How CMMC Is Impacting Defense Contractors Across the Globe
The Department of Defense’s Cybersecurity Maturity Model Certification 2.0 program—dubbed CMMC 2.0—is the Pentagon’s biggest effort to improve cybersecurity and better protect department information in decades. The program provides DOD with improved confidence that GovCons and subcontractors are meeting the requirements for processing controlled unclassified information, or CUI. It’s also a requirement for bidding on contracts.
CMMC 2.0 doesn’t just impact U.S. GovCons, its ramifications extend to contractors beyond U.S. shores. Time is also running out for international GovCons to get compliant as CMMC 2.0 officially takes effect November 10.
But international contractors are in luck: Potomac Officers Club sat down for an exclusive interview with Rich Zaremba, SAP NS2’s chief customer officer, to discuss the international implications of CMMC and the critical questions international GovCons are asking. Watch the full video below.
Get the latest on the international requirements in CMMC 2.0 at the Potomac Officers Club’s 2025 GovCon International and Global Defense Summit on Oct. 16! Hear directly from leading DOD and industry experts at the “Partner to Win: Designing Secure, Interoperable IT for Coalition Space Operations” panel discussion. Strike up collaborations with other GovCon titans and snag that big contract. Sign up today and boost your international revenues in FY 2026!
What Are International GovCons Asking About CMMC 2.0?
SAP NS2 is seeing many international partners with U.S. subsidiaries trying to figure out these CMMC 2.0 regulations. Zaremba said SAP NS2 is helping customers determine where their controlled and classified data is stored, how they secure it and how to run systems like enterprise resource planning software that have both CUI and classified information.
“In the U.S., we have our own enclaves that meet all the security and compliance requirements. This way they can meet those [CMMC Third-Party Assessor Organization, or CP3AO] security audits that are required to be CMMC 2.0-certified.”
CMMC 2.0’s Unique Requirements
SAP NS2 is also educating international GovCons on the unique requirements of CMMC 2.0, what they need to look for in their contracting and on their cloud addendums. Zaremba said SAP NS2 can speak the language they need to help them understand CMMC 2.0.
“Our subset of general terms and conditions from greater SAP has all the specific language for them to go point to their C3PAO and to their legal and compliance officers to show that, if I do a contract with SAP NS2, here’s the [general terms and conditions] and here are the cloud addendums,” Zaremba said. “This ensures [they] are putting their data in a place that meets all the requirements to house and hold controlled and classified information, which then helps the global contracting process.”
It’s important for international companies to be CMMC 2.0-certified for the same reason as U.S. companies—without it, they won’t be able to do business with DOD. Zaremba said both U.S. and international GovCons will need a clause that requires contractors to prove that they have CMMC 2.0 certification.
Are you a GovCon technology professional with an international portfolio? Then the Potomac Officers Club’s 2025 GovCon International and Global Defense Summit on Oct. 16 is a can’t-miss event! Discover new business opportunities at the “Partner to Win: Designing Secure, Interoperable IT for Coalition Space Operations” panel discussion. Check out the latest offerings from leading sponsors including SAIC, Exiger and Vantor. Secure your seat today for this event specifically designed for GovCon executives!
SAP NS2’s Special CMMC 2.0 Expertise
Furthermore, international GovCons will have to decide on its priorities for ERP: will it host its financial, logistics and manufacturing information in a single global environment where all the compliance is met? Or, Zaremba said, will they isolate the environments and network and have the international subsidiary live separate from its global environment? Zaremba said whichever international GovCons choose, SAP NS2’s contracting language supports that enablement.
SAP NS2 is in a unique position for CMMC 2.0 certification because it hosts CUI data as a cloud service provider and it has been through the CMMC 2.0 process as a defense contractor. Zaremba said this is an invaluable resource for an international GovCon looking to go through the CMMC 2.0 process.
Zaremba said international companies who come to SAP NS2 for CMMC 2.0 certification can expect these types of questions:
- Do you have a missed 853?
- How do you store your data?
- What was your challenge with the contract?
- Did that not come into scope for you?
“Having that interaction every day, or when you’re on that [CMMC 2.0] journey provides a benefit,” he said. “It absolutely brings a return on investment when you’re selecting a vendor to house your controlled and classified data to really know your heartbeat of your organization is your ERP.”
Watch the full interview with Zaremba on YouTube and be sure to subscribe to Executive Mosaic’s channel for a steady stream of relevant, thought-provoking GovCon content.
Category: Articles
