Quick Answer: If your offshore BPO handles Controlled Unclassified Information (CUI) on behalf of a US defense contractor, it enters your CMMC compliance boundary as a third-party service provider. You must verify the provider’s NIST SP 800-171 posture, access controls, and assessment path before signing – not after. Most offshore support functions do not involve CUI, but the determination requires a documented data-flow assessment, not assumptions.

At a Glance:

  • Who CMMC 2.0 applies to and when offshore BPOs enter the compliance boundary
  • Five due-diligence checks before selecting a CMMC-adjacent offshore provider
  • The questions to ask every BPO shortlist candidate
  • The pragmatic path forward depending on whether CUI is in scope

CMMC 2.0 compliance applies to any organisation in the US Department of Defense supply chain that handles Controlled Unclassified Information (CUI). If that organisation outsources customer service functions and CUI flows through those interactions – account queries, support tickets, system access – the offshore BPO becomes part of the compliance boundary. Most buyers haven’t considered this scenario during procurement. This piece is for US operations and compliance leads who are evaluating offshore support and want to understand the CMMC implications before committing to a provider.

This article does not constitute legal advice. Readers should consult qualified legal counsel for compliance decisions specific to their contracts and data environment.


What Is CMMC 2.0 and Does It Apply to Your Offshore Support Function?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework applies to US Department of Defense contractors and subcontractors at different maturity levels, based on the sensitivity of data they handle. Level 1 (Foundational) applies to any business that handles Federal Contract Information (FCI). Level 2 (Advanced) applies to organisations handling CUI, requiring compliance with all 110 security practices in NIST SP 800-171. Level 3 applies to the most sensitive national security programmes and is not typical scope for customer service outsourcing scenarios.

Not all US businesses fall under CMMC requirements. The framework specifically targets the Defense Industrial Base (DIB) – companies that participate in DoD contracts as primes or subcontractors. For those organisations that are in scope, however, the compliance boundary extends beyond internal systems to include any third-party service provider (TPSP) that processes, stores, or transmits covered information. This is where offshore customer service enters the picture.

Organisations in other regulated industries – financial services, insurance, and healthcare – face similar third-party compliance requirements when outsourcing. See our banking and financial services BPO guide for a parallel framework.


When Does an Offshore BPO Become Part of Your CMMC Compliance Perimeter?

An offshore BPO enters your CMMC compliance perimeter the moment its agents access, process, or transmit CUI – regardless of where those agents are located. The threshold isn’t geography; it’s data contact. If support agents can see contract data, procurement records, or any information classified as CUI within your systems, the BPO is in scope as a third-party service provider under DFARS 252.204-7012 and CMMC Level 2 requirements.

Concrete examples include: support agents with access to a CRM platform that holds CUI; agents handling support tickets that reference contract or procurement data; or agents processing account queries on behalf of a DoD-contractor entity. In these scenarios, the BPO isn’t simply a vendor – it’s an extension of your compliance perimeter.

If the support function is entirely public-facing – FAQ responses, general product support with no access to contract data or controlled systems – it’s less likely to trigger CMMC obligations. But “less likely” isn’t a compliance strategy. The buyer’s CMMC assessor or legal counsel must make this determination based on a documented data-flow assessment, not assumptions about what agents “probably won’t see.”

The risk isn’t theoretical. During a CMMC assessment, auditors will request your System Security Plan (SSP), which must document all systems where CUI resides and all personnel – internal or external – with access. If offshore support agents have access to in-scope systems and that relationship isn’t documented and controlled according to NIST SP 800-171 requirements, the gap becomes a finding. Findings can delay certification or disqualify you from contract awards.


What Should You Verify Before Selecting an Offshore BPO for a CMMC-Adjacent Function?

Before selecting an offshore provider for any support function, US buyers in the defense supply chain should complete five documented due-diligence steps. Skipping any one of them can create an undocumented gap in your SSP – and gaps are findings.

1. Data flow mapping

Document where CUI exists in your support workflow before issuing an RFP. Map every system, database, and communication channel that support agents will touch. If CUI genuinely does not enter the support function, document that explicitly in your SSP. If it does, you’ve just defined your compliance requirement.

2. Third-party assessment requirements

CMMC Level 2 requires assessment by a Certified Third-Party Assessment Organization (C3PAO). If a BPO is in scope as a TPSP, they must either hold their own CMMC certification at the appropriate level or operate under your organisation’s assessment boundary with documented controls. A provider without an assessment path puts your compliance at risk.

3. Access control architecture

Under NIST SP 800-171, offshore agents must only have access to the minimum data required to perform their function – the principle of least privilege. Role-based access controls (RBAC), multi-factor authentication (MFA), and audit logging are required. You’ll need to verify that the BPO’s identity and access management (IAM) infrastructure can enforce and document these controls, not just describe them in policy.

4. Physical security and data residency

Where is data stored? Who has physical access to facilities where agents work? What happens in the event of a security incident? CMMC assessors will ask these questions about your TPSPs. If the BPO can’t answer them with documentation, that’s a disqualifying gap – not a negotiation point.

5. Foreign national access controls

This is the most sensitive area. DoD regulations – particularly under the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) – may restrict CUI access by foreign nationals depending on the specific contract. This isn’t a blanket prohibition on offshoring. It is a specific legal question that requires counsel review before you move forward.
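
The data-flow mapping in step 1 and the least-privilege check in step 3 can be reduced to a mechanical test over a documented inventory. The following Python script is an added example, not code from the article or from Afrishore; the systems, field names and roles in it are constructed placeholders, and it also shows how trimming grants to need can take a role back out of the boundary.

```python
# Added example (not the article's or Afrishore's code): a scoping check that
# decides from a documented data-flow map, rather than from assumptions, whether
# an outsourced support role touches CUI, and which grants exceed least privilege.

# Constructed inventory: the CUI-bearing fields in each system agents may touch.
CUI_FIELDS = {
    "crm": {"contract_number", "procurement_notes"},
    "ticketing": {"dfars_attachment"},
    "kb": set(),  # public knowledge base holds no CUI
}

# Constructed role definitions: what each role is granted, and what its tasks need.
ROLES = {
    "offshore_tier1": {
        "granted": {"crm": {"account_name", "plan_tier", "contract_number"},
                    "kb": {"article_body"}},
        "needed": {"crm": {"account_name", "plan_tier"}, "kb": {"article_body"}},
    },
    "us_contracts_desk": {
        "granted": {"crm": {"account_name", "contract_number", "procurement_notes"},
                    "ticketing": {"subject", "dfars_attachment"}},
        "needed": {"crm": {"account_name", "contract_number", "procurement_notes"},
                   "ticketing": {"subject", "dfars_attachment"}},
    },
}

def cui_exposure(granted):
    """Map system -> CUI fields a grant set can read. Empty dict means no CUI contact."""
    exposure = {}
    for system, fields in granted.items():
        hit = fields & CUI_FIELDS.get(system, set())
        if hit:
            exposure[system] = hit
    return exposure

def in_cmmc_boundary(role):
    """A role is in scope the moment any of its grants reaches a CUI field."""
    return bool(cui_exposure(ROLES[role]["granted"]))

def excess_grants(role):
    """Least-privilege gaps: fields granted beyond what the role's tasks need."""
    spec = ROLES[role]
    gaps = {}
    for system, fields in spec["granted"].items():
        extra = fields - spec["needed"].get(system, set())
        if extra:
            gaps[system] = extra
    return gaps

def restructured_grants(role):
    """Trim grants to documented need so the result can be re-checked for scope."""
    spec = ROLES[role]
    return {s: f & spec["needed"].get(s, set()) for s, f in spec["granted"].items()}

if __name__ == "__main__":
    for role in ROLES:
        print(role, "in boundary:", in_cmmc_boundary(role), "excess:", excess_grants(role))
```

Running it shows the offshore tier-1 role is in scope only because of one excess CRM field; after `restructured_grants` the same role has no CUI exposure, which is the documented outcome the SSP needs.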

For a parallel compliance model covering data-residency, access-control, and third-party due-diligence requirements in financial services outsourcing, see our banking and financial services BPO overview.


What Questions Should You Ask Every Offshore BPO Provider About CMMC Readiness?

When evaluating offshore providers, ask these questions early in the due-diligence process – not after shortlisting. A provider who can’t answer clearly either hasn’t worked with regulated US clients before or hasn’t invested in the infrastructure to do so safely.

  • Do you have a CMMC assessment or a current NIST SP 800-171 self-assessment – for example, a completed System Security Plan – on file?
  • What access controls govern agent access to client systems, and can you provide documentation of your IAM policies?
  • How do you manage foreign national access to US client data, particularly data that may fall under ITAR or EAR restrictions?
  • What is your incident response protocol for a security event involving a US client, and does it align with DFARS 252.204-7012 breach-notification requirements (72-hour reporting window)?
  • Do you have an existing relationship with a C3PAO or CMMC consultant who can support joint assessments?

These aren’t “nice to have” questions – they’re table stakes. The answers, and the documentation behind them, determine whether the provider can even be considered for a CMMC-adjacent engagement.


What Is the Practical Path Forward: Restructure the Function or Find a CMMC-Ready Provider?

Most offshore customer service functions do not involve CUI at all. The first step is a clean data-flow assessment, not an assumption that offshoring is prohibited. If your support function handles general product questions, billing inquiries for commercial accounts, or tier-1 troubleshooting with no access to contract data or defense-related systems, you’re likely outside the CMMC boundary. Document that conclusion with your legal and compliance team, then proceed under a standard data-processing agreement with appropriate access controls.

If CUI is in scope, you have two paths. The first is restructuring the function to remove CUI from the outsourced workflow – for example, by having US-based personnel handle all CUI-adjacent tickets while offshore agents handle the non-CUI volume. The second is working with a provider who can demonstrate CMMC-readiness under legal and assessor guidance.

The second path is more complex, but it’s not impossible. It requires a provider with mature security infrastructure, documented System Security Plans, experience working within US regulatory frameworks, and a willingness to undergo third-party assessment. Fewer offshore providers have invested in this infrastructure than the market implies – which makes pre-qualification due diligence non-negotiable, not optional.

For buyers evaluating offshore support options, Afrishore’s business process outsourcing services overview covers the due-diligence and compliance questions we address with regulated US clients. The key is starting the conversation early, before assumptions about data flows become contract commitments.


Frequently Asked Questions

Does CMMC 2.0 apply to all offshore BPO providers?

No. CMMC requirements apply specifically to organisations in the US Defense Industrial Base (DIB) that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Offshore BPOs only enter the compliance boundary if they process, store, or transmit covered data as a third-party service provider. A BPO handling only public-facing or general product support with no access to CUI is unlikely to be in scope, but that determination must be documented in a formal data-flow assessment. Organisations in other regulated sectors – financial services, insurance, healthcare – face similar third-party oversight requirements; see our banking and financial services BPO overview for a parallel framework.

What is the difference between CMMC Level 1 and Level 2 for outsourcing decisions?

Level 1 (Foundational) applies to contractors handling Federal Contract Information and covers 17 basic cybersecurity practices. Level 2 (Advanced) applies to organisations handling CUI and requires compliance with all 110 security practices in NIST SP 800-171. If your offshore support function involves CUI, Level 2 is the relevant standard. Your offshore provider must either hold their own CMMC certification or operate within your assessment boundary with documented controls.

Can a non-US BPO provider become CMMC certified?

CMMC certification is not geographically restricted. Non-US organisations can pursue certification through a Certified Third-Party Assessment Organization (C3PAO). However, the process involves significant infrastructure investment: documented System Security Plans, access control architecture, and incident response protocols. Buyers should ask any offshore provider whether they have an active assessment path with a C3PAO before shortlisting them for CMMC-adjacent work.

What is the principle of least privilege in a BPO context?

Under NIST SP 800-171, the principle of least privilege requires that each user – including offshore support agents – only has access to the minimum data and systems necessary for their specific function. In practice, this means role-based access controls (RBAC) that restrict agent access to the precise CRM fields, ticket categories, or data sets their role requires. Buyers should verify that the BPO’s IAM infrastructure can enforce and document these controls, not just describe them in policy.

What happens if an offshore BPO is found out of scope during a CMMC assessment?

If a CMMC assessment finds that an offshore BPO handles CUI without documented controls – and that relationship isn’t captured in your System Security Plan – it becomes an audit finding. Findings can delay CMMC certification, result in remediation requirements, or in serious cases disqualify you from DoD contract awards. The risk is compounded by DFARS clause 252.204-7012, which requires contractors to report cyber incidents affecting covered defense information within 72 hours.

Is South Africa an acceptable jurisdiction for CMMC-adjacent outsourcing?

CMMC compliance is determined by the provider’s security posture and assessment status, not their geographic location. South Africa is not subject to US export control restrictions that apply to adversarial nations and is not on ITAR prohibited-country lists. The critical questions are whether the provider has invested in the access control infrastructure, system documentation, and assessment pathway that CMMC requires – not where they are located. Organisations should engage qualified legal counsel for jurisdiction-specific analysis before making a compliance determination. For an overview of South Africa’s infrastructure, regulatory environment, and operational scale in the global outsourcing market, see BPO in South Africa.


Where to Find the Standards Referenced in This Article

This article is intended for educational purposes and does not constitute legal advice. Organizations subject to CMMC requirements should consult with qualified legal counsel and Certified Third-Party Assessment Organizations (C3PAOs) before making outsourcing decisions.

Primary sources:

  1. CMMC 2.0 Assessment Guide (DoD) – Official Level 2 assessment criteria
  2. NIST SP 800-171 Rev. 2 – 110 security requirements for CUI protection
  3. DFARS 252.204-7012 – Safeguarding covered defense information and cyber incident reporting requirements