Does My International Company Have to Do CMMC?

    International companies working with the U.S. Department of Defense must comply with the Cybersecurity Maturity Model Certification (CMMC) regardless of their home country's standards. There is no reciprocity, and all contractors must follow the same process and requirements as U.S.-based companies.


    Short Answer: Yes. There Is No Reciprocity. 

     A common question from foreign defense contractors working with the U.S. Department of Defense is: If we already meet our country’s cybersecurity standards, do we still have to comply with the DoD’s Cybersecurity Maturity Model Certification (CMMC)? 

    The answer from the DoD is definitive: Yes, you do. 

    What does the DoD say about International Reciprocity with CMMC? 

    At CS2 Reston in May 2025, James Gillooley of the DoD's CMMC PMO was unequivocal: “No reciprocity. Period.”  
    In other words, no country's standards, no matter how stringent, will exempt a company from needing to comply with CMMC. Each company, regardless of location, must achieve CMMC compliance through the same process as U.S.-based contractors.


    CMMC Is a Globally Accessible Program for DoD Contractors 

    Rather than attempt bilateral agreements across dozens of nations, the DoD has made CMMC a globally accessible program. As Matt Travis, CEO of the Cyber AB, explained: 

    “I think the department structured this intentionally during the rulemaking process. Instead of having all these bilateral reciprocity agreements, which would be problematic in terms of not everyone being on the same level, they decided to open up the program internationally.”  

     This means international companies can: 

    • Become C3PAOs if they meet all U.S. CMMC requirements.
    • Train assessors through the same process used in the U.S.
    • Participate in assessments of both foreign and U.S.-based contractors.

    However, the process and requirements are the same — including assessments conducted in English and passing the same Foreign Ownership, Control, or Influence (FOCI) screens required of U.S. firms. 
     
    As an illustration, Matt further explained: 
     
    “There’s nothing precluding a company in Italy from becoming a C3PAO. You could have an Italian C3PAO that would be eligible to not only conduct Level 2 certification assessments for Italian companies within the DIB, but they could ostensibly do it for US companies. It’s a free trade zone in CMMC.” 

    What About Clearances for Foreign Assessors? 

     The U.S. does maintain bilateral security clearance agreements with a classified list of countries. According to Gillooley, when a non-U.S. citizen from one of those countries applies to be a CMMC assessor, the DoD can verify their clearance through official channels: 

     “I can reach out to my counterpart in those countries and get that person cleared or check that they have a clearance in their home country. And that satisfies the Tier 3 requirement based off of the bilateral security agreement.” 

     This only applies to assessors, not to companies hoping to bypass CMMC entirely. 

    The DoD CIO’s CMMC FAQ Says the Same Thing: No Reciprocity 

    The official DoD FAQ reinforces this policy: 

    “Foreign partners need not establish unique assessment, training, or a non-U.S.-based CMMC program… Non-U.S. companies may then choose to use either an approved U.S.-based or foreign-based C3PAO to assess them.”

    In other words, foreign companies can use the existing CMMC framework, and they must comply fully, just like U.S. contractors. 

    Bottom Line: CMMC is an Operational Reality Both Here and Abroad 

    “You've had these requirements since 2017. CMMC is an operational reality…The DOD keeps saying it. It's not going away. This administration is not going to kill it,” said Gillooley. “So be prepared, implement NIST SP 800-171 and get your assessments as soon as possible. And don't count on a self-assessment.”  

    CMMC is not just for U.S.-based contractors; it also applies to international DoD contractors. There is no exemption based on national equivalency, no streamlined recognition for allies, and no alternative compliance pathway. 

    If your company handles CUI for the U.S. Department of Defense, you are required to meet CMMC requirements no matter where you're headquartered.  
     
    If you need help navigating the complexities of CMMC as an international company, reach out to us below.  


    Summit 7 Leadership

    Author