Globe-America Consulting
POLICY GAP CHECKER
NIST 800-171 · CMMC Level 2 · Policy Assessment

Included in Readiness & Governance Package

This tool is provided exclusively to Globe-America Readiness & Governance clients. Use it to assess your current policy documentation against all 14 NIST 800-171 domains required for CMMC Level 2. Results feed directly into your SSP gap analysis and policy development work plan.

Tier 1 — Gold
Policy Gap Checker
CMMC Level 2 requires formal, documented policies and procedures across all 14 NIST SP 800-171 Rev 2 control families — 110 controls, 320 assessment objectives. For each domain below, select the current status of your policy documentation. The tool generates a prioritized gap report and recommended action plan you can take directly into your SSP development work.
Why Policy Documentation Matters for CMMC

C3PAO assessors review your policy documents as the primary evidence that controls are implemented. A technical control without a supporting policy is an assessment finding — even if the control works. CMMC Level 2 assessors use a three-part test: examine (review documentation), interview (question staff), and test (verify technical implementation). Missing policies fail the examine step before the test even begins.

Organization Name
Your organization name will appear on the generated report and in the email summary sent to Globe-America.
Instructions

For each policy document listed under its NIST 800-171 domain, select its current status: Complete (formally documented, approved, and current), Partial (draft exists or partially documented), Missing (does not exist), or N/A (not applicable to your environment). When finished, click Generate Gap Report.

NIST 800-171 Rev 2 Policy Requirements Reference
Policy vs. Procedure — Know the Difference

A policy states the organization's intent and rules — the "what" and "why." A procedure describes the step-by-step process for carrying out the policy — the "how." CMMC Level 2 requires both for each control domain. C3PAO assessors will ask for both during assessment. Having a policy without a procedure — or vice versa — is an incomplete implementation.

Ready to Build Your Policy Suite?
Globe-America Consulting develops formal, audit-ready policy and procedure documentation for all 14 NIST 800-171 domains as part of every Readiness & Governance engagement. Schedule a Readiness Consultation to review your gap report and confirm your policy development roadmap.
What Drives the Price Range
Low end ($24,000) — Entering Tier 2 with a solid Tier 3 foundation already in place — SPRS submitted, SSP drafted, policies documented. Focus is governance tightening, CUI scoping, and internal readiness reviews.

High end ($52,000) — Complex contract vehicles across multiple primes, broader CUI footprint requiring enclave strategy, mature but misaligned control implementations needing rework, and C3PAO assessment timeline demanding structured pre-assessment preparation and mock assessments.
Book a 60-Min Readiness Consultation →
60-minute session  ·  $197  ·  Applied as credit toward your engagement
This tool produces a preliminary policy gap assessment for planning purposes only. It does not constitute a formal CMMC assessment, auditor review, or legal determination. Policy adequacy is ultimately determined by a qualified C3PAO assessor during a formal assessment. All content is based on NIST SP 800-171 Rev 2, the CMMC Assessment Guide Level 2 v2.13, and related DoD guidance current as of March 2026. Globe-America Consulting is not a law firm and this tool does not constitute legal advice.