Good morning all,
I have yet to find any clarifications from the CMMC-AB about how it will handle assessing US companies with international business units that take part in US DoD contracts (under ITAR agreements), when the enterprise network shares resources and systems across the globe. My presumption would be that, if the offshore business unit touches CUI/FCI (which, if it is taking a part of a DoD contract, almost a definite), it falls under the umbrella of needing to be assessed, but part of that assessment is also* a physical on-site evaluation. Has anyone heard anything to clarify this?
*This is actually a presumption as well, since the CMMC-AB has not specified.
The company I work for is outside the US and I've also not managed to find any publicly available clarifications regarding CMMC assessments so have recently been in touch with someone on the CMMC-AB industry working group, and they have advised on 10-Mar-2021 that at present:
(a) there are no immediate plans to authorise any non-US CMMC assessors. They would need to be trained by the CMMC-AB in the US and go through an assessment by the DCMA who are only just starting to assess the small group of US C3PAOs;
(b) there is no immediate need to have a CMMC assessment and none of the pilot programmes are likely to impact the international DIB. From December 2020 subcontractors with contracts containing DFARS 252.204-7012 have to submit their NIST 800-171 compliance results into SPRS.
The intention really is that as you say there is a move from self-assessments to third party audit but for non-US DIB subcontractors it could be some time yet before this will be enforced, they are focusing on a roll-out in the US first. For now for non-US entities the process remains self-assessment but with additional controls (NIST 800-171 R2), posting the results into SPRS which allocates a risk score, and I guess we have to 'watch-this-space' to find out when this changes, and in the meantime ensure the documentation and evidence of compliance is up to speed ready for when the time comes a full third party audit is required.
For non-US locations that belong to US-based entities you may have to prepare and show evidence of compliance from your non-US locations as part of your CMMC assessment when the time comes - though you could vastly simplify this be ensuring you limit the scope of systems and people that would have access to CUI/FCI, such as by only storing it on centralised infrastructure at your main US-based location and to control/limit remote access to it.
Hope this helps.
Further to my previous reply, the CMMC Centre of Excellence (CoE) has partnered with CREST among a few other organisations, to manage the accreditation of organisations who provide CMMC certifications.
At some point later this year we can probably expect to see CMMC listed in the 'Find a Supplier' section of their website under the heading 'Regulator and Government Schemes'.
This is not entirely correct, "to manage the accreditation of organisations who provide CMMC certifications." The organizations that provide CMMC certifications are C3PAO's and only the CMMC AB manages the accreditation of those organizations in partnership with the DoD.
Apologies to all, I'm not able to delete my above misinformed post so I'll add another to correct it - @TXWayne you are absolutely correct and I've jumped the gun here - the CREST announcement is misleading but you are right, only the CMMC AB manages the accreditation and at present they don't intend to delegate this to third parties outside the U.S. Sorry for any confusion I may have caused, I continue to watch this space.