Plain-English readiness guide · primary sources
What is a CMMC gap assessment? (and how to do one for free)
A CMMC gap assessment compares your current cybersecurity posture to the 110 NIST SP 800-171 requirements and identifies which controls are implemented, partially implemented, or missing. The result is a prioritized remediation roadmap and an estimated SPRS score. A gap assessment is the practical first step before any C3PAO assessment — and Muster's free Muster Score is one.
What a gap assessment covers
A gap assessment for CMMC Level 2 is scoped to the 110 NIST SP 800-171 Rev 2 requirements across 14 families. It does four things: defines what is in scope, rates every requirement, sorts the gaps by what you can defer, and estimates the score you would post to SPRS.
| It covers | What that means |
|---|---|
| Scope your CUI boundary | Define the systems, people, and data flows that store, process, or transmit CUI. The boundary is what the assessment applies to — getting it right keeps the work focused and the score honest. |
| All 110 requirements, 14 families | Walk every one of the 110 NIST SP 800-171 Rev 2 requirements across the 14 families and decide where you stand on each: implemented, partially implemented, or not implemented. |
| POA&M-eligible vs. must-fix output | Sort the gaps. Some 1-point items can sit on a Plan of Action & Milestones for conditional Level 2; six requirements are never POA&M-eligible and must be fully met. The output tells you which is which. |
| An estimated SPRS score | Apply the DoD Assessment Methodology — start at 110 and deduct the weighted value of each unmet requirement — to estimate the self-assessment score you would post under DFARS 252.204-7019. |
Sources: CMMC Level 2 maps to the 110 NIST SP 800-171 Rev 2 requirements across 14 families. Scoring follows the DoD Assessment Methodology v1.2.1 (32 CFR 170.24) — start at 110, with 44 requirements worth 5 points, 14 worth 3, and 51 worth 1; requirement 3.12.4 (the SSP) is unscored but mandatory. POA&M eligibility is set by 32 CFR 170.21. See the Level 2 requirements guide for the full family-by-family breakdown.
Gap assessment vs. C3PAO assessment
These are easy to conflate, but they are different stages with different stakes. A gap assessment is preparation — a self-assessment you run to find and close gaps. The C3PAO assessment is the formal certification. A gap assessment posts no certificate; only an authorized C3PAO can certify you.
| | Gap assessment | C3PAO assessment |
|---|---|---|
| What it is | A self-assessment that measures current posture against the 110 requirements. | A formal third-party assessment conducted by an authorized C3PAO. |
| Who performs it | You (optionally with an RPO or consultant). No external authority involved. | An accredited C3PAO assessor, independent of your organization. |
| Output | A remediation roadmap and an estimated SPRS score — preparation, not a verdict. | A pass/fail certification decision recorded in the CMMC ecosystem. |
| Does it certify you? | No. A gap assessment is not a certification and posts no certificate. | Yes. Only an authorized C3PAO can issue a CMMC Level 2 certification. |
| When you do it | First — to find and close gaps before spending on a formal assessment. | After remediation, when you believe you can meet the required level. |
A gap assessment (self-assessment) is the basis of the SPRS score posted under DFARS 252.204-7019; it is not a C3PAO certification.
Self-assessment vs. hired RPO or consultant
You can run a gap assessment yourself for free, or pay an RPO or consultant to run it for you. The honest trade-off is cost and speed against an outside set of eyes — a self-assessment is only as accurate as the inputs you give it.
| | Self-assessment | Hired RPO / consultant |
|---|---|---|
| Cost | Free with a self-serve tool like the Muster Score — no signup, no engagement fee. | Commonly reported at $5,000–20,000 for a consultant gap assessment; rates typically $250–400/hr. |
| Speed | Same day. You work through the requirements at your own pace in the browser. | Days to weeks, gated by scheduling, scoping calls, and interview availability. |
| Accuracy | Depends on honest, informed inputs — only as good as your answers about your own systems. | An experienced assessor can probe and validate answers, surfacing gaps you might rate too generously. |
| Best for | Getting an honest baseline fast, and knowing your gap before you spend. | Complex environments, or when you want an outside review before the formal C3PAO assessment. |
Cost figures are typical/commonly reported practitioner estimates, not regulatory requirements. Muster's free Muster Score is a self-serve gap assessment — free, no signup, and it runs entirely in your browser.
How to do a gap assessment for free with Muster
1. Scope your CUI boundary. Identify the systems, people, and locations that handle CUI. Everything inside that boundary is in scope for the assessment; drawing it deliberately keeps the work focused and your score defensible.
2. Walk the 110 requirements. Go through every one of the 110 NIST SP 800-171 Rev 2 requirements across the 14 families, in plain English. Muster guides you question by question, no compliance background required.
3. Mark each one implemented, partial, or missing. For each requirement, record honestly where you stand. Honest inputs are the whole point: over-rating yourself only moves the gap downstream to a formal assessment that will catch it.
4. Get your estimated SPRS score. Muster applies the DoD Assessment Methodology (start at 110, deduct each unmet requirement at its weighted value) to compute the self-assessment score you would post under DFARS 252.204-7019.
5. Split gaps into POA&M-eligible vs. must-fix. The output separates 1-point items that can sit on a Plan of Action & Milestones for conditional Level 2 from the six requirements that are never POA&M-eligible and must be fully implemented.
6. Draft your SSP and POA&M. Turn the results into a System Security Plan and a POA&M. Muster drafts these documents from your answers; you review, complete, and attest to them. Muster does not certify you.
The Muster Score runs in your browser — there is no file upload and no need to send any CUI. When you have your number, the SPRS calculator shows the math behind the score, and the POA&M template helps you document the gaps you intend to defer.
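The scoring step and the POA&M split above (and the scoring row in the first table) reduce to a small weighted-deduction algorithm: start at 110, subtract each unmet requirement's 5, 3 or 1 points, treat 3.12.4 as unscored but mandatory, and allow only 1-point gaps on a POA&M unless they are on the never-eligible list. The following is an added worked example in Python, not Muster's code. The per-requirement weights and the never-eligible set are constructed placeholders (a real run loads all scored weights from the DoD Assessment Methodology and the excluded six from 32 CFR 170.21), and the 80% score floor for conditional Level 2 is an assumption to confirm against the rule text.

```python
"""Estimate a CMMC Level 2 self-assessment (SPRS) score and sort the gaps
into POA&M-eligible vs. must-fix, following the rules the guide describes.

Added example, not Muster's code. Assumptions are marked inline.
"""
from dataclasses import dataclass, field

MAX_SCORE = 110
# Lowest possible score from the counts the guide cites: 44 x 5, 14 x 3, 51 x 1.
MIN_SCORE = MAX_SCORE - (44 * 5 + 14 * 3 + 51 * 1)  # -203
# ASSUMPTION: conditional Level 2 also needs a score of at least 80% of 110
# (32 CFR 170.21); confirm against the rule text before relying on it.
MIN_CONDITIONAL_SCORE = 88
SSP_REQUIREMENT = "3.12.4"  # unscored, but mandatory

# CONSTRUCTED sample weights (requirement id -> points deducted when unmet).
# A real assessment loads every scored weight from the DoD Assessment Methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.4": 1, "3.1.5": 3, "3.1.20": 1, "3.3.1": 5,
    "3.5.3": 5, "3.8.3": 5, "3.10.3": 1, "3.11.2": 5, "3.13.11": 5,
}
# PLACEHOLDER for the six requirements that can never sit on a POA&M
# (32 CFR 170.21); fill from the regulation. Two sample ids keep this runnable.
NEVER_POAM_ELIGIBLE = {"3.1.20", "3.10.3"}
VALID_STATUSES = {"implemented", "partial", "missing"}


@dataclass
class GapResult:
    score: int
    ssp_present: bool
    poam_eligible: list = field(default_factory=list)  # 1-point gaps you may defer
    must_fix: list = field(default_factory=list)       # gaps that must be fully met
    deductions: dict = field(default_factory=dict)     # requirement id -> points lost

    @property
    def conditional_possible(self) -> bool:
        """True when the SSP exists, every open gap is POA&M-eligible, and the
        score clears the assumed 80% floor."""
        return self.ssp_present and not self.must_fix and self.score >= MIN_CONDITIONAL_SCORE


def assess(statuses, weights=SAMPLE_WEIGHTS, never_eligible=NEVER_POAM_ELIGIBLE):
    """statuses maps requirement id -> 'implemented' | 'partial' | 'missing'.

    Anything short of 'implemented' is unmet and loses the full weight, as the
    guide describes; a requirement you did not rate is treated as missing.
    """
    result = GapResult(
        score=MAX_SCORE,
        ssp_present=statuses.get(SSP_REQUIREMENT) == "implemented",
    )
    for req, weight in weights.items():
        status = statuses.get(req, "missing")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status == "implemented":
            continue
        result.deductions[req] = weight
        result.score -= weight
        # Only 1-point items may be deferred, and never the excluded six.
        if weight == 1 and req not in never_eligible:
            result.poam_eligible.append(req)
        else:
            result.must_fix.append(req)
    if not result.ssp_present:
        result.must_fix.append(SSP_REQUIREMENT)  # no SSP, no assessment
    assert MIN_SCORE <= result.score <= MAX_SCORE
    return result


# CONSTRUCTED sample answers for the sample weights above.
SAMPLE_ANSWERS = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.4": "missing",
    "3.1.5": "partial", "3.1.20": "missing", "3.3.1": "implemented",
    "3.5.3": "missing", "3.8.3": "implemented", "3.10.3": "implemented",
    "3.11.2": "partial", "3.13.11": "implemented", "3.12.4": "implemented",
}

if __name__ == "__main__":
    r = assess(SAMPLE_ANSWERS)
    print(f"Estimated SPRS score: {r.score} (range {MIN_SCORE} to {MAX_SCORE})")
    print("POA&M-eligible:", r.poam_eligible)
    print("Must fix:", r.must_fix)
    print("Conditional Level 2 possible:", r.conditional_possible)
```

With the constructed answers the sample loses 15 points (score 95); the one 1-point gap not on the excluded list is the only item that may be deferred, and the 3- and 5-point gaps plus the excluded 1-point item all land in must-fix, so conditional status is off the table until they are closed. A partial rating loses the full weight here, which is how the guide describes the deduction; the methodology's own partial-credit cases are not modelled.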
Straight answers
How long does a gap assessment take?
It depends on how you run it and how well you know your environment. A self-directed gap assessment with a guided tool like the free Muster Score can be done in a single sitting — you walk the 110 NIST SP 800-171 requirements at your own pace and get an estimated SPRS score the same day. A consultant-led gap assessment typically runs over days to weeks, gated by scoping calls and staff interviews.
Do I need to hire someone to do a gap assessment?
No. A gap assessment is a self-assessment, so you can run it yourself — that is exactly what Muster's free Muster Score is. Hiring a Registered Provider Organization or consultant (commonly reported at $5,000–20,000) can help in complex environments or when you want an outside review before a formal assessment, but it is not required. The accuracy of a self-assessment comes down to answering honestly about your own systems.
What comes after a gap assessment?
You use the output to close gaps. The remediation roadmap shows which controls to fix; you draft a System Security Plan (mandatory under 3.12.4) and a POA&M for the gaps eligible to defer. When your posture meets the required level, you proceed to a formal C3PAO assessment for Level 2 certification. The gap assessment is the preparation; the C3PAO assessment is the certification.
Is a gap assessment the same as certification?
No. A gap assessment is a self-assessment that estimates your posture and SPRS score — it is the basis of the score you post under DFARS 252.204-7019, not a certification. Only an authorized C3PAO can issue a CMMC Level 2 certification. A gap assessment, an SPRS score, and a CMMC certification are three different things; treating a self-assessment as a certification is exactly the kind of overstatement to avoid.
This is compliance information, not legal advice. A gap assessment is a self-assessment, not a certification; only an authorized C3PAO can certify CMMC Level 2. For questions about your specific obligations, consult qualified counsel.
Related guides
How long does CMMC Level 2 take?
A realistic 12–24 month timeline, phase by phase (gap assessment, remediation, the C3PAO waitlist, the assessment, conditional closeout) — and what actually sets your finish date.
How to submit your SPRS score
The step-by-step PIEE → SPRS submission walkthrough, the email alternative, and why the score you post is a representation to the government you have to stand behind.
What counts as CUI?
What CUI actually is for a defense contractor — technical data, drawings, export-controlled material — the three questions everyone asks, CUI vs. classified, and what to do when you receive it.
NIST 800-171 SSP template
What an SSP must contain per 3.12.4, what assessors flag first, and a free blank template (Markdown or Word) — no email gate.
Tools: SPRS score calculator · scoring methodology · CMMC Phase 2 deadline
Your gap assessment is the free Muster Score.
Walk the 110 NIST SP 800-171 requirements in plain English and get your estimated SPRS score and a prioritized remediation roadmap — in your browser, no signup, no CUI.
Run your free gap assessment. The free score is live now. Join the waitlist for early access to the done-for-you Level 2 Readiness Sprint and founding-cohort pricing.