Chapter 5 Β· Helper 3

Real-World Examples

Gap analysis scenarios and exam situations.

Real-World

DoD Contractor Gap Analysis (CMMC)

A defense contractor must comply with Cybersecurity Maturity Model Certification (CMMC) to win government contracts. They hire a consultant to conduct a gap analysis against NIST SP 800-171. The analysis reveals: all 14 control families have some level of compliance, but "System and Communications Protection" and "Audit and Accountability" are completely absent. The gap analysis report maps each NIST control to a red/yellow/green status and provides a remediation plan with a 12-month timeline and estimated $2.3M investment.

Exam Scenario

What Comes FIRST in a Gap Analysis?

A question asks: "An organization wants to conduct a gap analysis of its security posture. What is the FIRST step?"

Answer: Define the baseline (desired state). Without knowing where you want to be, you cannot measure any gap. You must choose a baseline framework first. This is the most commonly tested gap analysis concept on CompTIA exams.

Real-World

Breaking Down NIST 800-171 Access Control

The NIST 800-171 "Access Control" family seems like one requirement. But in a gap analysis, it breaks down into: (1) Limit access to authorized users, (2) Limit access to authorized transactions and functions, (3) Control the flow of CUI, (4) Separate duties, (5) Use least privilege, (6) Use non-privileged accounts for non-security functions, (7) Prevent non-privileged users from executing privileged functions, and more. Each sub-requirement is assessed independently β€” a location may be green for user registration but red for privileged access management.

Exam Scenario

Gap Analysis vs. Penetration Test

Students sometimes confuse these two. Key difference:

An organization might do a gap analysis to set priorities, then a pen test to validate specific technical controls.

Real-World

The Report That Saved the Budget

A regional bank conducted a gap analysis and produced a red/yellow/green matrix. The board had previously rejected security budget requests as "abstract." The matrix made the problem visual: 4 out of 9 branches were red in patch management and incident response. The board immediately approved a $1.2M security investment β€” the visual gap analysis report accomplished what years of technical memos had failed to do. This illustrates why the final report must communicate both the GAP and the PATH to closure.