Grand Canyon

Imagine going to the Grand Canyon and paying a tour guide to point out holes in the ground.

It sounds stupid, I know, but many companies do something like this by paying for a Gap Analysis. You already know your hygiene needs help; you don’t need to pay someone to tell you this.

If you cannot tell me the number of contracts you have with a 7012 clause, tell me the number of endpoints you possess, or tell me the number of people you employ, then you will be throwing away money on a Gap Analysis.

I brought this perspective to the CMMC Essentials III Kick Off yesterday. Vincent Scott pushed back, but RJ Williams noted that what Vince described is what he would call a remediation plan.

No clear definition exists in the community for the meaning of a Gap Analysis.

The conversation began when I discussed my trouble in determining the best way to teach the Domains in the CMMC CCP class. In my mind, I thought it would be best to teach the exact way our future CCP comrades would conduct assessments to help companies get to NIST SP 800-171 and CMMC compliance.

Our class specifically focuses on the roots of cybersecurity before we even talk about Domains, Practices and Processes. Still—needing to cover 17 Domains, 130 Practices, and 705 objectives in one class presents a daunting task.

So I threw out this idea: what if we take the NIST Cybersecurity Framework (CSF) as a lifecycle approach and use that on your CMMC journey? Plenty of folks have mapped the objectives between the two. Yet, you end up just confusing people.

Cybersecurity frameworks are like religion. If you try to unify two, you just end up with a third.

This sparked a thinking exercise between Richard Dawson, Lisa Lancor, myself, RJ, Vincent, and Jim Goodrich on how one could combine the roots of cybersecurity with a lifecycle approach.

(Christina Reynolds of BDO wrote the best life cycle approach to CMMC that I have seen to date)

[Screenshot of the cycle described below]

We arrived at a rough sketch. The cycle begins with planning from a business awareness perspective. This means knowing your revenue from 7012 clause contracts, understanding the risks and threats used to attack sensitive data, and encouraging as many of your employees as possible to learn about CMMC.

Following this, you do not hop right into a Gap Analysis. Conduct your formative assessments before a summative test to ensure you pass CMMC. You need a system to help you grow. The development of this system begins with a scoping assessment. The average small business cannot do this step alone.

To begin, you should know which contracts have CUI. Familiarize yourself with the vendors that may fall within your scope. You should also have a rough sketch of your CUI data flow. Once these things are in order, then it is time to engage a professional.

In the picture, remediate came after Gap Analysis. We meant to switch this around, but I never did. Here you complete a self-assessment, or better yet, utilize a compliance package to guide your journey and remediate the stuff you can by yourself. Focus on the People and the Process.

You may do this step a number of times. 2026 is a bit far off. You do not need to invest in all of this in one year. Grow your SSP, and shrink your POA&M, over the course of a year or two.

Then, when you feel your organization is approaching CMMC readiness, your company should start a formal Gap Analysis. Again, there is no point in paying people to point out the holes you already know exist.

Overall, we had such a wonderful Module Zero launch and I am super excited about the new learners joining the class. RJ, Jim, and Kevin are going to fit right in. Our crew is rolling up to almost 30 deep now.

We start module one on Thursday, so if you want to join check out Southern Connecticut State University.

CMMC may make you want to jump into the Grand Canyon. But if you take a step back, breathe, and focus on growing your SSP while shrinking the POA&M over a period of time, life will be okay.

And please turn on MFA.

“grand canyon 2” by airlines470 is licensed under CC BY-SA