Two Very Different Things
Defense contractors preparing for CMMC frequently conflate two distinct activities: a gap analysis and a formal C3PAO assessment. They serve different purposes, cost different amounts, and happen at different stages of the compliance journey. Confusing them—or skipping the first to jump straight to the second—is one of the most expensive mistakes a contractor can make.
This guide breaks down exactly what each one is, what each one costs, and when you need which.
What a Gap Analysis Is
A gap analysis is an internal readiness evaluation conducted by a consultant, Registered Practitioner (RP), or internal team. It measures your current cybersecurity posture against the 110 practices in NIST SP 800-171 Rev 2—the same standard used for CMMC Level 2 assessment.
The output of a gap analysis is a remediation roadmap: a prioritized list of what you need to fix, implement, or document before you are ready for a formal assessment. It answers one question: "Where do we stand, and what does it take to get assessment-ready?"
A well-executed gap analysis produces:
- Current-state scoring against all 110 controls and 320 assessment objectives
- Preliminary SPRS score calculation to baseline your starting position
- Prioritized remediation roadmap with effort estimates and dependencies
- CUI boundary mapping to define your assessment scope
- Documentation inventory identifying missing policies, procedures, and evidence
- Timeline projection with milestones, working backward from the Phase 2 deadline
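The preliminary SPRS score and the prioritized roadmap above come from the same data: a status per control and the per-control point weights from the DoD NIST SP 800-171 Assessment Methodology. The following is an added example, not part of this guide or any assessor's tooling; the WEIGHTS table is an assumed illustrative subset of the published weights, and the control statuses are constructed sample data.

```python
"""Preliminary SPRS score and prioritized gap list from gap-analysis results.

Scoring rules applied here (from the DoD Assessment Methodology): start at 110,
subtract each unimplemented control's weight (5, 3 or 1), treat "partial" as
not implemented except for 3.5.3 (MFA) and 3.13.11 (FIPS crypto), which lose
3 points instead of 5 when partially implemented, and produce no score at all
if the System Security Plan (3.12.4) does not exist.
"""
from typing import Dict, List, Tuple

MAX_SCORE = 110
SSP_CONTROL = "3.12.4"
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Assumed illustrative subset of control weights; a real score needs all 110
# weights from the published methodology table.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5, "3.3.2": 3,
    "3.4.1": 5, "3.5.3": 5, "3.6.1": 5, "3.13.11": 5,
}

Gap = Tuple[str, str, int]  # (control id, status, points deducted)


def sprs_score(status: Dict[str, str], weights: Dict[str, int] = WEIGHTS) -> Tuple[int, List[Gap]]:
    """Return (preliminary score, gaps sorted by points deducted, highest first)."""
    if status.get(SSP_CONTROL) != "implemented":
        raise ValueError("3.12.4 (SSP) not implemented: no SPRS score can be reported")
    score = MAX_SCORE
    gaps: List[Gap] = []
    for control, weight in weights.items():
        if control not in status:
            raise KeyError(f"no gap-analysis status recorded for {control}")
        state = status[control]
        if state == "implemented":
            continue
        deduction = PARTIAL_CREDIT.get(control, weight) if state == "partial" else weight
        score -= deduction
        gaps.append((control, state, deduction))
    gaps.sort(key=lambda g: (-g[2], g[0]))  # biggest point recovery first
    return score, gaps


def sample_baseline() -> Tuple[int, List[Gap]]:
    """Constructed gap-analysis result for a contractor with typical gaps."""
    status = {
        "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not_implemented",
        "3.3.1": "not_implemented", "3.3.2": "not_implemented",  # no audit logging
        "3.4.1": "not_implemented", "3.5.3": "partial",  # MFA only for remote/privileged
        "3.6.1": "implemented", "3.12.4": "implemented", "3.13.11": "not_implemented",
    }
    return sprs_score(status)
```

Feeding the sample baseline through the function gives a preliminary score of 88 and a roadmap that puts the 5-point controls (audit logging, baselines, FIPS cryptography) ahead of the 1-point CUI-flow control.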
What a Formal C3PAO Assessment Is
A formal assessment is the official certification determination conducted by a CMMC Third-Party Assessment Organization (C3PAO) authorized by the CyberAB. This is not a readiness check—it is the exam. The C3PAO evaluates your organization against every assessment objective and issues a MET or NOT MET determination for each.
The formal assessment is what results in your CMMC certification. Without it, you cannot demonstrate compliance on contracts that require Level 2. There is no substitute, no alternative, and no workaround.
The Comparison
| Aspect | Gap Analysis | Formal Assessment |
|---|---|---|
| Purpose | Identify readiness gaps and build remediation plan | Official certification determination |
| Conducted By | RP, consultant, or internal team | Authorized C3PAO only |
| Cost | $2,500 – $15,000 | $30,000 – $75,000 |
| Duration | 2 – 4 weeks | 4 – 8 weeks |
| Outcome | Remediation roadmap and readiness score | MET / NOT MET certification decision |
| Required? | No (but highly recommended) | Yes, for Level 2 certification |
| When | Before remediation begins | After remediation is complete |
When to Get a Gap Analysis
The short answer: now. The gap analysis is the first step in the certification process, not an optional add-on. It is how you answer three critical questions:
- How far are we from passing? Without a gap analysis, you are guessing at your readiness. Most organizations dramatically overestimate their compliance posture.
- How much will remediation cost? The gap analysis scopes the remediation work. Without it, you cannot budget accurately for the certification process.
- Can we make the deadline? The gap analysis reveals the scope of work and lets you build a realistic timeline backward from November 10, 2026.
Think of it this way: You would not schedule surgery without a diagnosis. A gap analysis is the diagnosis. The formal assessment is the surgery. Going straight to the C3PAO without knowing your gaps is the compliance equivalent of walking into an operating room and hoping for the best.
The Cost of Skipping the Gap Analysis
Our research across the defense industrial base identifies seven failure modes that consistently cause contractors to fail their formal assessments. Every single one of them is detectable—and correctable—through a proper gap analysis.
Approximately 25% of organizations that skip the gap analysis and go directly to a formal assessment receive a NOT MET determination. That means they spent $30,000–$75,000 on an assessment they were not ready for, lost months of time, and now must remediate and schedule a re-assessment—competing for C3PAO availability with every other contractor facing the same deadline.
The Seven Failure Modes
- Documentation gaps. 100% of organizations in our research had incomplete or missing documentation—System Security Plans, policies, procedures, or evidence artifacts. An assessor cannot give credit for controls you cannot document.
- Scope creep. Poorly defined CUI boundaries mean the assessment scope is larger than expected, revealing controls that were never implemented in the expanded boundary.
- Access control failures. 85% lack proper MFA, role-based access, or regular access reviews. These are foundational controls that touch multiple practice families.
- Audit logging deficiencies. 78% cannot demonstrate adequate logging, monitoring, and review. You must prove who accessed what, when, and from where.
- Incident response gaps. 70% have no tested incident response plan. Having a document is not enough—assessors look for evidence of tabletop exercises and actual process execution.
- Configuration management absence. 65% lack security baselines, change control processes, and system hardening documentation.
- Evidence packaging failures. Some organizations can demonstrate compliance in practice but cannot present the evidence in a format assessors can validate, so the control is scored NOT MET anyway.
A gap analysis identifies every one of these issues before you spend $30,000+ discovering them during a formal assessment.
The Correct Sequence
The path from "not started" to "certified" follows a specific sequence. Skipping steps does not save time—it creates expensive rework:
- Gap analysis — Baseline your current state, scope the remediation
- Remediation — Implement controls, create documentation, train personnel
- Internal readiness review — Verify remediation is complete and evidence is packaged
- Formal C3PAO assessment — The certification exam
- POA&M closure (if applicable) — Resolve any conditional findings within 180 days
The gap analysis is Step 1 because everything else depends on its output. The remediation scope comes from the gap analysis. The timeline comes from the gap analysis. The budget comes from the gap analysis. Without it, you are building on assumptions—and in compliance, assumptions fail assessments.
A common pattern we see: A contractor hears about CMMC, panics, and immediately contacts a C3PAO to schedule an assessment. The C3PAO asks for their SSP, SPRS score, and evidence inventory. The contractor does not have any of these. The C3PAO recommends they get a gap analysis first. The contractor has now lost weeks and is further behind than when they started.
What This Means for Your Organization
If you have not had a gap analysis, start there. Not next quarter. Not after the next contract renewal. Now. The Phase 2 deadline is not moving, the C3PAO bottleneck is real, and the organizations that will be certified on time are the ones that understood their gaps early enough to fix them.
A gap analysis at the $2,500 level covers the fundamentals: a control-by-control assessment against all 110 practices, a preliminary SPRS score, and a prioritized remediation roadmap. That is enough to make informed decisions about timeline, budget, and next steps. It is the lowest-risk, highest-information investment you can make in the certification process.
Start With the Quick-Start Assessment
Our Quick-Start Assessment ($2,500) gives you a control-by-control gap analysis against all 110 NIST 800-171 practices, a preliminary SPRS score, and a prioritized remediation roadmap—everything you need to make informed decisions about your certification timeline.