Keeping in mind the definition of an assessment from https://peakinfosec.com/faq-items/what-is-an-assessment/,
“The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.”
The key difference is the intent of the assessment. Additionally, every authorized CMMC 3rd Party Assessment Organization (C3PAO) may have tweaked definitions.
The short answer is gap assessments are used where consultative advice is given to correct identified deficiencies.
A Mock Assessment does not give any consultative advice or recommendations but is not intended to be used for a certification event. Mock Assessments are commonly used with Pre-Assessment Readiness Reviews (PARR) and Certification Assessment Readiness Reviews (CARR) prior to the form Conformity Assessment.
The Conformity Assessment is the formal event led by a C3PAO or Defense Industrial Base Cybersecurity Assurance Center (DIBCAC) assessors that results in a formal scoring and submission to formal reporting mechanisms like the Supplier Performance Risk System (SPRS).
Here is a table view of the differences:
| Gap | Mock | Conformity | |
| Identifies deficiencies | Yes | Yes | Yes |
| Provides recommended remediations | Yes | No | No |
| Used in consultative engagements | Yes | No | No |
| Used to gauge an organization’s readiness for a formal certification event | No | Yes | No |
| Used in a JSVA | No | No | Yes |
| Used for a CMMC formal assessment | No | No | Yes |
| Results are submitted to SPRS | No | No | Yes |
| Results are submitted to CMMC eMASS | No | No | Yes |
Social Contact