CyberGAP L1 & 2 by Armada Cyber Defense

CyberGAP L1 & 2 by Armada Cyber Defense is a free, self-service tool for DoD contractors to perform gap analyses against CMMC Level 1 and Level 2 controls. It uses plain-language questions to assess your current cybersecurity practices, auto-calculates an SPRS-style score, identifies gaps, and generates reports with remediation roadmaps.

What CyberGAP L1 & L2 does

CyberGAP L1 & 2 performs a free, automated self-assessment of your organization’s cybersecurity maturity against CMMC Level 1 and Level 2 requirements. It guides users through plain-language questions for each control, calculates an SPRS-style score, identifies gaps, and generates remediation reports. CyberGAP evaluates implementation status (MET, NOT MET, or NA) across relevant CMMC domains, automating what would otherwise be manual spreadsheet work.

      • For Level 1, it checks 17 basic practices from FAR 52.204-21, ensuring no gaps (pass/fail only and no POA&Ms).
      • For Level 2, it covers all 110 NIST SP 800-171 Rev 2 controls across 14 families, allowing limited POA&Ms and producing weighted scores (-203 to +110).

    Key Capabilities by Level

    Function | CMMC Level 1 | CMMC Level 2
    --- | --- | ---
    Primary Goal | Safeguard Federal Contract Information (FCI) with basic hygiene | Protect Controlled Unclassified Information (CUI) with documented processes
    Controls Checked | 17 practices (e.g., AC.L1-3.1.1: Authorize access; SI.L1-3.14.5: Scan files/systems) | 110 requirements (e.g., AC.L2-3.1.1-22: Advanced access; IR.L2-3.6.1: Incident response planning)
    Scoring Output | 100% MET/NA required; simple pass/fail report | SPRS score + gap analysis; POA&Ms for unmet items (180-day limit)
    Domains Covered | 6 families (Access Control, Awareness, Media Protection, Physical Protection, System Integrity) | 14 families (+ Audit, Configuration Management, Incident Response, Risk Assessment, etc.)

    Detailed Purpose and Benefits

    The tool exists to streamline CMMC readiness scoping and gap analysis for organizations handling Federal Contract Information (FCI) at Level 1 or Controlled Unclassified Information (CUI) at Level 2. It breaks down the 17 Level 1 practices (FAR 52.204-21) or 110 Level 2 controls (NIST SP 800-171) into user-friendly, plain-language questions that anyone in IT/security can answer by reviewing policies, interviewing staff, or checking configs/logs. Ultimately, it generates an SPRS-eligible score and report to submit via PIEE, helping maintain contract eligibility while guiding remediation. It serves as a lite version ahead of full GRC platforms like CyberComply.

        • Cost-Free Baseline: No signup fees or subscriptions; instant access to professional-grade assessment worth thousands in consulting time.
        • Time Efficiency: Completes in hours/days vs. weeks for manual processes; auto-scores and prioritizes fixes.
        • Actionable Outputs: Detailed PDF reports with gap lists, remediation templates, and progress tracking, directly uploadable to SPRS for annual affirmations.
        • Risk Reduction: Prevents surprises in C3PAO audits by surfacing issues early; Level 1 ensures 100% compliance, Level 2 flags POA&Ms (limited to 180 days).
        • Scalability Path: Seamless import to Armada’s CyberComply for evidence management, SSPs, and mock audits, ideal for growing from self-assessment to certification.

      How to Use It:

          • Access and Register: Visit the official website, enter your organization details, and select Level 1 or Level 2. No cost or credit card needed.
          • Scope Your Assessment: Define your authorization boundary. Document network diagrams if needed.
          • Answer Controls: For each domain, respond YES/NO/NA to implementation questions like “Do you limit system access to authorized users?” Examine policies, configs, logs, and interview admins.
          • Review Results: Get an instant gap report, SPRS score, and prioritized fixes. Export a PDF for SPRS upload via PIEE (requires Cyber Vendor User role).
          • Remediate and Reassess: Fix gaps, re-run assessments (Level 1 expires yearly). Migrate to CyberComply for task dashboards and evidence.