Gap assessments, SSP development, and C3PAO assessment preparation — built around NIST SP 800-171 Rev 3 and the 32 CFR Part 170 final rule.
The CMMC final rule — 32 CFR Part 170 — took effect December 16, 2024. After years of CMMC 1.0 and CMMC 2.0 iterations and extended comment periods, the rule is now in force. Defense contractors handling Controlled Unclassified Information (CUI) are no longer operating under an aspirational compliance framework. They are operating under a live contractual requirement with phased enforcement and real consequences for non-compliance: loss of contract eligibility.
The phased rollout matters, but it creates a false sense of runway. Phase 1 began on the rule's effective date and covers DoD's internal processes. Phase 2 — when CMMC Level 2 self-assessment requirements begin appearing in solicitations and contracts — is already underway. Phase 3 introduces CMMC Level 2 certification (C3PAO assessment) requirements. Phase 4 is full implementation across all applicable contracts. The timeline compresses fast for companies that haven't started. If your contract is in Phase 2 and you're starting a gap assessment today, you may already be behind the cycle for an assessment-ready documentation package.
The scoping problem is the most consistently underestimated challenge. Most contractors assume their CMMC environment is limited to their primary workstations and file servers. In practice, CUI flows into email systems, collaboration platforms, cloud storage, contractor-managed external services, and backup systems — all of which are potentially in scope. "Security protection assets," systems that protect CUI without directly processing it (firewalls, authentication systems, monitoring tools), are also in scope under the CMMC assessment guide, even though they don't touch CUI directly. Defining the scope incorrectly, in either direction, invalidates the assessment.
The SPRS score requirement is an existing obligation that predates CMMC and is already required for any contractor with a DFARS 252.204-7012 clause in their contracts. Many contractors have never submitted a score. That is a current compliance gap, not a future one — and auditors are aware of it. Getting current on SPRS is typically the first action item following a gap assessment.
Every engagement starts with an accurate picture of where you stand. Every deliverable is built to hold up under C3PAO scrutiny — not just to satisfy an internal audit.
Identifying where CUI lives, where it moves, and which systems are in scope. Correct scoping is the foundation of everything that follows — an oversized scope is unmanageable, an undersized scope is a failed assessment.
All 110 controls assessed against your current environment, with written findings, implementation status, and severity ratings. Deliverable includes an assessment-ready gap report with control-level documentation.
Complete SSP documentation covering all in-scope systems, services, and boundaries. Includes system descriptions, control implementations, and inherited control documentation for cloud service providers.
Plan of Action & Milestones development with realistic remediation timelines and resource estimates. Structured to satisfy C3PAO reviewers who will scrutinize whether the POA&M reflects achievable remediation plans.
Evidence package assembly, mock assessment, and assessor interview preparation. The goal is to walk into the C3PAO assessment with no surprises — every control mapped to documented evidence, every assessor question anticipated.
Acceptable use policies, incident response plans, configuration management procedures, and access control policies — written to the level of specificity that NIST SP 800-171 Rev 3 organization-defined parameters require.
A defined progression from current-state assessment through documentation and remediation to C3PAO readiness — with clear deliverables at each phase.
CUI data flow mapping, system boundary definition, and 110-control gap assessment against NIST SP 800-171 Rev 3. Includes asset inventory review, external service provider analysis, and "security protection asset" identification. Stakeholder interviews and documentation review typically span 2–4 weeks. Deliverable: written gap report with control-level severity ratings and preliminary SPRS score calculation.
SSP development across all in-scope systems, POA&M creation for identified gaps, and policy and procedure drafting for controls requiring documented implementations. Remediation prioritization based on C3PAO assessment weighting — high-severity gaps that affect multiple controls addressed first. Deliverable: complete SSP, POA&M, and policy documentation package ready for assessor review.
Evidence organization and mapping to SSP control implementations, mock assessment walkthrough against the CMMC Assessment Guide, C3PAO selection guidance, and assessor interview preparation. Includes review of any open POA&M items for assessor impact. Deliverable: evidence package, mock assessment findings, and C3PAO readiness statement.
Full 110-control assessment, scoping analysis, written gap report with severity ratings.
Complete System Security Plan and Plan of Action & Milestones documentation package.
Evidence package assembly, mock assessment, and assessor interview preparation.
DIBCAC engagement prep and enhanced controls gap analysis against NIST SP 800-172.
Engagements are scoped and quoted after an initial call. Most companies combine gap assessment and SSP development into a single engagement.
What's the difference between CMMC Level 1, Level 2, and Level 3?
Level 1 covers 17 basic safeguarding requirements derived from FAR 52.204-21, applies to contractors handling Federal Contract Information (FCI), and requires an annual self-assessment. Level 2 covers all 110 NIST SP 800-171 Rev 3 requirements and applies to contractors handling Controlled Unclassified Information (CUI). Some Level 2 contracts allow annual self-assessment with SPRS score submission; others — particularly those involving critical programs and technologies — require a triennial third-party assessment by a C3PAO. Level 3 adds requirements drawn from NIST SP 800-172, applies to the highest-priority CUI programs, and requires a government-led assessment by DIBCAC. If you're handling CUI, you're almost certainly a Level 2 contractor.
How do I know if I need a C3PAO assessment vs. self-assessment for Level 2?
The DoD determines this at the contract level. If your contract or solicitation specifies "CMMC Level 2 Certification," you need a C3PAO triennial assessment. If it specifies "CMMC Level 2 Self-Assessment," annual self-assessment with SPRS score submission is sufficient. In practice, the distinction is written into the contract's CMMC requirements table. If you're bidding on a solicitation that doesn't specify yet, your CMMC level will be stated in the solicitation once Phase 2 and Phase 3 requirements are fully embedded. Note that many prime contractors are also flowing down C3PAO certification requirements to their subcontractors regardless of what the prime contract formally requires — check your prime's subcontractor agreements.
What is SPRS and do I need it right now?
The Supplier Performance Risk System (SPRS) score is a self-reported assessment of your NIST SP 800-171 compliance, scored from -203 to 110 based on unimplemented controls and their associated weights. If you have a DFARS 252.204-7012 clause in any of your contracts — which applies to virtually every defense contractor handling CUI — you are already required to have a current SPRS score submitted. This is not a future CMMC requirement; it's an existing requirement that predates CMMC and has been in force since November 2020. Many contractors have never submitted a score, or submitted an artificially inflated score based on incomplete assessments. Auditors know this. Getting an accurate, defensible SPRS score is typically the first deliverable from a gap assessment.
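Worked example of the SPRS scoring arithmetic described above, added here and not part of the original page: a small calculator following the NIST SP 800-171 DoD Assessment Methodology (start at 110, deduct each unimplemented requirement's weight of 5, 3 or 1, with partial credit of 3 points only for 3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography). The control IDs, weights and statuses in the sample findings are constructed for illustration, not taken from any real assessment.

```python
# Added example (not the page's own code): SPRS score calculator.
# Scheme from the DoD Assessment Methodology: start at 110 and deduct the
# weight (5, 3 or 1) of every requirement not fully implemented. With all
# 110 weights deducted (they sum to 313) the floor is 110 - 313 = -203.
MAX_SCORE = 110
MIN_SCORE = -203
VALID_WEIGHTS = {1, 3, 5}
# Only two requirements carry partial credit (deduct 3 instead of 5):
# 3.5.3 MFA in place for remote/privileged users but not general users, and
# 3.13.11 encryption in use but not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def sprs_score(findings):
    """findings: iterable of (control_id, weight, status), where status is
    'implemented', 'partial' or 'not_implemented'. Items still open on a
    POA&M count as not implemented, so record them that way.
    Returns (score, deductions) with deductions mapping control_id -> points lost."""
    deductions = {}
    for control_id, weight, status in findings:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{control_id}: weight must be 1, 3 or 5, got {weight}")
        if status == "implemented":
            continue
        if status == "partial":
            if control_id not in PARTIAL_CREDIT:
                raise ValueError(f"{control_id}: partial credit only for {sorted(PARTIAL_CREDIT)}")
            deductions[control_id] = PARTIAL_CREDIT[control_id]
        elif status == "not_implemented":
            deductions[control_id] = weight
        else:
            raise ValueError(f"{control_id}: unknown status {status!r}")
    score = MAX_SCORE - sum(deductions.values())
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("more deductions than the 110 requirements allow")
    return score, deductions


# Constructed sample gap-assessment findings (weights illustrative only).
SAMPLE_FINDINGS = [
    ("3.1.1", 5, "implemented"),
    ("3.1.2", 5, "not_implemented"),
    ("3.5.3", 5, "partial"),            # MFA only for remote/privileged users
    ("3.13.11", 5, "not_implemented"),  # CUI not encrypted at all
    ("3.4.6", 3, "not_implemented"),
    ("3.1.20", 1, "not_implemented"),
]

if __name__ == "__main__":
    score, lost = sprs_score(SAMPLE_FINDINGS)
    print(f"SPRS score: {score} (points lost: {lost})")
```

A "partial" status on any control other than 3.5.3 or 3.13.11 is rejected rather than silently given credit, which is the mistake behind many inflated self-reported scores.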
How long does a CMMC Level 2 gap assessment take?
Typically 2–4 weeks for a company with 50–200 employees and a reasonably defined IT environment. The timeline depends most heavily on how well-documented your current systems are and how available key stakeholders (IT, operations, contracts) are for interviews. If you have existing SSP documentation from a previous assessment or DFARS compliance effort, the gap assessment can move faster. The output is a written gap report at the control level — severity-rated, with implementation status documented — that you can use immediately for remediation planning and SSP development.
Fulcrum Advisory delivers gap assessments and compliance documentation built to hold up under C3PAO scrutiny — developed by practitioners who have operated under live DCSA compliance requirements, not just studied the framework.
32 CFR Part 170 took effect December 16, 2024. What's actually changed from CMMC 2.0 and what your first 90 days should look like.
Scope errors are the leading reason CMMC assessments fail or run dramatically over budget. Here's what to get right before the assessment begins.