[UPDATE: The document has now been released, see update below.]
The US Dept. of Defense and the CMMC Accreditation Body (CMMC-AB) have failed to release the much-anticipated CMMC Assessment Guide, which would provide details on how CMMC assessments will be carried out.
Oxebridge had previously obtained a version of the Assessment Guide dated March 20, 2020 and marked as “Approved for Public Release”, but was warned against publishing it. Former CMMC-AB Board Member Mark Berman and DoD representatives Katie Arrington and Stacy Bostjanick threatened legal action against another party when it was briefly leaked. Oxebridge then reached out to the AB on the matter, and the AB denied owning the document, making it unclear what legal standing Berman and the Board had for threatening legal action. “Trademark bullying” — the act of falsely invoking trademark rights in order to squelch free speech or criticism — is illegal under US law.
The document itself was copyrighted not by the Dept. of Defense, but by Carnegie Mellon University and the Johns Hopkins Applied Physics Laboratory, suggesting the DoD also had no right to threaten litigation. US government agencies typically cannot “copyright” documents that are produced using taxpayer dollars, which suggests Arrington and Bostjanick were also using their positions to intimidate and harass industry participants, in possible violation of ethics rules.
Oxebridge wrote to one of the document’s primary authors, Katie Stewart of Carnegie Mellon’s Software Enterprise Institute, who indicated that while Carnegie Mellon produced it, the document was “owned” by the DoD, which would control its release. Stewart then refused to answer questions on how a taxpayer-funded document could be owned by the DoD and withheld even when marked as “approved for public release.”
The assessment guide is critical as the CMMC-AB has launched multiple, costly certification programs for Provisional Assessors, consultants, trainers, and others, despite not having any official rules for conducting CMMC assessments. The CMMC-AB may face backlash and, potentially, class action lawsuits if they force certification holders to undergo additional training once the guide is released.
Oxebridge then filed a Freedom of Information Act request to have the Guide forcibly released. In a stunning move, the DoD simply refused, indicating they would release it by “the end of November” on their official website as well as that of the CMMC-AB. Oxebridge agreed to table the FOIA request, allowing the DoD to meet its November 30th deadline. That deadline has now passed, and neither organization has released the guide.
Despite this, Arrington continues to publish feel-good press releases and videos claiming the CMMC program is on track, and bragging about how Provisional Assessors have already been trained. Arrington has not explained how the auditors were trained if no rules were provided on how to conduct assessments.
The DoD FOIA office has left open the option of re-opening the Freedom of Information Act filing if the DoD does not release the Guide this week. In such a case, Oxebridge will likely expand the FOIA to extend to emails from Arrington, Bostjanick and others related to the delays and stonewalling of the Guide’s release.
Arrington is not expected to survive the transition to a Biden administration, and the CMMC program is thus expected to be under different stewardship after January 2021.
UPDATE: Oxebridge contacted the FOIA office to give notice of its intent to reopen the request. The Guide was released a few days later, and may be downloaded here. No explanation was given for the delay. Contrary to the explanation provided by the DoD in the FOIA response, it has only been released on the DoD website, and not that of the CMMC-AB.