I wrote recently that the US Dept. of Defense will require all CMMC Third Party Assessment Organizations (C3PAOs) to obtain ISO 17020 accreditation. As with anything CMMC-related, that’s where any clarity ends and the thick fog of confusion rolls in.
Keep in mind, there’s no official place this DOD ruling is yet codified. Presumably, it will appear in the no-bid contract the DOD awarded to the CMMC-AB, but that wouldn’t be an official regulation of any sort. There’s also a growing theory that the contract will be thrown out entirely (I’ll discuss that in a future article), making anything that contract says moot anyway.
(Meanwhile, the DOD and CMMC-AB are refusing to release the contract for public review — an act which itself may be illegal, by the way — prompting journalists to demand it under the Freedom of Information Act. The CMMC-AB issued a bizarre statement on LinkedIn trying to toss the DOD under the bus (they really are great “partners,” aren’t they?), saying the DOD is processing the FOIA:
Guess what? Either party could release it right now and stop this silliness.
Ignoring that — we can assume at some point the DOD will issue something that formally declares the ISO 17020 requirement — we have two new problems that the CMMC-AB has not addressed: who will accredit the C3PAOs, and what will be the scope of that accreditation.
Who You Gonna Call?
ISO 17020 accreditation must be granted by a formal “accreditation body.” Right now, that includes companies like ANAB, A2LA, UKAS and others. The company CyberPros from Frederick MD took steps to prepare itself by getting ISO 17020 accredited by A2LA, for example.
The problem is that these bodies are all signatory members of the International Accreditation Forum (IAF) scheme, currently overseen by China. The IAF scheme was intended to ensure oversight of the accreditation bodies themselves, but was developed for private industry, and not anything related to national defense. It was originally run, largely, by the US, but within the last ten years, China stepped in to take over the IAF and has injected tremendous corruption into it. That may be bad for private, commercial industry, but it’s a national nightmare for anyone operating in the cybersecurity world. In a practical sense, it means IAF “peers” will conduct oversight audits of the bodies like A2LA or ANAB, and can gain access to confidential company information in the process. Do we really want China looking at CMMC audit results which will include “nonconformities” detailing a DIB company’s weaknesses?
But it always made sense that the CMMC-AB would become an accreditation body itself (it’s in their name, after all). I then provided them guidance on how they can do this outside of the IAF scheme, so that China wasn’t poking around the audit records of DIB companies. But this ran afoul of CMMC-AB’s “master plan” to certify every goddamn thing on the planet so they could rake in money from every direction. Like idiots, the CMMC-AB pursued a model where they would be locking themselves into doing grunt work (certifying people, providing training, etc.) rather than the more elegant — and infinitely more profitable — model whereby they license and accredit other people to do it for them. This decision, prompted by greedy narcissists, has led them to pursue increasing their staff and resources, and to spend more money than they needed to while delaying the rollout of critical things they should have been doing. They also could have avoided the inevitable breakup they are facing, when they are forced to confront the fact that accreditation bodies are prohibited from certifying people.
BTW, the Dept. of Defense buried news about the breakup of the CMMC-AB on its updated FAQ page, where it now declares that personnel certification will be performed by a new group called “CAICO,” this forcing the CMMC-AB to divest its training programs:
But because the CMMC-AB prioritized generating pennies now, rather than dollars later, they rolled this entire CMMC scheme out in a botched sequence. Rather than putting the cart before the horse, they first rolled out the cart, then tied a pickle jar to it, wired it up to a potato battery, and then told the horses they could all run free in a downtown liquor store.
What should this have looked like? For our Q001 accreditation scheme, we did the following, in the following sequence:
- Developed & published the standard.
- Developed & published the audit scoring model.
- Developed & published the rules for conducting Q001 audits, including scoring.
- Developed & published the accreditation rules for certification bodies.
- Developed & published all the applicable accreditation body rules.
- Made a bunch of cool logos.
The CMMC-AB has prioritized the “cool logos” step, and skipped or ignored the rest. It’s a debacle. They still have no idea what a CMMC appraisal will look like, but have minted a host of consultants, auditors and others despite this glaring mistake.
Worse, the DOD and CMMC-AB have insisted — as of last month, mind you — that CMMC appraisals would begin for the 15 pilot clients as early as January 2021. You read that right: that’s this very month, as you read this. Clearly, the infrastructure isn’t in place, but they are claiming it will launch in mere hours. (It won’t, but whatever.)
So if a C3PAO cannot issue CMMC ratings until after they are ISO 17020 accredited, who will accredit them?
Some C3PAOs went ahead and obtained ISO 17020 accreditation from third parties like ANAB and A2LA. Makes sense.
But a recent CMMC-AB Town Hall event included this slide, which appears to suggest that not only will the CMMC-AB become an official ISO 17020 accreditation body, but that only ISO 17020 accreditation issued by the CMMC-AB itself would be recognized:
Worse, the CMMC-AB has set the ridiculous timeline for this to occur in “27 months” — that puts their rollout of ISO 17020 for C3PAOs out to March of 2023. But remember, they are supposed to be starting CMMC appraisals right now. If so, that would mean that for the next two years, the CMMC-AB will be allowing C3PAOs to issue CMMC ratings while not complying with ISO 17020. That will put any CMMC certificate issued in the next two years under a cloud of suspicion because they will not have been issued under any recognized rules governing conflicts of interest, impartiality or confidentiality.
In short, the first CMMC certifications will be junk certifications, indicative of nothing. So to you DIB companies readying up your press release machines to declare yourselves “the first!“, you’re on notice. You’re not going to want to brag about it.
Any ISO 17020 accreditation scope contains two parts: what are you inspecting clients to, and what type of inspections you are conducting.
For the “what,” it’s fairly easy: C3PAOs will be inspecting against CMMC requirements, in order to generate a CMMC maturity level. But there’s more to it. In order to get accredited under ISO 17020 for performing CMMC inspections, the rules for how to conduct CMMC inspections have to be published. Once they are published, the accreditation body (whether ANAB, A2LA or the CMMC-AB itself) will audit the C3PAO to them, in order to issue accreditation.
But the CMMC-AB hasn’t published these rules, and has no timeline on when it might do so. It’s not even talking about this.
I am not referring to the CMMC Assessment Guide published by Carnegie Mellon, either. Those are not hard and fast accreditation rules, they are “guidance” only. Instead, I am referring to the CMMC-AB developing and publishing official rules that it will then audit C3PAOs to, such as:
- Minimum audit duration
- Audit team composition
- Rules for assigning technical experts
- Rules for witness audits (by CMMC-AB itself)
- Technical resource requirements for C3PAOs (IT, etc.)
- hiring and training requirements for C3PAO auditors
Without those rules finished, published and accepted, no one can ever accredit any CMMC C3PAO for ISO 17020, period.
What companies like CyberPros did, then, was to undergo ISO 17020 accreditation for NIST 800-171 instead. Which is great — and CyberPros deserves mad props for pushing ahead despite the chaos — but it won’t cut it in the end. Instead, they will have to undergo a special “scope extension” audit to add accreditation for CMMC inspections, but only after the CMMC-AB procedures are released.
Say it again: being accredited for NIST 800 or FedRAMP or some other thing will not mean you are accredited to conduct CMMC appraisals.
Fight For Your Right to Third-Party
The second part of the scope question is related to what type of inspections would be conducted by the C3PAOs, as this also affects the scope of their ISO 17020 accreditation.
The ISO 17020 standard includes three options:
- Type A: where the C3PAO performs wholly third-party audits, and is unrelated at all to the DIB company being assessed, and where a certificate is issued at the end.
- Type B: where the C3PAO performs first-party or second-party audits, but where it is independent of the functions being assessed.
- Type C: where the C3PAO performs first-party or second-party audits, but where it is dependent of the functions being assessed.
For those following along at home:
First-Party Inspection: This is an inspection conducted by a company of itself, for internal use only. This could be contracted to a third party, but doing so does not make them third-party inspections. No certificate is issued. For Type B inspections, the internal function doing the inspection would be wholly independent of the function being inspected (say, different divisions or plants.) For Type C inspections, the internal function is somehow controlled or beholden to the function being inspected, so has the greatest risk of conflicts of interest.
Second-Party Inspection: This is an inspection of a company’s supplier, conducted by the company. It is generally done to vet the supplier. It may also be contracted to a third party, but that does not make them third-party inspections. The distinctions between Type B and C fall into play when the “supplier” under inspection may be somehow related to the company performing the audit, such as a wholly-owned subsidiary, or branch.
Third-Party Inspection: This is an inspection done by a company entirely external to the company being inspected, and where an objective certificate or inspection report is issued afterward.
Clearly, the final CMMC assessments will be third-party audits, forcing C3PAOs to pursue ISO 17020 for Type A inspections. But this is already being debated, which is entirely frustrating. Now we’re back to long-winded, smoking jacket debates about “what is a party?” in order to figure this out. Sigh.
Largely, it comes down to who is paying for the audit, and then who uses the resulting outcome (the report).
Under FedRAMP, apparently, existing “3PAOs” have traditionally pursued a Type B scope, since they are conducting self-assessments and then providing the results to their customer, the government. Some are now arguing that this is what the CMMC scheme should adopt, since the Dept. of Defense is technically the “customer.” These folks argue that using the CMMC-AB accredited C3PAOs is just a way to subcontract this activity.
Perhaps under FedRAMP or NIST 800 that works — and I’m not sure it does — but under CMMC, it will not. CMMC certifications will be issued by a third-party (the C3PAO), with that certificate then used by multiple possible customers, not just the Dept. of Defense. There is no internal (first-party) element to it, and unless the Dept. of Defense wants to pay for audits (up front, not through maybe-kinda-sorta reimbursements later), then there’s no second-party element to it, either.
(The DOD’s current claims that CMMC implementation and audit costs will be an “allowable expense” are wholly unworkable, and the reality will eventually disappoint a lot of people.)
Mind you, all of this could have been avoided had CMMC-AB and DOD forced C3PAOs to pursue ISO 17021, and not ISO 17020, but someone over there — presumably the DOD’s Kevin Fahey and the CMMC-AB’s Jeff Dalton — thought they knew better. Now look at the mess they’ve created.
The fact that all of these questions were not only not answered before this scheme was launched, and that they are punting for another two years at least, is nothing short of a national disgrace. The Chinese and Russians must be loving the self-imposed anarchy created by The Dalton Gang since it gives them even more time to muck around the nation’s cybersecurity infrastructure while DIB companies go unprotected.
If you’re a C3PAO and need to start preparing for ISO 17020 — understanding that the problems above still need to be resolved — click here.