At the most recent Town Hall by the CMMC Accreditation Body, Board of Directors member Regan Edens created a firestorm after making made the bizarre claim that CMMC assessments will include home “inspections” for any employees working from home.
The video can be seen here, and Edens’ comments appear at the 40:30 time stamp. He says the private homes of remote workers will “have to meet the requirements as any controlled environment would,” and then drops this bombshell:
[You] should be prepared for some sort of sampling of an organization that is doing distributed workforce for remote reasons will also have to be inspected in their work environment, whether that’s home or a rented office or any other facility.
This immediately caused a panic on Reddit and LinkedIn, as people imagined C3PAO assessors traipsing through their kitchen and scaring the cats. And — remember — the DOD is forcing the CMMC-AB to sign up to the IAAC/IAF oversight arrangement, so that home inspection can include “witness auditors” from not only the CMMC-AB itself, but also accreditation overseers from Mexico and China, which should go over great with your HOA.
When challenged a few days later on LinkedIn, Edens tripled-down, all while fellow board members remained silent. When asked if he “was serious,” Edens responded:
Undeterred, Edens is clearly going even further than before, saying that “100% conformity” to the CMMC Model applies to your house, not based on a thoughtful, intellectual breakdown of requirements, but instead because ‘Murica.
Later, fellow Board Member Jeff Dalton — who is also under investigation for ethics violations — chimed in with this smug remark:
Yes, the CMMC-AB is populated with real charmers.
Anyway, it’s all moot, and will never happen. Let’s see why.
First of all, the official contract between the CMMC-AB and DOD dictates that the Office of the Undersecretary of Defense for Acquisition & Sustainment (OUSD) determines the assessment practices for CMMC, not the CMMC-AB. From that contract:
I wrote to DOD’s Stacy Bostjanick, the head of the CMCM Project Management Office, and she confirmed that it is her office, and not the AB, that dictates this stuff:
Our office OUSD(A&S) is the office setting the requirements. We are in the process of clarifying the requirements for telework through the CIO’s office and will publish the clarification through the DoD website. The DoD is the responsible authority for setting cybersecurity requirements for the DIB sector and responsible for providing clarification and responses.
So the CMMC-AB shouldn’t be speaking on this topic at all, since it doesn’t get to decide these things.
As you can see, the DOD contract then says the official Assessment Guide is the sole repository for such policies. But the Assessment Guide is silent on the subject of “home inspections.” Throughout the guide, there are dozens of references to “facility” and “location” that, if the Edens Interpretation is allowed to stand, would force homeowners to implement tremendous and burdensome controls… essentially the entire CMMC Model! These include facility layouts (of their homes), visitor access logs, access log review protocols, a “system security plan,” and a host of other controls. The costs could be horrendous.
Then there’s the issue of who pays for this… the employer? The employees themselves? What if I rent, and the building isn’t even mine? Does the landlord pay for my alarms and locks? What might this do to the value of one’s home, or the eventual tax implications?
Furthermore, we have decades of experience in conformity assessments, including those that touch CUI, and there is no precedent for what Edens is suggesting. ITAR is a great example, and there are well-established means of handling ITAR-controlled data by not only home-based workers, but traveling employees, too. If “home auditing” was a thing, ITAR would have been doing it ten years ago.
Now remember that we also have 30+ years of experience with ISO audits, CMMI assessments, Medicare DME audits, HIPAA compliance audits (which I personally conducted), and more. These never involve employees’ homes, either.
And, trust me, something like forcing assessors into private homes is going to need a lot of legal and historical precedent to survive the coming lawsuits.
The Whatifisms are endless.
What if the assessor utilizes a wheelchair, and your home isn’t fitted with ramps or elevators? Does your home now need to comply with the Americans with Disabilities Act?
What if your spouse is undocumented? Will the assessor have to report you to ICE?
What if your brother-in-law is visiting, and is secretly smoking pot in the basement? Will CMMC assessors be duty-bound to report things they perceive as crimes?
The biggest question is what if you just outright refuse the audit? Or if your housemates refuse? Or the landlord, whom you have no control over? Will the C3PAO get a court order? A subpoena? A search warrant?
Actually, they’d have to.
The Fourth Amendment of the US Constitution prohibits unreasonable “search and seizure” by government or other officials. Now, if a work-from-home employee agrees to allow a CMMC assessment of their home, they have waived their rights under the Fourth. But for those that refuse, the Fourth might protect them.
I spoke to an attorney who confirmed that, yes, a CMMC audit of one’s home would fall under the aegis of the Fourth. Since the justification would be “the DFARS” and a DOD mandate, the assessment would be viewed by the court as a “government inspection” even if it is conducted by private companies such as the CMMC-AB or C3PAOs. In such cases, those companies would be acting as agents for the government. As a result, long-standing US Supreme Court rulings (including the famous Camara v. Municipal Court) uphold that such inspections can only be conducted with the permission of the occupant. Without such permission, the DOD would have to file for a search warrant, and do so by providing sufficient justification that a Federal violation is occurring in the home. Simply denying access would not rise to sufficient justification by itself; the DOD would have to have actionable suspicion that the employee was abusing or leaking CUI in some fashion.
Now, of course the employee could be fired for refusing to support the CMMC audit. But then, the attorney said, the employer would be open to a civil rights lawsuit on the basis that they were requiring employees to surrender a constitutionally-protected right as a condition of employment. Here again we have long-standing Supreme Court precedent, going back for nearly a century.
No, It’s Not in the DFARS
Matthew Titcombe, a CMMC-AB minted “provisional assessor,” claims “Regan is right.” In his defense on LinkedIn, he invokes the magic word “DFARS” to explain that home inspections will be required.
Let’s look at the mechanism. Per DFARS Clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, “The Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment, as described in NIST SP 800-171 DoD Assessment Methodology…” DoD has already required all aspects of an Organization Seeking Compliance (OSC) business to be subject to review, regardless of location.
Umm, no. Because something appears in a DFARS or federal law does not suddenly empower law enforcement — much less an obscure DOD branch — to conduct enforcement methods that include violations of civil rights.
Let’s follow this a bit further, then. Regan Edens likes wrapping himself in the flag, like many in the CMMC “ecosystem.” Now let’s imagine the Biden administration passes gun control legislation that limits large-capacity magazines, and requires improved storage of licensed firearms in special safes. Now imagine the BATF decides to enforce the law by hiring a horde of private “assessors” to enter the homes of every gun-owner to verify the size of their magazines and conditions of their safes.
You know how that ends.
So, yes, “DFARS” is a scary word used by people who don’t understand it. But remember: they don’t understand it.
To pre-empt this problem, companies could try to get employees to opt-in to this agreement ahead of time. Inducing employees to undergo potentially illegal home inspections would require massive re-writes of corporate employee handbooks, as well as issuing riders to any existing hiring contracts. Furthermore, to avoid litigation, a company would have to give time for each employee to “opt-out” of such draconian policies, and seek employment elsewhere; although this still doesn’t fully answer the civil rights concern.
These policies would have to undergo careful legal review, too, by a company’s law firm. That adds more costs to the companies seeking CMMC certification.
In short, a company might be in agreement with the Edens Interpretation, but it would not be able to legally impose it on their workers overnight, if at all.
ISO 9001 audits have tackled the issue of home-based work for decades, as many single-employee companies working out of garages often have to get certified to land that first, big contract. In these cases, the audits are conducted in rented office spaces — or even the local Starbucks lounge — to get around the biggest problem of all: insurance.
In short, a homeowner’s normal insurance policy does not cover accidents for third-party companies coming into your home and performing “audits.” Instead, the onus falls on the inspection body (such as a licensed home inspector) to carry insurance to cover themselves should something happen. As a result, any organization that attempts to step foot in a home will need to have special coverage and workers comp policies before they attempt an audit; that means not only the C3PAO, but any subcontractors they use, as well as the CMMC-AB itself (and IAAC and IAF, if they tag along.)
If they don’t, and they get hurt, the homeowner will be hit with a bankruptcy-inducing lawsuit.
So under the Edens Interpretation, suddenly your dog becomes something you need to worry about for CMMC, because it might bite your assessor and trigger a multi-million-dollar personal injury suit.
Conflict of Interest
Then there’s the big, fat elephant in the room. Regan Edens runs two companies — DTC and CUI Supply — and both openly sell CMMC services and products. CUI Supply in particular sells $185 “Ultimate CMMC Compliance Packs” of labeling stickers. Through his interpretation, Edens would personally benefit by being able to sell those products not only to companies, but to each of their individual employees. If each of the alleged 300,000 DIB companies had only ten employees, Edens just increased his potential customer base to a whopping 3,000,000.
But while the CMMC-AB may have abandoned all pretense of caring about conflicts of interest, it doesn’t mean that government regulators or civil litigation lawyers have. Fair warning to all involved.
This is exactly why the AB should have reined in the conflicts from the beginning. When actual policies are being uttered by an individual who stands to personally reap huge financial gains because of those policies, something has to stop.
Earlier today I called on Edens to resign “ASAP,” citing the conflict of interest.
Finally, consider the raw scale of this. The first companies likely to need CMMC will be large contractors. Let’s say Boeing is one of them. Boeing has 90,000 employees working from home. How will the C3PAO conduct sampling? Will they select all in one town? Or spotcheck employees across multiple cities and states? What’s the sample rate?
Or will the C3PAO try to avoid this and arbitrarily come up with some reduced sample rate, say “ten employees out of 90,000.” Why ten? Will that really be representative of anything? At that point, why bother at all?
Again, the official Assessment Guide fails us, since it has nothing to say about multi-site sampling, as would normally be required for a certification scheme.
But let’s say that the C3PAO elects to sample just 1% of Boeing’s staff; that would require a physical audit of 900 individual homes and apartments. Now let’s assume the assessors all fly coach, and can keep their expenses to only $1,000 per home visit (for airfare, rental car, and hotel.) That’s already added $900,000 to the assessment — before we factor in the likely $2,000/day assessor fee. And, trust me, they’re not flying coach.
Sure, most companies are likely to be far smaller than Boeing, but home assessments won’t be free, and those smaller companies won’t be winning contracts of the size that Boeing does, making their appetite to spend thousands of dollars flying CMMC assessors into their employee’s home towns even less attractive.
Suddenly you’re not making any money from that DOD contract you were bidding on.
Will the DOD reimburse that? Of course not.
The fix for this isn’t particularly complicated, but requires a few steps.
First, the AB has to come out and retract the Edens statement. It needs to clearly point the responsibility for such assessment practice requirements back to the OUSD where it belongs.
Next, Edens needs to resign. I said that already. His personal conflicts of interest have grown insurmountable, and appear — to me, anyway — to be clearly clouding his judgment. If he won’t resign, the AB needs to eject him.
Finally, the Assessment Guide authors at Carnegie Mellon need to engage with people who know how conformity assessment audits work (not CMMI-style “maturity model” assessments), and update the Guide accordingly. I volunteer and will do it pro bono. This includes adding requirements for minimum audit duration, multi-site sampling, audit team composition, and rules for remote site auditing that don’t involve intrusive — and potentially illegal — home inspections.
In the meantime, don’t worry. CMMC assessors will not be physically auditing your home, no matter what anyone says.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.