CMMC Series Part 4: The 3 Most Common Issues in the CMMC Gap Analysis

Modified on: February 3, 2021

In this Article

  • Learn about the most common findings we identify in CMMC Gap Analyses.
  • Learn how your organization can avoid these gaps on your path to CMMC.

#1. You Don’t Have Enough Documentation.

As IT and compliance become more complex, documentation of processes and management becomes increasingly important.

The technical implementation could be stellar, but without the policies and procedures to support it, you’ll have difficulty achieving other goals you need to meet to achieve CMMC, like fully managing incident response and configuration management. Lacking documentation for current policies and procedures also significantly complicates the process of managing and documenting further changes to your organization’s cyber environment.

Documentation is helpful during preparation for CMMC, especially during the Gap Analysis phase. If you don’t already have ample documentation for all policies and procedures, this will likely be a sizable part of remediation.

Having proper policies and procedures is also important for achieving CMMC Level 3 and above during the CMMC Assessment phase. At this level, two out of three types of acceptable proof — interview, testing, or observation — are required to validate each control; documentation will prove invaluable.

Also keep in mind that any documentation procedures will need to be both implemented and matured to pass CMMC Level 3, meaning that they must already be an effective and established part of your organization’s compliance strategy.

#2. Your Cybersecurity Program Isn’t a Part of Your Business Strategy.

If you are a smaller organization, cybersecurity may have always been an afterthought — and this is one of the most glaring and difficult gaps to close. It may not even show up in the budget as its own line item, instead being listed under IT. Unlike most operational and legal costs, IT and cybersecurity often fly below the radar.

However, now that a Plan of Action and Milestones (POA&M) is no longer an option for passing an audit, CMMC will require more time and effort, and therefore more funding, from organizations within the Defense Industrial Base. If not by necessity alone, cybersecurity should become a high-level line item moving into 2021 and beyond.

The advantages of prioritizing cybersecurity include improved security culture and behavior, a higher likelihood of achieving compliance, and a lower likelihood of losing DoD contracts or contractual relationships.

#3. You’re Relying on NIST 800-171.

If your organization is in good shape with NIST 800-171 compliance, you may be tempted to forgo an extra gap assessment and sprint straight towards CMMC compliance as soon as possible. But if you’re aiming for Level 3 or above, it is advisable to take more time to examine your controls, because there’s more to take into consideration before getting your CMMC audit.

Being squared away with NIST 800-171 is a solid foundation for CMMC compliance, but it may not be enough.

On top of NIST 800-171’s 110 controls, CMMC Level 3 adds 20 Delta practices and the need for maturity. That means you need well-established policies, procedures, plans, budgeting, role and responsibility documents, and proof that you’ve been following them. That requires documentation, maintenance, and tracking capability, which following NIST 800-171 alone will not cover.

Do you have questions about the CMMC Gap Analysis and whether it’s right for your organization? Talk to a CMMC subject matter expert one-on-one or read more about CMMC on our blog or CMMC services page to discover more options.