A Gap Assessment is a review of your organization’s policies, procedures, technology, and security controls against a defined standard. For the Cybersecurity Maturity Model Certification (CMMC), that standard is a subset of NIST SP 800-171: 17 of its controls at Level 1, or all 110 at Level 2, depending on whether your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Your CMMC level is determined by the information you handle for the U.S. Government and by the level your contract specifies under DFARS 252.204-7021. Handling FCI requires CMMC Level 1, whose 17 practices correspond to the basic safeguarding requirements of FAR 52.204-21. Handling CUI requires CMMC Level 2 and all 110 controls of NIST SP 800-171, which DFARS 252.204-7012 already obligates contractors to implement and DFARS 252.204-7020 requires them to assess and score.
Performing a Gap Assessment is the first step toward compliance with the NIST/CMMC framework. Begin by gathering your team and mapping each required control to the policies, procedures, and technical controls you have in place today. Any control with no mapping, or only a partial one, is a gap: a requirement your organization has not fully implemented. Record each gap and the evidence behind it, because this information is what drives the remediation of system and security deficiencies.
Properly performing a Gap Assessment takes skill, knowledge, and expertise, so ensure the personnel you assign are up to the task. Pay particular attention to the controls your organization is required to implement and make sure you and your team understand each one in detail. Many Gap Assessments fail because an organization misreads the specifics of a control and concludes it is fully implemented when it is not. A control is implemented only when every one of its assessment objectives in NIST SP 800-171A is met; a written policy with no technical enforcement, or enforcement that covers only part of the in-scope environment, is still a gap.
At SherTech we can provide you with the skills, knowledge, and expertise to successfully conduct a Gap Assessment against the CMMC/NIST framework. We will also assist you with implementing the missing controls and other security elements needed to bring your organization into compliance.