The Cyber AB has announced that ISACA will now take over the management of CAICO, the CMMC scheme’s personnel credentialing program.
The Dept. of Defense contract with the Cyber AB demands that it obtain ISO 17011 accreditation, but that standard disallows the AB from operating a personnel credentialing program at the same time. Nevertheless, the Cyber AB launched “CAICO” and operated it for years, generating millions of dollars in revenue through credentialing and “badge” programs. That revenue has been nearly the sole source of revenue for the AB, which has still not accredited a single CMMC auditing body.
So long as the AB held onto CAICO, obtaining ISO 17011 would have been difficult if the various parties adhered to the rules as written in that standard. Oxebridge had been calling on the AB to divest CAICO for years, and even provided AB Board Members with a roadmap on how to obtain 17011 and spin off CAICO. The AB ignored that plan.
Now, however, the AB appears to have run against a contractual deadline to achieve 17011 and has sold CAICO to ISACA.
ISACA took over the Capability Maturity Model Integration (CMMI) scheme and is largely credited with having brought great harm to it. Under ISACA, the costs of CMMI skyrocketed, the CMMI standard was made accessible only through a subscription-based portal, and overall adoption of CMMI has declined. Many former CMMI appraisers left the scheme, and Oxebridge stopped offering CMMI implementation and appraisal services entirely.
It remains to be seen if ISACA will raise the already questionable rates for the various CMMC scheme credentials. Currently, there is concern that there are not enough CMMC assessors to cover the flood of certification requirements promised by the Department of Defense. If ISACA’s management results in a departure of just ten percent of the current CMMC assessor pool, the impact on the CMMC scheme as a whole will be dramatic.
The move by the AB suggests it is in the final stages of getting fully ISO 17011 accredited, except that one major hurdle remains. That accreditation will be issued by IAAC, a Mexican organization. Under the IAAC’s own rules, it must “witness” CMMC appraisals in real time in order to grant the Cyber AB its accreditation. However, foreign parties are disallowed from participating in CMMC appraisals and seeing the controlled unclassified information (CUI) that is routinely audited as part of those assessments.
The DoD appears to have required IAAC accreditation without ever having checked whether the organization is based in the United States, which it is not.
The only workaround will be the dilution of the IAAC rules on accreditation, specifically for the Cyber AB, which will result in a lower level of confidence in the AB’s eventual ISO 17011 conformity.
Alternatively, the AB could look to one of its competitors in the accreditation body space — ANAB — and argue that divesting CAICO was not needed at all. As reported here, ANAB has rebranded itself as primarily offering personnel credentialing, in violation of ISO 17011. The IAAC has not held ANAB to conformity with 17011, and so the Cyber AB could sue the IAAC for inconsistent application of the rules.