What CyberGAP L1 & L2 does
CyberGAP L1 & L2 performs a free, automated self-assessment of your organization’s cybersecurity maturity against CMMC Level 1 and Level 2 requirements. It guides users through plain-language questions for each control, calculates an SPRS-style score, identifies gaps, and generates remediation reports. CyberGAP evaluates implementation status (MET, NOT MET, or NA) across relevant CMMC domains, automating what would otherwise be manual spreadsheet work.
- For Level 1, it checks 17 basic practices from FAR 52.204-21, ensuring no gaps (pass/fail only and no POA&Ms).
- For Level 2, it covers all 110 NIST SP 800-171 Rev 2 controls across 14 families, allowing limited POA&Ms and producing weighted scores (-203 to +110).
Key Capabilities by Level
| Function | CMMC Level 1 | CMMC Level 2 |
|---|---|---|
| Primary Goal | Safeguard Federal Contract Information (FCI) with basic hygiene | Protect Controlled Unclassified Information (CUI) with documented processes |
| Controls Checked | 17 practices (e.g., AC.L1-3.1.1: Authorize access; SI.L1-3.14.5: Scan files/systems) | 110 requirements (e.g., AC.L2-3.1.1-22: Advanced access; IR.L2-3.6.1: Incident response planning) |
| Scoring Output | 100% MET/NA required; simple pass/fail report | SPRS score + gap analysis; POA&Ms for unmet items (180-day limit) |
| Domains Covered | 6 families (Access Control, Awareness, Media Protection, Physical Protection, System Integrity) | 14 families (+ Audit, Configuration Management, Incident Response, Risk Assessment, etc.) |
Detailed Purpose and Benefits
The tool exists to streamline CMMC readiness scoping and gap analysis for organizations handling Federal Contract Information (FCI) at Level 1 or Controlled Unclassified Information (CUI) at Level 2. It breaks down the 17 Level 1 practices (FAR 52.204-21) or 110 Level 2 controls (NIST SP 800-171) into user-friendly, plain-language questions that anyone in IT/security can answer by reviewing policies, interviewing staff, or checking configs/logs. Ultimately, it generates an SPRS-eligible score and report to submit via PIEE, helping maintain contract eligibility while guiding remediation, acting as a lite version before full GRC platforms like CyberComply.
- Cost-Free Baseline: No signup fees or subscriptions; instant access to professional-grade assessment worth thousands in consulting time.
- Time Efficiency: Completes in hours/days vs. weeks for manual processes; auto-scores and prioritizes fixes.
- Actionable Outputs: Detailed PDF reports with gap lists, remediation templates, and progress tracking that are directly uploadable to SPRS for annual affirmations.
- Risk Reduction: Prevents surprises in C3PAO audits by surfacing issues early; Level 1 ensures 100% compliance, Level 2 flags POA&Ms (limited to 180 days).
- Scalability Path: Seamless import to Armada’s CyberComply for evidence management, SSPs, and mock audits, ideal for growing from self-assessment to certification.
How to Use It:
- Access and Register: Visit the official website, enter your organization details, and select Level 1 or Level 2. No cost or credit card needed.
- Scope Your Assessment: Define your authorization boundary. Document network diagrams if needed.
- Answer Controls: For each domain, respond YES/NO/NA to implementation questions like “Do you limit system access to authorized users?” Examine policies, configs, logs, and interview admins.
- Review Results: Get an instant gap report, SPRS score, and prioritized fixes. Export the PDF for SPRS upload via PIEE (requires Cyber Vendor User role).
- Remediate and Reassess: Fix gaps, re-run assessments (Level 1 expires yearly). Migrate to CyberComply for task dashboards and evidence.
Final Thoughts
Cyber insurance is essential for businesses to protect against costly cyberattacks like ransomware and data breaches, covering recovery, legal fees, and lost income that standard policies often miss. Tools like CyberGAP L1 and L2 from Armada Cyber Defense offer free self-assessments to check compliance with key cybersecurity standards, such as CMMC for defense contractors, highlighting gaps for quick fixes. Together, they provide a smart strategy: use compliance tools to strengthen defenses and lower premiums, then secure insurance via brokers for full financial safety, so start with a risk check today to stay ahead of 2026 threats.
FAQs
What is CyberGAP?
A no-cost online questionnaire that scores your CMMC Level 1 (17 controls) or Level 2 (110 controls) gaps for SPRS submission.
Is it free or paid?
Completely free; no login required for basic use, generates instant reports.
What’s the difference between L1 and L2 in CyberGAP?
L1 self-assesses basic FCI protections whereas L2 dives into full NIST 800-171 for CUI, flagging POA&Ms.
How long does it take?
It takes about 5-15 minutes per level.





