My company has been reached out to by several of our clients regarding if we can perform CMMC penetration testing for them in the future, now that official documents and guidelines have been released.

If I’m being honest, my company is highly technical offsec professionals from the ground up, and policy like this just isn’t in our wheelhouse. The only reason I’m researching this is because they are long term clients, and we’d like to help them out, or even use pentesting already performed to meet the requirements.

From what I see, in table one of the document I’m looking at, Level 3 requires penetration testing at least annually.

My main question is, does my company need any certifications to perform this testing? Also, do the testers performing this testing need to be USA-based? We have some international testers.

Sorry if these are basic questions. As I mentioned, this isn’t our forté. Thanks in advance.