The following is a redacted example of a gap report produced during a UCS engagement. Sensitive fields have been removed. Company identity is fictional. Control findings and scoring are representative of a mid-size Virginia defense subcontractor entering Phase 2.
Apex Defense Solutions LLC is a Virginia-based engineering services firm operating under active DoD contracts requiring compliance with NIST SP 800-171 and CMMC Level 2. This assessment was conducted across 110 applicable practices covering 14 control domains. At the time of assessment, the organization had achieved full compliance on 35 practices, partial implementation on 36, and had not addressed 39 practices — yielding a calculated SPRS score of 47 out of 110.
The most significant deficiencies are concentrated in System and Communications Protection (SC), Access Control (AC), and Audit and Accountability (AU). Critical gaps include the absence of encryption on CUI-handling internal systems, active shared administrator credentials with no individual accountability, and audit log retention that falls materially below the 90-day minimum requirement. These three findings alone represent the highest-risk exposure to contract performance and assessment outcome.
With targeted remediation in the sequence documented in this report, the organization can project a score in the 85–95 range within a 60–90 day engagement window. The POA&M items identified are scoped for the existing IT team with selective vendor assist. No major infrastructure replacement is required. The primary effort is documentation, configuration hardening, and access model restructuring.
Score is self-attested per DFARS 252.204-7019 methodology. Assessment conducted March 2026. Contracting officer notification required for scores below 70.
| Domain | Family | Compliant / Total | Partial | Non-Compliant | Risk |
|---|---|---|---|---|---|
| AC | Access Control | 8/22 | 7 | 7 | High |
| AT | Awareness and Training | 1/3 | 1 | 1 | Low |
| AU | Audit and Accountability | 2/9 | 4 | 3 | Medium |
| CM | Configuration Management | 2/9 | 3 | 4 | Medium |
| IA | Identification and Authentication | 4/11 | 4 | 3 | Medium |
| IR | Incident Response | 1/3 | 1 | 1 | Low |
| MA | Maintenance | 2/6 | 2 | 2 | Medium |
| MP | Media Protection | 3/9 | 3 | 3 | Medium |
| PE | Physical Protection | 4/6 | 1 | 1 | Low |
| PS | Personnel Security | 1/2 | 1 | 0 | Low |
| RA | Risk Assessment | 0/3 | 1 | 2 | Medium |
| CA | Security Assessment | 1/4 | 1 | 2 | Medium |
| SC | System and Communications Protection | 4/16 | 5 | 7 | High |
| SI | System and Information Integrity | 2/7 | 2 | 3 | Medium |
- TLS 1.2 or higher not enforced on internal application servers handling CUI. Unencrypted channels identified on three endpoints.
- Fourteen shared administrator credentials in active use across engineering and operations. No individual accountability trail.
- No centralized log aggregation. Logs stored locally on endpoints; retention averages 11 days. CMMC requires 90-day minimum.
- No documented baseline configuration exists for workstations or servers. Variance from standard not detectable or enforced.
- MFA not enforced for any privileged accounts including domain admin, server admin, and remote access sessions.
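The shared-administrator finding is usually first surfaced from authentication logs rather than from an account inventory: one credential that logs on from several workstations in a short window has, by definition, no individual accountability trail. The script below is an added example (not part of the report or of any assessor tooling) showing that heuristic over a handful of constructed logon records. The record layout (timestamp, account, source workstation, source IP) and the account and host names are assumptions; a real run would feed it exported Windows 4624 events or equivalent.

```python
"""Flag administrator credentials that behave like shared accounts.

Heuristic: an account that authenticates from at least `min_sources`
distinct source hosts inside one `window` is treated as shared. This
is an added example; the sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <account> <source host> <source IP>".
# Field layout and names are assumptions, not an export format from the report.
SAMPLE_LOGONS = """\
2026-03-02T08:01:10 svc_admin ENG-WS01 10.10.1.21
2026-03-02T08:03:44 svc_admin OPS-WS07 10.10.2.45
2026-03-02T08:04:02 svc_admin ENG-WS14 10.10.1.34
2026-03-02T08:15:30 svc_admin OPS-WS02 10.10.2.12
2026-03-02T09:10:00 jdoe.adm ENG-WS03 10.10.1.23
2026-03-02T13:42:15 jdoe.adm ENG-WS03 10.10.1.23
2026-03-02T14:00:05 builder SRV-BUILD 10.10.3.10
"""


def parse_logons(text):
    """Parse whitespace-separated logon lines into dicts; skip blank/malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, host, ip = parts
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "host": host, "ip": ip})
    return records


def find_shared_credentials(records, window=timedelta(minutes=60), min_sources=3):
    """Return {account: sorted hosts} for accounts seen from >= min_sources hosts in any window."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)

    flagged = defaultdict(set)
    for account, events in by_account.items():
        events.sort(key=lambda r: r["ts"])
        # Slide a window starting at each event; collect the distinct hosts inside it.
        for i, start in enumerate(events):
            hosts = set()
            for r in events[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                hosts.add(r["host"])
            if len(hosts) >= min_sources:
                flagged[account] |= hosts
    return {account: sorted(hosts) for account, hosts in flagged.items()}


def report(flagged):
    """Render one finding line per flagged account, suitable for a gap-report appendix."""
    return [f"{account}: used from {len(hosts)} hosts ({', '.join(hosts)})"
            for account, hosts in sorted(flagged.items())]


if __name__ == "__main__":
    for line in report(find_shared_credentials(parse_logons(SAMPLE_LOGONS))):
        print(line)
```

The window and threshold are tunable; a named admin account that a single person uses from two machines in a day should not trip the check, which is why the default requires three distinct source hosts within an hour. Remediation (POA-002 below) is provisioning named privileged accounts and disabling the shared ones, after which the same script should return an empty result.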
| Item | Control | Weakness | Milestones | Resources | Scheduled | Status |
|---|---|---|---|---|---|---|
| POA-001 | SC.3.177 | CUI transmitted without encryption on internal network segments | Week 1: inventory affected systems · Week 3: TLS deployed · Week 4: scan and validate | Internal IT + vendor assist | Q2 2026 | Open |
| POA-002 | AC.2.006 | Shared administrator accounts without individual accountability | Week 1: audit accounts · Week 2: provision named accounts · Week 3: disable shared creds | Internal IT | Q1 2026 | Open |
| POA-003 | AU.2.041 | Audit logs not centralized; retention below 90-day requirement | Week 2: select SIEM · Week 4: deploy · Week 6: validate retention policy | Internal IT + MSSP | Q2 2026 | Open |
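The "validate retention policy" milestone in POA-003 needs a repeatable check rather than a one-off inspection. The script below is an added example (not from the report) that takes, per log source, the oldest and newest event timestamps still available and scores each source against the 90-day requirement stated in the findings. The inventory is constructed so that the fleet average comes out at the 11 days the report cites; source names and the inventory format are assumptions, and a source reporting no events at all is treated as zero days retained rather than skipped.

```python
"""Assess audit-log retention per log source against a required minimum.

Added example. The inventory below is constructed: each entry is
(source name, oldest retained event, newest retained event), the shape
a SIEM or endpoint collector would report during validation.
"""
from datetime import datetime

REQUIRED_DAYS = 90  # minimum stated in the gap report findings

# Constructed inventory; None for a source that currently has no retained logs.
SAMPLE_INVENTORY = [
    ("ENG-WS01", "2026-02-21T00:00:00", "2026-03-02T00:00:00"),   # 9 days
    ("ENG-WS14", "2026-02-16T00:00:00", "2026-03-02T00:00:00"),   # 14 days
    ("OPS-WS07", "2026-02-19T00:00:00", "2026-03-02T00:00:00"),   # 11 days
    ("SRV-FILE", "2026-02-20T00:00:00", "2026-03-02T00:00:00"),   # 10 days
    ("SRV-BUILD", "2026-02-19T00:00:00", "2026-03-02T00:00:00"),  # 11 days
]


def retention_days(oldest, newest):
    """Whole days of history between the oldest and newest retained events."""
    if oldest is None or newest is None:
        return 0  # no retained logs at all counts as zero, not as missing data
    span = datetime.fromisoformat(newest) - datetime.fromisoformat(oldest)
    return max(span.days, 0)


def assess_retention(inventory, required_days=REQUIRED_DAYS):
    """Return per-source days, the non-compliant sources, and the fleet average."""
    days = {name: retention_days(oldest, newest) for name, oldest, newest in inventory}
    noncompliant = sorted(name for name, d in days.items() if d < required_days)
    average = round(sum(days.values()) / len(days), 1) if days else 0.0
    return {
        "days": days,
        "noncompliant": noncompliant,
        "average_days": average,
        "compliant": not noncompliant,
    }


if __name__ == "__main__":
    result = assess_retention(SAMPLE_INVENTORY)
    print(f"average retention: {result['average_days']} days "
          f"(required {REQUIRED_DAYS}); compliant={result['compliant']}")
    for name in result["noncompliant"]:
        print(f"  {name}: {result['days'][name]} days")
```

Run the same check again after the SIEM is deployed and the retention policy is applied; POA-003 can be closed only when `compliant` is true for every source in scope, not when the fleet average crosses 90 days.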
A 20-minute call is enough to identify your critical gaps before your assessor does.