Hello, I would appreciate some help on the following.
Background:
My company, along with 6 of our subsidiaries, is working on becoming ITAR compliant and is in the process of implementing GCC High.
- We are planning to create just one GCC High tenant with separate domains for ourselves along with our subsidiaries.
- We (my company and the 6 subsidiaries) have individual CAGE Codes
- My company as well as our subsidiaries are all located in the US, however in different states.
- We do not plan on storing any CUI, FDI, or CDI on site. (No papers, nor servers)
My understanding:
My research so far indicates that as long as the business processes as well as the system environment around CUI, FDI, and CDI is identical between ourselves, we can create a joint SSP and submit our joint self-assessment score under our (parent company) CAGE Code while including our subsidiaries' CAGE Codes in the details of the assessment. (Sources: KLC Consulting, SPRS NIST SP 800-171 Entry Tutorial)
Questions:
- Is my understanding correct?
- (Can the subsidiaries be grouped together and have a joint SPRS score so long as the business process and system environment is the same?)
- Aside from the business processes and environment being the same, are there any other items we must take into consideration in order to submit a joint SPRS score?
Thank you!