If your organization handles federal contract data and you haven't formally assessed your cybersecurity posture against NIST SP 800-171, there's a very good chance you have gaps you don't know about. And in today's contracting environment, those gaps have consequences that go well beyond a compliance checkbox.
The question isn't whether a gap assessment is a good idea. It's whether you can afford to skip one.
Here's something many defense contractors don't fully appreciate: the cybersecurity obligations CMMC is designed to verify have been contractual requirements since 2016.
DFARS clause 252.204-7012 requires contractors and subcontractors to implement all 110 security controls from NIST SP 800-171 across any system that processes, stores, or transmits covered defense information — including on-premises servers, workstations, mobile devices, and cloud services. If that clause appears in your contract — and for most defense contractors, it does — you've been obligated to meet those standards for years.
Noncompliance with DFARS 252.204-7012 carries serious consequences: contract risk including lost awards, cure notices, or termination; False Claims Act liability if compliance is misrepresented; operational disruptions; and lasting reputational damage in the defense sector.
What CMMC adds is verification. DFARS 252.204-7012 mandates the NIST SP 800-171 controls; CMMC requires you to prove they are in place, and for a Level 2 certification that proof is checked by an independent third-party assessor rather than by you. You have to demonstrate, not just assert, that each control is implemented and operating. That is a fundamentally different standard from self-attestation, and it is why so many organizations discover significant gaps only when they are standing at the edge of an assessment.
A gap assessment puts that discovery on your terms, before the contract is on the line.
A gap assessment is a structured evaluation of your current cybersecurity posture measured against the requirements of NIST SP 800-171. It doesn't assume anything about where you stand — it finds out.
NIST SP 800-171 covers 110 requirements across 14 control families, including Access Control, Incident Response, and System and Information Integrity. A thorough gap assessment works through each of those families and documents which requirements are fully implemented, which are partially addressed, and which are missing entirely, with the evidence (or lack of it) noted for each. The output isn't just a score. It's a roadmap.
The most challenging areas for contractors typically include System and Communications Protection, Audit and Accountability, Configuration Management, Access Control, and Incident Response. These aren't obscure edge cases. They're the core control families that govern how your network is configured, who has access to what, how activity is logged, and what happens when something goes wrong. Gaps in these areas are both common and consequential.
The gap assessment also feeds two documents that NIST SP 800-171 itself requires and that any DFARS or CMMC assessment will ask for: a System Security Plan (SSP), which describes how each requirement is implemented in your environment, and a Plan of Action and Milestones (POA&M), which tracks open gaps and the remediation work underway. Both must be current and accurate to support an assessment, and both start with knowing where you actually stand. Keep in mind that under CMMC a POA&M is not a parking lot: only certain gaps may remain open at assessment time, and those must be closed within a fixed window, so the POA&M should reflect work that is genuinely in progress.
Every defense contractor handling CUI is required to post a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS), the government's primary tool for evaluating cybersecurity readiness across the defense industrial base. Under DFARS 252.204-7019, an offeror must have a current assessment (no more than three years old) posted in SPRS to be considered for award, and 252.204-7020 requires primes to confirm that their subcontractors have one before awarding work downstream.
The problem is that many organizations posted an optimistic score years ago and haven't revisited it since. Systems change. Vendors change. Employees change. A score that was accurate two years ago may no longer reflect your actual posture — and when a prime contractor or contracting officer pulls your SPRS record to evaluate your readiness, what they see matters.
A formal gap assessment brings your SPRS score into alignment with reality, and gives you a defensible, documented basis for whatever number you report.
For manufacturers in the defense supply chain, the gap assessment question comes with an additional layer of complexity. Operational technology environments — factory floor systems, production control networks, specialized equipment — often sit in a gray zone between traditional IT and what NIST 800-171 was designed to address.
That ambiguity doesn't create an exemption. It creates a scoping challenge. Understanding which systems fall within your CMMC assessment boundary, and which don't, is one of the most important decisions in the compliance process — and one of the first things a gap assessment helps you work through.
Getting the scope wrong in either direction has costs. Scope too broadly, and you're implementing controls on systems that don't need them. Scope too narrowly, and you leave CUI-adjacent systems unprotected — and fail your assessment.
The contractors who come to a CMMC assessment with confidence aren't the ones who started preparing last month. They're the ones who did a gap assessment, addressed what they found, and built a compliance program around actual knowledge of their environment rather than assumptions.
If you're not sure whether your organization meets its DFARS 252.204-7012 obligations, the place to start is simple: review your contracts for the clause, identify what CUI your organization handles and where it lives, and determine which systems are in scope. That's the foundation of everything that follows.
At Dragnet, our Gap and Risk Assessment service is designed to give defense contractors and manufacturers a clear, honest picture of where they stand — and a structured path to where they need to be. No guesswork. No surprises at assessment time.
Schedule a CMMC Discovery Call →