Glossary

Control Gap

An identified, named difference between a required control and the evidence on file — a control that should be in place but is not yet evidenced, implemented, or both.

A control gap is a specific, named deficiency: a control that the security review identifies as required, and that the system does not have in place or cannot evidence. The gap is the unit of work between the security review and production readiness.

Control gaps come in three shapes. Implementation gaps: the control is required but not implemented, and no evidence exists. Evidence gaps: the control may be implemented, but no documentation or test result demonstrates that it operates. Coverage gaps: the control exists in part but does not cover the full surface (e.g., output filtering applied to one channel but not another).

Each gap has an owner — a named individual or role accountable for closing it. A gap owned by 'engineering' is unowned. A gap owned by 'the Engineering Director' is owned. Defining the owner forces a real accountability decision.

Each gap has a target date and a status. The target date should be realistic and tied to the lifecycle gate at which the control must be in place. Status (open / in progress / resolved) updates as work proceeds. A gap that has been open for six months without movement is not a gap; it is an accepted residual risk that should be moved to the residual risk section of the disposition with an explicit acceptance.

Control gaps inform the clearance decision. A system with no critical control gaps may receive Proceed clearance. A system with critical gaps planned but not yet closed may receive Conditional clearance with the gaps as conditions. A system with critical unmitigated gaps may receive Hold.