CMMC Level 2 Gap Analysis Data Collection Process
Before reviewing security controls, it is necessary to establish a clear understanding of the OSC's environment, business operations, and current compliance posture.
Phase 1: Scope Definition & Context Gathering
1. Identify OSC Details & Regulatory Requirements: legal name, address, and POC information (IT Director, Compliance Lead, CISO).
2. DIB Status: Is the OSC a DoD contractor? Do they handle Controlled Unclassified Information (CUI)?
3. Active DoD Contracts & Requirements: Does the contract require CMMC Level 2 or adherence to DFARS 252.204-7012? Are flow-down requirements applicable to subcontractors?
4. CAGE Code / UEI
5. Current Compliance Posture: Have they attempted self-assessments (e.g., SPRS score)? Have they completed any previous compliance work (e.g., NIST 800-171 SSP, POA&M, or third-party audits)?
Phase 2: System Boundaries & Architecture Review
To analyze compliance, it is important to determine where CUI exists and how it is managed within the organization's systems.
1. Identify CUI Scope & System Boundaries: What systems, networks, and users handle CUI?
2. Data Flow Mapping: Where is CUI stored, processed, or transmitted? Are cloud services used (e.g., GCC High, AWS GovCloud)? Are external IT providers or Managed Service Providers (MSPs) involved?
3. System Inventory: List all devices handling CUI (workstations, servers, mobile devices). Identify FedRAMP-authorized services, local infrastructure, and hybrid environments.
4. Remote Access & External Connections: How is remote work handled? Are VPNs, VDI, or other security measures in place?
Phase 3: Policies, Procedures & Documentation Review
Reviewing administrative controls helps determine whether necessary documentation exists and is in use.
Review Core Cybersecurity Policies & Procedures
  • System Security Plan (SSP) (if one exists, validate it against the controls actually implemented)
  • Access Control Policy
  • Incident Response Plan (IRP)
  • Data Backup & Disaster Recovery Policy
  • Encryption & Data Protection Policies
  • User Training & Awareness Program
  • Third-Party & Supply Chain Security Policies
  • Policy on Handling CUI
  • Multi-Factor Authentication (MFA) Policy
  • Security Logging & Monitoring Policy
If any of these policies are missing or outdated, they are considered a gap.
Phase 4: Control-by-Control Gap Analysis
Once the necessary data has been collected, each NIST 800-171 r2 control must be reviewed to determine compliance.
Control-Specific Information Collection
Each of the 14 control families under NIST 800-171 must be analyzed, with evidence collected for each requirement.
  • Access Control (AC)
  • Awareness & Training (AT)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System & Communications Protection (SC)
  • System & Information Integrity (SI)
🔹 Document all gaps found for each control in the Gap Analysis Report.
Phase 5: Deliverables & Next Steps
Once the Gap Analysis is complete, findings must be compiled and documented.
Gap Analysis Deliverables
1. Gap Analysis Report
  • Lists control-by-control compliance status.
  • Identifies missing controls and high-risk areas.
  • Includes evidence-based findings on gaps.
2. Executive Summary
  • High-level findings for leadership.
  • Overview of the compliance gaps.
These deliverables provide both detailed technical findings and strategic guidance to help organizations move toward CMMC Level 2 compliance.
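As an added illustration, not part of the original process document, the following Python script shows one way to compile the records collected in Phases 3 and 4 into the two deliverables above: a control-by-control status table, an evidence-based gap list, and per-family counts for the executive summary. It applies the Phase 3 rule that a missing or outdated policy is a gap, and adds the check that a control marked "Met" without any supporting evidence is itself reported as a gap. The record fields, the 365-day "outdated" threshold and all sample data are assumptions constructed for this example.

```python
"""Gap analysis report compiler (added example, not the document's own tooling).

Models the records an assessor collects and compiles them into the
control-by-control status, gap list and family rollup described under
"Gap Analysis Deliverables". No remediation is suggested; only findings."""

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The 14 NIST 800-171 r2 control families listed in Phase 4.
FAMILIES = {
    "AC": "Access Control", "AT": "Awareness & Training",
    "AU": "Audit & Accountability", "CM": "Configuration Management",
    "IA": "Identification & Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection", "PS": "Personnel Security",
    "PE": "Physical Protection", "RA": "Risk Assessment",
    "CA": "Security Assessment", "SC": "System & Communications Protection",
    "SI": "System & Information Integrity",
}

# Assumption for this example: a policy not reviewed within a year is "outdated".
MAX_POLICY_AGE = timedelta(days=365)


@dataclass
class Policy:
    name: str
    exists: bool
    last_reviewed: Optional[date] = None


@dataclass
class ControlRecord:
    control_id: str                      # NIST 800-171 numbering, e.g. "3.1.1"
    family: str                          # two-letter code from FAMILIES
    status: str                          # "Met", "Not Met" or "N/A"
    evidence: list = field(default_factory=list)   # artefacts reviewed


def policy_gaps(policies, as_of):
    """Phase 3 rule: a missing or outdated policy is a gap."""
    gaps = []
    for p in policies:
        if not p.exists:
            gaps.append(f"{p.name}: policy missing")
        elif p.last_reviewed is None or as_of - p.last_reviewed > MAX_POLICY_AGE:
            gaps.append(f"{p.name}: policy outdated (last reviewed {p.last_reviewed})")
    return gaps


def control_gaps(records):
    """Phase 4: 'Not Met' controls are gaps, and so is any 'Met' claim that
    has no evidence behind it (findings must be evidence-based)."""
    gaps = []
    for r in records:
        if r.family not in FAMILIES:
            raise ValueError(f"unknown family {r.family!r} on control {r.control_id}")
        if r.status == "Not Met":
            gaps.append(f"{r.control_id} ({r.family}): not met")
        elif r.status == "Met" and not r.evidence:
            gaps.append(f"{r.control_id} ({r.family}): marked met with no evidence")
    return gaps


def family_rollup(records):
    """Met / Not Met counts per family, one Counter per family code."""
    rollup = {code: Counter() for code in FAMILIES}
    for r in records:
        rollup[r.family][r.status] += 1
    return rollup


def compile_report(records, policies, as_of):
    """Assemble the Gap Analysis Report and the Executive Summary figures."""
    gaps = control_gaps(records) + policy_gaps(policies, as_of)
    status_counts = Counter(r.status for r in records)
    return {
        "control_status": {r.control_id: r.status for r in records},
        "gaps": gaps,
        "family_rollup": family_rollup(records),
        "executive_summary": {
            "controls_assessed": len(records),
            "met": status_counts["Met"],
            "not_met": status_counts["Not Met"],
            "gap_count": len(gaps),
        },
    }


# Constructed sample data for a fictional OSC (not from any real assessment).
SAMPLE_RECORDS = [
    ControlRecord("3.1.1", "AC", "Met", ["AD group listing", "SSP section 3.1"]),
    ControlRecord("3.1.2", "AC", "Not Met"),
    ControlRecord("3.3.1", "AU", "Met"),             # claimed met, no evidence
    ControlRecord("3.5.3", "IA", "Met", ["MFA policy", "MFA configuration export"]),
]
SAMPLE_POLICIES = [
    Policy("Incident Response Plan (IRP)", True, date(2024, 9, 15)),
    Policy("Multi-Factor Authentication (MFA) Policy", True, date(2022, 6, 1)),
    Policy("Policy on Handling CUI", False),
]


def sample_report():
    """Compile the constructed sample as of a fixed assessment date."""
    return compile_report(SAMPLE_RECORDS, SAMPLE_POLICIES, date(2025, 3, 1))


if __name__ == "__main__":
    for line in sample_report()["gaps"]:
        print("GAP:", line)
```

The report deliberately separates "Met" (what the OSC asserts) from the gap list (what the evidence supports), so the executive summary can show both figures side by side; controls with an unknown family code are rejected rather than silently dropped, because a control that vanishes from the rollup would understate the gap count.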
Final Notes
1. This is not a C3PAO readiness review. The goal is to identify compliance gaps, not to prepare for certification.
2. The final report should clearly document which NIST 800-171 controls are met and which are not, without suggesting remediation actions.
3. Ensure the OSC understands that this is not an official certification or pre-assessment.