The Path to Compliance: A Detailed Look at CMMC Gap Analysis

Welcome to this overview of how the Coalfire Federal team performs gap analyses for companies working toward compliance with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program. Our goal here is to help companies understand how our team can support compliance efforts and to explain a bit about what is involved in the process. Our CMMC gap analyses and other advisory processes involve common steps across all clients, but the timelines and specific advice provided are based on the client’s unique environment and practices. 

The CMMC gap analysis process begins with building an understanding of the dataflow of government information in possession of the client’s organization. Level 1 of CMMC specifies the controls that must be in place for companies possessing Federal Contract Information (FCI) and Level 2 specifies requirements for companies possessing Controlled Unclassified Information (CUI). Level 1 requires a self-attestation of compliance with 15 controls where Level 2 currently requires compliance with the 110 controls of NIST 800-171r2. Compliance with Level 2 is significantly more involved. Most of our advisory clients seeking a gap analysis are trying to achieve compliance with the more complex Level 2 of CMMC. 

Introduced in January 2020, the Cybersecurity Maturity Model Certification (CMMC) framework, spearheaded by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), stands as a pivotal standard primarily due to the requirement that a company in the Defense Industrial Base (DIB) get third party attestation of their compliance by a Certified Third Party Assessor Organization (C3PAO). This requirement introduced a number of variables, including the need to develop and train a field of assessor experts which takes significant time. Numerous challenges with the proposed regulation were also identified during the early pilot tests, resulting in further delays in implementation while improvements were made. 

After a thorough review, a revised version of the proposed CMMC rule was published in December 2023. During the review period, there were numerous reports of security breaches across all levels of the DIB, underscoring the imperative for better security standards throughout the defense industry’s supply chain.  An understanding of how breaches were taking place also clarified the importance of applying cybersecurity standards in equal measure throughout the entire supply chain because all companies are under attack. In fact, evidence suggests that smaller companies are even greater targets given the expectation that they will be less secure.  

Our Approach to CMMC Gap Analysis 

The Coalfire Federal approach to conducting a Level 2 CMMC gap analysis involves scoping exercises, a review of the existing CUI boundaries and consideration of CUI boundary improvements, followed by an analysis of compliance with controls against the defined boundary. Essentially, a gap analysis serves as the compass guiding organizations through the intricate landscape of cybersecurity standards set by the Department of Defense. It is a comprehensive internal assessment where our team works closely with the client’s team to evaluate policies, procedures, practices, and technical capabilities against the specific requirements of the CMMC framework.

The first step of defining the CUI boundary is critical to ensuring that the controls are applied correctly and effectively. It also helps clients understand how they may be able to reduce the overall footprint and expense of their compliance journey. Toward the end of the CUI boundary exercise, it is common for our team to identify steps clients can take to reduce the number of places CUI is stored, the number of people who need access and otherwise streamline procedures and policies. The simplification process can reduce the complexity as well as the cost of compliance.

During the second major phase of a gap analysis, we work with a clients to help them understand the effectiveness of their existing controls and identify any remediation steps that are needed. While social media and similar forums focus on especially challenging security controls and complex third party contracting considerations, there are also a number of more mundane challenges that we find most clients are facing as well. Some examples of common controls frequently missing are:

Weak access controls including not only lack of effective multifactor authentication but also simply missing clear definition of authorized users and effectively managing those accounts
Ineffective data management across CUI and Contract Risk Managed Assets
Policy timelines that are not effectively updated
Insufficient network segmentation
Inadequate cybersecurity awareness training for administrators 
Insufficient management and organization of objective evidence for required controls

The earlier a company begins their compliance journey, the less stressful it is to budget the time and allocate the resources required to ensure that all gaps are closed.

The insights derived from the gap analysis provide clarity and confidence in your CMMC compliance roadmap. Working with an authorized C3PAO in creating a roadmap provides further assurances that the roadmap is accurate. The Coalfire Federal advisory team is made up of professionals who each have at least 10 years of cybersecurity experience and are all trained as Certified CMMC assessors. Our clients know that they are in good hands as our team knows what good looks like.

We are also committed to helping the U.S. Government protect national secrets and helping our clients meet the required standards for safeguarding Controlled Unclassified Information (CUI), which is something our team takes pride in.

How Long Does a Gap Analysis Take?

The timeline and effort required for a comprehensive CMMC gap analysis hinge on various factors:

The complexity of your environment.
The CMMC level(s) required of your company.
Human resources dedicated to the project – it is imperative that at least one leader of the team has some understanding of cybersecurity. In addition you need participation from personnel in contracts, human resources, and program managers, at minimum. 
Your current security posture and how far you are from currently complying will also impact your timeline and cost. 

As the timeline to compliance with CMMC approaches, there has been an uptick in requests for support as companies struggle with understanding specific requirements and feel a sense of urgency with regard to swiftly addressing potential compliance gaps in their current controls landscape. A CMMC gap analysis serves as a crucial navigational tool for promptly strengthening cybersecurity resilience in alignment with the latest regulatory developments. The feedback we have received on this service has been extremely positive in giving our clients clarity and satisfaction in understanding what they need to do to comply and what their individual timelines look like for compliance based on the investments in time, technology and third party service agreements required based on their current security posture.

At Coalfire Federal, we understand that each organization is unique. Contact us today, and let’s tailor a gap remediation strategy that aligns seamlessly with your CMMC compliance needs. Elevate your defenses, secure your data – because protecting the mission is our priority.