International locations involved in manufacturing the F-35 Joint Strike Fighter, which will require a CMMC Conformity Assessment

CMMC is a Global Compliance Requirement

Every dot on the picture above indicates an international location involved in manufacturing the F-35 Joint Strike Fighter. Every dot also indicates at least one company that may need an international CMMC Conformity Assessment.

While the requirement to comply with DFARS Clause 252.204-7012 and NIST SP 800-171 may be bound by international law when it comes to direct awardees and tier 1 team members, this is not the case further down the Prime’s supply chain.

DoD Prime contractors want their supply chain, regardless of country, to be compliant with DFARS Clause 252.204-7012, NIST SP 800-171, and be CMMC certified as soon as the DRAFT 32 CFR Part 170 – Cybersecurity Maturity Model Certification (CMMC) Program rule is published and becomes enforceable.

This is simply due to the current contractual flow down requirements in:

Peak InfoSec will support our United States based companies by conducting site surveys of their international locations per DoD and Cyber Accreditation Body (Cyber-AB) published guidance to authorized C3PAOs.

Peak InfoSec will also conduct, where allowed by the international company and its country, CMMC Conformity Assessments for companies whose headquarters and work are outside of the United States. Conversely, Peak InfoSec will also conduct site surveys for its locations within the United States that are in scope.

As we explained in the "As the CMMC Churns" episode "CMMC Rule, an Executive Summary," market pressure will be the primary driver forcing companies to become CMMC certified. Market pressure is not limited to just the United States.

If you are interested in discussing our international CMMC support for your business, please fill in the form below.

An Authorized CMMC 3rd Party Assessment Organization (C3PAO)