
CMMC Readiness Gap Analysis


    Overview

    Map controls to NIST SP 800-171 practices, identify CMMC coverage gaps, and build a prioritized remediation roadmap for Level 1 or Level 2.

    Getting Started

    Add your source materials to the project workspace, then activate the CMMC Readiness Gap Analysis skill. The agent will guide you through the process step by step.

    Example Conversation

    You: We need a CMMC Level 2 readiness gap analysis. I’ve added a spreadsheet of our current controls and which 800-171 practices we think they map to. Can you run a gap check and list what’s missing?

    Agent: I’ll load your mapping and run the CMMC gap check for Level 2. I need the path to the file that lists your controls and their practice IDs (e.g. 3.1.5, 3.5.3).

    You: It’s control-mapping.md in the workspace root.

    Agent: [Runs cmmc_gap_check] Level 2 coverage is 67% (74 of 110 practices referenced in the document). Gaps: 36 practices have no reference — including 3.4.4 (change control), 3.5.7 (MFA for non-privileged), 3.8.5 (media sanitization), and several in 3.12 and 3.13. Practice 3.12.4 (System Security Plan) is not in the gap list because it’s referenced, but note: 3.12.4 cannot be on a POA&M for Level 2; it must be fully implemented. I’ll draft a short readiness report with the full gap list and a prioritized remediation section. Should I group gaps by domain for the roadmap?

    Sample Output Excerpt

    Below is a representative excerpt from a CMMC readiness gap analysis.


    CMMC Level 2 Readiness — Gap Summary

    Domain                                      | Practices in scope | Referenced | Gaps
    Access Control (3.1)                        | 9                  | 8          | 3.1.6
    Audit (3.3)                                 | 9                  | 9          | (none)
    Configuration Management (3.4)              | 9                  | 6          | 3.4.4, 3.4.7, 3.4.8
    Identification and Authentication (3.5)     | 14                 | 11         | 3.5.7, 3.5.10, 3.5.12
    System and Communications Protection (3.12) | 15                 | 12         | 3.12.6, 3.12.9, 3.12.11

    POA&M-ineligible: Practice 3.12.4 (System Security Plan) must be fully implemented before certification; it cannot be on the POA&M.

    Remediation roadmap (excerpt)

    Priority | Practice | Gap                | Recommended action
    1        | 3.12.4   | SSP                | Ensure SSP is complete and current (use CMMC SSP skill).
    2        | 3.5.7    | MFA non-privileged | Extend MFA to all user accounts per policy.
    3        | 3.4.4    | Change control     | Document change control process and evidence.

    Built-in Scripts and Validation

    The skill includes a gap-check tool the agent runs against your practice-mapping file.

    Validation tools

    Tool           | Purpose
    cmmc_gap_check | Parses a Markdown or JSON file for NIST 800-171 practice IDs (3.x.y). For Level 2, reports coverage percentage (how many of the 110 practices are referenced), lists all practices with no reference (gaps), and flags POA&M-ineligible practices (e.g. 3.12.4 System Security Plan) that must be fully implemented before certification. For Level 1, reports coverage against the 17 foundational practices. Run after each update to the mapping document.
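    The following is an added illustration of the check the table describes, written for this page; it is not the skill's own cmmc_gap_check implementation. It extracts 3.x.y practice IDs from a mapping document, scores coverage against the 110 Level 2 practices (or the 17 Level 1 practices), lists gaps, and flags POA&M-ineligible practices whether or not they are referenced. Assumptions: family sizes follow NIST SP 800-171 Rev 2, the Level 1 set follows CMMC Level 1, the sample mapping text is constructed, and only 3.12.4 is treated as POA&M-ineligible because it is the only practice this page names.

```python
import re
from dataclasses import dataclass

# NIST SP 800-171 Rev 2 practice counts per family (3.<family>.<n>), 110 in total.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6,
                8: 9, 9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
LEVEL2 = {f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items() for n in range(1, size + 1)}
# The 17 CMMC Level 1 practices (the FAR 52.204-21 safeguarding requirements).
LEVEL1 = {"3.1.1", "3.1.2", "3.1.20", "3.1.22", "3.5.1", "3.5.2", "3.8.3", "3.10.1", "3.10.3",
          "3.10.4", "3.10.5", "3.13.1", "3.13.5", "3.14.1", "3.14.2", "3.14.4", "3.14.5"}
# Level 2 practices that cannot be deferred to a POA&M; only 3.12.4 is named on this page.
POAM_INELIGIBLE = {"3.12.4"}
# A 3.x.y token that is not part of a longer dotted number (e.g. "v2.3.1.5" or "13.1.1").
PRACTICE_ID = re.compile(r"(?<![\d.])3\.(\d{1,2})\.(\d{1,2})(?!\.?\d)")

def practice_key(pid: str) -> tuple:
    return tuple(int(part) for part in pid.split("."))

def extract_practice_ids(text: str) -> set:
    """Every 3.x.y practice ID mentioned in a Markdown or JSON mapping document."""
    return {f"3.{int(fam)}.{int(n)}" for fam, n in PRACTICE_ID.findall(text)}

@dataclass
class GapReport:
    level: int
    referenced: set       # IDs found that belong to the level's practice set
    gaps: list            # in-scope practices the document never mentions
    unrecognized: list    # 3.x.y tokens that are not 800-171 practices at all
    poam_ineligible: dict # ineligible practice -> True if referenced, False if a gap

    @property
    def coverage_pct(self) -> float:
        total = len(LEVEL1) if self.level == 1 else len(LEVEL2)
        return round(100 * len(self.referenced) / total, 1)

def cmmc_gap_check(text: str, level: int = 2) -> GapReport:
    if level not in (1, 2):
        raise ValueError("level must be 1 or 2")
    universe = LEVEL1 if level == 1 else LEVEL2
    found = extract_practice_ids(text)
    referenced = found & universe
    gaps = sorted(universe - referenced, key=practice_key)
    unrecognized = sorted(found - LEVEL2, key=practice_key)   # typos such as 3.1.99
    ineligible = {p: p in referenced for p in sorted(POAM_INELIGIBLE, key=practice_key)} if level == 2 else {}
    return GapReport(level, referenced, gaps, unrecognized, ineligible)

if __name__ == "__main__":
    # Constructed sample mapping document, not a real control set.
    sample = ("## MFA\nCorporate SSO enforces MFA (3.5.3). Password policy covers 3.5.7.\n"
              "## SSP\nThe SSP (3.12.4) is current; change control ref 3.4.4. Ignore v2.3.1.5 and 3.1.99.")
    report = cmmc_gap_check(sample)
    print(f"Level 2 coverage: {report.coverage_pct}% ({len(report.referenced)} of {len(LEVEL2)})")
    print("First gaps:", report.gaps[:5], "| unrecognized:", report.unrecognized)
    for pid, ok in report.poam_ineligible.items():
        print(f"POA&M-ineligible {pid}: {'referenced' if ok else 'GAP'} (must be fully implemented)")
```

    Point it at the exported text of control-mapping.md and re-run it after every update, as the table advises.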
