As reported on FCW, the Biden Administration is moving the CMMC program to have it managed by the office of the DoD’s Chief Information Officer (CIO), taking it away from its current management by the Office of the Undersecretary for Defense – Acquisition & Sustainment (OUSD A&S). According to that report:
John Sherman, who was previously Defense Department’s principal deputy CIO and acting CIO, told the Senate Armed Services Committee Oct. 28 that he would seek to update the Cybersecurity Maturity Model Certification (CMMC) program to be “not onerous” for small and medium-sized businesses, if confirmed [as new CIO.]
Stripping the CMMC program away from Katie Arrington and OUSD A&S had already been underway, with CMMC having shifted it already to OUSD’s Office of Industrial Policy under Jesse Salazar. But Salazar continued to rely on Arrington’s CMMC Project Management Office, headed by John Garstka and Stacy Bostjanick. Salazar had made no public moves to distance his approach from that of Arrington.
Arrington is on paid leave during an investigation into whether she leaked classified information. She is suing the Federal government in response.
The FCW article goes on to say the move is not contingent on Sherman’s confirmation, and that “oversight of CMMC is expected to be subsumed into the DOD’s CIO office and led by the chief information security officer.”
Oxebridge sources had expected a formal announcement related to the CMMC program’s shift sometime during the first or second quarter of 2022, and the interview by Sherman took them by surprise for its timing.
CMMC-AB Contract “Moot”
At the same time, two sources have reported to Oxebridge that the current contract between the OUSD A&S office and the CMMC Accreditation Body (CMMC-AB) is expected to “be allowed to lapse as moot” without formal cancellation. Doing so “allows the DoD to distance itself from the CMMC-AB, but without causing a public fiasco,” a source said.
The fear of scrapping the CMMC-AB entirely is that it would result in a flood of class-action lawsuits by thousands who have purchased credentials from the organization, prompted to do so by Arrington and others in her office.
The contract is between DoD OUSD A&S and the CMMC-AB, so moving the program under CIO would negate the contract’s legal authority.
The contract between Arrington’s office and the CMMC-AB has been controversial for a number of reasons. The contract was between her office and her former boss, Ty Schieber, who originally headed up the AB, raising questions of kickbacks and cronyism. Schieber then falsely claimed the AB was already a tax-exempt organization when filing for its CAGE code, a requirement to obtain the Federal contract; but the AB has never obtained tax-exempt status, prompting Oxebridge to file a felony fraud complaint with the Defense Logistics Agency.
The CMMC-AB then went on to largely ignore the contract, failing to spin off its credentialing operations to a new organization, “CAICO.” The AB repeatedly missed milestones and deadlines defined in the contract, while Arrington’s office declined to enforce it.
Sources tell Oxebridge that there is a chance the DoD will allow the CMMC-AB to continue to credential individuals, such as trainers and assessors, and only strip its duties related to accrediting C3PAO assessment bodies.
Discussions continue to be had at DoD about handing the scheme over to the ISO accreditation body A2LA, but the move would require special contractual terms to ensure the China-managed IAF did not gain oversight authority. Another idea being floated is to have the DoD office of the Chief Information Security Officer (CISO) act as final oversight body, denying all roles to ISO and IAF bodies.
Meanwhile, the AB continues to suffer public relations scandals, with one of its own Industry Advisory Council members now calling the AB credentials “worthless” on Reddit.
UPDATE 5 November 2021: As part of the launch of CMMC 2.0, the DoD’s OUSD A&S office has announced their intention to negotiate a new contract with the CMMC-AB. The announcement did not address how the new contract would survive a transition to the office of the CIO.