Hi @N_Bakewell,
The company I work for is outside the US and I've also not managed to find any publicly available clarifications regarding CMMC assessments so have recently been in touch with someone on the CMMC-AB industry working group, and they have advised on 10-Mar-2021 that at present:
(a) there are no immediate plans to authorise any non-US CMMC assessors. They would need to be trained by the CMMC-AB in the US and go through an assessment by the DCMA who are only just starting to assess the small group of US C3PAOs;
(b) there is no immediate need to have a CMMC assessment and none of the pilot programmes are likely to impact the international DIB. From December 2020 subcontractors with contracts containing DFARS 252.204-7012 have to submit their NIST 800-171 compliance results into SPRS.
The intention really is that as you say there is a move from self-assessments to third party audit but for non-US DIB subcontractors it could be some time yet before this will be enforced, they are focusing on a roll-out in the US first. For now for non-US entities the process remains self-assessment but with additional controls (NIST 800-171 R2), posting the results into SPRS which allocates a risk score, and I guess we have to 'watch-this-space' to find out when this changes, and in the meantime ensure the documentation and evidence of compliance is up to speed ready for when the time comes a full third party audit is required.
For non-US locations that belong to US-based entities you may have to prepare and show evidence of compliance from your non-US locations as part of your CMMC assessment when the time comes - though you could vastly simplify this be ensuring you limit the scope of systems and people that would have access to CUI/FCI, such as by only storing it on centralised infrastructure at your main US-based location and to control/limit remote access to it.
Hope this helps.
