Bridging the Gap: A Closer Look at CMMC Gap Analysis
Whether your organization is embarking on CMMC preparations using internal resources only or planning to engage an advisory team like Coalfire Federal’s dedicated CMMC advisory and assessment team, a CMMC gap analysis is a crucial step. The purpose of the gap analysis is to understand your current state of preparedness and where your existing strengths and weaknesses lie. Once the gaps in your preparedness are identified you can develop a roadmap based on investment priorities that take into consideration required timelines and budgets. The plan for closing those gaps is called your Plans of Action and Milestones (POAMs), and having a well-organized set of POAMs as a result of a robust gap analysis is a key part of successful preparations.
Taking a proactive stance on identifying and managing gaps in, and changes to, your security posture not only helps you comply with regulations but also establishes a foundation for continuous improvement, so that your organization can adapt effectively to evolving threats. Additionally, being able to demonstrate due diligence helps foster trust with your customers and other members of your supply chain, positioning you for more success as a secure participant in the defense industrial base (DIB).
What’s in a CMMC Gap Analysis?
As you may already know, CMMC compliance involves a third-party assessment of an organization’s compliance with the NIST 800-171 framework, but there is also significant nuance to compliance beyond identifying evidence against the top-level controls.
A CMMC Level 2 gap analysis does in fact help you measure your current state of NIST 800-171 conformance, assess the effectiveness of your existing controls, and pinpoint where your business is not yet fully compliant. However, the gap analysis should start with a scoping exercise to understand the boundary for compliance.
One of the biggest errors we see with clients that have done their own gap analyses without any additional advice is that they only address the 110 top-level controls without effectively addressing the 320 assessment objectives. When a company is undergoing a certified assessment, the assessors will be looking for evidence that all of those security objectives have been adequately addressed. If they haven’t been, the organization risks having its security practices judged inadequate and the corresponding controls marked as unmet.
In addition, before the assessors even begin to look at whether control objectives are met, they are going to ask you how your environment is scoped: where your CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets are, and how you are managing out-of-scope assets. They will also ask to see an asset inventory, your network diagram, and your CUI data flow diagram before they even think about looking at your System Security Plan (SSP), because the accuracy of your SSP is entirely dependent on how accurately your boundaries are defined.
Accordingly, every gap analysis we perform begins with a methodical approach to identifying what your CUI boundary is, followed by an evaluation of whether that boundary can be reduced. Reducing the boundary reduces risk as well as the cost of compliance. It is the messiest part of a gap analysis because everyone’s environment is unique, but once that step is completed, the rest of the gap analysis will go more smoothly because the goals are much clearer. The CUI boundary portion of the gap analysis is like laying out the border pieces of a jigsaw puzzle before trying to fill in the interior ‘gaps’ – it clarifies your goals and helps align strategies for completion.
What does a CMMC Gap Analysis cost?
The cost of a CMMC gap analysis depends on a few things—how ready you are, the size of your organization, the certification level you’re aiming for, and how complicated your systems are.
The more contracts you have, and the more organizational environments and locations involved, the more time and effort is required. For organizations with multiple environments to secure, it is very helpful to standardize policies and procedures to the extent possible. This may require a great deal of effort on the front end, but it is worth it: as your environments change and grow, making changes to your policies and procedures will be an order of magnitude easier and less expensive if everything is based on the same security standards.
Similarly, the more you can reduce the variability in the systems and devices in your environment, the easier and therefore less expensive compliance and security will be. If you are dependent on third-party providers for managing your IT and/or security, make sure they are certified to the appropriate level for the sensitivity of the data they handle, and make sure you understand your own responsibilities in the shared responsibility matrix. Any third party that is managing CUI data for you must be FedRAMP Moderate compliant per DFARS 252.204-7012.
How Long Does a Gap Analysis Take?
Unfortunately, the answer to how long it takes is similar to the answer to how much it costs – it depends. The time it takes for a CMMC gap analysis depends on your existing security posture, how well documented your policies and procedures already are, how complex your systems are, how big your company is, the certification level you want, and how confident you are in the choices you have made.
For companies just starting their journey, the time to assess their posture, identify gaps, identify remediation strategies, implement the remediations, and document everything in place is 18-24 months of diligent and consistent effort. And don’t forget that you need to document how you address each of the 320 security assessment objectives, not just a high-level set of answers to the 110 controls!
What is the difference between our CMMC Gap Analysis and Certified Assessment Services?
Gap analysis and assessment sound similar, but the gap analysis involves all the steps taken to prepare for your certified assessment. Under the CMMC rules, an organization seeking certification against the CMMC standard cannot use the same company to perform both its gap analysis and its certified assessment, as that is a conflict of interest. This restriction makes sense. Note also that anyone can offer CMMC advisory services, regardless of experience. Accordingly, if you are looking for an advisor to help you prepare for an assessment, ask lots of questions about experience and credentials before signing an agreement.
Certified CMMC assessments, on the other hand, require that you work with a Certified Third-Party Assessor Organization (C3PAO) to complete the assessment. C3PAOs have to undergo a rigorous evaluation for certification, as do their key employees. All of the CMMC advisory and assessment team members at Coalfire Federal are certified as assessors, which means that all of our clients, including those signing up for gap analysis services, work with a team that can answer even the toughest questions because they ‘know what good looks like.’
In summary, a gap analysis is the process of evaluating your preparedness and coming up with remediation plans for any outstanding POAMs, so that you have a clear roadmap to CMMC readiness. The assessment is the final step in getting certified as an organization that meets the CMMC requirements. The Coalfire Federal CMMC team has personnel who can help you with preparedness, or we can provide you with a team to perform your assessment, but we cannot do both for the same client; no organization can, since that would be a conflict of interest.
Need support on your path to CMMC certification?
Take the proactive step towards compliance readiness with Coalfire Federal. Our team can expertly guide you through the complex CMMC gap analysis and help you build your clear roadmap to CMMC readiness.