
Good vs. Bad: 5 Things to Look for When Buying a Gap Assessment

Peerless Tech Solutions
January 29, 2021

As regulatory changes go into effect like NIST, CMMC, and the DFARS Interim Rule, contractors need to prioritize compliance and data security before they fall behind and risk losing business deals.

A compliance gap assessment / gap analysis is a valuable process that identifies cybersecurity strengths and gaps in internal systems to help contractors effectively meet federal regulations and maintain cybersecurity compliance in the long term. Like an actual audit, a gap assessment needs to be comprehensive, accurate, and actionable to drive success, so you should make sure you're working with an experienced, reliable provider instead of an opportunistic, low-cost, quick-turnaround practice that's only been in business since DFARS changes were announced or CMMC went into effect.

In this post, we'll walk you through some common red flags to avoid and provide a checklist for what you should look for when choosing a gap assessment.

How Do I Spot a 'Bad' Compliance Gap Assessment Provider?

As cybersecurity compliance regulations continue to grow and evolve, new providers and "experts" continue to come out of the woodwork, making promises to you that they just can't keep. These types of compliance providers claim to offer professional gap assessments and exhaustive compliance solutions — but they don't have the chops to back it up.

When you begin your search for a Managed Security Service Provider (MSSP) and gap assessment, watch out for the following red flags:

  • New companies that boast about being "cybersecurity experts" but don't have any proof to show. You'll want to ask for examples of their gap assessment reports and check for reviews, case studies, or testimonials associated with their brand. They need to demonstrate comprehensive knowledge of government regulations and experience conducting cybersecurity assessments, and they need to provide a contractual guarantee of following the extensive NIST SP 800-171A guidelines and the official DoD Assessment Methodology. They will discuss and determine with you the system boundary / CUI boundary that is critical to the scope of compliance. If they can't demonstrate all of the above, you're likely walking into a scenario that ends in mediocre, inaccurate, and incomplete results that should not be reported to the government.

  • Generic reporting and overly simple readouts that don't include anything more than checkboxes marked yes or no. Oftentimes, they will only evaluate security controls at a high level, failing to address the mandatory objectives required for each control. These companies are doing the bare minimum, or worse. A compliance report without recommendations won't help you create an actionable plan for compliance and will not meet government regulations. Prioritize finding a provider that is committed to delivering accurate, actionable results and roadmaps for the future.

  • Companies that do not ask about or understand your business and system environment. This is a good indication they are looking to sell you quick, cookie-cutter services that are not customized to your needs and do not reflect the level of detail required by cybersecurity regulations. Every business has unique challenges, and your MSSP should take the time to understand your business before attempting to offer solutions. Steer clear of companies that claim they can produce a gap assessment through automation / scanning your environment or a quick, two-hour phone call. They are not offering you a proper gap assessment and it will not meet government requirements.

What Makes a 'Good' Compliance Gap Assessment?

As a DoD contractor, your cybersecurity and compliance efforts are met with a complex, ever-evolving list of regulations, system changes, and data guidelines.

A trusted Managed Security Service Provider (MSSP) can support your goals by identifying the most direct path to full compliance, along with ongoing strategies that will keep teams running smoothly and out of the red as new regulations come into play.

The first step to fostering success on your compliance journey is the gap assessment. A professional, actionable gap assessment must include the following:

#1 Comprehensive Assessment

The gap assessment must provide a clear baseline to show you 1) where you are today and 2) where you want to go. It must include a full, comprehensive report of your system security vulnerabilities against NIST SP 800-171, CMMC, and DFARS 252.204-7012.

Each security control should have its own line item, with a clear breakdown for each control of all the mandatory control objectives that you do and do not meet. Government regulations (DFARS) require that the assessment follow the extensive NIST SP 800-171A assessment guide and the official DoD Assessment Methodology. Your MSSP should provide a contractual guarantee of following these to ensure that the compliance you report to government is complete, accurate, and meets the latest regulatory requirements.

[Sample image: Peerless - DoD Self-Assessment for NIST SP 800-171 v1.2.1c]

#2 System Security Plan (SSP)

A System Security Plan (SSP) is a required document that identifies the implementation status of current controls and planned controls in your systems. The status of each control and its objectives is determined through comprehensive evaluation of the documented policies, implemented technologies, and system functionality that you have in place. Critically, the SSP must also define the system boundary / CUI boundary that is in scope for compliance.

During a gap assessment, your provider should create an SSP that follows government requirements, accurately reporting your compliance with each security control. This comprehensive document establishes where you are in protecting Controlled Unclassified Information (CUI), Federal Contract Information (FCI), and the cybersecurity of your organization.

#3 Plan of Actions and Milestones (POA&M)

Another required document is the Plan of Actions and Milestones (POA&M) that provides a comprehensive list of the changes necessary to fully implement any unmet control requirements. In other words, your POA&M / POAM is a step-by-step plan to reach complete compliance. It will help you understand which areas of your cybersecurity program need improvement and how to turn these insights into action. Providers should include a clear, actionable plan based on the gaps identified in the assessment.

Additionally, this plan informs how you'll reach a fully compliant score of 110. This is the goal the DoD expects under DFARS 7012, it is increasingly required by Prime contractors and partners, and it may improve your positioning and/or eligibility for government contracts.

[Sample image: Sample POA&M_20210129]

#4 SPRS Score Submission

After your gap assessment, you'll likely need to address several high-priority compliance activities right away. In particular, you will need to complete the DoD Self-Assessment and submit your compliance score to the Supplier Performance Risk System (SPRS). Your MSSP should complete the required DoD Self-Assessment for you as part of your gap assessment and provide a 100% accurately calculated score. In doing so, they must carefully follow the DoD Assessment Methodology procedures and scoring rubric. Look for providers that have experience and credibility in conducting cybersecurity assessments, with complete transparency in the proper calculation of the score you submit to the government.

#5 Remediation Recommendations

For DoD contractors, a gap assessment builds the foundation of your compliance roadmap and strategy. A fresh, expert perspective on compliance will get your business on track, even if you’ve worked with other MSSPs or consultants in the past. Your MSSP should not leave you in the dust after delivering the gap assessment and associated reports. When evaluating providers, ask how they will share the gap assessment results with you, provide recommendations, and offer a plan for remediation.

Your provider should take the time to discuss the results with you and provide clear recommendations for services and solutions that will turn SSPs and POA&Ms into projects, services, and improvements. When you invest time, effort, and money into compliance solutions, you need to be confident that your MSSP has the knowledge and experience to ensure those solutions will truly meet compliance requirements, are right for your business, are correct the first time, and will last.

Whether you're new to the world of NIST, CMMC, and DFARS or an established DoD contractor needing to meet changing regulations, a gap assessment is the critical first step towards achieving compliance.

Choose a robust gap assessment delivered by an experienced, reliable MSSP like Peerless that can offer ongoing support and guidance as you optimize your compliance operations. Your chosen MSSP should turn opportunities for improvement into new, streamlined solutions that protect sensitive data — and ensure your business stays ahead of the cybersecurity curve.

Contact us today to start your compliance journey.

