An analysis of the current set of certification bodies shows all but three CMMC Third Party Assessment Organizations, or C3PAOs, simultaneously offer consulting services. This raises the possibility that CMMC assessors may end up assessing — and certifying — their own work.
ISO accreditation rules have long established that certification and accreditation bodies cannot assess their own work, and standards prohibit them from assessing companies that have previously purchased any consulting from the same body. From the earliest days in 2020, it was telegraphed that the C3PAOs would have to follow the same ISO industry rules. Eventually, the US Dept. of Defense placed this requirement in its contract with the CMMC Accreditation Body, now called The Cyber AB, demanding C3PAOs comply with ISO 17020. In addition, the AB itself was required to comply with ISO 17011.
Despite a continued push to begin CMMC assessments, the parties have not moved to comply with either standard to date. The DoD has not enforced the contract, either.
Oxebridge recently discovered that one consulting firm, Kieri Solutions, was selling CMMC template kits while promoting its status as an authorized C3PAO. Amira Armond, the operator of Kieri Solutions, openly posted her fees for CMMC assessments, which start at $30,000, contradicting earlier claims by the DoD's former CISO, Katie Arrington, that CMMC assessments would be available for a few thousand dollars.
But Armond was also found selling a $3,000 template kit, based on documents she apparently created for Kieri's own use and then converted into a product for generic sale; Kieri markets these as "battle-tested." When questioned, DoD CMMC director Stacy Bostjanick said she would investigate, and Armond claimed she had procedures in place to ensure that Kieri performed no assessments of any company that had purchased the Kieri template kit. Armond agreed to update the Kieri website.
A further examination of all the current authorized C3PAOs found that all but three were selling consulting services, template documentation, or other products that would create conflicts of interest for their assessment activities. The table below summarizes the findings:
| C3PAO | Consulting offered |
|---|---|
| Booz Allen Hamilton | Full suite of implementation services plus cloud compliance solution |
| Boston Government Services | Cloud compliance solution, consulting |
| Cask LLC | Offers "Cyber Compliance As a Service" |
| C. H. Guernsey & Co. | Documentation and consulting, participation on client's assessment team |
| Ciseve | Consulting offered, but has disclaimer prohibiting this for assessment clients |
| Forvis LLP | None found |
| Peak Infosec LLC | Full suite: design, implementation, remediation |
| Provincia Government Solutions LLC | Unclear, but strongly suggests they will assist in documenting processes |
| Ctek Security (Cynergistek/Redspin) | Documentation and consulting, remediation support |
| Schellman & Company | None found |
| Steeltoad | Documentation templates, consulting |
| La Jolla Logic | Documentation and consulting, remediation |
| Monarch Information Security Consulting | Cloud compliance solution, consulting |
| Kieri Solutions | Documentation templates, consulting |
| Kratos Technology & Training Solutions | CMMC "gap analysis, documentation, and process/engineering consulting" |
In addition to the authorized C3PAOs, there are many more “Candidate” bodies that have received initial approval by the CyberAB but are awaiting final authorization. Of a sample examined, all were found to be offering simultaneous consulting. These include Coalfire, Baker Tilly, Darkblade, Cotton CPA, and MSN Group.
Only Ciseve had an overt statement clearly prohibiting the sale of assessment services to its own consulting clients. None of the other bodies examined had any such statement, and many openly bundled their consulting offers with their assessment services. As mentioned, Kieri Solutions promised to update its website shortly.
The CyberAB itself also retains conflicts of interest arising from consulting services offered by its Board members and by others still in the AB's orbit. The CMMC Assessment Process guide (CAP), recently released in draft, was found to have been written entirely by private consultants, without any end-users having been involved. The CAP is being criticized as a bloated process that will increase the need for end-users to buy consulting services in pursuit of CMMC.
The CyberAB’s Nominations Committee Chair, Clifton Poole, works for Unison which sells a CMMC cloud solution called “Unison CLM.” Similar consulting was found to have been sold, or may still be sold, by Board members Jeff Dalton and Paul Michaels.
The CyberAB has a Code of Professional Conduct that is said to govern such activities, but the Code goes largely unenforced and is not published publicly. Oxebridge was only able to review an older, leaked version; that version did not address the sale of consulting services by C3PAOs.
The sale of such consulting services will inject conflicts of interest into CMMC assessments as they happen. C3PAO assessors may well find that the client under assessment is also a customer of their consulting products, creating scenarios where the C3PAO cannot "fail" the client without calling into question the products it sold them. Likewise, C3PAOs may encounter customers of their competitors, creating an incentive to assess those clients more harshly in order to pressure them to switch products.
Related to the AB's conflicts of interest, C3PAOs may be hesitant to write findings against a client found to be using a Board member's products, for fear of losing their accreditation.
The obvious solution, enshrined in decades of existing ISO procedures, is to disallow consulting by certification body (CB) and AB auditors and staff, or to put in place strict rules that force recusals.
Within the ISO 9001 certification scheme, it is accepted that a consultant may certify a former consulting client once two years have passed since the consulting took place. This arrangement has itself raised eyebrows, as the typical ISO certification cycle is three years, meaning the final year of a cycle still allows for a conflict of interest. Nevertheless, the CMMC scheme has no such ban at all. The CyberAB has notified Oxebridge that it is open to adding such a restriction.
Should CMMC assessors be allowed to assess their own work, or be influenced by fears of AB retaliation from conflicted Board members, the scheme is likely to be seen as untrustworthy. Such schemes fall into the "certificate mill" category, similar to university diploma mills. During a sting by Oxebridge, one such certification body was found to be issuing certificates to dogs.