What is the difference between a CCSS readiness assessment and a CCSS gap assessment?

What is the difference between a CCSS™ Readiness Assessment and a CCSS Gap Assessment?

What is the difference between a CCSS Readiness Assessment and a CCSS Gap Assessment?

A CCSS Gap Assessment is typically performed by a CCSS Implementer (CCSSI). The objective is to identify where a system does not currently meet CCSS requirements and develop a plan to address those gaps. The gap assessment focuses on security controls, operational practices, processes, and documentation that must be implemented or improved before pursuing CCSS system certification.

A CCSS Readiness Assessment is performed by a CCSS Auditor (CCSSA). The objective is for a CCSSA to evaluate whether a system is prepared for a formal CCSS audit. The assessment focuses on the quality and completeness of audit evidence, documentation, and control implementation, helping entities identify issues that could impact audit success. It also considers whether sufficient evidence exists to demonstrate that controls have operated effectively over the preceding 12 months, consistent with CCSS audit expectations. For an initial CCSS audit, the CCSSA may exercise leniency where a control has not yet been operational for the full 12-month period.

In short:

CCSS Implementers (CCSSIs) help entities understand what must be built, documented, or improved to align with CCSS requirements.
CCSS Auditors (CCSSAs) help entities determine whether they are prepared to undergo a formal CCSS audit, and then perform that audit.

A Gap Assessment answers: “What requirements are we not meeting?”

A Readiness Assessment answers: “Are we ready for an audit?”

Date Updated: June 26, 2026
Article Number: 21
Back to FAQ