CMMC 2.0

Phy-Cy.X Security Group, LLC one of the 1st CMMC RPO in Kansas.

As CMMC progresses on, effective Nov 30, 2020 an interim DFARS rule is being integrated where all DOD contractors whom currently self attest to NIST 800-171 will need to have a BASIC assessment conducted and score provided to the Supplier Performance Risk System in order to remain eligible for contract awards. Call us today to see how we can help you conduct a NIST assessment utilizing the Assessment Methodology to generate your score and post to the SPRS.


The DOD has recently updated CMMC to version 2.0. There were significant changes to the framework and the way certification is obtain. The framework has been updated to reflect three levels vice five levels as was present in version 1.0.

Level 1 has been updated to self-assessment and no longer needs a third party (C3PAO) audit to obtain certification.

Level 2 has been aligned with NIST 800-171 where the additional 20 items have been removed. Self-assessment was the hope but according to the DOD CIO, companies who fall under CMMC L2 will be required to be certified by a C3PAO.

Level 3 is currently in development but should be expected to align with NIST 800-172 with some additional requirements. This level will only be for those most critical contracts.