The new CMMC (Cybersecurity Maturity Model Certification) scheme is proving to be controversial for a variety of reasons, including accusations of self-dealing, cronyism and political intrigue. The scheme comes from a demand by the US Dept. of Defense to improve the defense industry’s cybersecurity methods, in order to defeat increasing cyber attacks by hostile nations and enemy actors.
The accreditation scheme was stood up by Trump ally Katie Arrington, who was appointed as the Chief Information Security Officer for the Office of the Undersecretary of Defense for Acquisition after her failed candidacy for Congress in South Carolina. Arrington and the DoD then developed a plan to create the CMMC Accreditation Board (CMMC-AB), which was handed to Ty Schieber, Arrington’s former colleague at Dispersive Technologies. According to their profiles on LinkedIn, Schieber was Executive Vice President at Dispersive, while Arrington was the VP of Sales. The appointment of Schieber by Arrington has resulted in accusations of cronyism, although Schieber does appear to have security experience and is a former US Marine.
In March, the DoD’s Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, signed a Memorandum of Understanding (MOU) with Schieber which empowered the nascent CMMC-AB to oversee the scheme on behalf of the United States.
The MOU empowering CMMC-AB, however, represents what is known as an “impossible contract” in US legal parlance, as it presents requirements that are both technically and logically impossible to fulfill.
The MOU dictates that the CMMC-AB shall perform multiple duties related to certification and training of both organizations and personnel. This includes requirements to:
certify contractors in the DSC at the identified levels of cybersecurity maturity established in the CMMC model
administer applications from individuals requesting approval as CMMC trainers
administer applications from individuals requesting approval as CMMC assessors
develop, maintain and provide training, including curricula and testing, for trainers, individual assessors and, as necessary, C3PAOs
The MOU then requires the CMMC-AB to become “ISO 17011 certified.”
The “impossible contract” comes into play because ISO 17011 prohibits an accreditation body that accredits certification bodies — known as “C3PAOs” in the CMMC jargon — from simultaneously certifying people. ISO 17011:2017 indicates this is an insurmountable conflict of interest:
4.4.11 The accreditation body and any part of the same legal entity shall not offer or provide any service that affects its impartiality, such as:
a) conformity assessment activities covered by accreditation which include but are not limited to testing, calibration, inspection, certification of management systems, persons, products, processes and services, provision of proficiency testing, production of reference materials, validation and verification;
The MOU appears to attempt to circumvent criticism of its terms with the following statement, however:
This MOU is not a contract and does not create legally enforceable duties or obligations for either party.
The caveat has little power under law, however, and may — if anything — work to embolden a party who wants to challenge the DoD or CMMC-AB. A competing party could sue alleging the MOU was wholly defective whether or not the parties themselves declare it to be a contract, especially given that it resulted in the CMMC-AB gaining monopoly control over the scheme. The fact that the MOU presents contradictory requirements that the CMMC-AB cannot in any way comply with — but which they signed anyway — would strengthen that argument.
Inexplicably, the MOU also requires CMMC-AB to achieve certification to ISO 17020, but that standard applies to test laboratories or inspection bodies “whose work can include the examination of materials, products, installations, plants, processes, work procedures or services,” and where the end result is a pass/fail determination. This idea wholly contradicts the graded “maturity model” approach of the CMMC.
It is concerning that the nation’s cybersecurity defense efforts were granted to parties who appear not to have read the MOU requirements, nor the ISO standards referenced in them. Making matters worse, the MOU then makes the rookie error of conflating “certification” and “accreditation.” For example, it demands CMMC-AB obtain “ISO 17011 certification,” which does not exist. Parties subject to 17011 are accredited, not certified.
One Board member admitted to Oxebridge that he had not read the standard.
Regardless of the requirements, CMMC-AB has launched personnel certification schemes, including for “registered practitioners,” “licensed instructors,” “licensed training providers” and other roles.
Impartiality Problems Arise
ISO 17011 would also prohibit CMMC-AB members from certain activities, many of which they already appear to be engaged in. Board member Mark Berman simultaneously operates FutureFeed, an organization that provides a $300/month CMMC and cybersecurity “compliance tool.” ISO 17011 would prohibit such arrangements, should CMMC-AB eventually obtain accreditation to that standard:
4.4.6 The accreditation body shall have a process to identify, analyse, evaluate, treat, monitor and document on an ongoing basis the risks to impartiality arising from its activities including any conflicts arising from its relationships or from the relationships of its personnel. The process shall include identification of and consultation with appropriate interested parties … to advise on matters affecting impartiality including openness and public perception.
NOTE 1 Sources of risks to impartiality of the accreditation body can be based on ownership, governance, management, personnel, shared resources, finances, contracts, outsourcing, training, marketing and payment of a sales commission or other inducement for the referral of new clients, etc.
4.4.4 All accreditation body personnel and committees who could influence the accreditation process shall act objectively and shall be free from any undue commercial, financial and other pressures that could compromise impartiality. The accreditation body shall require all personnel and committee members to disclose any potential conflict of interest whenever it may arise.
The current activities by some Board members all but ensure questions will arise as to the objectivity of CMMC-AB accreditation decisions. The “public perception” would likely be that CMMC-AB would not deny CMMC certification to users of its Board members’ supporting services, thus resulting in unfair, financially motivated decisions infecting the assignment of CMMC maturity levels.
In another example, the CMMC-AB has signed a separate MOU with another organization, the CMMC Center for Excellence, formed by former Board member John Weiler. That organization posted on LinkedIn claiming it can provide CMMC services that will “avoid high cost consultancies or paying for audit several times.” Such language would be prohibited under ISO 17011, however, which dictates:
4.4.13 The accreditation body’s activities shall not be presented as linked with consultancy or other services that pose an unacceptable risk to impartiality. Nothing shall be said or implied that would suggest that accreditation would be simpler, easier, faster or less expensive if any specified person(s) or consultancy were used.
In this case, the Center of Excellence would not be held responsible to ISO 17011, but the CMMC-AB would be forced to induce the Center to cease making such claims while invoking its name or Board members. CMMC-AB would also be forced to cancel its MOU with the Center. If CMMC-AB were accredited to ISO 17011 at this time, this would be likely grounds for de-accreditation.
No-Compete Contract Looming
The MOU problems may be moot, however, since the DoD has announced its intention to replace the MOU with a no-compete, no-bid contract to the CMMC-AB. This move is all but ensured to result in a formal contest, if not a court challenge.
Accreditation bodies such as ANAB were originally invited by Arrington to compete for the role of CMMC accreditation body, but were then shut out when Arrington arranged to hand the role over to Schieber.
The CMMC-AB was only formed in the past few months, and still has no listed staff. The body has not released required documents such as a complaints and appeals process, its impartiality procedures, nor the criteria for assessor training. Its Articles of Incorporation were initially released in January, then amended in May to strip out language that might limit Board and executive activities. It has not even trademarked its logo yet. Much of the CMMC-AB website is incomplete, and despite having registered in Maryland, the body does not yet appear to have formally filed with the IRS for its claimed 501(c)(3) tax-exempt status. However, the IRS website does indicate that because of COVID-19, new organizations having filed after March 2020 may not yet be listed.
Nevertheless, CMMC-AB has begun training “provisional assessors,” and Board members and others are insisting that the project is on track to start formal appraisals as early as this year.
Despite the fact that CMMC-AB is barely operating yet, Arrington has made bold claims that the accreditation program will roll out to more than 300,000 defense contractors in short time. Arrington is relying on threats to propagate the scheme, indicating that any defense contractor that does not achieve CMMC accreditation will be denied work with the Federal government. The certification program will not only be rolled out to direct defense contractors, but their subtier suppliers as well.
Things are rarely that black and white, so it remains to be seen how this will play out. But it’s likely that both courts and accreditation appeals will be in the offing, further delaying the rollout.