
CMMC Gap Assessment in New Mexico: Where Defense Contractors Should Start

  • Writer: Brandon Alsup
  • May 4
  • 9 min read

Updated: May 11

Two people discuss documents at a table in an office with a mountain view. Text reads "CMMC Gap Assessment: Where to Start?"

If you are a defense contractor in New Mexico and a CMMC clause just appeared in a contract, or a prime sent you a cybersecurity requirement you were not expecting, the first question is usually practical: where do we start?


For many small and mid-sized contractors, the answer is a CMMC gap assessment.


A gap assessment does not certify you. It does not make the work disappear. It gives you a clear, defensible view of your current position, the requirements that apply to your organization, and the work required before you can move toward self-assessment or certification.


CMMC compliance starts with knowing where you stand

Many contractors supporting work tied to Kirtland Air Force Base, White Sands Missile Range, Holloman AFB, Cannon AFB, Sandia National Laboratories, Los Alamos National Laboratory, or other parts of the Southwest defense ecosystem do not arrive at CMMC from a position of readiness. They arrive because a contract, subcontract, prime contractor request, or flowdown requirement suddenly made compliance urgent.


The instinct is often to start fixing things immediately: buy a tool, update passwords, call the IT provider, or start writing policies. Some of that work may be necessary. But without understanding your actual compliance position, you can easily spend time and money on the wrong problems.


A CMMC gap assessment helps replace guesswork with a structured view of what is required, what is already in place, and what still needs to be addressed.


What is a CMMC gap assessment?

A CMMC gap assessment is a structured evaluation of your current environment against the cybersecurity requirements your contract or expected contract path demands.


For organizations handling Controlled Unclassified Information (CUI), that means evaluating against the 110 security requirements in NIST SP 800-171 Revision 2, which currently form the basis of CMMC Level 2. Organizations that handle only Federal Contract Information (FCI) and no CUI fall under CMMC Level 1, which is limited to the 15 basic safeguarding requirements of FAR 52.204-21. The right starting point is to determine what information your systems process, store, or transmit, and what level your contract or prime is requiring; a contractor who assumes Level 1 and later finds CUI in email or a shared drive has scoped the wrong assessment.


A gap assessment typically produces a clear picture of three things: where you are today, where you need to be, and what work stands between those two points.


What a CMMC gap assessment should cover

1. Assessment scope

Before you can evaluate compliance, you need to know which systems, users, locations, vendors, and workflows are part of the environment being assessed. Which systems process, store, or transmit CUI? Which assets protect those systems? Which external providers can access or support them?


This is often where contractors find the first surprises. A business may believe CUI is limited to one folder or one project, only to discover that email, file sharing, endpoints, cloud platforms, vendors, or remote access practices make the assessment scope larger than expected.


2. Requirement-by-requirement review

For CMMC Level 2, the assessment is built around the 110 NIST SP 800-171 Revision 2 security requirements, organized across 14 requirement families such as access control, incident response, configuration management, media protection, audit and accountability, and system and communications protection.


A useful gap assessment walks through those requirements and determines whether each one appears to be met, partially met, or not met based on the current environment and available evidence. The purpose is not to make the organization feel behind. The purpose is to identify the work clearly enough that leadership can make decisions.


3. Documentation and evidence review

CMMC readiness is not only a technology issue. Contractors also need documentation and evidence that reflect how the environment actually operates.

A gap assessment should review whether the organization has a System Security Plan (SSP), whether that SSP is accurate, whether policies and procedures exist where needed, and whether there are records that support the organization’s claims. In a formal assessment, saying “we do this” is not enough. The organization needs to show that the practice is implemented and maintained.


4. Gap prioritization

Not every gap carries the same compliance impact, security risk, cost, or implementation effort. Some gaps may require policy cleanup. Others may require architectural changes, stronger identity controls, logging improvements, vendor changes, or a different approach to how CUI is handled.


The best output of a gap assessment is not a long spreadsheet of problems. It is a prioritized path that helps the organization understand what to fix first, what can come later, and what dependencies need to be managed.
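As an added illustration of the requirement-by-requirement review and the prioritization step above (this is not code from the original article or from TK Compliance), the following Python turns a gap register into the score DoD uses for SPRS submissions and CMMC Level 2, flags "met" claims that have no evidence behind them, and orders the remaining gaps by compliance impact. The weight table is an assumed subset of the DoD Assessment Methodology, not the full list of 110, and the effort estimates and register entries are constructed sample data; a real register must carry every requirement with weights verified against the published methodology.

```python
"""Gap register -> SPRS-style score, unevidenced claims, and a prioritized gap list."""
from dataclasses import dataclass
from typing import List, Optional

MET, PARTIAL, NOT_MET = "met", "partial", "not_met"

# ASSUMPTION: illustrative subset of DoD Assessment Methodology weights (1, 3 or 5).
# The real table covers all 110 requirements; verify each weight before relying on a score.
WEIGHTS = {
    "3.1.1": 5,    # Limit system access to authorized users/processes/devices
    "3.1.2": 5,    # Limit access to permitted transactions and functions
    "3.1.3": 1,    # Control the flow of CUI
    "3.3.1": 5,    # Create and retain audit logs
    "3.4.1": 5,    # Baseline configurations and inventories
    "3.5.3": 5,    # Multifactor authentication
    "3.6.1": 5,    # Incident-handling capability
    "3.8.3": 5,    # Sanitize media before disposal or reuse
    "3.13.11": 5,  # FIPS-validated cryptography protecting CUI
    "3.14.1": 5,   # Identify, report and correct flaws
}
# The methodology grants partial credit only here: MFA in place for remote and
# privileged users but not general users, and encryption in use that is not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
MAX_SCORE = 110
SSP_REQUIREMENT = "3.12.4"  # no SSP means no assessment can be conducted at all


@dataclass
class Finding:
    req_id: str
    status: str
    evidence: str      # what you could hand an assessor; "" if nothing exists
    effort_days: int   # ASSUMPTION: rough remediation estimate used only for ordering


def deduction(f: Finding) -> int:
    """Points lost for one requirement. 'partial' is full deduction except where
    the methodology explicitly allows partial credit."""
    if f.req_id == SSP_REQUIREMENT or f.status == MET:
        return 0
    if f.status == PARTIAL and f.req_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[f.req_id]
    return WEIGHTS[f.req_id]


def sprs_score(findings: List[Finding]) -> Optional[int]:
    """110 minus deductions; None when the SSP is missing (unscorable)."""
    if any(f.req_id == SSP_REQUIREMENT and f.status != MET for f in findings):
        return None
    return MAX_SCORE - sum(deduction(f) for f in findings)


def unevidenced_claims(findings: List[Finding]) -> List[str]:
    """'We do this' with nothing to show is not 'met' in a formal assessment."""
    return [f.req_id for f in findings if f.status == MET and not f.evidence.strip()]


def prioritized_gaps(findings: List[Finding]) -> List[str]:
    """Highest point impact first; among equal impact, the cheaper fix first."""
    gaps = [f for f in findings if deduction(f) > 0]
    return [f.req_id for f in sorted(gaps, key=lambda f: (-deduction(f), f.effort_days))]


# Constructed sample register for a small contractor (not real assessment data).
SAMPLE_REGISTER = [
    Finding("3.12.4", MET, "SSP v1.2, reviewed by owner", 0),
    Finding("3.1.1", MET, "IdP group-based access; quarterly access review records", 0),
    Finding("3.1.3", NOT_MET, "", 10),
    Finding("3.3.1", PARTIAL, "Logs retained on servers only, not on endpoints", 15),
    Finding("3.5.3", PARTIAL, "MFA on cloud accounts; VPN still password-only", 5),
    Finding("3.8.3", MET, "Disposal log with sanitization certificates", 0),
    Finding("3.13.11", NOT_MET, "TLS to file share uses non-validated module", 20),
    Finding("3.14.1", MET, "", 0),   # claimed, but no patch records to show
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_REGISTER))
    print("claimed without evidence:", unevidenced_claims(SAMPLE_REGISTER))
    print("fix in this order:", prioritized_gaps(SAMPLE_REGISTER))
```

Two points the code makes concrete: a "partial" MFA or cryptography implementation costs 3 points rather than 5, but a partial implementation of anything else costs the full weight, which is why "we mostly do this" rarely helps a score; and a missing SSP does not lower the score, it prevents one from being produced at all.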


What a gap assessment is not

A CMMC gap assessment is not a certification. It does not create a passing score, and it does not by itself make an organization compliant.


It is also not the same as a formal CMMC certification assessment. CMMC Level 2 certification assessments are conducted by an authorized C3PAO; Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Whether a given contract requires a Level 2 self-assessment or a Level 2 certification assessment is set by the solicitation, not by the contractor. A gap assessment is preparation. It helps determine whether you are ready for the required assessment path and what needs to be corrected before you get there.


A gap assessment is also not a one-time checkbox. Contractors change systems, add users, switch vendors, take on new projects, and receive new contract requirements. The real value comes when the assessment leads to an ongoing compliance program that can be maintained, not a document that sits unused after the first review.


Why New Mexico defense contractors should pay attention now

CMMC implementation is now underway. Phase 1 began on November 10, 2025 and runs through November 9, 2026. During this phase, applicable solicitations primarily focus on CMMC Level 1 and Level 2 self-assessments, with annual affirmations submitted in SPRS. Broader Level 2 certification requirements begin in Phase 2 on November 10, 2026, although DoD may require Level 2 certification earlier for selected procurements.


For contractors and subcontractors, the practical point is simple: when CMMC requirements appear in a solicitation, contract, subcontract, or prime contractor flowdown, the organization needs to understand what status is required and whether its systems can support that requirement.


That matters for the small and mid-sized companies that make up much of the defense supply chain. A 30-person engineering firm supporting work connected to White Sands may not have a compliance department. A fabrication shop with a subcontract tied to Kirtland may not have an in-house CISO. A technical services company supporting a prime may have good IT practices but limited documentation. These organizations can still make progress, but they need a practical starting point.


A CMMC gap assessment gives leadership that starting point. It shows which requirements are already supported, which gaps need attention, and what level of remediation, documentation, and operational change may be required before the company can make defensible compliance claims.


How Much Does a CMMC Gap Assessment Cost?

CMMC gap assessment pricing varies widely because not every “gap assessment” means the same thing.


Some firms offer lightweight readiness reviews or automated checklist assessments for a few thousand dollars. Those may be useful for very small organizations trying to get an early sense of where they stand, but they are not the same as a detailed Level 2 gap assessment that reviews scope, systems, documentation, evidence, technical controls, and remediation priorities across the 110 security requirements in NIST SP 800-171.


For most defense contractors working toward CMMC Level 2, a serious gap assessment is a professional services engagement, not a quick scan.


At TK Compliance, CMMC gap assessments typically start around $20,000 for the simplest organizations. Most organizations we work with should expect a range of roughly $35,000 to $60,000, depending on scope and complexity.


The cost usually depends on several factors:

  • How much of your environment is in scope. The more systems, users, locations, cloud platforms, vendors, and business units that store, process, transmit, or protect Controlled Unclassified Information (CUI), the more work is required to define the assessment boundary and evaluate the environment.

  • Whether your CUI boundary is already understood. If your organization already has a clear system boundary, documented asset inventory, known data flows, and a current System Security Plan (SSP), the assessment can move faster. If the first phase of work is figuring out where CUI actually lives, the project becomes more involved.

  • The maturity of your documentation. CMMC is not only about whether tools exist. It is also about whether your practices are documented and supported by evidence. Missing, outdated, or inaccurate policies, procedures, SSPs, Plans of Action and Milestones (POA&Ms), access records, configuration records, and incident response documentation can significantly expand the assessment effort.

  • The complexity of your IT environment. A small company using a controlled cloud environment, standardized endpoints, and a limited number of applications is different from an organization with legacy servers, multiple networks, unmanaged devices, third-party providers, engineering systems, remote users, and mixed cloud/on-premises infrastructure.

  • The level of control-by-control validation required. A high-level readiness conversation is one thing. A detailed review aligned to NIST SP 800-171 and CMMC Level 2 expectations requires interviews, evidence requests, documentation review, technical validation, scoring, gap analysis, and a prioritized remediation roadmap.

  • Whether the assessment is only diagnostic or includes remediation planning. Some assessments stop at “met / not met.” A more useful engagement explains what the gaps mean, which gaps matter most, what needs to happen next, and how the organization can move toward a defensible compliance posture.


The most important thing is not to choose a gap assessment based on the lowest quoted price. A cheap assessment that misses scope, overlooks evidence, or gives leadership a false sense of readiness can become expensive later — especially if the organization discovers those problems during a prime review, customer request, SPRS submission, or formal C3PAO assessment.


A good gap assessment should leave you with a clear answer to three questions:

  1. What is actually in scope?

  2. Where do we currently stand against the applicable CMMC requirements?

  3. What must we do next, in what order, to move toward a defensible compliance position?


That is the work you are paying for. Not a checklist. Not a certificate. Not a generic report.


Clarity.


What happens after a CMMC gap assessment?

A well-run CMMC gap assessment should leave you with a clearer view of your current compliance position and a prioritized plan for moving forward.


For many SMB defense contractors, the next phase includes a combination of technical remediation, documentation work, and operational changes. Technical remediation may include identity management, endpoint security, logging, access control, configuration management, or secure cloud practices. Documentation work may include creating or repairing the SSP, policies, procedures, and evidence collection. Operational changes may include training staff, tightening vendor access, defining responsibility for recurring tasks, and making sure the organization actually follows the practices described in its documentation.


The goal is not to look compliant for one assessment day. The goal is to build a compliance posture that can be explained, evidenced, maintained, and updated as contracts and systems change.


Where TK Compliance fits

TK Compliance helps defense contractors and subcontractors in New Mexico and the Southwest understand and prepare for CMMC requirements. Our work is focused on the practical readiness issues contractors face: assessment scope, security gaps, documentation, evidence, technical remediation planning, and the steps required to move toward a defensible compliance position.

We do not replace a formal C3PAO assessment when certification is required. Instead, we help organizations understand what their contract path appears to require, where they stand today, and what needs to happen before they pursue self-assessment or certification.


If you received a CMMC flowdown requirement and are not sure what it means for your organization, the right first step is not necessarily a new tool or a rushed project. It is a clear conversation about your contract requirement, your environment, and your readiness.


Schedule a CMMC discovery call

You do not need to have all the answers before you call. You just need to know that a CMMC requirement may affect your business and that you need a practical way to understand what comes next.


Schedule a CMMC discovery call with TK Compliance


TK Compliance serves defense contractors and subcontractors across New Mexico and the Southwest, including organizations supporting work tied to Kirtland AFB, White Sands Missile Range, Holloman AFB, Cannon AFB, Sandia National Laboratories, Los Alamos National Laboratory, and the broader regional defense supply chain.


Source References

  • DoD CIO, About CMMC: confirms Phase 1 began November 10, 2025, focuses primarily on Level 1 and Level 2 self-assessments, and outlines the phased implementation plan.

  • eCFR, DFARS 252.204-7021: confirms contract requirements for current CMMC status, annual affirmation in SPRS, flowdown to subcontractors, and CMMC UID/reporting obligations.

  • DoD CIO CMMC FAQ / CMMC 101 materials: confirm Level 2 is aligned with NIST SP 800-171 Revision 2, includes 110 requirements, and that Level 2 may be self-assessed or C3PAO-assessed depending on the contract requirement.


Disclaimer


The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. TK Compliance is not liable for improper use of this information.

