AI Gap Analysis (Professional+)
Claude AI risk-ranked gaps with remediation guidance

Critical gaps: 12 · High priority: 21 · SPRS impact: −63 pts
SPRS recovery potential (score impact per gap resolved): resolving the top 5 gaps recovers +17 SPRS pts; current score −63 → projected −46
3.5.3 Multifactor Authentication
Critical · SPRS weight: 5 · +5 pts if fixed · Est. effort: 3-5 days

AI Analysis
The organization has not deployed multifactor authentication for privileged account access to organizational systems. Based on the current configuration of Microsoft Entra ID, single-factor authentication is permitted for 23 administrative accounts, creating a critical exposure to credential-based attacks (password spraying, phishing, and credential stuffing all succeed against a single factor). This control carries the maximum SPRS weight of 5 points and is among the first controls a C3PAO assessor will verify. Immediate remediation is recommended: enable Conditional Access policies requiring MFA for all privileged roles before any assessment activity begins.

Remediation Steps
1. Enable a Conditional Access policy requiring MFA for all admin roles in Microsoft Entra ID
2. Enroll all 23 privileged accounts in Microsoft Authenticator or an equivalent FIDO2 key
3. Configure break-glass accounts with hardware security keys as backup
4. Document MFA exemptions with business justification and ISSO approval
5. Validate enforcement via sign-in logs: verify zero successful single-factor logins for privileged accounts
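Step 5 calls for verifying enforcement from the sign-in logs rather than trusting the policy definition. The following is an added example, not output of the gap analysis and not the tool's own code: it reads newline-delimited sign-in records shaped like Microsoft Graph signIn entries and reports every successful single-factor sign-in by a privileged account, listing documented break-glass exemptions separately so they are visible in the evidence rather than silently ignored. The field names (userPrincipalName, authenticationRequirement, status.errorCode), the privileged-account set and the log lines are constructed assumptions for illustration.

```python
import json

# Constructed sample: newline-delimited JSON shaped like Microsoft Graph signIn
# records (assumption: the fields userPrincipalName, authenticationRequirement,
# status.errorCode and createdDateTime). Values are made up, not tenant data.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "admin.alice@example.com", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}, "createdDateTime": "2024-06-01T08:00:00Z"}
{"userPrincipalName": "admin.bob@example.com", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}, "createdDateTime": "2024-06-01T08:05:00Z"}
{"userPrincipalName": "admin.bob@example.com", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50074}, "createdDateTime": "2024-06-01T08:06:00Z"}
{"userPrincipalName": "user.carol@example.com", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}, "createdDateTime": "2024-06-01T08:10:00Z"}
{"userPrincipalName": "breakglass1@example.com", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}, "createdDateTime": "2024-06-01T08:12:00Z"}
"""

# Assumption: in practice the privileged-account list comes from a directory
# role export; here it is a constructed set.
PRIVILEGED_UPNS = {"admin.alice@example.com", "admin.bob@example.com", "breakglass1@example.com"}
# Steps 3 and 4 of the plan: break-glass accounts are documented exemptions.
# They are reported on their own line of the evidence, never dropped.
BREAK_GLASS_UPNS = {"breakglass1@example.com"}


def find_single_factor_admin_signins(log_text, privileged_upns, exempt_upns=frozenset()):
    """Return successful single-factor sign-ins by privileged accounts.

    A status.errorCode of 0 means the sign-in succeeded; any other code is a
    failed or interrupted attempt (in the constructed sample, 50074 stands for
    the MFA-required interrupt) and does not count as a single-factor success.
    """
    privileged = {u.lower() for u in privileged_upns}
    exempt = {u.lower() for u in exempt_upns}
    violations, exempt_hits = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in privileged:
            continue  # non-privileged accounts are out of scope for this check
        succeeded = rec.get("status", {}).get("errorCode") == 0
        single_factor = rec.get("authenticationRequirement") == "singleFactorAuthentication"
        if succeeded and single_factor:
            (exempt_hits if upn in exempt else violations).append(rec)
    return {
        "violations": violations,
        "exempt_single_factor": exempt_hits,
        "passed": not violations,  # acceptance criterion: zero violations
    }


if __name__ == "__main__":
    result = find_single_factor_admin_signins(SAMPLE_SIGNIN_LOG, PRIVILEGED_UPNS, BREAK_GLASS_UPNS)
    print("PASS" if result["passed"] else "FAIL")
    for rec in result["violations"]:
        print("single-factor admin sign-in:", rec["userPrincipalName"], rec["createdDateTime"])
    for rec in result["exempt_single_factor"]:
        print("documented exemption used:", rec["userPrincipalName"], rec["createdDateTime"])
```

Run against the constructed sample, the check fails because admin.bob has one successful single-factor sign-in; the failed 50074 attempt and the non-privileged user are ignored, and the break-glass sign-in is surfaced as an exemption for the ISSO record rather than as a violation.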
3.11.2 Vulnerability Scanning
Critical · SPRS weight: 5 · +5 pts if fixed · Est. effort: 2-4 weeks

AI Analysis
Tenable.io data shows 47 unresolved critical vulnerabilities across 12 endpoints, with 3 assets exceeding 90 days without a successful scan. NIST 800-171 control 3.11.2 requires periodic scanning of organizational systems and corrective action for identified vulnerabilities. The current scan coverage of 78% is insufficient: 5 systems in the CUI boundary have not been scanned in the current quarter. The remediation roadmap should prioritize CVE-2023-44487 (HTTP/2 rapid reset) and CVE-2024-3400 (PAN-OS), which are actively exploited in the wild.

Remediation Steps
1. Deploy Tenable agents to the 5 unscanned CUI-boundary systems within 14 days
2. Remediate CVE-2023-44487 and CVE-2024-3400 as P0 items: patch or mitigate within 72 hours
3. Establish a weekly scan cadence with auto-ticketing for critical/high findings
4. Define SLAs: Critical ≤ 15 days, High ≤ 30 days, Medium ≤ 90 days
5. Document accepted risks with ISSO signature for any vulnerabilities not remediated within SLA
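Steps 2 through 5 describe one tracking procedure: a 72-hour clock for the two named P0 CVEs, per-severity SLAs for everything else, and an ISSO-signed acceptance record for anything left past its SLA, alongside the 90-day scan-age check from the analysis. The following is an added example, not output of the gap analysis and not the tool's code: it evaluates a constructed set of open findings and a constructed asset inventory against exactly those rules. The finding shape (asset, cve, severity, first_seen, state, optional accepted_risk), the CVE-EXAMPLE-* placeholder identifiers and the dates are assumptions; only the two real CVE numbers and the SLA values come from the page.

```python
from datetime import date

# Step 4 of the plan: SLA in days by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}
# Step 2 of the plan: the actively exploited CVEs named in the analysis are P0
# and get a 72-hour clock regardless of scanner severity.
P0_CVES = {"CVE-2023-44487", "CVE-2024-3400"}
P0_SLA_DAYS = 3
# From the analysis: an asset without a successful scan in 90 days is stale.
MAX_SCAN_AGE_DAYS = 90

# Constructed sample findings (assumption: a simplified record shape, not a real
# Tenable export). CVE-EXAMPLE-* identifiers are placeholders.
FINDINGS = [
    {"asset": "cui-app-01", "cve": "CVE-2023-44487", "severity": "critical", "first_seen": "2024-05-01", "state": "open"},
    {"asset": "cui-fw-01", "cve": "CVE-2024-3400", "severity": "critical", "first_seen": "2024-05-20", "state": "open"},
    {"asset": "cui-db-02", "cve": "CVE-EXAMPLE-0001", "severity": "high", "first_seen": "2024-05-25", "state": "open"},
    {"asset": "cui-web-03", "cve": "CVE-EXAMPLE-0002", "severity": "medium", "first_seen": "2024-02-01", "state": "open",
     "accepted_risk": {"approver": "ISSO", "signed": "2024-04-01", "reason": "vendor patch pending; host isolated"}},
    {"asset": "cui-web-03", "cve": "CVE-EXAMPLE-0003", "severity": "high", "first_seen": "2024-04-01", "state": "fixed"},
]

# Constructed asset inventory with the date of the last successful scan
# (None means the asset has never been scanned).
ASSETS = [
    {"name": "cui-app-01", "last_scan": "2024-05-28"},
    {"name": "cui-fw-01", "last_scan": "2024-02-15"},
    {"name": "cui-db-02", "last_scan": None},
    {"name": "cui-web-03", "last_scan": "2024-05-30"},
]


def sla_for(finding):
    """P0 CVEs override the severity SLA; low/info findings have no SLA here."""
    if finding["cve"] in P0_CVES:
        return P0_SLA_DAYS
    return SLA_DAYS.get(finding["severity"].lower())


def is_accepted(finding):
    """Step 5: only an ISSO-signed acceptance record counts as accepted risk."""
    ar = finding.get("accepted_risk")
    return bool(ar and ar.get("approver") == "ISSO" and ar.get("signed"))


def evaluate_findings(findings, as_of):
    """Bucket open findings into breached, within_sla and accepted (past SLA, signed off)."""
    report = {"breached": [], "within_sla": [], "accepted": []}
    for f in findings:
        if f["state"] != "open":
            continue  # fixed or resolved findings do not carry an SLA
        sla = sla_for(f)
        if sla is None:
            continue
        days_open = (as_of - date.fromisoformat(f["first_seen"])).days
        row = dict(f, days_open=days_open, sla_days=sla, p0=f["cve"] in P0_CVES)
        if days_open > sla:
            report["accepted" if is_accepted(f) else "breached"].append(row)
        else:
            report["within_sla"].append(row)
    return report


def stale_assets(assets, as_of, max_age=MAX_SCAN_AGE_DAYS):
    """Return (name, days_since_scan) for assets past max_age or never scanned."""
    stale = []
    for a in assets:
        if a["last_scan"] is None:
            stale.append((a["name"], None))
            continue
        age = (as_of - date.fromisoformat(a["last_scan"])).days
        if age > max_age:
            stale.append((a["name"], age))
    return stale


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed reporting date
    rep = evaluate_findings(FINDINGS, today)
    for bucket, rows in rep.items():
        for r in rows:
            print(f"{bucket:10} {r['asset']:12} {r['cve']:18} {r['days_open']:>3}d open / SLA {r['sla_days']}d"
                  + ("  [P0]" if r["p0"] else ""))
    for name, age in stale_assets(ASSETS, today):
        print(f"stale scan  {name:12} {'never scanned' if age is None else f'{age}d since last scan'}")
```

On the constructed data both P0 CVEs are breached even though CVE-2024-3400 is only 12 days old, because the 72-hour clock applies; the medium finding is 121 days open but lands in the accepted bucket because it carries an ISSO signature, and two assets are flagged as stale (one never scanned). A finding that is within SLA is never counted as accepted, so an acceptance record cannot be used to pre-emptively hide a new finding.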
3.13.8 Data in Transit Encryption
High · SPRS weight: 3 · +3 pts if fixed · Est. effort: 1-2 weeks

AI Analysis
Network traffic analysis from the CrowdStrike Falcon integration reveals that 4 internal services are transmitting CUI over unencrypted HTTP connections on port 80. While TLS is enforced on public-facing endpoints, internal service-to-service communications within the CUI enclave do not use encrypted channels. This is a common gap for organizations migrating from legacy infrastructure. CMMC Level 2 requires all CUI to be protected during transmission using FIPS 140-2 validated cryptography. A zero-trust network architecture with mutual TLS would address this gap comprehensively.

Remediation Steps
1. Inventory all internal services transmitting on port 80 or other unencrypted protocols
2. Migrate the 4 identified services to TLS 1.2+ (TLS 1.3 preferred)
3. Configure HTTP Strict Transport Security (HSTS) headers on all web services
4. Enforce TLS via network policy (firewall rules blocking port 80 internally)
5. Document FIPS 140-2 validation for all cryptographic modules used
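Steps 1 to 3 above are an inventory-then-harden procedure. The following is an added example, not output of the gap analysis and not the tool's code: it builds the step 1 inventory from constructed flow records by keeping only enclave-internal flows to cleartext ports (so the same service reached from outside the enclave, or a flow leaving it, is not mistaken for an internal cleartext service), then shows the step 2 and 3 server-side settings as a TLS 1.2-minimum `ssl.SSLContext` and an HSTS header value. The enclave range 10.20.0.0/16, the flow record shape and the port list are assumptions; nothing here checks FIPS validation of the underlying OpenSSL build, which remains a documentation task (step 5).

```python
import ipaddress
import ssl

# Assumption: constructed CUI enclave range; in practice taken from the SSP boundary.
CUI_ENCLAVE = ipaddress.ip_network("10.20.0.0/16")
# Cleartext protocols to inventory; port 80 is the one the analysis found in use.
CLEARTEXT_PORTS = {80: "http", 21: "ftp", 23: "telnet", 389: "ldap"}

# Constructed flow records (assumption: src, dst, dport, bytes; not real telemetry).
FLOWS = [
    {"src": "10.20.1.10", "dst": "10.20.5.20", "dport": 80, "bytes": 48213},
    {"src": "10.20.1.11", "dst": "10.20.5.20", "dport": 80, "bytes": 1200},
    {"src": "10.20.1.10", "dst": "10.20.5.21", "dport": 443, "bytes": 90000},   # already TLS
    {"src": "10.20.2.7", "dst": "10.20.6.30", "dport": 389, "bytes": 4000},     # cleartext LDAP
    {"src": "10.20.1.10", "dst": "203.0.113.9", "dport": 80, "bytes": 500},     # leaves the enclave
    {"src": "192.168.9.4", "dst": "10.20.5.20", "dport": 80, "bytes": 300},     # enters from outside
]


def cleartext_services_in_enclave(flows, enclave=CUI_ENCLAVE, ports=CLEARTEXT_PORTS):
    """Step 1: map (server, port) -> clients and byte volume for internal cleartext traffic."""
    inventory = {}
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in enclave or dst not in enclave or f["dport"] not in ports:
            continue  # only enclave-internal service-to-service traffic is in scope here
        entry = inventory.setdefault((f["dst"], f["dport"]),
                                     {"protocol": ports[f["dport"]], "clients": set(), "bytes": 0})
        entry["clients"].add(f["src"])
        entry["bytes"] += f["bytes"]
    return inventory


def hardened_server_context(certfile=None, keyfile=None):
    """Step 2: a server context that refuses anything below TLS 1.2 (1.3 negotiated when available)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression has no place on a CUI channel
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def enforces_modern_tls(ctx):
    """True when the context cannot negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def hsts_header(max_age=31536000, include_subdomains=True):
    """Step 3: the Strict-Transport-Security header value to send on every HTTPS response."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


if __name__ == "__main__":
    for (server, port), e in sorted(cleartext_services_in_enclave(FLOWS).items()):
        print(f"{server}:{port} ({e['protocol']}) <- {sorted(e['clients'])} {e['bytes']} bytes: migrate to TLS")
    print("server context TLS1.2+:", enforces_modern_tls(hardened_server_context()))
    print("Strict-Transport-Security:", hsts_header())
```

The inventory output is the list of servers that need migrating (step 2) and, once they are on TLS, the servers whose port 80 can be blocked internally (step 4); the flows to 203.0.113.9 and from 192.168.9.4 are deliberately excluded because they are not enclave-internal and belong to a different control boundary.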
Get Claude AI-generated remediation plans ranked by SPRS score impact, tailored to your actual control data.
Free forever · No credit card · Setup in 5 min