ComplianceArmor

Compliance Gap Analysis Tool Identify Gaps and Generate Remediation Plans in Minutes

Evaluate all 110 NIST SP 800-171 controls, calculate your SPRS score, and produce a prioritized remediation roadmap -- so you know exactly where you stand before your C3PAO assessment.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience | All 14 Control Families

The Essential First Step

What Is a CMMC Gap Analysis?

A structured evaluation measuring your current cybersecurity posture against every CMMC requirement. The gap analysis feeds directly into your POA&M and SPRS score.

What It Measures

  • All 110 NIST SP 800-171 security requirements individually assessed
  • Each control receives a status: Implemented, Partially Implemented, Planned, or Not Implemented
  • SPRS score calculated on the -203 to +110 scale with DoD weighting (1, 3, or 5 points)
  • Prioritized roadmap showing what to fix and in what order

Why It Matters

  • Required first step for CMMC Level 2 certification
  • DFARS 252.204-7019 requires accurate SPRS score reporting -- inaccurate scores risk False Claims Act liability
  • Traditional gap analyses cost $5,000 to $15,000 and take 2 to 4 weeks
  • ComplianceArmor delivers the same output in minutes with consistent, reproducible results

Assessment Capabilities

What the Gap Analysis Includes

Beyond a simple checklist. ComplianceArmor evaluates every dimension of your compliance posture and produces actionable intelligence across eight areas.

Control-by-Control Assessment

Evaluate all 110 requirements individually with detailed notes on evidence present and missing. Follows the same methodology a C3PAO assessor uses during formal evaluation.

SPRS Score Calculation

Automatic scoring on the -203 to +110 scale with correct DoD weighting. See exactly how each unimplemented control affects your total score. Link to our SPRS Calculator for scenario modeling.

Remediation Priority Matrix

Every gap ranked by risk impact, SPRS point value, implementation difficulty, and cost. High-risk, high-point, easy-to-implement controls appear at the top of your list.

POA&M Generation

Automatic Plan of Action and Milestones for every gap. Includes control number, weakness description, planned action, responsible party, target date, and milestone checkpoints. NIST SP 800-53A format.

Cost Estimation per Gap

Budgetary estimates covering technology costs, labor hours, and third-party services for each gap. Based on real-world pricing from hundreds of remediation engagements.

Timeline Recommendations

Estimated completion timelines based on your organization's size, complexity, and infrastructure. Identifies dependencies between controls to sequence work correctly.

Evidence Requirements per Control

Specifies exactly what documentation and artifacts a C3PAO assessor expects: policy documents, configuration screenshots, log samples, training records, and procedures.

Risk Rating per Gap

Each unimplemented control receives a rating (Critical, High, Medium, Low) based on exploitation impact, attack likelihood, and data sensitivity. Critical gaps appear prominently in executive summaries.


SPRS Scoring

Understanding Your SPRS Score

The numeric representation of your implementation status across all 110 NIST SP 800-171 requirements. Required under DFARS 252.204-7019 for every defense contractor handling CUI.

  • +110 -- Full Implementation: All 110 controls implemented. Ready for C3PAO assessment.
  • +80 -- Near-Complete: Minor gaps remain. Typically addressable in weeks of focused work.
  • +50 -- Moderate Gaps: POA&M entries needed. Two to four months of remediation expected.
  • 0 -- Significant Gaps: Major remediation required across multiple domains. Four to eight months.
  • -203 -- Theoretical Minimum: No controls implemented. Comprehensive security program build needed.

ComplianceArmor calculates your score in real time as you assess each control. Model "what-if" scenarios by toggling controls to see which remediation actions have the greatest score impact. Use our SPRS Calculator for quick scenario modeling.
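The scoring rules this section describes (start at +110, subtract each unimplemented control's 1-, 3- or 5-point DoD weight, band the result, break it down by control family) together with the priority-matrix ranking described under Assessment Capabilities, as an added Python example that is not ComplianceArmor's code. The sample catalog, statuses and effort figures are constructed; only the 3.5.3 (5-point) and 3.3.1 (3-point) weights come from the page, and the other weights, the band thresholds and the "no partial credit" rule are assumptions.

```python
"""Added example (not ComplianceArmor's code): SPRS-style scoring, score bands,
per-family breakdown and a simple priority matrix for NIST SP 800-171 gaps."""
from dataclasses import dataclass

MAX_SCORE = 110         # page: the score starts at 110, one point per control
THEORETICAL_MIN = -203  # page: with every control unimplemented the score is -203

# NIST SP 800-171 numbers requirements 3.<family>.<n>; this maps the family
# index to the two-letter family code the page lists.
FAMILY_BY_INDEX = {1: "AC", 2: "AT", 3: "AU", 4: "CM", 5: "IA", 6: "IR", 7: "MA",
                   8: "MP", 9: "PS", 10: "PE", 11: "RA", 12: "CA", 13: "SC", 14: "SI"}

# Constructed sample catalog: control id -> (point weight, short name).
# The 5-point weight of 3.5.3 and the 3-point weight of 3.3.1 are as stated on
# the page; the other weights are illustrative assumptions, not the official table.
SAMPLE_CATALOG = {
    "3.1.1":  (5, "Limit system access to authorized users"),
    "3.3.1":  (3, "Create and review audit logs"),
    "3.5.3":  (5, "Multi-factor authentication"),
    "3.6.3":  (1, "Test incident response capability"),
    "3.12.4": (3, "System security plan"),
    "3.13.1": (5, "Boundary protection"),
}

VALID_STATUSES = {"Implemented", "Partially Implemented", "Planned", "Not Implemented"}

# Constructed assessment results for the sample catalog.
SAMPLE_STATUSES = {
    "3.1.1": "Implemented",
    "3.3.1": "Not Implemented",
    "3.5.3": "Partially Implemented",
    "3.6.3": "Planned",
    "3.12.4": "Implemented",
    "3.13.1": "Implemented",
}

# Constructed effort estimates: control id -> (difficulty 1=easy..5=hard, cost in USD).
SAMPLE_EFFORT = {"3.3.1": (3, 12000), "3.5.3": (2, 4000), "3.6.3": (1, 1500)}


def family_of(control_id: str) -> str:
    """'3.5.3' -> 'IA'."""
    _, fam, _ = control_id.split(".")
    return FAMILY_BY_INDEX[int(fam)]


def unimplemented(catalog, statuses):
    """Controls that forfeit their points. Assumption (per the page's wording):
    no partial credit, so any status other than 'Implemented' loses the full
    weight, and a control with no recorded status counts as 'Not Implemented'."""
    gaps = []
    for cid in catalog:
        status = statuses.get(cid, "Not Implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r} for control {cid}")
        if status != "Implemented":
            gaps.append(cid)
    return gaps


def sprs_score(catalog, statuses) -> int:
    """110 minus the weight of every control that is not fully implemented."""
    lost = sum(catalog[cid][0] for cid in unimplemented(catalog, statuses))
    return MAX_SCORE - lost


def score_band(score: int) -> str:
    """The page's score bands; the threshold reading (>= 80, >= 50, >= 0) is mine."""
    if score >= MAX_SCORE:
        return "Full Implementation"
    if score >= 80:
        return "Near-Complete"
    if score >= 50:
        return "Moderate Gaps"
    if score >= 0:
        return "Significant Gaps"
    return "Negative Score"  # label assumed; the page only names -203 as the minimum


def points_lost_by_family(catalog, statuses) -> dict:
    """Per-family breakdown of forfeited points (the 'breakdown by control family')."""
    lost = {}
    for cid in unimplemented(catalog, statuses):
        fam = family_of(cid)
        lost[fam] = lost.get(fam, 0) + catalog[cid][0]
    return lost


@dataclass
class Gap:
    control: str
    name: str
    points: int
    status: str
    difficulty: int
    cost_usd: int


def priority_matrix(catalog, statuses, effort):
    """Rank gaps: most SPRS points first, then easiest, then cheapest, so
    high-point, easy-to-implement controls land at the top of the list."""
    gaps = [
        Gap(cid, catalog[cid][1], catalog[cid][0], statuses.get(cid, "Not Implemented"),
            *effort.get(cid, (5, 0)))  # unknown effort: assume hardest, cost unknown
        for cid in unimplemented(catalog, statuses)
    ]
    return sorted(gaps, key=lambda g: (-g.points, g.difficulty, g.cost_usd))


if __name__ == "__main__":
    score = sprs_score(SAMPLE_CATALOG, SAMPLE_STATUSES)
    print(f"SPRS score: {score:+d} ({score_band(score)})")
    print("Points lost by family:", points_lost_by_family(SAMPLE_CATALOG, SAMPLE_STATUSES))
    for rank, g in enumerate(priority_matrix(SAMPLE_CATALOG, SAMPLE_STATUSES, SAMPLE_EFFORT), 1):
        print(f"{rank}. {g.control} {g.name}: {g.points} pts, {g.status}, "
              f"difficulty {g.difficulty}, ~${g.cost_usd:,}")
```

With the constructed statuses the sample loses 5 + 3 + 1 points and scores +101 (Near-Complete); the "what-if" modeling the section mentions is just re-running `sprs_score` with one status flipped to "Implemented". Against the full 110-control catalog the weights sum to 313, which is why the floor is 110 - 313 = -203.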


By Framework Level

Gap Analysis by CMMC Level

ComplianceArmor supports all three CMMC maturity levels. Level 2 is most common for defense contractors handling CUI.

Level 1 -- Foundational

17 Practices

Protects Federal Contract Information (FCI). Annual self-assessment. No POA&M allowed. Typical remediation: 2 to 4 weeks. Cost range: $3,000 to $10,000.

Level 2 -- Advanced

110 Requirements (NIST SP 800-171)

Protects CUI. C3PAO third-party assessment every 3 years. POA&M allowed with 180-day limit. Typical remediation: 3 to 9 months. Cost range: $50,000 to $500,000+.

Level 3 -- Expert

134 Requirements (includes NIST SP 800-172)

Protects critical CUI and high-value assets. DIBCAC government assessment every 3 years. No POA&M allowed. Typical remediation: 12 to 18 months. Cost: $250,000 to $1,000,000+.


Deliverables

Gap Analysis Output Documents

Six standardized documents that guide your remediation effort and provide auditable evidence for your C3PAO assessment.

  • Gap Analysis Report (PDF)
  • Plan of Action & Milestones (POA&M)
  • Remediation Roadmap
  • SPRS Score Card
  • Evidence Checklist
  • Executive Summary

All documents generated in PDF and Excel formats. The platform maintains version history so you can track improvement over time and demonstrate progress to contracting officers.


Comparison

ComplianceArmor vs. Manual Gap Analysis

Why organizations choose automated assessment for their initial gap analysis, reserving consultant hours for complex remediation.

ComplianceArmor (Automated)

  • Minutes to Hours -- Complete assessment depending on organizational complexity.
  • Included with Subscription -- Run as often as needed at no additional cost.
  • Consistent Scoring -- Deterministic algorithm applies identical logic every time. Exact DoD weightings.
  • 6 Standardized Documents -- Real-time dashboard with historical trend data and automated evidence mapping.

Manual Consultant Assessment

  • 2 to 4 Weeks -- Billable engagement with scheduling delays.
  • $5,000 to $15,000 per Assessment -- Each re-assessment incurs new consulting fees.
  • Variable Scoring -- Depends on consultant experience and interpretation. Manual calculation errors possible.
  • Varies by Consultant -- Typically a report and recommendations memo. Manual tracking in spreadsheets.

The most effective strategy combines automated tooling for assessment and documentation with expert consulting for complex remediation. Petronella Technology Group provides both: ComplianceArmor handles the automated layer, while our CMMC Registered Practitioners provide strategic guidance and hands-on remediation.


Workflow

How ComplianceArmor Gap Analysis Works

A six-step workflow from initial assessment to a complete, actionable remediation package. Complete the entire process in a single session.

1. Select Your Target Framework -- Choose CMMC Level 1, 2, or 3. ComplianceArmor loads the correct control catalog, scoring methodology, and evidence requirements.

2. Assess Each Control -- Work through each requirement using the guided interface. Select implementation status, attach evidence, and add notes.

3. Review Your SPRS Score -- Real-time calculation shows current score, maximum possible, and breakdown by control family.

4. Analyze Your Gaps -- Prioritized list of every unimplemented control with risk rating, SPRS impact, cost estimate, and timeline.

5. Generate Your POA&M -- Automatic Plan of Action and Milestones with weakness descriptions, corrective actions, and milestone dates.

6. Download Your Package -- Export all six documents formatted for internal reviews, board presentations, and C3PAO pre-assessment coordination.


Top Findings

Most Common CMMC Gaps

Patterns from hundreds of gap assessments. ComplianceArmor flags these automatically and provides specific remediation guidance.

IA.L2-3.5.3 -- 5-Point Control, Critical Risk

Multi-Factor Authentication

Over 70% of organizations lack MFA for all privileged and remote access accounts. The single highest-impact remediation item in most assessments.

AU.L2-3.3.1 -- 3-Point Control

Audit Log Review

Most organizations generate logs but do not regularly review them. Without SIEM tooling or managed detection, this control remains unfulfilled.

CA.L2-3.12.4 -- Foundation Document

System Security Plan

Many organizations have no documented SSP or one that does not accurately reflect their current environment. The SSP is the primary reference for C3PAO assessment.

SC.L2-3.13.1 -- Boundary Control

CUI Flow Documentation

Organizations struggle to identify and document all ways CUI enters, traverses, and exits their environment. Without this mapping, boundary protection cannot be properly scoped.

IR.L2-3.6.3 -- Testing Requirement

Incident Response Testing

While most organizations have an incident response plan, fewer than 30% have tested it through tabletop exercises or simulated incidents in the past 12 months.


Full Coverage

All 14 NIST SP 800-171 Control Families

ComplianceArmor provides per-family scoring and gap counts so you can quickly identify which families need the most attention.

  • Access Control (AC) -- 22 req.
  • Awareness & Training (AT) -- 3 req.
  • Audit & Accountability (AU) -- 9 req.
  • Configuration Mgmt. (CM) -- 9 req.
  • Identification & Auth. (IA) -- 11 req.
  • Incident Response (IR) -- 3 req.
  • Maintenance (MA) -- 6 req.
  • Media Protection (MP) -- 9 req.
  • Personnel Security (PS) -- 2 req.
  • Physical Protection (PE) -- 6 req.
  • Risk Assessment (RA) -- 3 req.
  • Security Assessment (CA) -- 4 req.
  • System & Comms. (SC) -- 16 req.
  • System & Info. Integrity (SI) -- 7 req.

Use Cases

Who Needs a CMMC Gap Analysis?

A recurring assessment tool that serves different purposes at different stages of the compliance lifecycle.

  • New to CMMC Compliance
  • Preparing for C3PAO Assessment
  • Post-Incident Reassessment
  • Bidding on New DoD Contracts
  • Annual Compliance Review
  • M&A Due Diligence
  • Supply Chain Validation

Learn more about the full CMMC gap assessment process and how Petronella Technology Group's Registered Practitioners can guide your organization through remediation.


Why Petronella Technology Group for CMMC Gap Analysis

Petronella Technology Group, Inc. has been delivering cybersecurity, compliance, and managed IT services since 2003. As a CMMC Registered Practitioner Organization (RPO), we combine deep expertise with the practical experience of guiding hundreds of defense contractors through compliance.

Our founder, Craig Petronella, holds over 23 years of experience in cybersecurity and compliance. The team includes CMMC Registered Practitioners, certified security professionals, and compliance specialists working with defense contractors, manufacturers, and federal subcontractors across the Defense Industrial Base.

CMMC-RPO | BBB A+ Since 2003 | 23+ Years Experience | Raleigh, NC

FAQ

Frequently Asked Questions

Common questions about CMMC gap analysis and how ComplianceArmor addresses them.

How long does a CMMC gap analysis take with ComplianceArmor?
Small organizations (under 50 employees) typically complete the assessment in two to four hours. Mid-sized organizations (50 to 200) need four to eight hours. Large environments may take one to two business days. This compares to the two-to-four-week timeline of consultant-led assessments.
What is the difference between a gap analysis and a C3PAO assessment?
A gap analysis is an internal evaluation identifying compliance gaps before formal assessment. A C3PAO assessment is the official third-party evaluation resulting in CMMC certification. Think of the gap analysis as a practice exam. ComplianceArmor uses the same framework and methodology that C3PAOs follow.
How is the SPRS score calculated?
The score starts at 110 and subtracts weighted points for each unimplemented requirement. Controls are weighted at 1, 3, or 5 points based on security significance. The theoretical minimum is -203. ComplianceArmor applies exact DoD weightings automatically. Use our SPRS Calculator for quick modeling.
Can I use ComplianceArmor's gap analysis output for my C3PAO assessment?
Yes. ComplianceArmor generates documentation in the formats C3PAO assessors expect, including SSP supplements, POA&M, and evidence mapping. While the gap analysis is not a substitute for formal assessment, the documentation becomes part of your evidence package.
What happens if our gap analysis reveals a low SPRS score?
A low score is not unusual early in the CMMC journey. The priority matrix shows which controls to address first for maximum improvement. Many organizations improve from below zero to above +80 within three to six months. Petronella Technology Group's CMMC compliance services can accelerate remediation.
How often should we run a gap analysis?
At four key points: (1) at the start of your CMMC effort for a baseline, (2) quarterly during active remediation, (3) before scheduling your C3PAO assessment as a readiness check, and (4) annually after certification. ComplianceArmor allows unlimited assessments at no additional cost.
Does ComplianceArmor support frameworks other than CMMC?
The core gap analysis engine supports CMMC Level 1, 2, and 3 (NIST SP 800-171 and 800-172). Because CMMC L2 maps directly to NIST SP 800-171, the output also serves DFARS 252.204-7012 compliance. The ComplianceArmor platform also includes modules for HIPAA, SOC 2, and other frameworks.
What do we need to prepare before running a gap analysis?
Gather your current SSP (if it exists), network architecture diagrams, systems inventory for CUI processing, existing security policies, evidence of implemented controls, and a list of security personnel. ComplianceArmor provides a pre-assessment checklist. You can also run the assessment and flag controls for follow-up.

Ready to Assess Your CMMC Compliance?

Know your SPRS score, identify every gap, and get a prioritized remediation plan in minutes. Contact Petronella Technology Group to start your ComplianceArmor gap analysis.