CMMC Gap Assessment for Level 1

A gap assessment tells you exactly where you stand against the 15 Level 1 requirements and what is missing. No jargon, no guesswork, just a clear punch list. Here is how to run one yourself, and how to run it guided in minutes.

The answer in 50 words

A CMMC gap assessment compares your current setup against the 15 FAR 52.204-21 Level 1 requirements and lists what is missing. You define your FCI boundary, score each requirement MET or NOT MET, capture evidence, and get a ranked list of gaps with the fix for each.

How to run a Level 1 gap assessment in four steps

STEP 1

Define your FCI boundary

List the systems, apps, and people that store, process, or transmit Federal Contract Information. Everything in that boundary is in scope; everything outside is not. Getting this right keeps the assessment small and honest.

STEP 2

Score each of the 15 requirements MET or NOT MET

Walk all 15 FAR 52.204-21 requirements across access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Level 1 is binary: there is no partial credit and no POA&M.

STEP 3

Capture the evidence you already have

For each MET requirement, note the proof: a screenshot of enforced 2-Step Verification, your sharing settings, your visitor log. A gap is any requirement where you cannot yet show the evidence.

STEP 4

List the gaps and the fix for each

The output is a short, ranked punch list: the requirements that are NOT MET and the specific action that closes each one. That list is your path to a defensible affirmation.

CMMC gap assessment: FAQ

What is a CMMC gap assessment?

A CMMC gap assessment compares your current security posture against the CMMC requirements for your level and produces a list of what is missing. For Level 1, that means checking your environment against the 15 FAR 52.204-21 safeguarding requirements and listing every one you cannot yet meet or evidence. It is the step that tells you exactly how far you are from a clean self-assessment and what to fix first.

Is a gap assessment the same as the CMMC self-assessment?

They are closely related. The self-assessment is the formal MET or NOT MET determination you affirm to the government. A gap assessment is the honest pre-work: you find the NOT MET items, fix them, then run the self-assessment clean. In practice, a good platform does both in one flow: you assess, you see the gaps, you close them, and the finished result becomes your affirmation.

How much does a CMMC gap assessment cost?

A consultant gap assessment for Level 1 often runs several thousand dollars on its own, before any remediation. You can also self-assess the gaps for free with the requirement list and a spreadsheet. Custodia runs the gap assessment in guided form, with evidence review and the fix for each gap, inside the platform for $249/month with a 7-day free trial and no credit card.

What should a Level 1 gap assessment produce?

A defined FCI boundary, a MET or NOT MET call on all 15 requirements, the evidence for each MET item, and a ranked list of gaps with the specific remediation for each. From there you close the gaps, generate the System Security Plan and affirmation, and post to SPRS.

See your gaps in the next few minutes

Custodia runs the gap assessment with you, reviews your evidence, and turns the result into your SSP and affirmation. Start free for 7 days, no credit card.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)