• What is CMMC 2.0?

    Many contractors have been preparing for the Cybersecurity Maturity Model Certification (CMMC) – a program developed by the Department of Defense (DoD) to ensure adequate cybersecurity protections in the government’s supply chain. DoD made several updates to the model in version 2.0:

    Levels 2 and 4 have been removed, so there are now only three instead of five levels of compliance as follows:

    • CMMC 2.0 Level 1, Foundational – Requires implementation of the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submission of an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).   
    • CMMC 2.0 Level 2, Advanced – Requires implementation of the 110 controls in NIST SP 800-171 and submission of an annual self-assessment or, if required to handle “critical national security information” (currently undefined), a triennial independent assessment performed by a CMMC Third Party Assessment Organization (C3PAO).  
    • CMMC 2.0 Level 3, Expert – Requires implementation of the 110 controls in NIST SP 800-171 and a subset of controls from NIST SP 800-172 and a triennial government-led assessment. Requirements for level 3 are still being developed. 

    CMMC-unique practices and all maturity processes have been removed. The new levels will align to NIST practices reducing the number of controls formerly required under the initial framework. For example, Level 2 now only has 110 practices, down 20 from the prior Level 3 requirements. 

    Under some circumstances, Plans of Action & Milestones (POA&Ms) and waivers may be allowed, providing greater flexibility than the prior model and allowing for certification even where some gaps remain in a contractor’s compliance with the controls.  



    Why is CMMC 2.0 important to both OEMs and channel partners?

     Once implemented, DoD customers will be required to do business only with OEMs and resellers that are certified at the appropriate CMMC 2.0 level. 

    CMMC applies, with limited exception, to all links in the DoD supply chain, including prime contractors and subcontractors such as OEMs and resellers.



    How is immixGroup supporting CMMC 2.0 requirements?

    immixGroup is actively finalizing its preparations for CMMC 2.0 compliance and certification, and we are planning to obtain Level 2 certification. immixGroup fully anticipates that on day one we will be ready to continue supporting our OEMs, partner/resellers and their government customers with mission-critical DoD business. 

    immixGroup continues to monitor and communicate developments to our partner community as the CMMC 2.0 rollout progresses. We are here to help our OEMs sort through any confusion or concerns about these new obligations and the certification process.


    Questions? View our FAQ or contact us here.