The US Dept. of War has announced that, effective immediately, third-party certification to CMMC is suspended, pending a 60-day review. The signals telegraphed by the Office of the Chief Information Officer (CIO) hint that this may likely lead to a permanent cancellation of the CMMC third-party certification program.

Compliance with NIST 800 and other cybersecurity requirements will still be required, and this development only relates to third-party CMMC Level 2 certifications which were to be performed by CMMC C3PAOs and accredited by the Cyber AB. This will return the defense industrial base to self-attestation, the very thing that CMMC argued was not working.

The CMMC scheme has been repeatedly called a “grift,” created by Trump appointee Katie Arrington and then managed by Stacy Bostjanick. The scheme was rife with scandal and controversy from the beginning, as Arrington used her position in the DoD to mandate the creation of a private company — which later became the Cyber AB — and then used procurement rule tricks to create a law that mandated all defense companies buy the services of that company. The Cyber AB was immediately led by Arrington’s former boss and personal friend, Ty Schieber.

Schieber lied on the CAGE code application for the Cyber AB, claiming it was already a 501(c)(3) not-for-profit organization when it would not obtain that status until many years later. Arrington personally interceded to block complaints made to the DOD Inspector General’s office and Defense Logistics Agency which called for an investigation into the false claims made by Scheiber, which come with felony criminal charges.

From that point on, the scheme has been rife with conflicts of interest, fraud, and scandal. Both Arrington and Bostjanick later left the Federal government to work for companies selling the CMMC program that they created.

Since 2019, Oxebridge worked to reform and, eventually, cancel the CMMC program. It filed white papers, complaints, DODIG whistleblower reports, and articles outlining the fraud and grift surrounding the program. The company’s white papers provided step-by-step plans for reforming both the CMMC auditing practices and the Cyber AB’s conflicted structure. Some of the Cyber AB’s original Board members, including Schieber, were eventually ousted based on Oxebridge’s reporting.

Oxebridge provided reports to the House Armed Services Committee and Senate Armed Services Committee, resulting in a GAO audit of the program. Oxebridge urged the GAO to cancel the program at that time, but instead it recommended a “reboot” which resulted in CMMC 2.0.

An estimate of costs related to CMMC preparation for third-party certification, along with the costs of C3PAO audits, is just under $5 billion to date. If the DoD goes through with its cancellation, that money will be entirely lost. There does not appear to be any way that victims will be able to sue to recoup that money.

Oxebridge is concerned over possible suicides related to the development. Many individuals used their savings, mortgaged their homes, and left jobs to pursue a career as a CMMC assessor, fueled by false promises repeatedly made by Arrington and her followers. Those individuals may not be left with nothing and no way to get back the money they spent. Oxebridge urges victims to use the US Suicide Prevention and Crisis hotline by calling or text 988.

Oxebridge is working with third party organizations to create an “off-ramp” program to help such individuals find new work in related cybersecurity fields, or transition to the more stable ISO 27001 certification scheme.

The DoD’s move has been called a massive “rug pull” on the CMMC subreddit, where victims are sharing their stories of lost investments.

There is no immediate plan on what will be done for companies that spent hundreds of thousands of dollars to obtain third-party certification.

The full Dept. of War announcement may be read here.

Advertisements

ISO 17000 Series Consulting