21 Questions to Gauge your CMMC Readiness

Most of you do not need a CMMC gap analysis. You might as well put your money, if you got any, in a pile and light a match. Connecticut has thousands of contractors that will EVENTUALLY require a CMMC assessment.

Yet 2026 is far off, and for those who want to work in the defense contracting space, you just need to have completed a self-assessment and uploaded an SPRS score.

You don’t need a perfect score, a seventy, or a 110. You can have a negative score. Most of you do, but you just need a score.

So when folks call offering a CMMC Gap Analysis, hang up the phone. You don’t need that right now.

Currently, as a business owner, you need to focus on growing the System Security Plan (SSP) and shrinking the Plan of Action and Milestones (POA&M). The first document describes what you do right and the second what you need to improve.

Many of the companies in Connecticut do not have the basics in place to even invest in a gap analysis. Garbage in, garbage out. (Besides, you should begin with a scoping assessment anyway, but that’s for later, after the basics.)

21 Questions to Ask Yourself

  1. Do we have a System Security Plan?
  2. Do we know who is in charge of security?
  3. Do we know who is the data owner in our company?
  4. Do we know how much revenue we make from contracts with the 7012 clause?
  5. Do we know how Controlled Unclassified Information resulting from contracts with the 7012 clause moves through our company?
  6. Do we have a policy on how to write policy?
  7. Do we have an inventory of any device, cell phone, or computer that connects to the internet from our networks?
  8. Do we have a physical security floor plan?
  9. Do we have a network diagram?
  10. Do we have a list of third party vendors or service providers that touch our network and devices?
  11. Do we document how to build our network and add new users?
  12. Do we have an employee handbook?
  13. Do we have an IT or Acceptable Use policy?
  14. Do we have a company training program?
  15. Do we know what users logged on when, and what they are allowed to see?
  16. Do we have a Controlled Unclassified Information policy?
  17. Do we have procedures in place to implement policies?
  18. Do we budget to ensure these procedures occur?
  19. Have we read NIST SP 800-171?
  20. Do we have a POA&M?
  21. Do we know what risks and threats our company faces when handling Controlled Unclassified Information?


You will need cybersecurity experts. You do not need a gap analysis. Not yet.

For now, Grow the SSP and Shrink the POA&M.

Featured Image: A student in the Turbine Systems Technician Electrical “C” School asks a question. flickr photo by Official U.S. Navy Imagery shared under a Creative Commons (BY) license
