CMMC Gap Analysis
Where do you stand with CMMC?
If you are already doing work for the DoD or its Primes, then you likely have been getting questionnaires about the status of your NIST SP 800-171 compliance. You know you must become compliant, but you think compliance or CMMC certification may be too expensive or daunting.
ATS can help. We know time is critical, especially if you already have contracts in place or are bidding on new ones. Our cybersecurity experts can come onsite or work remotely to assess your business for compliance gaps, create a Plan of Action Matrix (POAM), and help you submit and raise your DoD Supplier Performance Risk System (SPRS) score. Don’t risk losing your government contracts because you are not compliant.
There is no single boxed solution for NIST SP 800-171 compliance and CMMC Certification. Every business has unique IT and Facility needs. ATS’ compliance analysis will examine your complete IT infrastructure and facilities. Our CMMC-AB certified Registered Practitioners (RP) will see exactly what a CMMC Third-Party Assessment Organization (C3PAO) performing a certification audit would see. This allows us to identify compliance gaps and assist you with becoming compliant quickly.
How long does it take?
It usually takes 2 to 6 weeks for most companies. The size of your company, the complexity of your IT environment, and integration with Shared IT (MSP), cloud services, and other resources will contribute to the time window.
How much does it cost?
Your cost for our CMMC Gap Analysis depends on these variables:
- The size of your business and your industry
- IT systems: on-premises, cloud, hybrid, and number of items in scope
How can I afford the cost or keep costs down?
- Not everything in your business must be NIST SP 800-171 compliant. You can save time and money by keeping the government data that must be protected in a limited number of locations, isolated from your non-government contracts.
- There are organizations out there that help businesses obtain grants and funding for cybersecurity. If you’re a manufacturer in the Rochester, NY or Finger Lakes Region of New York State, our partner NextCorps might be able to get you access to funding opportunities that can take 10-60% off your costs.
- Being NIST SP 800-171 compliant gives your business an advantage over companies that have not achieved compliance yet. This can result in winning more government contracts, growing your business, and increasing revenue.
- Losing a contract or not being able to bid on new contracts due to not being compliant can result in significant revenue loss. Cyber attacks can also cripple a business that is not protected.
What’s involved in CMMC Gap Analysis?
- Interview
  We begin by meeting with all your managers who handle CUI to ensure the identification of all your touchpoints as CUI flows through your business. Additional meetings will be IT related and will identify all systems "In-Scope" for CMMC.
- Determine your IT Asset Types
  We determine your IT related asset types and categorize them into the 5 categories required by the CMMC Scoping Guide.
- Perform NIST 800-171 Analysis
  We find out where you stand with CMMC by evaluating the 320 objectives within the 110 security controls of NIST 800-171.
- Determine your true SPRS score
  We determine your true SPRS score according to the DoD scoring methodology and assist you with submitting your score if needed. Our CMMC Gap Analysis provides you with a System Security Plan (SSP) which satisfies the DoD’s “minimum viable product” requirement. Once you enable your DoD Incident Response reporting capability, you’ll be able to report “in compliance” to the DoD and your prime customers even if you don’t yet have a perfect score of 110.
- Prioritize your Plan of Action Matrix (POAM)
  Our CMMC Gap Analysis provides you with prioritized recommendations for POAM items, outlining high-impact items and the ease of remediation. This will help you to quickly improve your SPRS score.
With SPRS, a negative score is better than no score at all, and frequent submissions as you remediate your POAM show the DoD and Primes that you are making progress and are serious about obtaining a perfect 110 score.