The Chinese ISO certification body Beijing Zhongshiu Brilliant Certification (ZSBC) has begun marketing certification services for the US Dept. of Defense’s nascent “CMMC” cybersecurity program. The DoD has insisted that CMMC was created to protect the US Defense Industrial Base (DIB) from Chinese hackers, but has not taken steps to prevent Chinese bodies from actually offering the services.

In a post on China’s Xiaohongshu social media platform, ZSBC listed a host of ISO certifications it offered and closed with a reference to the DoD’s CMMC program.

ZSBC is accredited in China by the China National Accreditation Service (CNAS), an official IAF member.

The risk that any CMMC certificates issued by China will be recognized as valid is low, but not zero. Under the ISO 9001 scheme, it is estimated that thousands of fake, unaccredited ISO 9001 certificates have been submitted in defense contract tenders, with the government then awarding contracts to the companies without ever verifying the veracity of the certificates.

Under the CMMC scheme, official certificates are supposed to be uploaded to eMASS and then validated by the Cyber AB, and the Cyber AB is supposed to verify that no CMMC certification body is owned by non-US persons. However, loopholes remain for Chinese — and other foreign — actors to exploit. For example, a Chinese company only needs to set up a US office using an American representative, and then operate out of a virtual mailbox or virtual office.

Ironically, the Cyber AB would be under financial pressure to avoid digging too deep into Chinese influence in the scheme. The DoD’s contract with the AB requires it to become ISO 17011 accredited by the IAF regional body, Inter-American Accreditation Cooperation (IAAC). That organization is a Mexican body, meaning that complaints and appeals for the CMMC scheme will be subject to final adjudication by non-US persons and foreign actors. China is an influential member of IAF. As an IAF member, China could attend IAAC audits of the Cyber AB itself, and the AB would not be allowed to refuse.

This page from the official CNAS website shows its influence over the IAF, with articles in English.
