
NIST 800-171 Gap Analysis: What It Includes, What It Costs, and What to Do Next (2026)

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

Last verified: June 11, 2026. Built on NIST SP 800-171 Revision 2. Primary sources checked: NIST CSRC, 32 CFR Part 170 (eCFR), the Federal Register, Acquisition.gov, the DoD CIO, SPRS, and the Cyber AB. This article is informational and is not legal, contractual, or compliance advice — your contract terms and contracting officer control your obligations. The Defense Compliance Report is not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, NIST, SPRS, or any U.S. government agency.

A NIST 800-171 gap analysis is a scoped, evidence-based comparison between your current environment and the security requirements in NIST Special Publication 800-171 that apply to the Controlled Unclassified Information (CUI) you handle. Done properly, it produces five things you can act on: a defined scope, a preliminary implementation score on the DoD scale of 110 down to −203, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a target completion date.

Here is the part most firms selling one won’t put up front: a gap analysis does not make you compliant, and it does not certify you. It tells you exactly where you stand — before an assessor, a prime, or the government does it for you. For most defense contractors preparing for Cybersecurity Maturity Model Certification (CMMC) Level 2, the working baseline is still NIST SP 800-171 Revision 2 — not Revision 3 — and getting that one detail wrong can quietly invalidate your entire readiness effort.

Do you actually need a NIST 800-171 gap analysis right now?

A gap analysis is the right next step if you handle CUI, lack a current SSP and POA&M, or a prime has asked about your CMMC or SPRS status. It is the wrong next step if you handle only Federal Contract Information (FCI), if you don’t yet know whether your data is CUI, or if your evidence is already mature and you’re ready for a formal assessment. Start with the table, then read the sections that match your situation.

| Your situation | Best next step | Why |
| --- | --- | --- |
| You handle CUI and have no current SSP or POA&M | Evidence-based gap analysis | You need scope, evidence status, score impact, and a remediation order before claiming any readiness |
| A prime or contracting officer asked about your CMMC or SPRS progress | Scope + readiness gap analysis | You need a truthful status before you communicate anything in writing |
| You handle FCI only and never touch CUI | Don’t buy a Level 2 gap analysis yet | Confirm whether the 15 FCI safeguards (Level 1) are your actual lane — see our CMMC Level 1 guide |
| You don’t know whether your data is even CUI | CUI discovery / scoping review first | A gap analysis without correct scope can be polished, expensive, and still wrong |
| Your evidence is mature and a contract requires certification | C3PAO readiness, then a formal C3PAO assessment | Certification is a separate process — see our CMMC certification guide |
| You’re stuck on Rev. 2 vs. Rev. 3 | Rev. 2 baseline with a Rev. 3 watchlist | CMMC Level 2 currently maps to Rev. 2; Rev. 3 is a planning overlay, not the assessment standard |

If you’re FCI-only, do yourself a favor and stop here — you likely need a Level 1 self-assessment, not a 110-requirement gap analysis, and we’d rather tell you that than sell you something you don’t need.

What is a NIST 800-171 gap analysis?

A NIST 800-171 gap analysis compares what your organization has actually implemented against the NIST SP 800-171 security requirements and assessment objectives that apply to your CUI environment. A credible one reviews scope, policies, technical controls, and process evidence, then converts the findings into a score, an SSP, a POA&M, and a prioritized remediation plan. It is a readiness diagnostic — not a certification, a legal opinion, or a guarantee that you will pass a CMMC assessment.

In plain terms, it’s the “where are we versus where we need to be” step. NIST SP 800-171 (the National Institute of Standards and Technology publication that defines how to protect CUI in non-federal systems) contains 110 security requirements organized into 14 control families under Revision 2, and those requirements break down into 320 assessment objectives in its companion, NIST SP 800-171A. A real gap analysis tests against those objectives. A weak one runs down a yes/no checklist.

The word “gap” covers more ground than people expect. A gap can be any of these:

  • A requirement that simply isn’t implemented.
  • A requirement that’s implemented but undocumented.
  • A requirement that’s documented but can’t be evidenced.
  • A requirement that’s met in one system while CUI quietly lives somewhere else.
  • A requirement that depends on a cloud provider or managed service partner whose responsibilities were never written down.
  • A requirement that’s technically satisfied, but no one on staff can explain how it works when an assessor asks.

That last one matters more than it sounds. Assessments are about demonstrable evidence, not good intentions.

What a gap analysis produces — and what each output controls

This is the part competitors gloss over. Each deliverable maps to a specific regulatory authority and carries a specific consequence. We read the rules so you can see the chain clearly.

| Output | What it is | Governing authority | What it determines for you | Common mistake |
| --- | --- | --- | --- | --- |
| CUI scope & boundary (comes first) | Where CUI is stored, processed, or transmitted; the assessment boundary; the asset inventory | 32 CFR Part 170; NIST 800-171 scoping guidance | The size, cost, and difficulty of everything below it | Over-scoping the whole company, or missing one CUI flow and under-protecting |
| NIST 800-171 score (preliminary) | An estimate from 110 to −203 of implemented requirements, using the DoD/CMMC scoring method | 32 CFR 170.24 (scoring methodology) | Whether a later self-assessment or CMMC status can support award eligibility when your contract requires it | Reporting a number with no SSP or evidence behind it |
| System Security Plan (SSP) | The document describing how each requirement is implemented across your environment | NIST SP 800-171 Rev. 2; 32 CFR 170.24 (SSP requirement CA.L2-3.12.4) | A required artifact an assessor reads first — and one that can never be deferred | Filling in a template instead of describing your real environment |
| POA&M | The remediation plan for requirements scored NOT MET | 32 CFR 170.21 | Whether you can earn Conditional status and how long your clock runs | Listing a higher-weight control on it, which disqualifies Conditional status |
| Target completion date | The date you expect to reach a full score / complete implementation | 32 CFR Part 170; DoD assessment guidance | Budgeting, and what your affirming official and prime are told | Setting a date you can’t actually defend |

A gap analysis should never claim you’re CMMC certified, that you’re guaranteed to pass, that your SPRS status is official, that Revision 3 replaces Revision 2 for CMMC Level 2, that a software dashboard equals compliance, or that an enclave erases your obligations. If a provider says any of those things, that’s your signal to keep looking.

Is a NIST 800-171 gap analysis required?

Usually, the gap analysis itself is not the named contractual requirement. It’s the practical readiness step contractors take before a self-assessment, an SPRS affirmation, remediation, or a C3PAO assessment. The actual obligations come from your contract — handling CUI under DFARS 252.204-7012, and meeting the CMMC level set in your solicitation under DFARS 252.204-7021.

The pressure to run one comes from a predictable set of triggers: CUI living in your environment; the safeguarding and 72-hour incident-reporting duties under DFARS 252.204-7012 (the clause that has required NIST 800-171 implementation since 2017); a CMMC clause appearing in a new solicitation; a prime flowing requirements down to you; the need to post a CMMC status and affirmation in SPRS (the Supplier Performance Risk System), the DoD database contracting officers check before award; and CMMC phasing — with Phase 1 running through November 9, 2026 and Phase 2 beginning November 10, 2026.

Two notes that save money. First, don’t buy a full Level 2 gap analysis until you know whether you handle CUI or only FCI, which systems touch CUI, and whether your contract calls for a Level 2 self-assessment or a Level 2 C3PAO certification. If you don’t know yet, a CUI scoping review comes first. Second, check the exact clauses in your own solicitation. Clause numbers are mid-transition right now (more on that below), so confirm the requirement with your contracting officer rather than assuming.

Is a gap analysis the same as a self-assessment, an SPRS score, or a CMMC assessment?

No. A gap analysis is preparatory work. A self-assessment, an SPRS score, and a C3PAO assessment are formal or contract-linked actions with different outputs and consequences. A gap analysis can inform every one of them, but it replaces none of them — and only an authorized C3PAO (CMMC Third-Party Assessment Organization) can perform a CMMC Level 2 certification assessment.

Here’s the honest admission we promised: you can run a preliminary gap analysis yourself, for free. The DoD’s scoring methodology is public (32 CFR 170.24), NIST SP 800-171A lays out the assessment objectives, and a capable internal IT or security lead can produce a first-pass score and a rough gap list without paying anyone a dollar. We’d rather you know that than feel cornered into a five-figure engagement on day one.

So why does anyone pay for one? Because a self-scored result tells you what you think your gaps are — not what a trained assessor will find. That gap between self-perception and assessment reality is exactly where failed assessments, blown timelines, and re-billed engagements come from. The free version is a great way to orient yourself and decide how much help you actually need. It is not the version you want standing between you and a contract.

| Activity | Who performs it | Output | Recorded in SPRS? | Can it certify you? | Use it when |
| --- | --- | --- | --- | --- | --- |
| Gap analysis | Internal team, consultant, RPO, MSP/MSSP, or GRC tool | Findings, evidence gaps, SSP/POA&M inputs, remediation roadmap | No, not by itself | No | You need to know where you stand |
| CMMC Level 2 self-assessment | The contractor | A self-assessed CMMC status plus a signed affirmation | Yes — status and affirmation, posted by your organization | No third-party certification | Your contract allows Level 2 self-assessment |
| CMMC Level 2 C3PAO assessment | An authorized C3PAO | Assessment findings, eMASS submission, CMMC status | Yes — via eMASS to SPRS | Yes, if passed | Your contract requires Level 2 certification |
| Level 3 / DIBCAC assessment | DCMA DIBCAC (a government body) | A government-led assessment | Government systems | Level 3 path | Your contract requires the most sensitive CUI protections |

DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center, the DoD organization that conducts government-led assessments. eMASS is the government system C3PAOs use to submit Level 2 assessment results, which then flow into SPRS. Your gap analysis feeds that process; it doesn’t replace it.

A 2026 clause change most pages still get wrong

If you’ve read other gap-analysis pages, you’ve seen them cite DFARS 252.204-7019 and 252.204-7020 as the clauses that require posting a NIST 800-171 score to SPRS. That picture changed on February 1, 2026. Under a set of DoD class deviations tied to the Revolutionary FAR Overhaul — a government-wide effort to streamline acquisition rules — solicitations issued under the deviation now use a new DFARS Part 240 structure, including 252.240-7997 (NIST SP 800-171 DoD Assessment Requirements), in place of the legacy 7019/7020 pairing, with assessment obligations met through CMMC under DFARS 252.204-7021.

| Clause | Under the 2026 RFO deviation | What it covers | Practical status |
| --- | --- | --- | --- |
| DFARS 252.204-7012 | Unchanged | Safeguard covered defense information; FedRAMP Moderate-equivalent cloud; 72-hour incident reporting | In effect |
| DFARS 252.204-7019 | Being retired under the deviation | The old “basic” self-assessment + SPRS posting | Still in the codified DFARS; may appear in legacy contracts |
| DFARS 252.204-7020 | Renumbered to 252.240-7997 | DoD (DIBCAC) assessment requirements | Deviation structure, where incorporated |
| DFARS 252.204-7021 | Unchanged | The CMMC requirement (sets your level and assessment type) | In effect |

First, a class deviation is not a repeal: the codified DFARS still contains 252.204-7019 and 252.204-7020, and existing contracts may still reference them until they’re updated at the next modification or option exercise. Second, what hasn’t changed at all is the foundation — 7012 (safeguarding) and 7021 (the CMMC requirement). The operational rule: follow the exact clause set in your solicitation or contract, and confirm with your contracting officer whether the deviation language applies. (Verified June 11, 2026 against the DoD class-deviation materials and Acquisition.gov.)

How much should a NIST 800-171 gap analysis cost in 2026?

Published provider pricing for a NIST 800-171 gap analysis ranges from under $1,000 for a fixed-scope snapshot to a common $3,500–$20,000+ for a full evidence-based engagement, depending on scope, environment complexity, and whether SSP and POA&M authoring are included. That’s a small fraction of what the full compliance journey costs — and that gap is the whole reason a gap analysis is worth doing first.

Two numbers get blurred constantly: the price of the gap analysis and the cost of the whole CMMC effort. They are not the same, and confusing them leads people to either overpay for a diagnostic or panic at the wrong figure.

Gap-analysis price signals (publicly published prices cited as market reference points — not quotes, recommendations, or endorsements; observed June 2026):

| Source | Package | Published price | Scope type |
| --- | --- | --- | --- |
| Right Hand Technology Group | “RightSentry Snapshot” | $975 (often credited toward later services) | Fixed-scope readiness snapshot |
| Multiple consultancies (e.g., Encompass Consultants) | NIST 800-171 / CMMC gap assessment | Commonly ~$3,500 starting, ranging to $20,000+ | Full evidence-based consulting engagement |

Full-journey cost, in the DoD’s own numbers (from the DoD’s published CMMC cost estimates in the Federal Register; these cover assessment and affirmation — and, for the C3PAO path, technology and documentation — not gap-analysis fees):

| Milestone | DoD estimate | Note |
| --- | --- | --- |
| Level 1 self-assessment & affirmation | ~$6,000 (small entity) / ~$4,000 (larger) | Annual |
| Level 2 self-assessment & affirmations | over $37,000 (small entity) / nearly $49,000 (larger) | Over a 3-year cycle |
| Level 2 C3PAO certification | DoD estimates over $100,000 (small entity) | Over a 3-year cycle; includes technology and documentation |
| Remediation / implementation | ~$10,000–$250,000+ (provider-observed) | The real swing factor — depends on your starting maturity |

Read those two tables together and the logic clicks: you spend roughly $1,000–$20,000 to learn precisely where you stand, before committing to a journey the DoD itself pegs at over $37,000 to well over $100,000 — plus remediation. A good gap analysis doesn’t just find problems. It tells you which problems to spend on first, so you don’t burn your budget remediating things an assessor was never going to flag.

Why quotes vary so wildly

The same search term produces a $975 quote for one company and a $25,000 quote for another, and both can be legitimate. The drivers are scope and depth, not vendor greed: number of employees and systems, the complexity of how CUI flows, cloud versus on-premises versus hybrid, how mature your documentation already is, whether evidence is ready to review or scattered across ten tools, whether the engagement only interviews you or actually examines artifacts, and whether SSP authoring, POA&M development, and remediation planning are bundled in or sold separately.

Cheap gap-analysis red flags

A low price isn’t the problem. A low price hiding a hollow deliverable is. Walk away if a provider:

  • Skips the CUI scoping step entirely.
  • Reviews no evidence — only interview answers.
  • Produces no SSP and no POA&M.
  • Can’t explain Rev. 2 versus Rev. 3.
  • Blurs gap analysis with self-assessment or certification.
  • Quotes a fixed fee without first defining your systems, sites, users, and CUI flows.
  • Claims you’ll be “certification ready” sight unseen, or — the biggest tell — guarantees you’ll pass.

How long does a NIST 800-171 gap analysis take?

A lightweight questionnaire or fixed-scope snapshot can take days to one or two weeks. An evidence-based gap analysis with CUI scoping, evidence review, SSP and POA&M inputs, and a remediation sequence usually takes several weeks, depending on scope. The gap analysis is only the diagnostic — remediation is measured in months, not weeks.

| Engagement depth | Typical timeline | What’s happening |
| --- | --- | --- |
| Questionnaire / fixed-scope snapshot | Days to ~2 weeks | Control review, rough score, leadership debrief |
| Evidence-based gap analysis | ~2–6 weeks | Scope validation, evidence review, SSP/POA&M inputs, remediation sequencing |
| Multi-site or hybrid (cloud + on-prem) environment | ~4–10+ weeks | More systems, users, vendors, and dependencies to verify |
| Mock / C3PAO-readiness review | Depends on evidence maturity | Closer to assessment preparation than a basic gap analysis |

(Observed engagement ranges; your timeline depends on scope and documentation maturity.)

What slows it down is rarely the controls themselves. It’s that nobody owns CUI scope, the current managed-services provider doesn’t know the environment, the policies on file don’t match what actually happens, evidence is scattered across tools, cloud and shared-responsibility duties were never documented, or staff can’t explain how a control operates when asked. A fast gap analysis can tell you where the holes are. It can’t make them disappear. The single best way to shorten the engagement — and the bill — is to gather your evidence before the first call, using the 14-family checklist further down this page.

How your gap analysis estimates the score behind your CMMC status (and the 88-point threshold)

Your gap-analysis findings can be converted into a preliminary score estimate using the DoD/CMMC Level 2 scoring method: start at 110 and subtract a weighted value — 1, 3, or 5 points — for each requirement that isn’t fully met, with limited partial-credit exceptions and a floor of −203. That estimate supports a later self-assessment or a C3PAO readiness decision, but it is not itself an official SPRS or CMMC status action. For Conditional Level 2, you need at least 88 (80%), and only the lowest-weight gaps can be deferred.

This is where a lot of gap-analysis content goes quiet, and it shouldn’t, because the scoring math is the most decision-relevant thing on this page. We pulled it straight from the CMMC Scoring Methodology at 32 CFR 170.24.

You begin with a perfect 110 and subtract for each requirement scored NOT MET. There’s no partial credit for most requirements — you either fully meet one or you lose its full value — with two narrow, rule-defined exceptions. The weighting matters, because not every requirement costs the same (32 CFR 170.24):

| Requirement weight | Count | Representative examples | Cost if NOT MET |
| --- | --- | --- | --- |
| 5 points | 42 requirements | Account management (AC.L2-3.1.1/3.1.2), boundary protection (SC.L2-3.13.1), flaw remediation (SI.L2-3.14.1) | −5 each |
| 3 points | 14 requirements | Audit review (AU.L2-3.3.2), media protection (MP.L2-3.8.1/3.8.2), risk assessment (RA.L2-3.11.1) | −3 each |
| 3 or 5 points (adjustable) | 2 requirements | Multifactor authentication (IA.L2-3.5.3) and FIPS-validated encryption (SC.L2-3.13.11) | See below |
| 1 point | 52 requirements | Lower-impact derived requirements — including the SSP (CA.L2-3.12.4), which is a non-deferrable prerequisite | −1 each |

The two adjustable requirements are the rule’s only real partial-credit allowance (32 CFR 170.24). For multifactor authentication, you lose 3 points if MFA is implemented only for remote and privileged users, but 5 points if it isn’t implemented for anyone. For FIPS-validated encryption, you lose 3 points if encryption is in use but not FIPS-validated, and 5 points if no encryption is employed.

First, a single high-weight miss can sink you faster than a dozen small ones. Skip MFA entirely and you don’t lose one point — you lose five. Miss FIPS-validated encryption and that’s potentially another five. A handful of 5-point gaps can drag a score below the threshold while the company assumes it’s “mostly there.”

Second, you can’t defer the gaps that matter most. Under 32 CFR 170.21, Conditional Level 2 status requires a score that is at least 80% of the maximum — 88 out of 110. Below 88, you don’t get Conditional status; you get no status, full stop. And of the gaps that remain, only 1-point requirements may go on a POA&M. Anything weighted 3 or 5 must be fully implemented at assessment time, with one narrow exception: CUI encryption (SC.L2-3.13.11) may be deferred at 3 points if encryption is in use but not yet FIPS-validated. On top of that, six specific requirements can never be deferred, regardless of point value (32 CFR 170.21):

  • AC.L2-3.1.20: External connections
  • AC.L2-3.1.22: Control of public information
  • CA.L2-3.12.4: System Security Plan
  • PE.L2-3.10.3: Escort visitors
  • PE.L2-3.10.4: Physical access logs
  • PE.L2-3.10.5: Manage physical access

Put those together, and here’s how your estimated score maps to your real options:

| Estimated score band | Conditional Level 2 possible? | If 3- or 5-point gaps remain | Likely next action |
| --- | --- | --- | --- |
| 110 | Final eligible | None left | Proceed to self-assessment/affirmation or C3PAO |
| 88–109 | Yes — Conditional, if every remaining gap is POA&M-eligible | You must close them first; they can’t be deferred | Close high-weight gaps, POA&M the eligible 1-pointers, start the 180-day clock |
| Below 88 | No — “No CMMC Status” | Score is too low regardless | Remediate to at least 88 before any assessment |
| Any band, but a barred control is NOT MET | No | Not applicable | Fix the barred control first — it can’t be deferred |

If you earn Conditional Level 2, a 180-day clock starts from your Conditional status date (32 CFR 170.21). Close every POA&M item and pass a closeout assessment inside that window, or your Conditional status expires.
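The scoring and Conditional-status rules above are mechanical enough to put in code, so here is a small Python estimator added for this article. It is not The Defense Compliance Report’s own tool and not DoD software; it just implements the arithmetic the text describes from 32 CFR 170.24 (start at 110, subtract each NOT MET requirement’s weight, floor at −203) and the 32 CFR 170.21 rules (the 88-point floor, 1-point-only POA&M items, the non-FIPS encryption exception, and the six never-deferrable requirements). Assumptions to note: requirement IDs not named on this page are placeholders, the six never-deferrable requirements are treated as 1-point items here because the page does not state their weights, and the sample findings are constructed, not taken from any real assessment.

```python
"""Preliminary CMMC Level 2 score and Conditional-status estimator.

Added example, not the publication's estimator or any DoD tool. Implements
the 32 CFR 170.24 scoring arithmetic and the 32 CFR 170.21 Conditional rules
as described in the article. IDs not named on the page are placeholders.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203
CONDITIONAL_THRESHOLD = 88  # 80% of 110 (32 CFR 170.21)

# Six requirements that may never sit on a POA&M, whatever their weight (32 CFR 170.21).
NEVER_DEFERRABLE = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}

# The only partial-credit allowances: (points lost if PARTIAL, points lost if NOT_MET).
ADJUSTABLE = {
    "IA.L2-3.5.3": (3, 5),    # MFA only for remote/privileged users -> 3; no MFA at all -> 5
    "SC.L2-3.13.11": (3, 5),  # encryption in use but not FIPS-validated -> 3; none -> 5
}


def build_weights() -> dict:
    """Constructed weight table: page-named requirements at their stated weights,
    placeholder IDs filling the rest (42 x 5, 14 x 3, 2 adjustable, 52 x 1 = 110)."""
    five = ["AC.L2-3.1.1", "AC.L2-3.1.2", "SC.L2-3.13.1", "SI.L2-3.14.1"]
    three = ["AU.L2-3.3.2", "MP.L2-3.8.1", "MP.L2-3.8.2", "RA.L2-3.11.1"]
    one = sorted(NEVER_DEFERRABLE)  # assumption: the six barred items carry 1 point each
    five += [f"PLACEHOLDER-5PT-{i:02d}" for i in range(42 - len(five))]
    three += [f"PLACEHOLDER-3PT-{i:02d}" for i in range(14 - len(three))]
    one += [f"PLACEHOLDER-1PT-{i:02d}" for i in range(52 - len(one))]
    weights = {r: 5 for r in five}
    weights.update({r: 3 for r in three})
    weights.update({r: 5 for r in ADJUSTABLE})
    weights.update({r: 1 for r in one})
    return weights


def deduction(req_id: str, weight: int, status: str) -> int:
    """Points lost for one requirement. Status is MET, PARTIAL or NOT_MET."""
    if status == "MET":
        return 0
    if req_id in ADJUSTABLE:
        partial, full = ADJUSTABLE[req_id]
        return partial if status == "PARTIAL" else full
    return weight  # no partial credit elsewhere: PARTIAL costs the full weight


def poam_eligible(req_id: str, weight: int, status: str) -> bool:
    """Can this open gap be deferred to a POA&M under Conditional Level 2?"""
    if req_id in NEVER_DEFERRABLE:
        return False
    if req_id == "SC.L2-3.13.11" and status == "PARTIAL":
        return True  # the one higher-weight exception: non-FIPS encryption at 3 points
    return weight == 1


@dataclass
class Estimate:
    score: int
    status: str        # "Final", "Conditional" or "No CMMC Status"
    blockers: list     # open gaps that must be closed before any assessment
    poam_items: list   # open gaps that may be deferred inside the 180-day window
    next_action: str


def estimate(weights: dict, findings: dict) -> Estimate:
    """Score the findings; a requirement missing from findings counts as NOT_MET."""
    gaps = [(r, w, findings.get(r, "NOT_MET")) for r, w in weights.items()
            if findings.get(r, "NOT_MET") != "MET"]
    score = max(MIN_SCORE, MAX_SCORE - sum(deduction(r, w, s) for r, w, s in gaps))
    blockers = [r for r, w, s in gaps if not poam_eligible(r, w, s)]
    poam = [r for r, w, s in gaps if poam_eligible(r, w, s)]
    if not gaps:
        return Estimate(score, "Final", [], [], "Proceed to self-assessment/affirmation or C3PAO")
    if score < CONDITIONAL_THRESHOLD:
        return Estimate(score, "No CMMC Status", blockers, poam,
                        f"Remediate to at least {CONDITIONAL_THRESHOLD} before any assessment")
    if blockers:
        return Estimate(score, "No CMMC Status", blockers, poam,
                        "Close the higher-weight and barred gaps first; they cannot be deferred")
    return Estimate(score, "Conditional", [], poam,
                    "POA&M the eligible 1-point gaps; close them within 180 days of the Conditional date")


def constructed_findings() -> dict:
    """Constructed sample findings (not a real assessment): everything MET except these."""
    findings = {r: "MET" for r in build_weights()}
    findings["IA.L2-3.5.3"] = "PARTIAL"    # MFA for remote/privileged users only
    findings["SC.L2-3.13.11"] = "PARTIAL"  # encryption in use, not FIPS-validated
    findings["AU.L2-3.3.2"] = "NOT_MET"    # audit review, 3 points
    findings["AC.L2-3.1.20"] = "NOT_MET"   # external connections, never deferrable
    for i in range(10):                    # ten ordinary 1-point gaps
        findings[f"PLACEHOLDER-1PT-{i:02d}"] = "NOT_MET"
    return findings


def close_gaps(findings: dict, req_ids) -> dict:
    """Return a copy of the findings with the given requirements marked MET."""
    return {**findings, **{r: "MET" for r in req_ids}}


if __name__ == "__main__":
    weights = build_weights()
    before = estimate(weights, constructed_findings())
    print(f"Before: {before.score}, {before.status}; blockers {before.blockers}; "
          f"{len(before.poam_items)} POA&M-eligible. Next: {before.next_action}")
    after = estimate(weights, close_gaps(constructed_findings(), before.blockers))
    print(f"After closing blockers: {after.score}, {after.status}; "
          f"{len(after.poam_items)} POA&M items. Next: {after.next_action}")
```

Run as written, the constructed findings score 90, which is above 88, yet the result is still “No CMMC Status” because three of the open gaps (partial MFA, unmet audit review, and the barred external-connections requirement) cannot go on a POA&M; only after those are closed does the same environment, now at 97 with eleven deferrable items, qualify for Conditional status. That is the point the table above makes: the threshold is necessary, not sufficient.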


Should your gap analysis use NIST SP 800-171 Rev. 2 or Rev. 3?

For CMMC, your gap analysis should use NIST SP 800-171 Revision 2 as the controlling baseline — 110 requirements in 14 control families — unless the rule or your contract changes. Revision 3 is real and was published by NIST in May 2024, but for CMMC Level 2 it functions as a future-readiness overlay, not a replacement. Build to Rev. 2; track Rev. 3.

This is the trust opening we mentioned at the top, because a meaningful number of pages ranking today still describe Revision 3 as “the backbone of CMMC.” It isn’t, and acting on that error can send you implementing the wrong control set.

Here’s the source of the confusion, cleared up. The CMMC program rule at 32 CFR Part 170 ties CMMC Level 2 to NIST SP 800-171 Revision 2, which it incorporates by reference (32 CFR 170.24). NIST then published Revision 3 in May 2024, which — in NIST’s own publication catalog — supersedes Revision 2. But a NIST publication update doesn’t automatically rewrite a DoD contracting rule. As of our June 11, 2026 check, the current CMMC Level 2 rule and scoring methodology are based on Revision 2, so do not draw CMMC Level 2 status conclusions from a Revision 3-only gap analysis. Treat any move to Revision 3 as non-controlling until the DoD updates the applicable CMMC rule, its incorporated-by-reference material, the acquisition rule, or your contract language.

| Baseline | How to use it |
| --- | --- |
| Revision 2 | Your current CMMC Level 2 readiness and assessment baseline |
| Revision 3 | A clearly separated future-readiness watchlist — useful for planning, not for your assessment package |

For the record, Revision 3 consolidates the requirement set (to 97 requirements), introduces three new families — Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) — and adds Organization-Defined Parameters. Worth understanding. Not worth building your assessment around yet.

When you scope an engagement, put it in writing: “Provider will perform a NIST SP 800-171 Revision 2 gap analysis for CMMC Level 2 readiness, with an optional Revision 3 delta overlay clearly separated from any CMMC Level 2 status conclusions.” That one sentence prevents a surprising number of expensive misunderstandings.

What should a legitimate NIST 800-171 gap analysis include?

A legitimate gap analysis starts with CUI scope, then tests whether each applicable requirement is implemented and evidenced against the NIST SP 800-171A assessment objectives. The minimum useful output is not a pass/fail sheet — it’s a scope record, an evidence log, a requirement-by-requirement gap register, a score impact, SSP and POA&M inputs, a prioritized remediation roadmap, and a provider-category recommendation.

If you take one principle from this section, take this one: evidence, not vibes. A gap analysis that asks “do you have multifactor authentication?” and never reviews the configuration, the user scope, privileged access, exceptions, and the supporting policy is an orientation call, not an assessment-quality review. Both have their place. Just know which one you’re buying.

Complete deliverable set

| Deliverable | Why it matters | What to demand |
| --- | --- | --- |
| CUI scope summary | Bad scope makes every finding unreliable | Systems, assets, users, locations, CUI flows, external service providers |
| Asset inventory | CMMC scope depends on which assets are in scope | CUI assets, security protection assets, contractor risk-managed assets, specialized assets, and what’s excluded |
| Network / data-flow diagram | Shows where CUI actually moves | Email, file shares, cloud apps, endpoints, vendors, removable media |
| Requirement/objective mapping | Replaces vague “compliant/not” claims | Mapped to NIST 800-171 Rev. 2 and the 320 assessment objectives |
| Evidence review log | Separates implemented from merely claimed | Policies, screenshots, configs, tickets, logs, training records, test results |
| Preliminary score impact | Shows executive risk and bid readiness | Calculated on the 32 CFR 170.24 methodology |
| SSP input or update | The SSP is your system’s story | Boundary, implementation detail, inherited controls |
| POA&M / remediation plan | Turns findings into a project | Owner, priority, dependency, cost estimate, date, evidence needed |
| Provider-category recommendation | Prevents the wrong vendor sequence | DIY, RPO, MSP/MSSP, GRC, enclave, C3PAO readiness, or formal assessment |

Evidence quality has levels — know which one you’re getting

Not all “yes” answers are equal. This is the lens an assessor uses, and it’s the lens your gap analysis should use too:

| Evidence quality | What it means |
| --- | --- |
| Weak | “We do this,” asserted in an interview |
| Better | A policy says it should happen |
| Strong | A screenshot, config, ticket, or log proves it happened |
| Assessment-ready | The evidence is current, complete, tied to scope, and your staff can explain it |

The 14 control families — and the evidence most companies are missing

We mapped each NIST SP 800-171 Rev. 2 family to the evidence a gap analysis should collect and the item we most often see missing. Use this as a pre-engagement gut check — and as your pre-call checklist before you request quotes.

| Control family | Evidence examples | Commonly missing |
| --- | --- | --- |
| Access Control | MFA settings, access lists, privileged accounts, remote-access rules | Periodic user-access review records |
| Awareness and Training | Training records, role-based training, security materials | Proof that contractors/subs were trained |
| Audit and Accountability | Log sources, retention settings, SIEM reports, alert tickets | Evidence that logs are actually reviewed |
| Configuration Management | Baselines, change tickets, hardening standards | An approved secure baseline |
| Identification and Authentication | Account lifecycle, password/MFA configs, privileged identity controls | A service-account inventory |
| Incident Response | IR plan, tabletop records, tickets, reporting workflow | A tested IR process |
| Maintenance | Maintenance records, remote-maintenance controls | Vendor maintenance evidence |
| Media Protection | Removable-media rules, encryption, disposal records | CUI media-handling logs |
| Personnel Security | Screening and offboarding records, access termination | Timely access revocation |
| Physical Protection | Badge/access records, visitor logs, facility controls | Evidence for remote and hybrid sites |
| Risk Assessment | Risk register, vulnerability scans, remediation tickets | A current scan-to-remediation trail |
| Security Assessment | SSP, POA&M, control assessments, management reviews | An SSP that matches actual scope |
| System and Communications Protection | Boundary diagrams, encryption, segmentation, email/file controls | Documented data flows |
| System and Information Integrity | Patch reports, endpoint protection, vulnerability remediation, alerts | Patch-exception tracking |

When you’re ready to put a provider under contract, this is the kind of scope of work that protects you: “Provider will perform a scoped NIST SP 800-171 Revision 2 gap analysis for CMMC Level 2 readiness, including CUI scope validation, evidence review, requirement-by-requirement findings, preliminary scoring impact, SSP/POA&M inputs, a prioritized remediation roadmap, and provider-category recommendations. Provider will not represent the engagement as CMMC certification or guarantee assessment outcomes.”

Who should perform your NIST 800-171 gap analysis?

The right performer depends on what you need the gap analysis to accomplish: orientation, evidence-quality readiness, hands-on implementation, managed security operations, scope reduction, or a formal assessment dry run. Most contractors who are not yet assessment-ready should start with a readiness, RPO, MSP/MSSP, GRC, or enclave path — not a formal C3PAO assessment.

A quick vocabulary check, because the ecosystem is alphabet soup. An RPO (Registered Provider Organization) is a firm authorized by the Cyber AB — the CMMC accreditation body — to provide CMMC consulting; its individual consultants are RPs (Registered Practitioners). A C3PAO is the only kind of organization authorized to conduct a CMMC Level 2 certification assessment. The two roles are deliberately kept apart, which we’ll get to.

| Path | Best fit | What the gap analysis should include | What it cannot claim | What to verify before you buy |
| --- | --- | --- | --- | --- |
| DIY / internal | You have internal security staff, no urgent deadline, and need orientation before spending | Scope worksheet, control-by-control evidence map, draft score, draft SSP/POA&M | Independent validation, any CMMC status | That you’re using the NIST 800-171A objectives, not a yes/no list |
| GRC / compliance platform | You need workflow, owners, an evidence repository, and SSP/POA&M generation | Mapped controls, evidence tasks, owner assignments, SSP/POA&M exports, a dashboard | Buying a tool doesn’t implement controls or certify you | That it maps to Rev. 2 and exports real evidence, not just status |
| RPO / readiness consultant / vCISO | You need interpretation, scoping, documentation, and a remediation roadmap | CUI scope, 110-requirement review, evidence review, SSP/POA&M pack, remediation sequence | Cannot issue CMMC certification | Whether they review evidence or only interview, and that they separate readiness from assessment |
| CMMC-focused MSP / MSSP | Your IT stack itself needs implementation, monitoring, identity, logging, and ongoing support | Gap analysis plus architecture, remediation, security operations, evidence upkeep | A managed provider can’t guarantee certification | Real CMMC/NIST 800-171 experience — not a generic MSP learning on your dime |
| CUI enclave / secure collaboration | CUI is spread too widely and scope reduction may be cheaper than enterprise-wide remediation | CUI flow map, enclave fit, inheritance limits, non-enclave process review, SSP updates | An enclave doesn’t remove obligations from users, endpoints, or non-enclave CUI flows | Cloud/FedRAMP status, the customer responsibility matrix, and where evidence lives |
| C3PAO readiness / mock assessment | You’re close to ready and want an assessor-style dry run | Evidence-sufficiency review, readiness determination, gaps by objective | Shouldn’t provide implementation help that creates a conflict for a later assessment | That conflicts of interest are identified up front |
| Formal C3PAO assessment | A contract requires Level 2 certification and your evidence is complete | The official assessment, eMASS submission, CMMC status | Not a readiness or remediation engagement | Current Cyber AB Marketplace status before you engage |

The independence trap most contractors miss

This is the detail that protects you, and almost no vendor sales page mentions it: the firm that does your gap analysis and remediation generally should not be the firm that performs your formal C3PAO assessment. Under the Cyber AB Code of Professional Conduct, a consulting or advisory relationship triggers a three-year prohibition — a firm or individual that provided CMMC consulting or implementation help to an organization is barred from serving on the C3PAO assessment team for that organization until three years have passed (Cyber AB Code of Professional Conduct v2.0). More broadly, conflicts of interest must be identified, disclosed, and mitigated, and if a conflict can’t be sufficiently mitigated, the C3PAO must not proceed. A firm can hold both RPO and C3PAO roles — but not for the same client. So if your MSP or readiness consultant is tied to a particular C3PAO, that C3PAO may be unable to assess you. Plan the separation from the start, or you’ll be scrambling to find a clean assessor right when you’re ready to book one.

Our editorial bottom line: for the typical reader of this page, the right first move is not “go hire a C3PAO.” It’s: define scope, run the gap analysis, then choose an RPO, MSP/MSSP, GRC tool, or enclave path based on what the findings demand — and keep your eventual assessment cleanly separate.

How does CUI scope change the gap-analysis result?

Scope is the single biggest cost and risk lever in a NIST 800-171 gap analysis. If CUI touches every inbox, laptop, server, file share, and vendor workflow, the analysis gets broader and more expensive. If CUI is isolated in a controlled enclave or a narrow workflow, the assessment boundary can shrink — but it still has to be documented and evidenced. Get scope wrong and a polished, expensive report can still be flatly misleading.

Most of the cost overruns and false starts we see trace back to scope, not to controls. So before you let anyone test a single requirement, nail down what’s actually in bounds.

That starts with knowing what CUI even is. CUI is information the government created or possesses — or that’s created or possessed for the government — that law, regulation, or government-wide policy requires be protected. It is not “any sensitive business information,” and a vendor shouldn’t define it for you from a sales call. Use your contract markings, your prime’s flow-down, the National Archives (NARA) CUI Registry, and the DoD CUI Registry to determine your categories.

Where CUI lives drives everything downstream:

| Environment | The scope question your gap analysis must answer |
|---|---|
| Microsoft 365 Commercial everywhere | Is CUI sitting in email, Teams, SharePoint, endpoints, or backups — and is Commercial even appropriate? |
| GCC High enclave | What genuinely stays inside the enclave, and which user, device, and process controls remain outside it? |
| AWS GovCloud workload | What’s the cloud service offering, the responsibility matrix, the logging, the boundary, the evidence? |
| On-premises file server | What’s the physical, identity, logging, backup, endpoint, and network evidence? |
| Mixed, MSP-managed environment | What does the MSP own, what evidence can you access, and which controls are shared? |

What a wrong scope actually costs: the Georgia Tech case

This isn’t hypothetical. On September 30, 2025, the U.S. Department of Justice announced that Georgia Tech Research Corporation agreed to pay $875,000 to resolve False Claims Act allegations involving cybersecurity requirements on certain Air Force and DARPA contracts (U.S. Department of Justice, Sept. 30, 2025). Among the government’s allegations: that the organization had submitted a summary cybersecurity assessment score of 98 to the DoD that was based on a “fictitious” environment — one that didn’t correspond to the actual systems processing, storing, or transmitting covered defense information. The case was brought by two former members of the university’s own cybersecurity team under the whistleblower provisions of the False Claims Act.

As Stacy Bostjanick, the DoD’s Chief of Defense Industrial Base Cybersecurity, put it in the announcement: failure to follow required cybersecurity requirements puts everyone at risk. (The claims were resolved as allegations only; no liability was determined, and we’re not suggesting this outcome is typical.)

The lesson for a gap analysis is direct: a score is only as honest as the scope it’s measured against. A gap analysis that defines the boundary correctly — what’s in, what’s out, and why — is precisely what keeps a number defensible. One that scores a “fictitious environment” is worse than useless. It’s a liability with a cover sheet.

What happens after the NIST 800-171 gap analysis?

A good gap analysis ends with a sequenced plan, not a pile of findings. Your first moves depend on the score you came out with — there’s a real difference between tuning a near-ready environment and rebuilding one. Confirm scope, finalize the SSP, prioritize remediation by impact, gather evidence, and then decide whether to self-assess or prepare for a C3PAO.

| Your estimated score band | First moves (next ~30 days) | Then |
|---|---|---|
| 100–110 | Tighten evidence, finalize the SSP, decide self-assessment vs. C3PAO | Schedule the assessment or affirm; maintain for annual affirmation |
| 88–99 | Close any 3- or 5-point gaps, finalize the SSP, POA&M the eligible 1-point items | Run the 180-day plan; pass the closeout assessment |
| 60–87 | Prioritize 5-point then 3-point gaps; stand up MFA, FIPS-validated encryption, logging | Re-score; reach at least 88 before booking an assessment |
| Below 60 | Treat this as a build, not a tune-up; consider a CUI enclave to shrink scope | Sequence remediation over months, not weeks |
| No defensible scope / no SSP | Stop — define CUI scope and draft the SSP first | Then score; the SSP can’t be deferred |
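As an added example (not this publication’s or the DoD’s tool), here is a small Python estimator that applies the scoring math and Conditional Level 2 POA&M rules this guide describes to a list of gap findings and reports which gaps must close before an assessment can be booked. Requirement weights and the sample findings are constructed; the 3-point partial-credit values for MFA and FIPS crypto are taken from the DoD Assessment Methodology rather than this page; and the set of never-deferrable requirements is a placeholder to fill in from 32 CFR 170.21.

```python
"""Preliminary CMMC Level 2 score estimate from gap-analysis findings.
Added example, not this publication's or DoD's tool: start at 110, subtract
1/3/5 per unmet requirement with partial credit only for MFA and FIPS crypto,
then apply the Conditional Level 2 POA&M rules (score >= 88, only 1-point gaps
deferrable plus the FIPS exception). Weights and findings are constructed
sample values; verify against 32 CFR 170.24 and 170.21 before relying on them.
A finding is a tuple (req_id, weight, status); status is "met", "partial" or "not_met".
"""
MAX_SCORE = 110
CONDITIONAL_MINIMUM = 88  # 80% of 110 (32 CFR 170.21)
# Partial credit per the DoD Assessment Methodology (not listed on the page): 3
# instead of 5 when MFA (3.5.3) covers only remote/privileged users, or when CUI
# encryption (3.13.11) exists but is not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
# Requirements that can never be deferred to a POA&M. The article says there
# are six but does not list them: PLACEHOLDERS, fill in from 32 CFR 170.21.
NEVER_DEFERRABLE = {"PLACEHOLDER-REQ-1", "PLACEHOLDER-REQ-2"}

def deduction(finding) -> int:
    """Points lost for one finding; without partial credit a gap costs full weight."""
    req_id, weight, status = finding
    if status == "met":
        return 0
    if status == "partial" and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    return weight

def estimate_score(findings) -> int:
    return MAX_SCORE - sum(deduction(f) for f in findings)

def blocking_gaps(findings) -> list:
    """Open gaps that cannot sit on a POA&M and must close before assessment."""
    blockers = []
    for f in findings:
        lost = deduction(f)
        fips_exception = f[0] == "3.13.11" and lost == 3
        if lost and ((lost > 1 and not fips_exception) or f[0] in NEVER_DEFERRABLE):
            blockers.append(f[0])
    return blockers

def conditional_eligible(findings) -> bool:
    """True only when the score clears 88 AND every open gap is POA&M-eligible."""
    return estimate_score(findings) >= CONDITIONAL_MINIMUM and not blocking_gaps(findings)

def score_band(score: int) -> str:
    """Band from the 'what happens after' table; drives the first 30 days."""
    for floor, band in ((100, "100-110"), (88, "88-99"), (60, "60-87")):
        if score >= floor:
            return band
    return "below 60"

# Constructed sample: requirements not listed are assumed fully met.
SAMPLE = [
    ("3.1.1", 5, "met"),
    ("3.3.1", 5, "not_met"),    # 5-point gap: blocks Conditional status
    ("3.5.3", 5, "partial"),    # MFA partial: 3 points, still a blocker
    ("3.13.11", 5, "partial"),  # non-FIPS crypto: 3 points, deferrable
    ("3.1.9", 1, "not_met"),    # 1-point gaps are POA&M-eligible
    ("3.3.3", 1, "not_met"),
]
```

Run it against your own findings list: a score of 97 with a 5-point gap still open lands in the 88–99 band but is not Conditional-eligible until that gap (and the MFA partial) is closed, which is exactly the ordering the table above prescribes.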

A fast gap analysis can tell you where the holes are. It can’t make them disappear — remediation is where the real time and money go.

To leadership, report the estimated score and status, the top remediation dependencies, the budget bands, the contract and timeline risk, and — critically — what the company can and cannot truthfully claim today.

To a prime, stay precise: something like “We’ve completed a NIST SP 800-171 Revision 2 gap analysis for CMMC Level 2 readiness and are remediating identified gaps through an approved POA&M. We are not representing this as CMMC certification.” That sentence is the difference between a credible supplier and a False Claims Act problem.

Four contractor scenarios: which one is you?

The same search term has different correct next steps depending on size, CUI scope, environment, and maturity. A 20-person shop with no SSP, a 150-person manufacturer on aging on-premises systems, and a SaaS company unsure whether its product even touches CUI should not buy the same engagement.

| Scenario | Likely problem | Best gap-analysis path |
|---|---|---|
| 20-person machine shop, M365 Commercial, prime asking about CMMC | No defined scope, no SSP, unclear CUI flow | CUI scoping first, then an RPO/readiness consultant or CMMC-focused MSP |
| 100–150 employee manufacturer, on-prem Exchange and domain, no cloud | Enterprise-wide technical and documentation gaps | Readiness consultant plus an MSP/MSSP for architecture and remediation |
| Software/SaaS company pursuing DoD work | Unsure whether product, support, or dev environments touch CUI | CUI flow analysis and technical scope review before a full gap analysis |
| Already in GCC High, thin documentation, no SIEM or IR evidence | Tooling exists, but evidence and process gaps remain | An evidence-based readiness review or a mock assessment |

What to ask before you buy — and the mistakes to avoid

The best pre-purchase questions force a provider to explain scope, baseline, evidence method, assessment objectives, deliverables, scoring, independence limits, and what happens after the report. The most expensive mistakes are scope errors, evidence errors, version errors, and status overclaims — buying something called a “gap analysis” that leaves you no closer to a defensible SSP, POA&M, score, or assessment path.

Bring this list to every shortlist call:

  1. Which baseline do you use — Rev. 2, Rev. 3, or both?
  2. How do you determine CUI scope?
  3. Do you review evidence, or only interview?
  4. Do you map findings to the NIST SP 800-171A assessment objectives?
  5. Do you produce or update an SSP?
  6. Do you produce a POA&M?
  7. Do you estimate score impact on the 32 CFR 170.24 methodology?
  8. Do you identify cloud, MSP, and external-service-provider dependencies?
  9. Do you review the Customer Responsibility Matrix for inherited controls?
  10. What’s your role — RPO, MSP, MSSP, tool vendor, enclave provider, C3PAO?
  11. Exactly what can we say after this engagement — and what can we not say?
  12. Can you remediate, assess, or both — and what conflict would stop you from assessing us later?
  13. What deliverables do we own at the end?

And the mistakes we watch contractors repeat, distilled: starting with tools before scope; treating Rev. 3 as the CMMC Level 2 baseline; counting interview answers as evidence; confusing a gap analysis with certification; hiring a C3PAO before remediation is done; letting an implementer create an independence conflict for the assessment; underestimating SSP and POA&M effort; ignoring external service providers; skipping cloud and shared-responsibility evidence; and — the one the Georgia Tech case underscores — telling a prime a status your evidence doesn’t support.

How we verified this guide

We separate three kinds of claims on this page: regulatory facts, provider-published signals, and our own editorial judgment. Regulatory facts are checked against primary and authoritative sources; provider prices are treated as public signals, not guaranteed quotes; and our recommendations are framed as editorial conclusions drawn from those verified facts.

| Claim type | Sources we use |
|---|---|
| Regulatory baseline | Federal Register, eCFR (32 CFR Part 170), NIST CSRC, Acquisition.gov |
| Assessment process & scoring | 32 CFR 170.21 and 170.24, Cyber AB materials, DoD CIO |
| SPRS and status | SPRS official documentation, DFARS/acquisition sources |
| Provider categories | Cyber AB role definitions, Marketplace status checks, provider disclosures |
| Cost | Provider-published pricing and the DoD’s published cost estimates, each labeled by source type |
| Voice of customer | Practitioner forums — used only for phrasing and objections, never for regulatory claims |

What we verified on June 11, 2026:

That CMMC Level 2 remains mapped to NIST SP 800-171 Revision 2 (32 CFR 170.24); that the CMMC program rule took effect December 16, 2024 and the DFARS acquisition rule took effect November 10, 2025; that Phase 1 runs November 10, 2025 through November 9, 2026 and Phase 2 begins November 10, 2026 (DoD CIO); that the scoring methodology runs 110 to −203 with weighted values of 1, 3, or 5 and limited partial credit, comprising 42 five-point requirements, 14 three-point requirements, two adjustable requirements (MFA and FIPS-validated encryption), and the remainder at one point (32 CFR 170.24); that Conditional Level 2 requires a score of at least 88 of 110, that only 1-point gaps (plus the FIPS-crypto exception) may be deferred, that six requirements can never be deferred, and that the POA&M closeout window is 180 days (32 CFR 170.21); that a three-year conflict prohibition applies to C3PAO assessment teams (Cyber AB Code of Professional Conduct); and that, as of the February 1, 2026 class deviations, solicitations under the Revolutionary FAR Overhaul may use DFARS Part 240 (including 252.240-7997) in place of the legacy 7019/7020, while 7012 and 7021 are unchanged and the codified 7019/7020 still exist.

Limitations, stated plainly:

This is not legal advice. Your contracting officer’s direction and your contract language control your obligations. Named-provider status must be checked on the date you engage. Published prices are signals, not quotes. Because DFARS clause numbers are mid-transition under the FAR overhaul, verify the exact citations in your own solicitation. And a gap analysis, however good, cannot certify your organization.

See our editorial standards and corrections policy.

NIST 800-171 gap analysis FAQ

What is a NIST 800-171 gap analysis?

It’s a comparison between your current CUI security program and the NIST SP 800-171 requirements that apply to your environment. A good one reviews scope, evidence, gaps, score impact, and SSP/POA&M inputs, then hands you a prioritized remediation plan.

Is a NIST 800-171 gap analysis required?

Usually the gap analysis itself isn’t the named contractual requirement. It’s the practical step contractors use to prepare for their actual obligations — CUI safeguarding under DFARS 252.204-7012, and the CMMC level set in your contract under DFARS 252.204-7021.

How much does a NIST 800-171 gap analysis cost?

Provider-published pricing runs from under $1,000 for a fixed-scope snapshot to a common $3,500–$20,000+ for a full evidence-based engagement. That’s separate from — and far below — the DoD’s full-journey estimates, which exceed $37,000 for Level 2 self-assessment and over $100,000 for Level 2 C3PAO certification across a three-year cycle.

How long does a NIST 800-171 gap analysis take?

A questionnaire-style review can take days to a week or two. A useful evidence-based gap analysis for CMMC Level 2 readiness usually takes several weeks, especially when scope, the SSP, the POA&M, and evidence are immature.

Should we use Rev. 2 or Rev. 3?

For CMMC Level 2, use NIST SP 800-171 Revision 2 as the controlling baseline unless the rule or your contract changes. Treat Revision 3 as a clearly separated future-readiness overlay.

Does a gap analysis produce an SPRS score?

It produces a score estimate using the 32 CFR 170.24 methodology and supports a later self-assessment, but a gap analysis is not, by itself, an official SPRS or CMMC status action. Your score reaches SPRS through the CMMC process — a Level 2 self-assessment with affirmation, or a C3PAO assessment via eMASS.

What is a passing score for CMMC Level 2?

There’s no “passing” gap-analysis score. For a CMMC Level 2 assessment, full implementation scores 110; a minimum of 88 of 110 (80%) is required for Conditional status, and only low-weight gaps can be deferred to a POA&M (32 CFR 170.21).

Does a gap analysis certify us?

No. Only the appropriate formal assessment path produces CMMC status, and only an authorized C3PAO can conduct a CMMC Level 2 certification assessment.

Can our MSP do the gap analysis?

Possibly. A CMMC-capable MSP or MSSP can be a strong fit when implementation and ongoing operations are part of your problem. A generic MSP with no NIST 800-171 or CMMC experience will likely miss scope, evidence, and documentation issues.

Can the company that does our gap analysis also do our assessment?

Generally no. Under the Cyber AB Code of Professional Conduct, providing consulting or implementation help triggers a three-year prohibition on serving on that organization’s C3PAO assessment team. Keep readiness help and the formal assessment separate.

What should we gather first?

Start with CUI scope, system and data-flow diagrams, an asset inventory, any current SSP/POA&M, policies, identity and access evidence, cloud responsibility documents, endpoint and logging evidence, training records, and incident-response materials.

The bottom line

A NIST 800-171 gap analysis is the cheapest, highest-leverage decision in your entire CMMC journey — if you buy the right one, against the right baseline, with the right scope. Get it right and you walk into remediation, and eventually your assessment, knowing exactly where you stand and what to fix first. Get it wrong and you’ve bought a polished document that misstates your risk.

You’re closer to clarity than it feels. You know the baseline (Revision 2), the five outputs, the scoring math, the 88-point line, and the independence trap. The only question left is which kind of help fits your stage.

Primary sources