
How to Perform a Gap Analysis for CMMC and NIST SP 800-171

Performing a gap analysis on how well you protect and manage your data is an important part (and cost element) of your journey towards compliance with the Cybersecurity Maturity Model Certification (CMMC). It verifies which requirements you do and don’t meet under NIST SP 800-171, so that you can establish a roadmap for the changes you’ll need to make in order to pass an official audit. Here are the steps you should expect when performing a gap analysis for CMMC.

Define Objectives and Scope

Clearly define the objectives of the gap analysis, including the specific cybersecurity standards, frameworks, or regulations. Define the scope of the analysis, including the systems, hardware, software, processes, and assets that you’ll be evaluating.

For NIST, this involves meeting guidelines for protecting controlled unclassified information (CUI) in non-federal systems and organizations. For CMMC, it’s about meeting the requirements laid out under one of three distinct maturity levels.

Gather Relevant Documentation

Collect documentation related to your organization’s cybersecurity policies, procedures, controls, and previous assessments. This may include incident reports, audit findings, and compliance documentation.

For both NIST and CMMC, make sure to document two pieces of evidence per requirement that you claim to meet.

Perform a Baseline Assessment

Evaluate your organization’s current cybersecurity practices, controls, and processes against the selected standards or frameworks of your gap analysis for CMMC. Along with reviewing documentation, this may involve interviews with key stakeholders and walkthroughs of existing systems.

Identify Security Controls and Requirements

Break down those standards or frameworks into specific security controls, requirements, or best practices. These may include technical controls (access, encryption), administrative controls (policies, training), and physical controls (building security).

For NIST and CMMC, this means looking at the controls and practices that are relevant to the protection of CUI. NIST SP 800-171 groups its requirements into 14 control families, each addressing a different aspect of information security.

Conduct Your Actual Gap Analysis for CMMC

Once you’ve compiled all of the data outlined above, it will finally be time to analyze and compare it against NIST (and, by extension, CMMC). This will give you a holistic view of your current cybersecurity posture, including the areas where you need to improve.

Prioritize Gaps and Risks

Once you know which requirements you don't meet, prioritize them based on three factors: how severe each gap is, how it could affect your organization, and how readily a threat actor could exploit it.

Consider both the technical aspects and the business implications for each factor. Not only will this help you understand which ones should be managed first, it will also give you an idea of the time, revenue, and resources involved to implement them — all of which will be summarized in the following plan.

Develop a Remediation Plan

Develop a detailed remediation plan to address these gaps and deficiencies. Your plan should include a timeline of specific actions you’ll be taking, what resources those actions will require, and which parties will be involved.

Under NIST and CMMC, remediation plans are often referred to as POA&Ms, or Plans of Action and Milestones. It’s worth noting that some (but not all) NIST/CMMC requirements may be substituted with POA&Ms if those plans adequately explain how you intend to meet compliance in the permitted periods of time. A Registered Provider (RP) like Brenda Doles can help you distinguish which requirements are eligible for POA&Ms, and how long you’ll have to complete them.

Implement Remediation Actions 

Execute your remediation plan by performing the necessary changes, improvements, and enhancements to your organization’s cybersecurity practices, controls, and processes.

Monitor and Measure Progress

Continuously monitor and measure your progress following your gap analysis. Track key performance indicators (KPIs) and metrics to verify that you meet the requirements for both CUI and the appropriate CMMC maturity level.

Review and Update

Regularly review and update your organization’s cybersecurity practices, controls, and processes to adapt to evolving threats, technologies, and regulatory requirements. Conduct periodic reassessments to ensure ongoing compliance.
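The steps above amount to a repeatable workflow: record evidence per requirement, treat anything with fewer than two pieces of evidence as a gap, score each gap on the three factors, and turn the ranked list into POA&M-style entries. The following Python tracker is an added example that is not part of the original article; the requirement ids, evidence lists, scores and POA&M eligibility flags are constructed sample data, and whether a given requirement may actually be covered by a POA&M must come from your Registered Provider, not from this script.

```python
from dataclasses import dataclass, field

MIN_EVIDENCE = 2  # the article's rule: two pieces of evidence per requirement you claim to meet


@dataclass
class Requirement:
    req_id: str                 # constructed sample id, not a real SP 800-171 number
    family: str                 # one of the 14 NIST SP 800-171 control families
    evidence: list = field(default_factory=list)  # policies, screenshots, audit findings
    severity: int = 1           # 1 (low) to 5 (high): how severe the gap is
    impact: int = 1             # 1 to 5: potential impact on the organization
    exploitability: int = 1     # 1 to 5: how readily a threat actor could exploit it
    poam_eligible: bool = False  # assumed input: whether a POA&M may stand in for the control


def is_met(req: Requirement) -> bool:
    """A requirement counts as met only when enough evidence has been documented."""
    return len(req.evidence) >= MIN_EVIDENCE


def gap_score(req: Requirement) -> int:
    """Combine the three prioritization factors into a single ranking score."""
    return req.severity * req.impact * req.exploitability


def find_gaps(reqs: list) -> list:
    """Return unmet requirements, highest priority first."""
    return sorted((r for r in reqs if not is_met(r)), key=gap_score, reverse=True)


def remediation_plan(reqs: list) -> list:
    """Build POA&M-style entries: ineligible gaps must be fixed before the assessment."""
    return [{"id": r.req_id, "family": r.family, "score": gap_score(r),
             "missing_evidence": MIN_EVIDENCE - len(r.evidence),
             "action": "POA&M" if r.poam_eligible else "remediate before assessment"}
            for r in find_gaps(reqs)]


def gaps_by_family(reqs: list) -> dict:
    """Count open gaps per control family to see where the posture is weakest."""
    counts: dict = {}
    for r in find_gaps(reqs):
        counts[r.family] = counts.get(r.family, 0) + 1
    return counts


# Constructed sample assessment data (not from any real system)
SAMPLE = [
    Requirement("R-01", "Access Control", ["access policy", "ACL screenshot"], 4, 4, 3),
    Requirement("R-02", "Identification and Authentication", ["MFA policy"], 5, 5, 5),
    Requirement("R-03", "System and Communications Protection", [], 3, 4, 2, True),
    Requirement("R-04", "Media Protection", ["sanitization procedure"], 2, 2, 2, True),
    Requirement("R-05", "Access Control", [], 3, 3, 3),
]
```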

Assistance With Your Gap Analysis for CMMC

When done well, a gap analysis for CMMC is an invaluable tool for enhancing your overall security posture and establishing a culture of cyber excellence.

Do you have questions about the steps above? Brenda Doles, a Registered Provider who has been certified by The Cyber AB, can help your team understand the nuances of gap analyses as they pertain to your specific business.

Contact her today to learn more about a customized program for compliance.
