Can subsidiaries with different CAGE Codes share a SPRS Score?

old.reddit.com / @/u/AConsulting1, https://old.reddit.com/user/AConsulting1

Hello, I would appreciate some help on the following.

Background:
My company along with 6 of our subsidiaries are working on becoming ITAR compliant and is in the process of implementing GCC High.

  • We are planning to create just one GCC High tenant with separate domains for ourselves along with our subsidiaries.
  • We (my company and the 6 subsidiaries) have individual CAGE Codes
  • My company as well as our subsidiaries are all located in the US, however in different states.
  • We do not plan on storing any CUI, FDI, or CDI on site. (No papers, nor servers)

My understanding:
My research so far indicates that as long as the business processes as well as the system environment around CUI, FDI, and CDI is identical between ourselves, we can create a joint SSP and submit our joint self-assessment score under our (parent company) CAGE Code while including our subsidiaries' CAGE Codes in the details of the assessment. (Sources: KLC Consulting, SPRS NIST SP 800-171 Entry Tutorial)

Questions:

  • Is my understanding correct?
    • (Can the subsidiaries be grouped together and have a join SPRS score so long as the business process and system environment is the same?)
  • Aside from the business processes and environment being the same, are there any other items we must take into consideration in order to submit a joint SPRS score?

Thank you!

submitted by /u/AConsulting1
[link] [comments]

published about 1 month ago


Previous

CCP training reviews
published about 1 month ago

Next

Background Check for certification
published about 1 month ago
See all items from the same source