October 24, 2022

Last Updated on January 18, 2024

Is There a Path for Non-US Companies to be CMMC Certified?

The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) has sparked questions and concerns since its inception in January 2020. Though it’s not yet possible to be officially certified compliant, CMMC v2 requirements are expected to materialize in government contracts around July 2023.

Now is the time to move forward decisively with CMMC compliance and certification if you plan to continue doing business in the defense sector.

To answer the top CMMC questions that he and others have been hearing from SMBs in the US defense industrial base (DIB), George Perezdiaz, Pivot Point Security’s Federal Risk practice lead, joined a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.

“Under implementation”

According to the official CMMC website, the path to CMMC compliance for non-US companies is “under implementation.” For now, “the DoD intends to maintain its existing cybersecurity requirements (as defined in FAR 52.204-21 and DFARS 252.204-7012), and enforce them where applicable.” That certainly includes non-US firms that handle controlled unclassified information (CUI).

As George notes, “The main goal of the CMMC program is to establish that cybersecurity baseline to protect CUI regardless of what side of the border it resides on.”

“I’m pretty sure that if you’re helping with mission-critical programs, the DoD will be more than happy to assess your security controls and potentially issue that CMMC certification,” George adds.

What about processing ITAR data?

ITAR data must be protected with stronger controls than CUI, leading to additional security, reporting, and legal requirements for orgs wherever they’re located.

“You will definitely have additional requirements as soon as you start handling/processing ITAR information,” confirms George.

But isn’t ITAR access restricted to only US citizens? The correct, and broader, term is “US persons.” That includes non-US citizens such as Green Card holders, political refugees, and others.

Authorized persons can access ITAR data from within or outside the US, as long as the data doesn’t leave the US.

“You can be a non-US person and have a license that authorizes you as an individual or a company to access your controlled information,” explains George. “But the connection has to be end-to-end encrypted, which becomes really, really challenging to achieve.”

The bottom line is that handling ITAR data presents even more hurdles for non-US orgs. But it should be doable if the environment is architected properly.

“Anything is doable, right?” offers George. “You just have to have the right amount of money and the will to do it correctly.”

What’s next?

To hear all of George Perezdiaz’s CMMC answers, click here.

Do you have the senior leadership support you need to succeed with CMMC? This post explains: Why is Management Buy-In a Challenge for CMMC Compliance?