Peerless Post | Peerless Tech Solutions

CMMC 2.0: Why a Gap Assessment Matters Beyond Technology

Written by Ismail McCowin | March 20, 2025

Some of our customers ask, “Do I really need a Gap Assessment (Self-Assessment) if my information systems are CMMC compliant?” The short answer is YES—a self-assessment is required under CMMC regulations prior to undergoing a third-party certification assessment, regardless of the current compliance status of your information systems (e.g. FedRAMP cloud services such as GCC/GCCH). The self-assessment is the process by which organizations determine their Supplier Performance Risk System (SPRS) score, a key requirement for demonstrating CMMC compliance. Additionally, organizations must maintain a System Security Plan (SSP) and, for Level 2 and Level 3 assessments, a Plan of Action and Milestones (POA&M) if any security requirements are not fully implemented. These administrative components are fundamental to CMMC compliance and exist in addition to the 110 security controls outlined in NIST SP 800-171. The self-assessment, SSP, and POA&M collectively account for three of the 110 security controls. Furthermore, all processes, procedures, and documentation must align with CMMC regulations and industry best practices.

A common misconception is that technological compliance alone is sufficient to meet CMMC or NIST SP 800-171 Rev. 2 requirements. However, CMMC compliance extends beyond technology to include operational and administrative controls, as detailed in Title 32, Part 170 of the Code of Federal Regulations (CMMC Final Rule) and NIST SP 800-171 Rev. 2. In addition to 32 CFR, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires that any Cloud Service Provider (CSP) meet FedRAMP Moderate requirements and that an Incident Response Program be established to respond to incidents within 72 hours.

CMMC 2.0 Framework: Compliance Levels

CMMC 2.0 consists of three levels:

  • Level 1: Federal Contract Information (FCI) – Organizations handling FCI must implement 15 security requirements outlined in FAR 52.204-21, which align with 17 security controls from NIST SP 800-171. All 17 requirements must be met in full; POA&Ms are not permitted for Level 1 assessments.
  • Level 2: Controlled Unclassified Information (CUI) – Organizations handling CUI must implement all 110 security controls from NIST SP 800-171 Rev. 2, covering 320 assessment objectives from NIST SP 800-171A Rev. 2. Each control includes multiple assessment objectives. For example, Access Control (AC) 3.1.1 requires organizations to limit system access to authorized users, processes, and devices, but achieving full compliance requires meeting six separate assessment objectives from NIST SP 800-171A Rev. 2. Full compliance is required, and POA&Ms must be resolved within six months.
  • Level 3: Critical CUI – Organizations handling highly sensitive CUI (i.e., Expert Control Information – ECI) must meet the 110 security controls and 320 assessment objectives from Level 2 plus an additional 24 security controls from NIST SP 800-172.

CMMC applies across technology, operations, and administration. Notably, only 30-40% of the 110 security controls are purely technical; the majority involve processes, procedures, governance, and documentation.

While implementing security policies (e.g., Group/Local Policies, Conditional Access Policies, Intune, etc.), encryption, multi-factor authentication (MFA), vulnerability scanning, system patching, and other system-hardening measures is critical, technical controls alone are not sufficient for full CMMC compliance.

CMMC mandates that all security controls be fully implemented, assessed, and documented, which also encompasses operational and administrative security controls.

If deficiencies are identified during a Level 2 or Level 3 assessment, the DoD requires a POA&M that outlines the specific gaps. These deficiencies must be remediated within six months, or the organization risks losing eligibility for DoD contracts.
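As an added example (not code from the original post or from Peerless), a small Python helper that turns gap-assessment findings into the SPRS-style score and POA&M schedule the sections above describe: Level 1 permits no POA&M, Level 2/3 gaps must close within six months. The per-requirement weights are a constructed subset illustrating the DoD Assessment Methodology's 1/3/5-point scheme, and the assessment date and findings are constructed sample values.

```python
"""Gap-assessment scoring helper. Added example, not Peerless's own tooling."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110                    # NIST SP 800-171 Rev. 2 has 110 requirements
POAM_WINDOW = timedelta(days=180)  # the six-month closure window described above

# Constructed sample weights illustrating the DoD Assessment Methodology's
# 1/3/5-point scheme for a handful of requirements; take the authoritative
# per-requirement weights from the methodology's Annex A for a real submission.
WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3,
           "3.5.3": 5, "3.12.1": 5, "3.12.2": 3, "3.13.11": 5}
# Requirements (MFA, FIPS-validated crypto) where a partial implementation
# earns a reduced deduction instead of the full weight.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

@dataclass
class Finding:
    req: str     # NIST SP 800-171 requirement id, e.g. "3.1.1"
    status: str  # "met", "partial" or "open"

def sprs_score(findings):
    """Start at 110 and subtract the weight of each requirement not fully met.
    Requirements absent from `findings` count as met; "partial" earns reduced
    credit only where the methodology allows it, else it scores like "open"."""
    score = MAX_SCORE
    for f in findings:
        if f.status == "met":
            continue
        if f.status == "partial" and f.req in PARTIAL_DEDUCTION:
            score -= PARTIAL_DEDUCTION[f.req]
        else:
            score -= WEIGHTS[f.req]  # KeyError here: extend WEIGHTS first
    return score

def poam_items(findings, assessed_on):
    """Level 2/3: each gap becomes a POA&M item due six months after assessment."""
    return [(f.req, assessed_on + POAM_WINDOW) for f in findings if f.status != "met"]

def level1_ready(findings):
    """Level 1 permits no POA&M, so a single gap means not ready to certify."""
    return all(f.status == "met" for f in findings)

# Constructed sample gap-assessment results (anything not listed is met).
ASSESSED_ON = date(2025, 3, 20)  # constructed sample assessment date
SAMPLE = [Finding("3.1.1", "met"), Finding("3.1.3", "open"),
          Finding("3.1.5", "open"), Finding("3.5.3", "partial"),
          Finding("3.12.2", "open"), Finding("3.13.11", "partial")]
```

With the sample findings the score is 97 and five POA&M items fall due on 2025-09-16; the same findings make a Level 1 organization ineligible, since no gap may remain open at Level 1.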

Conclusion

Cybersecurity compliance is not solely a technical endeavor—administrative and operational controls are equally critical. Before implementing any technical solution, organizations must first review requirements to ensure alignment with compliance mandates and policy frameworks. A risk assessment should be conducted to determine how new technologies impact compliance, compatibility, and system security while preventing the introduction of new vulnerabilities. In some cases, processes and procedures may need to be revised before deploying technical solutions.

A holistic approach to cybersecurity and compliance is essential. Administrative requirements should be among the first steps organizations take before identifying technical solutions. Once technical solutions are selected, they must be validated against compliance requirements, assessed for cost implications, and analyzed for their impact on compliant operations. Ultimately, a thorough self-assessment (Gap Assessment) is not just recommended—it is a fundamental requirement for CMMC certification and maintaining contract eligibility.

No need to worry—Peerless is here to address all of these challenges. We offer comprehensive solutions and services tailored to meet CMMC 2.0 requirements. Our team includes expert compliance assessors who will evaluate your company against 110 security controls and 320 security objectives outlined in NIST SP 800-171 and NIST SP 800-171A to include additional CMMC, FARs, and DFARS requirements. Additionally, our Tier 3 engineers specialize in remediation projects, providing technical solutions to meet your compliance needs.

We prioritize building long-term partnerships rather than just offering one-time engagements. To further support your compliance journey, we also provide a Shared Responsibility Matrix (SRM) to help organizations clearly define security ownership and compliance responsibilities. Let us help you achieve and maintain compliance with confidence. Explore our menu of solutions and services designed to meet CMMC 2.0 requirements: