Due to concerns raised by industry stakeholders, Oxebridge Quality Resources International will be providing independent oversight of the Cybersecurity Maturity Model Certification (CMMC) program.
CMMC ratings will be mandatory for any US Dept. of Defense contractor, as the program rolls out in 2021. Eventually, these requirements will be flowed down to the sub-tier supply chain organizations and subcontractors as well. The DOD intends that every organization within the “Defense Industrial Base” (DIB) will eventually be appraised against the CMMC model and receive a maturity level rating.
The CMMC is based on Carnegie Mellon’s Capability Maturity Model Integration (CMMI), but is focused on ensuring defense contractors have robust cybersecurity protocols in place to prevent loss of sensitive data. It is built upon the NIST 800-171 specification, and then expands upon that.
Early signs point to conflicts of interest forming in the scheme already, as the oversight body CMMC Accreditation Board (CMMC-AB) is allowing its key executives, Board members and partners to simultaneously engage in activities which some have branded as “self-dealing.” The CMMC-AB has also not yet defined its complaint or appeals process, and an early review of the body’s Articles of Incorporation have raised some troubling concerns. Oxebridge is attempting to see if the CMMC-AB’s structure complies with legal requirements for its 501(c)(3) not-for-profit tax status. The group has already revised its articles once, in an apparent attempt to dilute rules against “pecuniary benefits” being granted to Board members.
Unlike accreditation bodies within the ISO certification scheme, the CMMC-AB will not be subject to any international oversight, and will not be a signatory to the International Accreditation Forum (IAF) scheme. This raises additional concerns over just who will oversee the CMMC-AB if conflicts of interest or corruption arise.
CMMC-AB is demanding that any CMMC certification bodies be ISO 17021 accredited, however, which would put such bodies under the oversight of the IAF. The CMMC-AB has not addressed how it intends to resolve conflicts which, as a result, may span over two separate accreditation structures and thus be subject to entirely different, and possibly contradictory, appeals procedures.
Oxebridge intends to use its contacts within the defense industry and government oversight bodies, as well as Inspectors General, to ensure the CMMC program is rolled out fairly, objectively, and does not fall prey to conflicts of interest.
While Oxebridge can offer cybersecurity preparation services, the company does not intend to participate in CMMC-AB “consultant licensing” programs, in order to remain free of conflicts. It is currently advising companies to resist paying for any CMMC consulting, as the accreditation scheme is not fully formed yet.
To file complaints related to the CMMC scheme and its actors, defense industry companies and members of the public may use the ISO Whistleblower Program reporting tool here, which has been updated to include CMMC reports.