Gap, readiness, mock: which CMMC assessment do you need?
“Readiness” is a word that providers use in three materially different ways. A gap assessment, a readiness review, and a mock assessment look similar on a one-page sales sheet and feel completely different when you are paying for them. Choosing the wrong one is a quietly common way to overspend.
This is a short field guide to telling them apart and picking the one that matches where you are.
Gap assessment: for “we don’t know what we don’t know”
A gap assessment is a structured comparison of your current state against the relevant baseline. For Level 2, that baseline is the NIST SP 800-171 security requirements. Its job is to produce a list of things you are missing or doing partially, in enough detail to plan against.
Gap assessments are most useful early. They are also where some providers do their cheapest work: a generic questionnaire walkthrough that names 110 controls and finds “30 gaps,” without ever opening your actual configuration. A useful gap assessment looks at evidence, not just answers; it leaves you with a remediation plan, not just a heatmap.
Ask the provider: “Will you reach into our tenants and evidence, or is this an interview-only exercise?”
Readiness review: for “we’ve been working on this for months”
A readiness review assumes the gap work is largely done. It is a rehearsal: someone with an assessor's mindset stress-tests your SSP, POA&M, evidence, and operational reality against the NIST SP 800-171A assessment objectives [1] and tells you where a real C3PAO is likely to push back.
Done well, a readiness review is the highest-impact pre-assessment investment for buyers approaching a formal engagement. Done badly, it is a re-skinned gap assessment that finds the same handful of gaps the original gap assessment already documented. The single best filter is whether the reviewer is willing to identify the specific items that would cause an assessor to score you a “Not Met.”
Mock assessment: for the week before you book a C3PAO
A mock assessment is the closest civilian-side rehearsal of an actual C3PAO certification. It is structured around the real assessment method, runs against your real evidence, and is meant to surface the findings you do not want to first hear from your certifier.
C3PAO firms vary on whether they will perform a mock assessment for clients they expect to certify later. Schellman, for example, is publicly authorized to perform CMMC Level 2 and Level 3 assessments [2]; their willingness to also pre-assess the same client is a provider-by-provider question. Either way, an honest C3PAO will tell you, up front and in writing, where their advisory line is.
A fourth thing called readiness: continuous
Vendors increasingly market “continuous” or “managed GRC” offerings. Summit 7’s Commander Managed GRC, for example, is marketed for “continuous NIST SP 800-171 coverage” [3]. These are not assessments. They are subscription engagements aimed at keeping evidence current between gap, readiness, mock, and the next recertification cycle.
Continuous offerings can be valuable. They can also be a graceful way for a provider to monetize the same evidence-collection conversations across many quarters. As with any subscription, the question is whether you would re-buy it knowing what you know after twelve months, not whether it sounds reassuring at the first sales call.
Picking one
A rough rule that works for most buyers:
- You don’t have an SSP, or the SSP is much newer than the environment it describes: gap assessment.
- You have an SSP and POA&M, and you’ve been remediating for at least two quarters: readiness review.
- You have a target C3PAO in mind and are 30 to 90 days away from booking: mock assessment.
- You’ve passed and want to stay passed: managed GRC / continuous, applied skeptically.