Strike Graph security compliance blog

CMMC Gap Analysis for all Levels: Steps, Templates & Examples

Written by Justin Beals, Founder & CEO | Feb 18, 2026 7:20:54 PM

Article summary:

A CMMC gap analysis identifies missing controls, evidence, and readiness gaps for CMMC Levels 1, 2, and 3 before self-assessment, C3PAO certification, or government review. The process follows three phases: scoping, assessment, and reporting. Scoping defines system boundaries and the required CMMC level. Assessment evaluates required practices and maps them to verifiable evidence. Reporting documents gaps, updates the System Security Plan in Levels 2 and 3, and builds a remediation roadmap through permitted POA&Ms. This approach helps defense contractors prepare efficiently and reduce certification risk.

Purpose of a CMMC gap analysis

A CMMC gap analysis shows you what’s missing in your data security before a formal assessment. It focuses your time and effort by showing which controls are in place, which are not, and what needs to happen next to meet DoD contract requirements.

A CMMC gap analysis runs in three phases: scoping, assessment, and reporting. Your workflow stays the same across levels. Level 1 is lighter and easier to document. Level 2 adds many more controls, evidence, and formal records. Level 3 is rare and builds on Level 2 with DoD-selected enhanced requirements from NIST SP 800-172.

The format is the same whether you’re doing a self-assessment or working with Certified Third-party Assessment Organizations (C3PAOs). You define what’s in scope, rehearse each required control, collect evidence, and detail what’s missing. CMMC Level 1 includes 15 safeguarding requirements from FAR 52.204-21, which are assessed using 17 assessment objectives in the Level 1 self-assessment and SPRS. For CMMC Level 2 compliance, you review 110 NIST SP 800-171 Rev. 2 requirements and map them to real evidence.

The process prepares you to produce key compliance documents, including the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M), and to post assessment results/status in the Supplier Performance Risk System (SPRS). It’s the pre-game warmup to show you're ready to handle controlled data in the arena under Defense Federal Acquisition Regulation Supplement (DFARS) contracts.

CMMC aligns defense suppliers with DoD expectations for protecting data across the Defense Industrial Base (DIB). Two types of data drive scope in the CMMC (Cybersecurity Maturity Model Certification) program: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

FCI aligns with Level 1 self-assessment safeguards. CUI drives Level 2 requirements. According to the CMMC Assessment Guide (v2.13, September 2024), the Level 2 certification assessment gives the DoD confidence that you protect CUI at the required risk level, including safeguarding data flows with subcontractors across a multi-tier supply chain.

The following sections provide step-by-step directions for each phase of a CMMC gap analysis. Use these phased steps to scope systems, test practices, collect proof, and rank gaps by risk.

CMMC gap analysis phase 1: scoping and preparation

Scoping defines what’s in and out for your assessment. The Level 1 scope is usually narrow and simpler to track. For Level 2, you track how your CUI flows through systems and people.

“Start by identifying your CUI system boundaries to help scope the situation and make you more successful in completing any gap assessment or putting controls in place,” says Micah Spieler, Chief Product Officer at Strike Graph. “Data flows across systems fluidly now. Don’t create a blind spot that surfaces during a CMMC audit, or worse, exposes a vulnerability, by assuming data is siloed adequately.”

Spieler notes that seeing how all systems process, store, or transmit CUI takes a bit of data forensics. Most organizations understandably lack the needed level of documentation to account for how all data flows in their systems. He recommends keeping an open mind and following the thread as you outline the full data flow. Watch out for shadow systems — the set-it-and-forget-it systems with information access, or the contractor with access to infrastructure.  

You don’t need to lock in every detail on day one, but you do need to agree on what’s in and out of scope and who decides.

Here are the phase one CMMC gap analysis scoping and prep steps:

    1. Research which CMMC level you need: Confirm whether your contracts involve FCI or CUI. Your contract wording and data handling determine which level you prepare for. If you’re targeting a third-party Level 2 assessment, shortlist C3PAOs from the Cyber AB marketplace. Cyber AB is the nonprofit DoD partner that oversees the CMMC assessment ecosystem.

    2. Define the FCI or CUI boundaries: If you don’t define how the information flows throughout your environment, you’ll miss something, and so will your System Security Plan. At Level 1, the boundary covers FCI. At Level 2, include all people and platforms that store, transmit, or process CUI across locations, subcontractors, cloud services, and any enclave you operate.

    3. Assemble a CMMC review team: You want to include technical owners. Identify an Information System Security Officer (ISSO), a policy lead (governance, risk, and compliance), and an executive sponsor for decisions. If you’re on a small team, the roles may be combined. If a managed service provider supports you, include their representatives.

    4. Gather CMMC documentation: You’ll need core policies, inventories, and configuration summaries for Level 1. For Levels 2 and 3, you’ll need a working SSP, IR procedures, backup and recovery details, logging queries, MFA settings, and system diagrams.

    5. Read the CMMC assessment guide for your level: Your guide tells you exactly how to assess. Use the guide’s tests to keep your reviews consistent and your evidence repeatable. For Level 1, use the official CMMC assessment guide. For Level 2, use the CMMC Level 2 Assessment Guide (Version 2.13) and NIST SP 800‑171 Rev. 2 and SP 800‑171A. For Level 3, review the CMMC Level 3 Assessment Guide and execute the selected requirements from NIST SP 800‑172.

    6. Get your CMMC tools: Compliance readiness tools help you stay organized and show your work. A structured spreadsheet template or a GRC platform like Strike Graph can both work for gap analysis. What matters is that you successfully keep track of each CMMC control mapped to status, owner, test, and evidence so anyone can repeat the pull without an email search. 

CMMC gap analysis phase 2: assessment/analysis

Phase 2 turns scoping into action. You check required practices, collect proof, and record where things fall short. Level 1 needs basic evidence. Level 2 expects mapped, dated artifacts across users and systems. 

Expect to finish this phase with a list of your CMMC gaps and the work needed to resolve them all.

Follow these phase two CMMC gap analysis assessment and analysis steps:

  1. Review CMMC requirements for your level: At Level 1, you’ll assess 15 requirements. At Level 2, your scope expands to all 110 NIST SP 800-171 requirements mapped to CMMC security requirements. Level 3 adds selected requirements from NIST SP 800-172. You go one by one at each level and mark what’s fully implemented, what’s partial, and what’s missing entirely.

  2. Collect CMMC evidence: You collect screenshots, config exports, access control logs, asset inventories, and policy documents. Each practice should tie to proof you can show and explain. Level 2 expects consistent, dated evidence across systems and users.

  3. Identify CMMC gaps: For each practice, describe what’s missing and which assets are affected. Note partial implementations separately: a process exists, but it is not enforced or not documented.

  4. Analyze causes of CMMC gaps: Do your gaps result from vague ownership, missing documents, or erratic enforcement? Write down the cause, not just what’s missing, to speed up remediation and stop the problems from recurring.

  5. Prioritize CMMC gaps: Not every gap carries the same risk. You rank your gaps by effect and effort, and then you must make choices. Do you first address compliance blockers and high-impact practices? Or will you first fix low-effort/low-risk gaps to show quick progress, then revisit the ten highest-risk gaps?

Spieler notes that choosing which issues to tackle first is a choice each business makes based on its needs and capabilities. Whichever approach you take, sequence dependencies and pay close attention to how issues stack, including dependencies on NIST SP 800-53 control families already in place.

“All of your CMMC action items need to be resolved within a defined timeline. It’s about what resources you have available and how aggressively you can work to resolve the weakness,” he says. “Some weaknesses may be interconnected, so take note if you can tackle multiple issues with one action.”

CMMC gap analysis phase 3: reporting and strategic planning

The final phase turns your findings into actions. Summarize the status of your gap analysis: what’s missing, who owns the fix, and when it gets done. Update your core documents and schedule the work.

For Level 2, you must include a formal remediation plan, an SSP, and documented progress toward full CMMC compliance.

Follow these phase three CMMC gap analysis reporting and planning steps:

  1. Compile your report: Keep this report brief but actionable. Your reviewers want clarity and next steps. Start with an executive summary of what was reviewed, what was in scope, and how many requirements were fully, partially, or not implemented. Include a findings log with links to stable evidence locations and a clear status for each practice. Add notes so reviewers can see how you validated proof.

  2. Develop your POA&M: Level 1 does not permit POA&Ms, but creating an internal plan can still help track fixes. POA&Ms for Levels 2 and 3 are allowed only under Conditional status and must be closed within 180 days. List every gap, the corrective action, who owns it, what resources are needed, and when it will be completed. If your POA&M doesn’t name an owner and a date, it’s another to-do list, not a plan. Well-structured POA&Ms also show CMMC assessors you understand your risks and have a plan to close them. For more, see our CMMC POA&M template and guide.

  3. Create the System Security Plan (SSP): The SSP is required for Level 2 and should describe the current environment, including how each control is implemented. If a control is only partly in place, you want to describe what exists today and explain what’s still missing. Then reference the related entry in your POA&M so your assessors see you’re tracking it. For more, see our CMMC SSP template and guide.

  4. Present a CMMC strategic remediation plan: Now you turn your gap analysis into a budget and resource plan that leadership can act on. Prioritize the actions based on risk, internal audit readiness, and contract timelines. Organize fixes into phases. Leadership wants to see a current risk snapshot, what’s coming down the line, who’s owning what work, and when measurable progress will surface. 
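The register fields the phases above keep coming back to (status, owner, evidence, cause, impact, effort, due date) are easy to model in code. As an added example that is not Strike Graph's own code or template, the script below tracks a small gap register, produces the fully/partially/not-implemented counts for the report, ranks open gaps both ways described in phase two (blockers first or quick wins first), and checks a POA&M against the rules the article states: no POA&M at Level 1, and at Levels 2 and 3 every entry needs an owner and a due date inside the 180-day closeout window. The requirement IDs, dates, and evidence paths are constructed sample values.

```python
"""Added example, not Strike Graph's own code: a small CMMC gap register that
tracks each requirement's status, owner, evidence and root cause, ranks open
gaps two ways (compliance blockers first, or quick wins first), and checks a
POA&M against the level rules stated in the article: no POA&M at Level 1, and
at Levels 2 and 3 every entry needs an owner and a date inside the 180-day
closeout window. Requirement IDs and dates below are constructed samples."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

POAM_CLOSEOUT_DAYS = 180          # Conditional -> Final closeout window from the article
ASSESSED_ON = date(2026, 2, 18)   # constructed assessment date for the sample register


@dataclass
class GapEntry:
    requirement: str                      # reference number plus short title
    status: str                           # "implemented", "partial" or "missing"
    owner: str = ""                       # named owner of the control and its evidence
    evidence: List[str] = field(default_factory=list)  # stable evidence locations
    impact: int = 0                       # 1 (low) .. 5 (high): effect if left open
    effort: int = 0                       # 1 (low) .. 5 (high): work needed to close it
    cause: str = ""                       # why the gap exists, not just what is missing
    due: Optional[date] = None            # POA&M milestone date


def summarize(entries: List[GapEntry]) -> Counter:
    """Counts per status for the executive summary (fully / partially / not implemented)."""
    return Counter(e.status for e in entries)


def open_gaps(entries: List[GapEntry]) -> List[GapEntry]:
    return [e for e in entries if e.status != "implemented"]


def rank_blockers_first(entries: List[GapEntry]) -> List[GapEntry]:
    """Highest-impact gaps first; ties broken by lower effort."""
    return sorted(open_gaps(entries), key=lambda e: (-e.impact, e.effort))


def rank_quick_wins_first(entries: List[GapEntry]) -> List[GapEntry]:
    """Lowest-effort gaps first to show early progress; ties broken by higher impact."""
    return sorted(open_gaps(entries), key=lambda e: (e.effort, -e.impact))


def poam_findings(entries: List[GapEntry], level: int, assessed_on: date) -> List[str]:
    """Problems that would make this POA&M a to-do list rather than a plan."""
    gaps = open_gaps(entries)
    if level == 1:
        # Level 1 permits no POA&M: every open gap must be fixed before affirmation.
        return [f"Level 1 permits no POA&M; {len(gaps)} open gap(s) must be closed first"] if gaps else []
    deadline = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)
    problems = []
    for e in gaps:
        if not e.owner:
            problems.append(f"{e.requirement}: no owner")
        if e.due is None:
            problems.append(f"{e.requirement}: no due date")
        elif e.due > deadline:
            problems.append(f"{e.requirement}: due {e.due} is past the {POAM_CLOSEOUT_DAYS}-day closeout ({deadline})")
        if not e.cause:
            problems.append(f"{e.requirement}: root cause not recorded")
    return problems


# Constructed sample register for a Level 2 environment (not real findings).
SAMPLE_ENTRIES = [
    GapEntry("SAMPLE-01 limit system access", "implemented", owner="ISSO",
             evidence=["evidence/sample-01-access-review-2026-02-01.csv"]),
    GapEntry("SAMPLE-02 MFA for remote access", "partial", owner="IT lead",
             evidence=["evidence/sample-02-mfa-settings-2026-02-10.png"],
             impact=5, effort=2, cause="MFA enforced for VPN but not for email", due=date(2026, 4, 1)),
    GapEntry("SAMPLE-03 audit log retention", "missing",
             impact=4, effort=4, cause="no central log store"),
    GapEntry("SAMPLE-04 incident response procedure", "missing", owner="Policy lead",
             impact=3, effort=1, cause="procedure drafted but never approved", due=date(2026, 9, 30)),
]

if __name__ == "__main__":
    print("Status summary:", dict(summarize(SAMPLE_ENTRIES)))
    print("Blockers first:", [e.requirement for e in rank_blockers_first(SAMPLE_ENTRIES)])
    print("Quick wins first:", [e.requirement for e in rank_quick_wins_first(SAMPLE_ENTRIES)])
    for problem in poam_findings(SAMPLE_ENTRIES, level=2, assessed_on=ASSESSED_ON):
        print("POA&M issue:", problem)
```

Run as-is to see the sample register flagged for a missing owner, a missing due date, and a milestone that falls past the 180-day closeout.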

The difference between minimal documentation and evidence that truly satisfies a CMMC assessment is verifiable, repeatable proof mapped to the practice, with timestamps, system context, and an owner. 

“Leaders should see a path they can fund, with owners and dates they can hold accountable,” says Spieler. “Your documentation and evidence should be as thorough as possible to prove that a control is operational and in place. It’s better to over-demonstrate control operation than it is to understate it.”

Don’t forget to document along the way. Spieler points out that this is a great habit to ensure you’re ready for future growth as your systems evolve and mature with the CMMC program. “Useful reports are prioritized, specific and actionable, and map to evidence requirements so that it’s easy to get started,” says Spieler. It also helps with future audits, maintaining continuous compliance, and developing a culture of compliance within your teams.

CMMC gap analysis steps

 

How gap analysis varies for CMMC Levels 1, 2, and 3

As you move to higher CMMC levels, the number of security requirements grows and the evidence standard rises. The requirements scale with data sensitivity and risk. The framework remains consistent, but the depth of proof, the scope of review, and the documentation requirements increase with each certification level.

No matter the complexity, the CMMC framework anchors your approach. Whether you’re a smaller subcontractor or a large prime handling CUI, the right gap analysis depends on knowing what each level demands:

  • CMMC Level 1: Limited scope, 15 security requirements, smaller evidence sets, and faster timelines. You focus on FCI controls.

  • CMMC Level 2: The assessment scope includes all systems and assets that store, process, or transmit CUI, with 110 NIST SP 800-171 requirements supported by formal policies and repeatable evidence. Contractors must also address flow-down requirements for any subcontractor or service provider handling CUI, with expanded identity, logging, and access controls.

  • CMMC Level 3: This level of gap analysis is rare. You extend your Level 2 efforts with advanced protections aligned to NIST SP 800-172. Level 3 is a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Treat this as a specialized program with lots of federal coordination and support. 

 

Gap analysis comparison for CMMC Levels 1, 2, and 3

  • Scope: Level 1: FCI; Level 2: CUI; Level 3: select CUI with advanced safeguards.

  • Control requirements: Level 1: 15 requirements from FAR 52.204-21; Level 2: 110 requirements from NIST SP 800-171; Level 3: selected enhanced requirements from NIST SP 800-172 plus Level 2.

  • Priorities: Level 1: access control, configs, malware protection, patching; Level 2: identity, logging, incident response, vendor oversight, policy maturity; Level 3: segmentation, threat detection, response, continuous validation.

  • POA&M: Level 1: not permitted; Levels 2 and 3: allowed with limits, 180-day closeout to move from Conditional to Final.

  • Required documents: Level 1: record self-assessment and affirmation; Level 2: SSP and POA&M to manage and close gaps; Level 3: SSP and POA&M covering enhanced safeguards.

  • Who assesses: Level 1: annual self-assessment with affirmation; Level 2: triennial self-assessment or C3PAO certification per contract, with annual affirmation; Level 3: government-led (DIBCAC) after Final Level 2.



Download our CMMC Gap Analysis Templates for all three levels 

Use these CMMC gap analysis templates to turn notes into assessment-ready evidence. You get Level 1, Level 2, and Level 3 workbooks, plus examples for each.

CMMC Level 1 gap analysis template



Download this CMMC Level 1 gap template with all 15 requirements. You enter the status, evidence, assessment method, and your follow-up notes. Use it to keep scope tight, document simple controls, and produce a clean summary for leadership.

CMMC Level 1 gap analysis example



This example, which appears as a tab within the CMMC Level 1 gap analysis template above, is for a small subcontractor we’re calling Summit Precision Fabrication. You can see how each practice is scored, what proof was collected, and how the findings roll into your action plan.

CMMC Level 2 gap analysis template



Download the CMMC Level 2 gap template to map 110 requirements to the required evidence. It includes the CMMC and NIST reference numbers, domains, and control requirements, with entries for status, evidence, assessment method, and notes.

CMMC Level 2 gap analysis examples



The two examples, which appear as tabs in the CMMC Level 2 gap analysis template above, show how fictional companies might complete it. Summit Precision Fabrication is the same subcontractor in the Level 1 example, but this time it’s handling CUI and needs Level 2. The second example is Orion Manufacturing, a fictional mid-sized aerospace manufacturer. 

CMMC Level 3 gap analysis template



Download the CMMC Level 3 gap analysis template to map the additional requirements from NIST SP 800-172 to your evidence. Only a handful of the largest companies need Level 3, but we’re showing it for instructional purposes.

CMMC Level 3 gap analysis example

Only a few top companies will need CMMC Level 3 certification. However, we are still showing this example of a CMMC Level 3 gap analysis to explain the types of issues in this level. This example shows a fictional Tier-1 prime contractor supporting a high-value DoD program.

Key components of a CMMC gap analysis

A strong gap analysis is predictable and defensible. You set the scope, test against the right standard, collect proof the same way every time, and interpret what you find so leadership can fund the work. The key components of a CMMC gap analysis keep your teams in sync and your evidence consistent.

Treat the gap analysis as plan building, not paperwork. It shows what works, what is missing, and how much effort is needed to close the gaps. It turns requirements into work and frees you to progress with clarity. Here’s a component snapshot:

  • Figuring out scope and level needed: Settle on Level 1, 2, or 3. Then, document boundaries, data flows, and your rationale to keep your future reviews consistent. 

  • Reviewing required controls: Next, assess CMMC requirements using the appropriate guide. For Level 2, you follow NIST SP 800-171 security requirements and 800-171A test methods so your gap results are objective and repeatable across teams.

  • Compiling evidence: Then, store screenshots, exports, logs, and policies in stable locations with timestamps. Link each practice to proof. Avoid email attachments, so that anyone authorized and involved can quickly re-pull the same evidence.

  • Identifying and prioritizing gaps: Now record what’s missing, why it matters, the affected assets, and who owns the gap. Rank your gaps by impact and resulting effort, and decide whether to address compliance blockers first or group low-effort wins to create momentum.

  • Reporting results and developing remediation plans (POA&M + SSP): Finally, you’re ready to describe your CMMC assessment readiness. Update your SSP and build a POA&M that includes all tasks, owners, dates, and dependencies tied to the evidence.

Spieler points out that you’re probably already implementing many CMMC-aligned practices. Still, some of those protections may need to be formalized into policies or monitoring programs. 

“Doing a gap analysis, for any framework, is a perfect place to start your implementation process,” says Spieler. “If you’re coming to InfoSec compliance without much experience, the CMMC requirements can be confusing, and jumping straight in can be overwhelming. Doing a gap analysis can help right-size your investment toward building the right compliance program.”

Typical timelines vary by level, data-flow complexity, and whether you run the work internally or with outside help. A disciplined approach will keep the work moving.

Here are the planning ranges we typically see, along with the factors that can change your timelines:

  • Level 1 gap analysis timeline: Plan one to two weeks for most small environments where the scope is tight and evidence is centralized. You want to add time for missing policies or outdated inventories.

  • Level 2 gap analysis timeline: Plan for three to six weeks. That depends on the scope and the quality of the documentation. Reviewing all 110 requirements, pulling dated proof, and logging gaps drives your schedule. If you are working with multi-site networks, vendors, and cloud enclaves, adjust for more time.

  • Level 3 gap analysis timeline: It’s program-dependent. Treat it as an extension of your Level 2 CMMC planning, with extra time for the added safeguards. You build time into your schedule for sophisticated monitoring, segmentation, and coordination.

Internal teams may move faster at the start because they know the systems and the right people. Your timelines slip when you start juggling operations, the evidence sits in someone's inbox, or decisions wait too long for approval. You can expect added coordination time with subcontractors.

“Unless you’re touching CUI, most organizations should start with Level 1. Jumping into Level 2 could require more time and effort than you’re prepared to invest,” says Spieler. “If you over-scope from the beginning, the project is more likely to stall, resulting in wasted investment.”

He emphasizes that this point is especially important to consider when contracting with a C3PAO for a Level 2 assessment. “This is sometimes a good thing to do earlier in the process, so you can align with the auditor on the system boundaries that they plan to certify,” he says. “Partnering with a C3PAO for the CMMC Level 2 certification process too early can be an expensive endeavor and definitely something to avoid.” 

The cost of a CMMC gap analysis depends on the level, scope, and who’s doing the work. Your costs can rise when evidence is scattered across owners and systems, when boundaries are unclear, or when third parties are in scope. 

The DoD publishes CMMC 2.0 compliance cost estimates derived from averages of assessment and affirmation activities for each assessment phase. Use CMMC program cost estimates to help you set expectations for each level. Then you can estimate your budget for gap analysis and remediation costs for your level:

  • Level 1 cost: Expect lower costs than the higher levels due to a smaller scope and fewer requirements. The DoD’s Level 1 self-assessment and affirmation cost estimate is $5,977 per small entity. Smaller teams can keep costs down by centralizing proof and assigning owners early. 
  • Level 2 cost: Expect a higher price due to 110 requirements. This level requires greater depth of evidence and broader vendor reviews. The DoD Level 2 self-assessment and affirmation cost estimate for a small entity is $34,277, and $43,403 for larger entities. A Certified Third-Party Assessment Organization (C3PAO) certification assessment is higher, exceeding $100k for a small entity.
  • Level 3 cost: This level is program-specific. Expect the highest cost due to NIST SP 800-172 safeguards and specialized engineering reviews. This level can entail substantial per-entity engineering costs in the seven-figure range for small entities and in the eight-figure range for larger entities. These DoD Level 3 cost estimates include implementation costs for applicable 800-172 requirements in addition to assessment, certification, and affirmation activities. 

Spieler says that automation and machine learning can mitigate the cost of your CMMC gap analysis. Strike Graph’s Verify AI is a powerful tool that helps you monitor your evidence collection, so you can feel more confident that you’ve integrated with the right systems or provided the right evidence. It validates hundreds of artifacts in minutes, saving hundreds of hours of validation effort. 

“We provide a to-do list for you,” says Spieler. “The pre-mapped controls and evidence requirements are already laid out for Strike Graph customers, making implementing a CMMC program straightforward. Our integrations and automated evidence collection make it easier to get the right data from the right systems and save time on future evidence collection for continuous monitoring.” 

Strike Graph’s CMMC customers report up to 42 percent less prep time and 40 percent shorter assessments by embracing automated evidence collection, resulting in more than $8,000 in first-year savings and $26,000 in year two. 

Who needs a CMMC gap analysis?

If you handle FCI or CUI for a DoD contract, you need a CMMC gap analysis. And that applies to prime contractors and subcontractors that touch the data at any point in the supply chain. The requirements flow to every entity in your delivery chain.

You initiate a gap analysis when you bid, renew, change scope, or introduce new systems or third parties that affect where FCI or CUI lives. Doing so reduces your CMMC assessment risk and aligns spending to evidence you can produce on request.

Common challenges in CMMC gap analysis

Most CMMC gap analysis challenges come from scope confusion, scattered evidence, unclear ownership, vendor blind spots, and poor time estimates. Identify these common obstacles early so your analysis moves faster and your gap fixes align with budgets and contract timelines.

  • Scope definition: This becomes a problem if your team guesses at boundaries and misses systems. “Watch out for scope creep and system boundary confusion,” says Spieler. “Map early so that CUI is easier to identify and control later on.”

  • Evidence sprawl: If your proof is scattered across screenshots and shared drives, pick one repository and label items by control and date. Then set a refresh cadence to keep evidence current. “Validating evidence collection removes a huge gap in the auditing process,” says Spieler. “Errors get caught in real time instead of months later.”

  • Ownership gaps: Cross-team controls without an owner can lead to stalled tasks. Assign named owners for each control and its evidence. You can use a simple RACI for identity, patching, logging, and access reviews, and revisit ownership for each new contract or change to the org chart. 

  • Vendor risk: Your cloud and SaaS providers get overlooked or assumed to be compliant. You want to list every provider that stores, processes, or transmits FCI or CUI. And again, record who owns each safeguard and the required proof, and include CMMC requirements in your contracts.

  • Policy versus practice: This happens when your documents say one thing while teams do another. Start by comparing the policy with the daily operations. Then close those gaps and verify each control runs on schedule. “Don’t get stuck in documentation paralysis,” says Spieler. “Put your processes in place while you document your operations so that you don’t get burned out.”

  • Tool sprawl and data accuracy: What if your counts fail to match across systems? Pick sources of truth for users, assets, logs, and vulnerabilities. Then reconcile your totals before the review so inventory, scanning, and tickets align.

  • Readiness drift: Don’t let your teams treat the CMMC readiness assessment like a one-time event. You want to keep evidence fresh with a living SSP and a rolling POA&M. “Get leadership buy-in. It can take a lot of effort to stand up a CMMC program, and so you want coverage and support from your company’s leadership,” says Spieler. “Attach the compliance program to business goals so it remains a priority.”

  • Time and sequencing: What if your plans focus on documents rather than engineering work? You should budget time for network changes, logging coverage, and access cleanup. 

When you begin your CMMC gap analysis, it’s vital to turn findings into evidence — and Strike Graph’s compliance automation platform makes that easier. The platform combines a guided self-assessment, AI-driven validation, and automatic reporting so you can move quickly from identifying gaps to demonstrating compliance.

“CMMC compliance breaks down when organizations stop at the checklist,” says Justin Beals, CEO of Strike Graph. “What auditors care about is evidence that controls are documented, operating, and defensible. Our goal is to help teams move from ‘we think we’re compliant’ to ‘we can prove it,’ without adding unnecessary manual work.”

You start with Strike Graph’s interactive CMMC self-assessment, aligned with NIST SP 800-171 and CMMC 2.0. In minutes, you’ll see where you stand and can generate a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and an SPRS-ready package.

As you close gaps, Verify AI automatically validates evidence, confirming your controls are well-documented and operating as intended. The result is continuous readiness — lower manual effort, fewer surprises at assessment time, and a well-defined path from your initial gap analysis to sustained CMMC compliance.

 

FAQs on CMMC gap analysis

Is a CMMC gap analysis different from other gap analyses?

A CMMC gap analysis maps your environment to DoD-specific requirements tied to FCI and CUI. It focuses on level selection, system boundaries, evidence depth, and flow-down to subcontractors and service providers. Other frameworks use different control sets and evidence rules. 

Is a CMMC gap analysis the same as a CMMC gap assessment?

You’ll see the terms used interchangeably, though there is a practical line. The CMMC gap analysis is the diagnostic. You map controls, check evidence, and list gaps. The gap assessment is a structured test. You sample records, verify execution, and confirm effectiveness over time. 

Is a CMMC gap analysis the same as a CMMC readiness assessment?

No. A readiness assessment is a dress rehearsal for the review. It resembles the reviewer’s approach with interviews, evidence sampling, and issue logging. A gap analysis builds the inventory of gaps and high-value fixes that the readiness assessment will later test.

How is a CMMC gap analysis different from a Plan of Action and Milestones (POA&M)?

A CMMC gap analysis identifies where controls and evidence fall short. A POA&M manages the fixes. It lists each gap with tasks, owners, resources, and due dates, then tracks status to closure. One finds the work, and the other runs it. You use the POA&M to budget, sequence quick wins, and stage longer changes such as segmentation and logging coverage.