The US Dept. of Defense Inspector General’s office announced that it intends to conduct an audit of the DoD’s CMMC program imminently. The scope of the DODIG audit is to be “the DoD’s Process for Accrediting Third-Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments,” according to a September 21 public memo.

The memo targets DoD offices, specifically that of the Chief Information Officer, John Sherman, as well as the Undersecretary of Defense for Acquisition and Sustainment, currently overseen by Dr. William LaPlante. It also will include the DCMA.

It is not clear what triggered the audit, but the DODIG’s office has been kept abreast of probes into the CMMC scheme and problems surrounding the sole source contract awarded to The Cyber AB, formerly the CMMC Accreditation Body. Oxebridge has provided white papers and written testimony to various government offices and agencies, including the House Armed Services Committee, DCMA, DLA, and the DODIG itself. The audit does not appear to be a routine step in the process of finalizing CMMC.

Of interest is the fact that the audit is not aimed solely at determining the potential value of CMMC 2.0 itself but, as the memo reads, at how the DoD is managing the accreditation of CMMC C3PAOs, the certification bodies it intends to unleash to award CMMC ratings. This, then, suggests the focus will be on the DoD’s selection and management of The Cyber AB. That body, however, will not be audited by the DODIG, since it is a private organization.

Previously, the DODIG was alerted to concerns that the DoD’s office for Acquisition and Sustainment, under former leader Katie Arrington, awarded the Cyber AB its sole-source contract while ignoring conflicts of interest and potential felony breaches of law. The Cyber AB at the time falsely asserted it was a not-for-profit organization in order to gain a CAGE code, which it later used to obtain the sole-source contract. Falsification of CAGE code “certs and reps” documentation is a felony, but Arrington’s office — and, since then, that of Sherman — have refused to investigate.

The resulting AB was then led by Arrington’s friend and former business associate Ty Schieber, but — again — her office refused to investigate. Schieber was later thrown out when he attempted to create a “Diamond” program for donors which gave the appearance of a pay-to-play scheme.

Protected by Arrington and Sherman, the Cyber AB has gone on to amass millions of dollars in revenue through the sale of dubious “badges” given to persons and organizations, despite its sole purpose being to accredit C3PAOs. To date, it has not accredited a single body.

Oxebridge also argues that the Cyber AB is in direct violation of major portions of its sole-source contract with DoD, specifically as it pertains to spinning off its credentialing body, CAICO, and obtaining ISO 17011 accreditation.

Of concern as well is the fact that the DoD contract requires the Cyber AB to undergo ISO 17011 audits by a group called IAAC, which is a Mexican organization. The IAAC is itself a regional body for a higher organization, the IAF, which counts Italy and China as major players with ultimate authority. Oxebridge had previously alerted the DODIG that this essentially grants the final authority over all CMMC-related matters to foreign actors, including nations that the CMMC program is supposed to protect the US from.

CMMC is not expected to be approved by Congress unless the DoD removes the requirements for foreign actor oversight.

Prior filings by Oxebridge contributed to a decision to launch a GAO audit of the CMMC program in 2021, which called on the DoD to make changes. Those changes resulted in CMMC 2.0, but the DoD has refused to rein in Cyber AB conflicts of interest or to probe the body for potential violations of law.

Arrington had falsely claimed that CMMC certifications could begin as early as 2019 or 2020. To date, no accredited CMMC certificate or rating has been issued, as there are still no fully-accredited bodies or auditors.

The DODIG memo gives the DoD five days to arrange personnel to support the audit, which is expected to commence within the next week or two.

The full memo may be read here (PDF).

Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.