Phase 01 / Diagnose CMMC Gap Assessment

The real SPRS score most contractors don't see coming.

Self-assessed scores run 100 points higher than what a real assessor finds. Most contractors don't learn this until their C3PAO walks in — and by then there's no time to fix it. We produce the SPRS score that holds up to assessor scrutiny, plus the documented foundation to close every gap before certification.

UK government cleared engineering team · Cyber AB Registered Practitioner registration in progress · Senior-only delivery — no junior handoffs after SOW signature

Average score gap 100pt

Between self-assessed and a real assessor's score, on the same environment.

Assessment objectives 320

In NIST 800-171A. We test all of them — not just the 110 controls.

Engagement length 4–6wks

Kickoff to defensible report. Six weeks for multi-site or complex cloud.

Major C3PAOs are sequencing 2026 capacity now. The companies that start now get assessed. The rest wait.

What you walk away with

Six deliverables. Built to hold up.

Not a 200-page audit dump. Each deliverable is structured around what a C3PAO assessor will actually ask for — and what your implementation team needs to act on.

01

Real SPRS Score

Scoring · 110 controls

Calculated using the official DoD methodology. Every one of the 110 controls scored, with the per-control deduction documented so you can defend each line. Submission-ready for SPRS upload — the number you submit is the number an assessor will find on the day. No optimistic rounding.
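To make the scoring rule concrete, here is a small calculator written for this page (added example, not Ancitus tooling) that applies the DoD NIST SP 800-171 Assessment Methodology rules: start at 110, subtract each unimplemented control's weight of 5, 3 or 1, score partial implementation as not implemented, and apply the only two partial-credit exceptions the methodology allows (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography). The weight table and both sets of findings below are constructed for illustration and cover only a handful of controls; a real score requires the full 110-control Annex A table.

```python
"""SPRS score calculator following the DoD NIST SP 800-171 Assessment Methodology
scoring rules. Added example for this page; not Ancitus tooling."""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

MAX_SCORE = 110

# Weight table CONSTRUCTED for this example: a handful of controls, not the
# full 110. Replace with the published Annex A table before scoring a real
# environment; the number is only meaningful against the complete table.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users, processes, devices
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.3": 1,    # review and update logged events
    "3.5.3": 5,    # multifactor authentication (partial-credit rule below)
    "3.8.7": 5,    # control use of removable media
    "3.12.4": 0,   # system security plan: no point value, but see score()
    "3.13.11": 5,  # FIPS-validated cryptography (partial-credit rule below)
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}


class Status(str, Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not implemented"
    PARTIAL = "partially implemented"  # methodology: scored as not implemented
    # The only two partial-credit states the methodology allows (-3 each):
    MFA_REMOTE_PRIV_ONLY = "MFA for remote and privileged users only"  # 3.5.3
    NON_FIPS_ENCRYPTION = "encryption in use but not FIPS-validated"   # 3.13.11


@dataclass(frozen=True)
class Deduction:
    control: str
    points: int
    reason: str


def _control_key(control_id: str) -> Tuple[int, ...]:
    """Sort '3.1.20' after '3.1.2', not between '3.1.1' and '3.1.3'."""
    return tuple(int(part) for part in control_id.split("."))


def score(statuses: Dict[str, Status],
          weights: Dict[str, int] = WEIGHTS) -> Tuple[int, List[Deduction]]:
    """Return (SPRS score, per-control deductions) for one set of findings."""
    missing = sorted(set(weights) - set(statuses), key=_control_key)
    if missing:
        raise ValueError(f"no finding recorded for controls: {missing}")
    # Methodology rule: without an SSP the assessment cannot be completed at all.
    if statuses.get("3.12.4", Status.IMPLEMENTED) is not Status.IMPLEMENTED:
        raise ValueError("3.12.4: no System Security Plan; assessment cannot be scored")

    deductions: List[Deduction] = []
    for control in sorted(weights, key=_control_key):
        status = statuses[control]
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.MFA_REMOTE_PRIV_ONLY:
            if control != "3.5.3":
                raise ValueError(f"{control}: MFA partial credit applies to 3.5.3 only")
            deductions.append(Deduction(control, 3, status.value))
        elif status is Status.NON_FIPS_ENCRYPTION:
            if control != "3.13.11":
                raise ValueError(f"{control}: FIPS partial credit applies to 3.13.11 only")
            deductions.append(Deduction(control, 3, status.value))
        else:
            # NOT_IMPLEMENTED and PARTIAL both lose the full weight; an open
            # POA&M entry does not restore any points.
            deductions.append(Deduction(control, weights[control], status.value))
    return MAX_SCORE - sum(d.points for d in deductions), deductions


def score_gap(self_assessed: Dict[str, Status], assessor: Dict[str, Status]) -> int:
    """Points by which the self-assessment overstates the assessor's score."""
    return score(self_assessed)[0] - score(assessor)[0]


def deduction_report(deductions: List[Deduction]) -> List[str]:
    """One defensible line per deduction, ready for the SPRS worksheet."""
    return [f"{d.control:<8} -{d.points}  {d.reason}" for d in deductions]


# Constructed findings: what the contractor self-reported versus what
# objective-level evidence testing found on the same environment.
SELF_ASSESSED: Dict[str, Status] = {c: Status.IMPLEMENTED for c in WEIGHTS}
SELF_ASSESSED["3.1.20"] = Status.NOT_IMPLEMENTED

ASSESSOR_VIEW: Dict[str, Status] = {
    **SELF_ASSESSED,
    "3.3.3": Status.PARTIAL,
    "3.5.3": Status.MFA_REMOTE_PRIV_ONLY,
    "3.8.7": Status.NOT_IMPLEMENTED,
    "3.13.11": Status.NON_FIPS_ENCRYPTION,
    "3.14.1": Status.PARTIAL,
}

if __name__ == "__main__":
    for label, findings in (("self-assessed", SELF_ASSESSED), ("assessor", ASSESSOR_VIEW)):
        total, deds = score(findings)
        print(f"{label}: {total}")
        print("\n".join(deduction_report(deds)))
    print("gap:", score_gap(SELF_ASSESSED, ASSESSOR_VIEW))
```

Two design points match how an assessor works: partial implementation earns nothing except in the two cases the methodology names, and a missing SSP stops the scoring entirely rather than costing points. Keeping every deduction as a (control, points, reason) record is what lets you defend each line on assessment day.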

02

System Security Plan

Policy · 14 domains

Minimum viable SSP covering all 110 controls. The foundation document the C3PAO reads first — and the same one every other deliverable hangs off. Written in plain language, not legalese, so your team and your assessor read the same thing. Refined further during Implementation.

03

Plan of Action & Milestones

Remediation tracking · POA&M

POA&M for every non-implemented or partial control, mapped to specific assessment objectives. Prioritized by risk and effort — not just by compliance gap. High-impact, low-effort items first. Closure dates your team can actually hit.

04

CUI Scoping Artifacts

Data flow · Asset inventory

CUI boundary diagram, data flow inventory, and asset inventory by CMMC scoping category. The artifacts that make your SPRS score defensible at the assessment. Without them, scope drifts during Implementation and assessors find what your team missed.

05

Customer Responsibility Matrix

CSP controls · Inherited & shared

Per cloud platform in your scope (GCC High, Azure Government, AWS GovCloud). Documents which controls inherit from your CSP, which are shared, and which are entirely on you. Documents zero CUI exposure on Ancitus systems — recognized by every assessor we've worked with.

06

Prioritized Remediation Roadmap

Execution plan · Implementation-ready

The synthesis output. What to fix, in what order, with effort estimates. Structured around an implementation-ready execution plan — not a recommendation list. Your team can act on it Monday, or hand it to whichever consultancy delivers Implementation.

How we work

Four weeks. End to end.

Standard engagements run four weeks from kickoff to final report walkthrough. Six weeks for environments with multi-site or complex cloud topology. The principal is in every meeting — no junior handoffs after SOW signature.

01
Week 1

Discovery & CUI Scoping

Kickoff call, environment walkthrough, CUI inventory and boundary, asset categorization by scoping category. We work inside your tenant under your access from day one.

02
Week 2

Control Assessment

Walk through all 110 controls against your environment, documenting existing implementations, the evidence collected for each, and partial-implementation states. Stakeholder interviews where needed.

03
Week 3

Objective Testing & SPRS Scoring

All 320 assessment objectives tested with evidence verification. SPRS score calculated using the official methodology. Initial gap findings shared with you in real time as we work.

04
Week 4

Reporting & Walkthrough

Full deliverable package compiled. Executive walkthrough with you and your leadership team. Recommendations, prioritized roadmap, and next steps — including whether Implementation is the right next move.

After the report

You walk away with a defensible starting point. Continue with Ancitus, hand to your in-house team, or take it to another consultancy. No commitment to the Implementation engagement.

What makes it defensible

Three things most gap assessments miss.

CMMC gap assessments are commodity-priced because most are commodity-quality. Three things separate a defensible gap assessment from a checklist exercise.

01 / Methodology

Evidence-driven, not checklist-driven.

A checklist tells you what's missing. An evidence-driven assessment tells you whether what you have actually works. The C3PAO assessment is evidence-driven — your gap assessment needs to be too. We test all 320 objectives against your real environment, not a self-attestation form.

02 / Depth

320 objectives, not 110 controls.

Most gap assessments evaluate at the 110-control level. The C3PAO assesses at the 320-objective level. That difference is where failures surface: a control marked "implemented" at the control level routinely has individual objectives with no evidence behind them, and on assessment day the assessor typically finds 30 or more of them. We bake the objective-level discipline in from week one.

03 / Delivery

Principal on every meeting.

Most CMMC firms front the sale with a senior partner and hand the gap assessment to junior consultants. We don't. The principal runs every kickoff, every interview, every walkthrough. Senior engineers with active UK government clearance handle every technical evaluation. Zero juniors learning on your CUI environment.

Where gap assessments fail

Six gap-stage pitfalls. All preventable.

Patterns we see when contractors come to us mid-stream, most having already paid for one gap assessment that didn't hold up. Each is preventable, but only if someone on your team knows what to look for.

01 SPRS scoring

Self-assessing at 95 when the real score is 50.

Self-assessed SPRS scores average ~100 points higher than what a real assessor finds. Most contractors don't know how wrong their score is until they're already losing time at the C3PAO.

02 CUI scoping

Scoping CUI too narrowly.

CUI gets defined too narrowly during scoping. Three months into Implementation, a system outside the declared boundary turns out to process CUI. The entire control assessment has to be re-run, and the remediation budget doubles.

03 Documentation depth

Documenting 110 controls, not 320 objectives.

The gap report looks clean on the surface — every control is "documented." Then the C3PAO finds 30+ objectives without evidence because the assessor tests at the objective level, not the control level. The discipline must be baked in at the gap stage.

04 Boundary mapping

Skipping the CUI flow inventory.

A gap report without a CUI flow inventory leaves the assessment boundary undefined. Implementation then makes configuration changes in the wrong order, and network segmentation follows the guesswork rather than the data. The flow inventory is what fixes the boundary and makes every other deliverable defensible.

05 Methodology

Generic checklist instead of evidence-driven assessment.

A checklist gap report tells you what's missing without testing whether what you have actually works. The C3PAO assessment tests how your controls operate, not how your policies are written. A checklist-based gap report doesn't translate to that test.

06 Output framing

Treating the gap report as the destination.

Some firms deliver a gap report and walk away. The buyer is then stuck owning a 200-page document they don't know how to operationalize. The gap report has value only if the path from finding to remediation is clearly mapped and executable.

"Gap assessments fail because someone documents the obvious without testing the boundary." — Deepak Pal Singh, Founder & Principal

How we price

Fixed fee. Scoped before SOW.

Every CMMC Gap Assessment is fixed-fee, scoped on the Discovery Call, locked within one business day of the call. No hourly billing, no scope creep, no surprise invoices. Pricing depends on environment complexity, headcount, and number of locations.

Next step

A 30-minute Discovery Call.

No pitch. No slides. We review your situation, scope the engagement, and give you a candid read on the work involved. Final pricing within one business day of the call — before any SOW gets drafted.

Book a Discovery Call
  • Fixed fee, locked before any work begins. The number on the SOW is the number you pay.
  • No commitment to Implementation. Gap Assessment stands on its own. Take the deliverables to any partner — including back to your existing MSP.
  • Discovery Call is free. If we're not the right fit, we'll tell you on the call and recommend a path that is.

If we miss something material

We revise the gap analysis at no additional charge. If we miss a CUI flow, an asset, or a control objective that's material to your SPRS score, we go back in, find it, document it, and update your deliverables. That's our standard — written into every Gap Assessment SOW.

Honest answers

Nine questions. Honest answers.

In rough order of how often they come up on Discovery Calls. The top group covers the four questions that determine whether an engagement is even possible — including the one most consultancies hide.

The basics — Where they actually arise

Q01

Will my real SPRS score be significantly lower than what I self-reported?

Probably. Self-assessed SPRS scores run an average of 100 points higher than what a real assessor finds. Most contractors over-credit themselves on documentation rigor, MFA coverage, log review cadence, and CSP boundary clarity — exactly the areas a C3PAO walks through line by line.

Our Gap Assessment recalculates your real SPRS score using the official DoD methodology. We document the per-control deduction so you can defend each line. Your real score is the number that holds up to assessor scrutiny — not the optimistic one.

Q02

Do you need access to our CUI to perform the gap assessment?

No. We work inside your environment using your authenticated access to your tools. We never copy CUI to our laptops, our SharePoint, or our email. Our Customer Responsibility Matrix documents exactly what we touch — and what stays on your side, untouched.

The Gap Assessment evaluates whether your CUI handling is correct, scoped, and documented. We don't need to read or remove your CUI to test that. We test how it moves, where it sits, and whether your controls protect it.

Q03

You're based in the UK. Does that work for US defense contractors?

Yes for most contractors handling FCI or standard CUI — IT services, software, professional services, training, admin support, cyber, data services. We work inside your tenant under your access; nothing leaves your environment.

The exception is ITAR or EAR-controlled technical data. Under ITAR, giving a foreign person access to systems holding technical data counts as an export even if no data ever moves; the EAR calls the equivalent a "deemed export." The US Open General Licenses introduced in 2022 for the UK cover some categories without prior approval; others still need formal licensing.

We work through this on the Discovery Call. If your environment is genuinely incompatible with non-US delivery, we'll say so and refer you to a US-based RP we trust — rather than take a Gap Assessment that becomes useless to you.

Q04

Why 320 objectives instead of just 110 controls?

Because the C3PAO assesses at the 320-objective level. NIST 800-171 has 110 controls. NIST 800-171A, the assessment companion, breaks each control into specific assessment objectives, each verified by examining artifacts, interviewing staff, and testing the mechanism. That's 320 separate things an assessor checks.

Most gap assessments stop at the 110-control level because checklists are easier to build that way. An assessor will find 30 or more objectives without evidence on the day if your gap assessment didn't test at the objective level. We bake the objective discipline in from week one.

The engagement — Timing, cost, and commitment

Q05

What does it cost?

Fixed fee, scoped on the Discovery Call, locked within one business day. Pricing depends on environment complexity, contractor size, and number of locations. You have the final number before any SOW is drafted.

The Gap Assessment stands on its own. No commitment to Implementation. Take the deliverables to any partner. We don't bill by the hour and we don't have a "discovery" phase that quietly extends.

Q06

How quickly can you start?

SOW signature within one business day of the Discovery Call. Kickoff within one business week of SOW signature for standard engagements — sooner if your assessment timeline is tight. We hold capacity for active engagements, not for backlog. Once you're in, we move.

Q07

What if we've already started CMMC work with another firm?

Common situation. The Gap Assessment is exactly the right starting point — we audit where you are, what you have, and what's been done correctly. Often 30 to 50 percent of the work is reusable. We tell you what to keep, what to redo, and what's missing. No re-billing for work you've already paid for once.

If your prior engagement produced a gap report that didn't hold up, we'll tell you why — specifically. Then we either rebuild from your existing assets or start clean, whichever is cheaper for you.

Q08

What if you miss something material?

We revise it at no extra charge. If we miss a CUI flow, an asset, or a control objective that's material to your SPRS score, we go back in, find it, document it, and update the deliverables. That commitment is written into every Gap Assessment SOW.

We'd rather take the financial hit on a missed scoping call than build a business that survives by selling rework.

Q09

Can you handle our environment if it's unusual — multi-site, foreign-owned, or hybrid cloud?

Yes. Multi-site adds two weeks to the engagement and is priced accordingly. Foreign-owned (FOCI) adds a CFIUS-aware boundary review to scoping; we've worked through this pattern before. Hybrid cloud — GCC High plus AWS GovCloud, or Azure Government plus an on-premises enclave — is handled in the Customer Responsibility Matrix with one CRM per platform.

If your environment is genuinely unusual and we don't think we're the right fit, we'll say so on the Discovery Call. We'd rather refer you to a specialist than take an engagement we can't deliver well.

Discovery call

Let's see where you really stand.

Thirty minutes. No pitch. We'll review your situation, give you a candid read on the work involved, and recommend a path — even if that path isn't us.

Book a Discovery Call

We respond within one business day · Fixed-fee engagements · No CUI on Ancitus systems