Every dot on the picture above indicates is an international location involved in manufacturing the F-35, Joint Strike Fighter.  Every dot also indicates at least one company that may need an international CMMC Conformity Assessment.

While the requirement to comply with DFARS Clause 252.204-7012 and NIST SP 800-171 may be bound by international law when it comes to direct awardees and tier 1 team members, this is not the case further down the Prime’s supply chain.

DoD Prime contractors want their supply chain, regardless of country, to be compliant with DFARS Clause 252.204-7012, NIST SP 800-171, and be CMMC certified as soon as the DRAFT 32 CFR Part 170 – Cybersecurity Maturity Model Certification (CMMC) Program rule is published and becomes enforceable.

This is simply due to the current contractual flow down requirements in:

• 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems for CMMC Level 1
• DFARS Clause 252.204-7012 paragraph (m) and DFARS Clause 252.204-7020 paragraph (g) for CMMC Levels 2 and 3

Peak InfoSec will support our United States based companies by conducting site surveys of their international locations per DoD and Cyber Accreditation Body (Cyber-AB) published guidance to authorized C3PAOs.

Peak InfoSec will also conduct, where allowed by the international company and its country, CMMC Conformity Assessments for companies whose headquarters and work is done outside of the United States.  Conversely, Peak InfoSec will also conduct site surveys for its locations within the United States that are in scope.

As we explained in the As the CMMC Churns, “CMMC Rule, an Executive Summary” episode, market pressure will be the primary driver forcing companies to CMMC certified.  Market pressure is not milted to just the United States.

If you are interested in discussing our international CMMC support for your business, please fill in the form below.

• Canadian Program for Cyber Security Certification (CPCSC): Beginning at the end of 2024, suppliers seeking to bid or work on select Government of Canada defence contracts must become certified under the Canadian Program for Cyber Security Certification (CPCSC).