Gap assessment & remediation.
Control-by-control evidence review against NIST SP 800-171, with technical and policy guidance you can act on. We do not displace your IT team or MSP; we work alongside them.
What this engagement produces
A defensible position on every control in scope. Specifically:
- A control-by-control assessment against the NIST SP 800-171 Rev 2 (or Rev 3, where applicable) requirements.
- Evidence inventory: what you have, what is missing, and what is partially implemented.
- Technical remediation guidance written for your IT team or MSP, not for assessors.
- Policy and procedure remediation guidance, including drafts of any documents you are missing.
- An updated SPRS-style score you can use to recalibrate your DFARS 7019 attestation.
- A remediation tracker (the foundation of your eventual POA&M) that you and we will work from for the duration of the engagement.
Who this is for
Organizations that have completed a Readiness Roadmap (with us or another firm), conducted a self-assessment that they suspect is incomplete, or stalled mid-remediation and need a credible reset.
Most organizations underestimate how much of CMMC is documentation rather than technology. Our gap assessments find both.
How we work
Phase 1 — Evidence collection
We work from your existing documentation, interview key personnel, and sample-test technical controls. The objective is a complete picture, not a punitive audit. We tell you what we are looking at and why.
Phase 2 — Control-by-control assessment
Each control is evaluated against the assessment objectives that authorized C3PAOs use. The standard is “would this hold up” rather than “is something present.” We document the difference clearly.
Phase 3 — Remediation guidance
For each gap, we deliver specific guidance: what needs to change technically, what needs to be written, who should do it, and roughly how long it should take. This is the document your IT team or MSP will work from.
Phase 4 — Continuous engagement
We remain engaged through the remediation cycle on an as-needed basis. Most organizations need spot consultation on technical interpretation, policy review, or evidence quality. We do not bill discovery time during this phase. You are paying for an outcome, not for hours.
How it differs from a mock assessment
A gap assessment identifies what to fix. A mock assessment validates that what you have fixed will hold up. They are sequential, not interchangeable. Most organizations need both, in that order.
What it costs
Gap assessments are scoped based on environment complexity, the number of CUI assets, and the depth of existing documentation. We provide a fixed-fee quote in writing after the initial scoping conversation. Engagements typically run six to ten weeks, with a portion of that being your remediation work in parallel.
Your contract eligibility is on a clock. Let’s get to work.
A 30-minute scoping call with a senior consultant. No pitch. We listen, scope honestly, and tell you what we’d do — including whether we are the right fit.
Request a scoping call →