UPDATE: As CMMC progresses, effective Nov 30, 2020, an interim DFARS rule is being integrated under which all DoD contractors who currently self-attest to NIST 800-171 will need to have a BASIC assessment conducted and the score provided to the Supplier Performance Risk System (SPRS) in order to remain eligible for contract awards. Call us today to see how we can help you conduct a NIST assessment using the Assessment Methodology to generate your score and post it to the SPRS.


Are you a DoD contractor or sub-contractor, or do you sell products utilized in defense programs? If so, are you ready for CMMC? The Department of Defense has updated and released CMMC Version 1.02, 8 March 2020. All those who supply products to the DoD must comply and be certified under CMMC to win new contracts and, for some, to maintain ones already awarded. Fortunately, Phy-Cy.X is here to assist with our consulting, managed services and assessment offerings. Additionally, Phy-Cy.X has applied for certified status, ensuring we remain the resident experts on CMMC subject matter for our fellow organizations that desire compliance assistance! NOTE: CMMC AB does not allow for both support and audit by the same organization. For those organizations to which Phy-Cy.X provides CMMC consulting and management services, we will find the best audit organization for your desired level of certification.

Certification levels (1-5)

Level 1 only requires practice (technical) activities, while certification Levels 2-5 contain both practice and process (documentation) requirements. In total there are 17 domains, ranging from 17 line items for Level 1 up to 173 line items for Level 5.

Level 1 – Focuses on basic cyber hygiene as specified within 48 CFR 52.204-21. No process requirement.

Level 2 – Focuses on intermediate cyber hygiene. Standard operating procedures, policies and plans are established.

Level 3 – Focuses on good cyber hygiene that meets NIST SP 800-171 Rev 1. Review of adherence to policy and procedures and adequate resources.

Level 4 – Substantial and proactive cybersecurity program. Reviews for effectiveness and informs management of issues.

Level 5 – Ability to optimize capabilities to repel advanced persistent threats (APT). Standardization across all organizational units and improvements shared.