Know Where You Stand Before the Assessor Does CMMC Level 2 requires documented compliance with all 110 controls in NIST SP 800-171. Most small defense contractors don’t know which controls they satisfy and which they don’t. Our gap assessment tells you exactly where you stand — and what to fix before a C3PAO assessor arrives.
Without CMMC certification, your company cannot bid on DoD contracts that require it. That scope is expanding to cover most defense work.
C3PAO assessments require scheduling months in advance. Companies that wait until a contract requires CMMC discover they can’t get assessed in time to bid.
CMMC Level 2 requires a System Security Plan documenting how each of the 110 controls is implemented. Assembling this without preparation takes months.
Most companies believe they satisfy more controls than they actually do. Gap assessments routinely uncover 20-40 partially or fully unaddressed controls.
Our gap assessment evaluates your current state against all 110 controls across every domain. You already have Control 3.8.3 (Media Protection — data sanitization) documented from your DTS data destruction service. Here’s what the rest covers.
Who can access CUI, under what conditions, and with what authentication.
Logging, audit trail retention, and accountability for system activity.
Baseline configurations, change control, and least-functionality settings.
User identity, MFA requirements, and password management.
Incident handling capability, reporting, and testing.
System maintenance controls, remote maintenance security.
CUI on physical and digital media — including 3.8.3 (sanitization) you already have documented.
Screening individuals with CUI access, termination procedures.
Physical access to CUI systems and facilities.
Periodic risk assessments, vulnerability scanning, remediation.
Periodic evaluation of controls, plan of action management.
Network segmentation, boundary protection, encryption in transit.
Malware protection, security alerts, software patching.
Security awareness training for all personnel with CUI access.
Every control rated: Satisfied, Partially Satisfied, or Not Satisfied. Evidence citations for satisfied controls.
Gaps ranked by risk and remediation complexity. A clear order of operations for closing findings before assessment.
System Security Plan template pre-populated with your satisfied controls. You complete the narrative. We provide the structure.
Plan of Action and Milestones document for identified gaps — required for your CMMC assessment package.
For each satisfied control, what documentation the assessor will look for and how to organize it.
Email access as you work through the remediation roadmap and SSP development.
- Intake questionnaire + 2 working sessions
- 110-control gap assessment report
- Satisfied / partial / not satisfied rating per control
- Priority remediation roadmap
- 30-day email support
- Everything in Gap Analysis
- SSP draft template pre-populated
- POA&M document for identified gaps
- Evidence documentation guidance per control
- 60-day email support
- Annual SSP review and update
- POA&M progress review
- Control re-assessment for changed areas
- Updated compliance documentation
We provide readiness assessment and documentation support — not a formal CMMC certification. CMMC Level 2 certification must be conducted by an accredited C3PAO (CMMC Third-Party Assessment Organization). Our service prepares you to pass that assessment by identifying gaps, building your documentation package, and establishing evidence for satisfied controls. Companies that go through a readiness assessment before their C3PAO review consistently achieve better outcomes and fewer findings.
Your DTS data destruction certificate already documents Media Protection Control 3.8.3 — one of the 110 NIST SP 800-171 requirements. That’s the starting point. Our CMMC Readiness Assessment covers the other 109 and builds the documentation package around your existing evidence. DTS data destruction clients receive a 10% discount on any CMMC Readiness tier.
Start with a free 20-minute call. We’ll ask a few questions about your environment and tell you honestly whether a formal gap assessment makes sense for your situation and timeline.
Diversified Tech Solutions · Johnson City, TN · avery@diversifiedtechsolutions.com
CMMC Readiness Assessment available remotely to defense contractors nationwide.
