MSP already has this covered.” Maybe — but if your MSP doesn’t have RPO status and named CCP/CCA practitioners, it doesn’t have CMMC compliance covered. It has IT operations covered.
“You can POA&M anything left.” False. POA&Ms are restricted at Level 2 (specific weighted requirements cannot be deferred) and the 180-day closeout window is firm.
“We don’t need to talk to your contracts team.” The clause sets the level and the assessment type. A gap assessment that ignores the clause is mis-scoping itself by design.
“All Level 2 contracts require a C3PAO.” False. DoD policy during Phase 1 focuses on Level 2 (Self) where applicable. Some Level 2 contracts will require C3PAO assessment, but not all.
“NIST 800-171 Rev. 3 is what CMMC requires today.” False as of May 26, 2026. The current CMMC Program Rule (32 CFR Part 170) incorporates NIST SP 800-171 Revision 2 for CMMC Level 2 unless and until DoD amends the rule. The Department of War CIO’s May 2026 CMMC FAQ (Rev. 2.3) confirms CMMC assessments are conducted against Rev. 2 until the relevant class deviation memo is withdrawn or superseded and future rulemaking implements Rev. 3.
Pricing dramatically below the market band. A Level 2 gap assessment under $3,500 for a non-trivial environment usually means a questionnaire scan, not an evidence-based engagement.
No published methodology, no named practitioners, no Marketplace listing. Three independent failures of basic professional infrastructure.

Where CMMC Gap Assessments Usually Need to Look First: The 14 NIST SP 800-171 Rev. 2 Control Families

The 110 NIST SP 800-171 Rev. 2 security requirements are organized into 14 control families. Across gap assessments, Cyber AB town hall commentary, and DIBCAC-published findings, five families are consistently cited as the highest-risk areas in defense industrial base environments: Access Control, Identification and Authentication, Audit and Accountability, System and Communications Protection, and Configuration Management. Within those, multi-factor authentication on privileged accounts and remote access (a 5-point weighted requirement under the DoD Assessment Methodology) is one of the most frequently cited failure points.

The 14 families and what tends to break in each

Access Control (AC) — Account provisioning gaps, missing separation of duties, weak privileged access management.
Awareness and Training (AT)— Generic training programs that don’t cover CUI handling specifics or insider threat indicators.
Audit and Accountability (AU) — Inadequate log retention, no central log aggregation, weak alert coverage.
Configuration Management (CM) — Undocumented baselines, no change control, missing inventory.
Identification and Authentication (IA) — Multi-factor authentication gaps on privileged accounts and remote access are the most commonly cited single failure point in industry commentary.
Incident Response (IR) — Untested IR plans, no reporting paths that meet DFARS 252.204-7012 timelines.
Maintenance (MA) — Remote maintenance authentication and oversight gaps.
Media Protection (MP) — Marking, transport, sanitization, and destruction gaps.
Personnel Security (PS) — Pre-employment screening and termination procedures.
Physical Protection (PE) — Visitor controls, access records, escort procedures for CUI areas.
Risk Assessment (RA) — Vulnerability scanning frequency and remediation tracking.
Security Assessment (CA) — Plan of action and milestones rigor, control assessment cadence.
System and Communications Protection (SC) — Boundary protection, encryption-in-transit, cryptographic key management, separation of CUI from non-CUI flows.
System and Information Integrity (SI) — Flaw remediation timelines, malicious-code protection coverage, system monitoring gaps.

A gap assessment that doesn’t walk all 14 families with NIST SP 800-171A objectives is not finding your real gaps. It’s finding the gaps the questionnaire was designed to find.

What Happens After the Gap Assessment

The report should lead to one of four decisions: self-assess and affirm, remediate before posting or updating score posture, prepare for a C3PAO assessment, or rescope the environment before spending more. A gap assessment that doesn’t tell you which of those four to do is incomplete.

Next steps by Level

If you’re Level 1.Complete the annual Level 1 self-assessment, post the required MET/NOT MET self-assessment result and CMMC Status in SPRS, and have your Affirming Official enter the annual affirmation. Keep evidence and re-run the review before next year’s affirmation. POA&Ms are not permitted at Level 1.

If you’re Level 2 (Self).Update your SSP. Remediate the gaps that block your score. Conduct the formal NIST SP 800-171 DoD Assessment per the methodology. Post the results — including overall score, POA&M status if applicable, and CMMC Status — to SPRS per DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) and DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements). File the annual affirmation. Repeat triennially.

If you’re Level 2 (C3PAO). Remediate first, then engage a C3PAO when scope, SSP, evidence, and control implementation are ready. C3PAO capacity is constrained relative to anticipated demand, and scheduling lead times at popular firms can be measured in months rather than weeks. Check current availability with named providers directly — your queue position is itself a deliverable.

If you may need Level 3. Achieve Final Level 2 (C3PAO) status first. Then engage DIBCAC for the Level 3 assessment, which adds the 24 selected NIST SP 800-172 enhanced requirements per the current CMMC FAQ.

If the scope is too large. Consider a CUI enclave or other scope-reduction approach. An enclave may reduce assessment and remediation scope when CUI workflows can be isolated cleanly, but the economics depend on user count, data flow, licensing, implementation work, and residual organizational controls. Model it before committing.

POA&M reality under the Final Rule

POA&Ms are tightly restricted. No POA&Ms are permitted at Level 1. At Level 2, Conditional status requires a minimum score equal to 80% of the maximum (88 out of 110 points)and the implementation of all “critical” (non-POA&M-eligible) requirements. The POA&M closeout window is 180 days from Conditional status — miss it and Conditional status expires. For Conditional Level 2 (C3PAO), a C3PAO performs the closeout assessment as a separate engagement; the OSC may use the same C3PAO or a different authorized/accredited C3PAO, and if a different C3PAO performs the closeout, that firm assumes responsibility for the Final status determination.

Not ready to talk to a provider yet?

Download our CMMC Readiness Checklist — a 32-point internal review mapped to the 14 NIST SP 800-171 Rev. 2 control families. Use it to scope your environment and pressure-test your readiness before you engage a gap assessment provider.

Download the CMMC Readiness Checklist

What We Actually Verified for This Page

This page is editorial research by The Defense Compliance Report Editorial Team. The verification log below shows what we checked, when, and against which source.

Verified by: The Defense Compliance Report Editorial Team · Last verified: May 26, 2026

Item verified	Source	Source type
CMMC Final Rule effective date (December 16, 2024)	89 FR 83092; Federal Register; eCFR Title 32 Part 170	Primary
DFARS implementation rule effective date (November 10, 2025)	DFARS Case 2019-D041 Final Rule, Federal Register, September 10, 2025	Primary
Phase 1 timing (November 10, 2025 – November 9, 2026)	32 CFR §170.3(e); DoD CIO CMMC page	Primary
CMMC Level 1, Level 2, Level 3 model and assessment paths	32 CFR Part 170	Primary
Level 1 self-assessment MET/NOT MET in its entirety; no POA&M permitted	32 CFR Part 170; DoW CIO CMMC FAQ Rev. 2.3	Primary + authoritative
Level 2 self-assessment path (overall score, POA&M status, CMMC Status in SPRS)	32 CFR Part 170	Primary
Level 2 (C3PAO) certification assessment path	32 CFR Part 170; Cyber AB CAP v2.0	Primary + authoritative
Level 3 DIBCAC assessment path; 24 selected NIST SP 800-172 requirements	32 CFR Part 170; DoW CIO CMMC FAQ Rev. 2.3	Primary + authoritative
POA&M conditions and 180-day closeout window; closeout C3PAO may be the same or different	32 CFR Part 170; Cyber AB CAP v2.0	Primary + authoritative
Annual affirmations	32 CFR Part 170	Primary
NIST SP 800-171 Revision 2 control set (110 requirements, 14 families)	NIST CSRC	Primary
NIST SP 800-171A assessment objectives (320 objectives, interview/examine/test methods)	NIST CSRC	Primary
NIST SP 800-172 enhanced requirements; current CMMC Level 3 uses DoD-selected subset	NIST CSRC; 32 CFR Part 170	Primary
DFARS 252.204-7012, -7019, -7020	Acquisition.gov	Primary
DFARS 252.204-7021 (contract clause; ongoing performance)	Acquisition.gov	Primary
DFARS 252.204-7025 (solicitation provision; award gate)	Acquisition.gov; eCFR Title 48 §252.204-7025	Primary
CMMC Assessment Process (CAP) v2.0	Cyber AB	Authoritative
C3PAO conflict-of-interest framework	Cyber AB CAP v2.0 and Code of Professional Conduct	Authoritative
Cyber AB Marketplace as authoritative directory	cyberab.org	Authoritative
Rev. 2 vs Rev. 3 status for CMMC assessments	NIST CSRC marks Rev. 2 as superseded; DoW CIO CMMC FAQ Rev. 2.3 (May 2026) confirms CMMC assessments continue against Rev. 2	NIST CSRC + authoritative DoW FAQ
SPRS as system of record	DoD SPRS at sprs.csd.disa.mil	Primary
DIB readiness statistics (1% fully prepared, 0% reporting perfect 110)	CyberSheath / Merrill Research State of the DIB 2025	Industry survey (named, attributable)
Aero-Glen JSVAP case study reference	Redspin / BusinessWire announcement, January 2023	Attributable industry press
Gap assessment market pricing	Cross-checked against PreVeil, Paramify, Secureframe, IBSSCORP, CISPOINT, CMMC.com Newsroom	Market data (cited sources)
Named provider rankings on this page	Not performed — this page does not rank or endorse named CMMC providers	Editorial policy

If you find an error on this page, please submit a correction. Confirmed errors are corrected and dated under our Corrections policy.

Frequently Asked Questions

Is a CMMC gap assessment the same as a CMMC assessment?: No. A gap assessment is a readiness diagnostic. A CMMC assessment is the applicable formal self-assessment, Level 2 (C3PAO) certification assessment, or Level 3 DIBCAC assessment required for your level and contract. Only the formal assessment produces a CMMC Status posted in SPRS.
Does a CMMC gap assessment produce CMMC certification?: No. A gap assessment may prepare you for certification, but it does not produce a Final Level 2 (C3PAO) status or a Final Level 3 (DIBCAC) status. Any provider that claims otherwise is misrepresenting the program.
Do I need a gap assessment before a C3PAO assessment?: Not legally. Practically, most contractors should complete readiness work before engaging a C3PAO. Hiring a C3PAO before your scope, SSP, evidence, and control implementation are ready wastes time and money and risks burning your queue position with an authorized assessor.
Can a C3PAO perform my CMMC gap assessment?: A C3PAO can perform formal pre-assessment activities under the CAP. However, if the work includes readiness consulting, SSP build-out, remediation advice, implementation assistance, templates or tools that guide remediation, or recommendations to improve preparedness for a rescheduled assessment, that work can create a conflict that prevents the C3PAO from later assessing the same client. Use separate readiness and assessment providers unless the C3PAO’s role is clearly limited to CAP pre-assessment activities and is documented as such.
What’s the difference between a CMMC gap assessment and a NIST 800-171 gap analysis?: For Level 2, the substantive control set is NIST SP 800-171 Revision 2 under 32 CFR Part 170 — the two terms describe the same underlying work. A stronger CMMC gap assessment goes further than a generic NIST 800-171 gap analysis by accounting for CMMC-specific scoping, SPRS posting requirements, POA&M restrictions, annual affirmation cadence, C3PAO-readiness implications, and provider independence considerations.
Can I do a CMMC gap assessment myself?: Yes, especially for early triage. The result is only as strong as your team’s understanding of NIST SP 800-171A’s interview, examine, and test methods, CUI scoping under 32 CFR Part 170, the DoD Assessment Methodology, and POA&M restrictions. Most small DIB companies benefit from an external second opinion before committing remediation spend.
How much does a CMMC gap assessment cost?: Most Level 2 gap assessments in 2026 range from $3,500 to $20,000, depending on starting maturity, environment complexity, employee count, and the number of sites in scope. Level 1 typically runs $1,500 to $4,000. Level 3 adds $5,000–$12,000+ on top of the Level 2 baseline.
How long does a CMMC gap assessment take?: For small DIB companies (1–100 employees) targeting Level 2, a CMMC gap assessment typically runs 2 to 6 weeks. Larger companies commonly run 6 to 20 weeks, driven by IT complexity, the number of physical sites, and the number of Active Directory domains in scope. Level 1 engagements are shorter — typically 1 to 2 weeks.
What documents should I have ready before a gap assessment?: Contract documents and any flow-down clauses, current CUI inventory (if known), system and network diagrams, asset list, current SSP, current POA&M, security policies, current SPRS score (if posted), MSP/MSSP contracts, cloud environment details, and incident-response procedures. Do not upload any of these documents through public web forms — share them only through secure channels after the provider’s identity is verified.
Should I upload CUI to a provider intake form?: No. Use intake forms only for routing and basic contact information. Share CUI or sensitive security details only through appropriate secure channels after independently verifying the provider’s identity and security posture.
Does a low SPRS score mean we can’t bid on DoD contracts?: It depends on the solicitation, the clause, and the contracting officer. DFARS 252.204-7025 establishes the solicitation-level award gate by requiring a current CMMC Status at the specified level. DFARS 252.204-7019 separately requires offerors to have current NIST SP 800-171 DoD Assessment summary scores posted in SPRS when the contract applies. Binding award eligibility is governed by the specific solicitation and contract terms — not by a gap assessment provider’s opinion. Consult federal-contracts counsel if your status is in dispute.
Can every CMMC gap go on a POA&M?: No. POA&Ms are not permitted at Level 1. At Level 2, POA&Ms are restricted — specific weighted requirements cannot be deferred to a POA&M, and Conditional Level 2 status requires both a minimum 80% score (88 out of 110) and full implementation of the non-POA&M-eligible requirements. All POA&M items must close within 180 days or Conditional status expires.
What if my prime contractor says we need CMMC compliance in 90 days?: Start with rapid scoping and readiness triage. The right next step may be a provider match, a contracts review, a scope-reduction plan, or a focused remediation sprint — but don’t buy a “guaranteed certification” promise. Most 90-day timelines require both an honest scope conversation with the prime and realistic expectation-setting with your own leadership.
Does GCC High or AWS GovCloud automatically make us CMMC compliant?: No. Microsoft 365 GCC High and AWS GovCloud can support compliant architectures. Neither environment, by itself, defines scope, implements every organizational control, builds your SSP, satisfies POA&M restrictions, or produces a CMMC Status. The platform is a piece — not the program.
How often should we repeat a gap assessment?: Repeat it when your scope changes materially, when a new contract or flow-down changes your assessment path, before a Level 2 (C3PAO) assessment, after significant remediation work, or during annual maintenance before your Affirming Official enters the SPRS affirmation.
What’s the first step if we don’t know whether we handle CUI?: Start with a contract and data triage. Map where data enters your environment, where it lives, who has access, and whether your contract clause designates any of it as CUI. Don’t buy a Level 2 implementation package before you know whether CUI is present in scope. If clause language is ambiguous, engage federal-contracts counsel — that is a legal determination, not a consulting opinion.
How recent is the information on this page?: This page was last verified on May 26, 2026. We track CMMC regulatory developments continuously and re-verify against the Federal Register, eCFR, NIST CSRC, Acquisition.gov, Cyber AB, and the Department of War CIO CMMC FAQ each quarter. Material changes trigger a re-review and a dated update. See our Methodology and Corrections policies for details.

The Bottom Line, Again

A CMMC gap assessment service is a diagnostic engagement — not a certification, not a self-assessment, not a substitute for the formal assessment your contract requires. The defensible version walks each of the 320 NIST SP 800-171A objectives with interview, examine, and test methods, produces all twelve items on the deliverable scorecard, and tells your senior leadership exactly what to do next. The right provider is almost always a Registered Provider Organization with credentialed practitioners on staff. The wrong provider is the one that promises certification, the one that bundles readiness with the formal assessment, and the one that ignores your contract clause.

The market is set up to make this confusing because confusion is expensive — for you. We built this page to make it less so.

Need help deciding what type of CMMC provider you need?

Get matched with verified providers in 60 seconds. No CUI, contracts, system diagrams, vulnerability details, or sensitive files. We only use the form to route you by level, scope, timeline, and provider category.

Get matched with verified providers

Sources and Primary References

32 CFR Part 170 — CMMC Program Rule. Published 89 FR 83092, October 15, 2024. Effective December 16, 2024. Federal Register · eCFR Title 32 Part 170
DFARS Final Rule (DFARS Case 2019-D041). Published September 10, 2025. Effective November 10, 2025.
DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. Acquisition.gov
DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. Acquisition.gov
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements. Acquisition.gov
DFARS 252.204-7021 — Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements. Acquisition.gov
DFARS 252.204-7025 — Notice of Cybersecurity Maturity Model Certification Level Requirements (solicitation provision; award gate). Acquisition.gov · eCFR Title 48 §252.204-7025
NIST SP 800-171 Revision 2 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST CSRC
NIST SP 800-171A — Assessing Security Requirements for Controlled Unclassified Information. NIST CSRC
NIST SP 800-172 — Enhanced Security Requirements, as incorporated through the DoD-selected Level 3 requirements in 32 CFR Part 170. NIST CSRC
CMMC Assessment Process (CAP) v2.0 — Cyber AB. Cyber AB Catalog
CMMC Code of Professional Conduct — Cyber AB. Cyber AB
Cyber AB Marketplace — authoritative directory of C3PAOs, RPOs, RPs, CCPs, CCAs. cyberab.org
Department of War CIO CMMC FAQ, Revision 2.3 (May 2026) — DoD CIO CMMC page
DoD Supplier Performance Risk System (SPRS) — SPRS
CyberSheath / Merrill Research State of the DIB 2025 — survey of 300 defense contractors. CyberSheath

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, the Department of War, or any U.S. government agency. Our Editorial Standards, Methodology, and Editorial & Advertising Policy are published in full. Provider-matching forms on this site may generate referral or lead-routing compensation; we disclose these relationships at the page level. This page is educational and is not legal, contractual, or compliance advice.

Corrections policy · Editorial & Advertising policy · Privacy policy · Last verified: May 26, 2026