• Frequently asked questions

    What is CMMC?

    Cybersecurity Maturity Model Certification (CMMC) is a new certification process to measure a company's ability to protect sensitive government data. It is a unified standard for implementing cybersecurity across the defense industrial base. The certification is a way for DoD - and, soon after, probably civilian agencies as well - to address intellectual property theft, cybercrime and national security threats of the type evidenced by recent cybersecurity attacks. Once fully implemented, CMMC will be an acquisition foundation, required for almost every contractor transacting business with the U.S. Government. 

    Are there different levels of certification?

    CMMC has five maturity levels - from basic cybersecurity hygiene at Level 1 to very robust requirements at Level 5. These certification levels reflect the maturity and reliability of a company's cybersecurity infrastructure in safeguarding sensitive government information, primarily Controlled Unclassified Information ("CUI"), on its information systems. Access to more sensitive information will require higher certification levels, and higher certification levels will require compliance with more processes and controls.

    How will companies be assessed?

    Government contractors will be required to obtain an independent, third-party certification of compliance with the CMMC level corresponding to the type of government information the contractor is likely to handle.

    How is CMMC being implemented?

    The current CMMC contract clause can be found at DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements). While the DoD continues to roll out CMMC under a limited number of acquisitions, contractors (and their subcontractors) are in the meantime required to conduct self-assessments of their implementation of the NIST SP 800-171 standards and report the results in the DoD's Supplier Performance Risk System (SPRS), pursuant to DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) and DFARS 252.204-7020 (DoD Assessment Requirements). Each solicitation requiring CMMC compliance will state the required CMMC level, and only contractors certified at that CMMC level (or higher) will be eligible for award.

    Are there any exceptions to CMMC?

    CMMC applies to all contractors, regardless of size. There is no commercial item exception, either. There is a narrow exception for contractors who only sell commercial off-the-shelf (COTS) products as defined in FAR 2.101. However, contractors should exercise caution here, as services are not included in the definition of COTS.

    What is immixGroup doing about CMMC?

    As a leading public sector distributor, we are actively finalizing our preparations for CMMC compliance and certification and plan on obtaining a Level 3 certification. We fully anticipate being ready on day one to continue supporting our manufacturers, partner-resellers and their government customers with DoD business. immixGroup has been closely monitoring and blogging about these requirements since the government first introduced the precursor to CMMC back in October of 2016 through DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which requires contractors to self-comply with (or at least have a Plan of Action and Milestones for meeting) the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."