CMMC Gap Analysis: What You Need to Know

The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification (CMMC). The move aims to normalize and standardize cybersecurity to ensure adequate preparedness across the defense industrial base (DIB) of the federal government. This article will explore the concept of maturity models relevant to cybersecurity, the areas of the DIB, the different CMMC levels, and how we can help accelerate certification.

Cyber Maturity Model

The term maturity model refers to a set of best practices against which an organization's degree of adherence is measured on a scale, from the lowest levels of adoption or maturity to the highest levels of implementation and certification. When a company or organization reaches the certifying levels of a maturity model, it means that the company or organization is fully committed to advancing its procedures and practices within the model's domains to attain a sustainable level of performance.

Defining CMMC Gap Analysis

Before we dive deeper, we first need to understand what CMMC is before emphasizing the need to have one. CMMC (Cybersecurity Maturity Model Certification) is a program introduced by the US Department of Defense (DoD) in partnership with the Office of the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)), the Federally Funded Research and Development Centers (FFRDCs) and University Affiliated Research Centers (UARCs).

The program aims to measure the defense capabilities of all these organizations, their preparedness to deal with cybersecurity threats, and the sophistication of the resources they have at hand.

The program was launched in January 2020 with the goal of establishing a standardized cybersecurity strategy across all DoD-affiliated companies and organizations within the supply chain of the Defense Industrial Base (DIB), including suppliers and subcontractors working with the larger defense equipment producers.

The compliance requirements of an organization or company depend on where it ranks in the DIB supply chain. The requirements vary by rank. Therefore, the requirements for smaller companies may be different from larger prime contractors.

As a maturity model, CMMC draws on pre-existing regulations and standards, including NIST SP 800-171, 48 CFR 52.204-21 and DFARS clause 252.204-7012, as well as new ones, to create a robust set of cybersecurity best practices.

Companies and organizations can utilize these best practices and policies to create the right frameworks to measure the effectiveness of their cybersecurity programs.

CMMC maturity models enable companies to start by using whatever controls they have and add more controls and processes over time to build a more robust program.

Small contractors with low-level programs should start with the first level of maturity, which entails cyber hygiene, then expand their program to the highest level of maturity using the controls and procedures set out in the CMMC.

Overall, CMMC focuses on creating sustainable cybersecurity within the Defense Industrial Base (DIB) supply chain. All DoD subcontractors are required to review their security programs, identify compliance gaps and attain the highest level of maturity by 2025.

Determining CMMC Levels

To determine which CMMC level your company currently sits at, you’ll need to consider two factors: the type of information you manage and the processes and best practices you have in place. CMMC consists of 17 domains, 43 capabilities, 171 practices, and 5 certification levels.

These best practices are categorized into 17 domains, including “Access Control” and “Systems and Communications Protection.” Furthermore, CMMC defines 43 different capabilities, such as “control remote system access” and “control communications at system boundaries,” which are spread across the 17 domains.

Not all companies are required to attain all 43 capabilities. Which ones apply depends on the CMMC maturity level they need to achieve. The five CMMC levels are as follows:

CMMC Level 1: Processes and Basic Cyber Hygiene

The first CMMC level entails performed processes and requires an organization to achieve specific practices. It focuses on basic cyber hygiene, or safeguarding Federal Contract Information (FCI), and corresponds to 48 CFR 52.204-21. Since there are no detailed procedures for performing these practices or official documentation to adhere to, CMMC Level 1 is not used to assess process maturity.

CMMC Level 2: Process Performed and Documented

At the second CMMC level, organizations must document all their processes and best practices to implement their CMMC efforts fully. Documenting procedures and techniques allows the individuals concerned within an organization to perform them repeatedly and consistently.

When the processes are documented and practiced in the required manner, organizations develop and attain mature capabilities.

Furthermore, the second CMMC level acts as a transition from Level 1 to Level 3 and contains a subset of the security requirements outlined in NIST SP 800-171, along with practices from other references. Because this level is a transitional stage, a specific subset of its practices focuses on protecting Controlled Unclassified Information (CUI).

Level 3: Processes Managed and Good Cyber Hygiene

In the third level of CMMC, an organization must establish, resource and maintain a specific plan that demonstrates effective management of its activities for implementing best practices.

The plan may include a detailed description of the organization’s missions, objectives, project outlines, resourcing, training, and input from relevant stakeholders. The aim of Level 3 is to protect CUI; it covers all the security requirements outlined in NIST SP 800-171 plus an additional 20 practices to mitigate threats.

Contractors with a DFARS clause in their defense contracts must meet at least the Level 3 requirements. Where DFARS clause 252.204-7012 applies, it also brings additional requirements beyond the standard NIST SP 800-171 security requirements, such as incident reporting.

Level 4: Process Reviewed

In CMMC Level 4, an organization must ensure its practices are effective by reviewing and measuring the maturity of its capabilities. Organizations that meet this level of maturity take corrective action as needed and notify higher-level management of any recurring status or issues.

Level 4 also focuses on safeguarding CUI from APTs and contains a subset of the advanced security requirements from Draft NIST SP 800-171B and other cybersecurity best practices. These practices accelerate an organization’s detection and response capabilities so it can address and adapt to the new and emerging tactics, techniques, and procedures (TTPs) used by APTs.

Level 5: Process Optimized and Proactive

In CMMC Level 5, an organization must standardize and optimize processes across all its departments. It also focuses on safeguarding CUI from APTs. The result is more robust and sophisticated cybersecurity capabilities and maturity levels.

Who Needs to Comply With CMMC Gap Analysis Certification?

Anyone working with DoD contractors and subcontractors needs to comply with CMMC. It applies to all stakeholders in the defense contract supply chain. These include those who work directly with the DoD and other subcontractors mandated to execute those contracts.

According to the DoD, the CMMC targets over 300,000 organizations. However, only a few of these companies will need to go beyond level 4. Overall, the majority only need to attain level 3 of the maturity models and certification to be eligible for government contracts.

The targeted organizations include all suppliers across the DoD supply chain, contractors of commercial goods, small businesses, and foreign distributors. Companies will be issued the required certifications once they have demonstrated satisfactory fulfilment of the security requirements for the tier being sought.

All CMMC assessors are CMMC-AB licensed, which guarantees that the findings of your organization’s cybersecurity audit remain confidential. The certification levels themselves, however, can be easily accessed in the DoD database.

Fast-Track CMMC Gap Analysis and Certification With Advantage Industries

Getting started with CMMC may be a daunting and frustrating task that may not be easy to handle by a single person or a small team within an organization. However, the certification is a mandatory requirement for all DoD contractors as of January 2020.

Therefore, Advantage Industries can help you get started right away and take you through all five framework elements: Domains, Processes, Capabilities, Practices, and Maturity Levels. Our data security platform can seamlessly facilitate, execute and incorporate all 171 Practices with their relevant Processes in line with the CMMC requirements. Contact us for more information.


Keith Heilveil

In 1999 Advantage Industries was created to protect and promote our client’s success through the use of innovative technology. Our company is a full services technology firm that provides computer network support and solutions, managed services, cybersecurity, and custom application development for small and medium businesses in the Maryland, DC, and Virginia areas.
