What to Do After a CMMC Gap Assessment (Besides Panic-Shopping Consultants)

You paid for the assessment. You got the report. You have a list. Now you're looking at findings across every control family, no clear starting point, and a prime that wanted a status update last week.

By Droptine Group · 5 min · Government Contractors

TL;DR

  • The gap list tells you what's wrong — it doesn't fix anything, and paying someone to rediscover the same gaps is the most common money wasted after an assessment.
  • Triage findings into three buckets (threatens eligibility now / quick wins / structural work) before spending anything.
  • Scope comes before implementation: half the cost of a bad readiness project is securing systems that never needed to be in scope.

The Gap-List Trap

The assessment was supposed to move things forward. Instead, you have a long report that categorizes everything and sequences nothing.

That report has real value — it's an honest picture of where things stand. But the assessment vendor's job ended when they delivered it. They found gaps. Closing them is different work.

The trap is treating the report as a plan. A diagnosis doesn't become a treatment because you paid someone to repeat it.

The version of this that burns the most budget: hiring a second vendor to run their own discovery phase, rebuild the same findings list in their format, and hand it back before any implementation has started. You've now paid twice to be told what's wrong.

If you have a findings list, that part is done. Start from it.

Triage the Findings

Before you spend anything on implementation, sort the gaps into three buckets.

Threatens eligibility now.

These are findings that, if an assessor walked in today, could result in failing your assessment or losing the ability to handle Controlled Unclassified Information (CUI). Typical examples: missing access controls on systems where CUI lives, no multi-factor authentication on accounts that reach in-scope data, and uncontrolled media holding sensitive information. Rank this bucket by consequence, never by effort.

Quick wins.

Findings that can be closed in a day or a week without major infrastructure changes. Policy gaps where a document is missing but the underlying practice exists. Configuration settings that weren't turned on. Logging that was never enabled. These generate early momentum and let you show your prime that the list is shrinking.

Structural work.

Changes that require planning, procurement, or significant time — replacing systems, redesigning network segments, standing up new infrastructure. These go into a sequenced plan with milestones, not a sprint.

You won't finish the third bucket quickly. You should be clearing the first bucket as fast as reasonably possible.

Check Your Scope Before Spending

One of the most reliable ways to overrun a readiness budget is implementing controls on systems that were never in scope.

CUI scope — which systems, people, and processes are actually in your assessment boundary — is determined by where CUI lives and how it flows through your organization. If your contracts have CUI, and that CUI only ever touches three systems and two people, your boundary might be much smaller than a systems inventory of the whole company would suggest.

A smaller scope is a smaller project. And a smaller project costs less to implement and less to maintain.

Before any implementation work begins, ask: where does CUI actually live in our environment? Who touches it? Which systems process, store, or transmit it? If you can defensibly reduce the boundary, do that first. An honest scope conversation at the start is less expensive than implementing controls on systems that didn't need them.

This is also where it's worth double-checking what the gap assessment scoped. If they assessed systems that are genuinely out of scope, their findings on those systems may not need to be your problem.

Implement in an Order You Can Defend

Once scope is settled and findings are triaged, implementation follows the sequence: eligibility-threatening gaps first, quick wins woven in, structural work on a declared timeline.

Document as you go. This isn't optional.

Your System Security Plan has to describe what actually exists in your environment — not what a template says exists, not what you plan to have someday, but what's configured and running right now. When an assessor reviews your SSP and then looks at your systems, those two things need to agree. If the SSP describes a control and the system doesn't implement it, that's a finding.

Keep the SSP current. Every time a control is implemented, the SSP gets updated. Every time a system changes, the SSP reflects it. The documentation burden feels like overhead until the assessment, at which point it's the difference between a passing review and a corrective action plan.

The Plan of Action and Milestones (POA&M) is where you document what isn't done yet and when you'll close it. A live, current POA&M shows an assessor a managed process. One that doesn't match reality shows the opposite.

Keep Your Prime in the Loop

Silence is the worst update you can give a prime.

Most primes asking about CMMC status aren't looking for a perfect answer. They're looking for evidence that you have a handle on the situation and a path to getting there. A sequenced plan with visible milestones — "eligibility gaps closed, quick wins through, structural work on a schedule" — is a credible answer.

Progress reported against a sequence is far more persuasive than a general assurance that things are "moving forward."

If you have a relationship with a Certified Third-Party Assessment Organization (C3PAO) or a C3PAO assessment planned, your prime may have specific questions about your timeline. The gap assessment report and a current POA&M are the starting documents for that conversation.

When to Bring in Help

Assessment and implementation are different skills, and the gap between them is where most contractors stall.

An assessment firm's strength is finding gaps and documenting them in a defensible format. Implementation requires someone who can configure actual controls on real systems, write documentation that describes what was configured, and stay current as things change.

Whoever you hire for implementation should be doing that work — configuring systems, writing documentation, managing controls — not producing another assessment in a different format. If a vendor's proposal leads with a lengthy discovery phase and a new findings document before any implementation begins, you've found an assessment firm selling implementation hours.

The right engagement starts from your existing findings, scopes the boundary, builds the sequence, and starts closing gaps — in that order.

Turning a findings list into implementation is exactly the work Droptine does.
