The US Department of Defense’s Inspector General has released a report on the controversial CMMC program, specifically related to the approval of CMMC certification bodies, called “C3PAOs” and their oversight by the CMMC Accreditation Body (known as the “Cyber AB”.) The report offers a damning criticism of both the Cyber AB and the DoD’s CMMC Program Management Office, led by Stacy Bostjanick, accusing the parties of multiple failures and raising the alarm that the CMMC program could jeopardize national security rather than ensure it.

The January 10 report, entitled “Audit of the DoD’s Process for Authorizing Third‑Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments,” raises multiple red flags, many of which have been reported by Oxebridge and others since the program was first discussed in 2019. Despite multiple parties raising formal complaints and concerns with the DoD’s CMMC Program Management Office (PMO), previously led by disgraced former DoD CISO Katie Arrington, the DoD consistently worked to block investigations and has refused to investigate criminal allegations.

The DoDIG’s report will only add more fuel to the fire raging over whether the CMMC program is, at its heart, a grift scam.

The DoDIG’s report includes a number of findings but summarizes them as an overall failure by the CMMC PMO to oversee its sole authorized accreditation body, the Cyber AB, to ensure it did its job. As a result, the DoDIG found that none of the 11 certification bodies — called “C3PAOs” in CMMC parlance — were properly approved by the Cyber AB:

Specifically, for the 11 C3PAOs that we reviewed, DoD and Cyber AB officials ensured that 10 of the 12 requirements were met before the C3PAOs were authorized to perform CMMC Level 2 assessments; however, Cyber AB officials authorized:

— two C3PAOs without ensuring that a signed C3PAO Agreement and Code of Professional Conduct was maintained for those C3PAOs

— four C3PAOs without verifying that their quality control leads were certified

— all [11] of the C3PAOs without adequately verifying that both a certified assessor and certified quality control lead were on staff or under contract as part of the assessment team.

The IG then put the blame on Bostjanick and her superiors, but without naming them, saying, “These issues occurred because the DoD CIO did not have a quality assurance process in place for verifying that the Cyber AB authorized only those C3PAOs that met all of the requirements to perform CMMC Level 2 assessments.”

In April 2021, Oxebridge accused the CMMC PMO of failing to have proper oversight of the Cyber AB, and of intending to outsource that oversight to the Inter-American Accreditation Cooperation (IAAC), a Mexican organization. Oxebridge then provided the CMMC PMO with a plan that would force the DoD to take control of the Cyber AB and ensure its ISO 17011 conformity while removing Mexican oversight entirely. Oxebridge estimated this would increase the cost of CMMC certification by only $8 per certified company. The PMO never responded to the report, which mirrored exactly what the DoDIG now reports in its 2025 audit.

The DoDIG then tied the failures by the PMO and Cyber AB directly with risks to national security:

If the C3PAO authorization process is not effectively implemented, then the DoD does not have assurance that all C3PAOs performing CMMC Level 2 assessments are qualified to perform those assessments. If the C3PAOs are not qualified to perform the CMMC Level 2 assessments, then the DoD increases its risk that contractors will be awarded DoD contracts without the requirements in place to protect CUI. CUI, although not classified information, is sensitive information that can be critical to national security and therefore, requires safeguarding.

The report included a follow-up on a formal complaint filed by Oxebridge which alleged the Cyber AB had ignored a contractual requirement to obtain ISO 17011 accreditation. The DoDIG reported that after the update to CMMC 2.0, a new contract was entered into between the DoD and Cyber AB which extended the deadline for its ISO 17011 accreditation to “December 2026 at the earliest.” Bostjanick has refused to honor FOIAs and release the revised contract, and Oxebridge has yet to obtain a copy.

The DoDIG did not investigate how, exactly, the DoD intends to roll out the CMMC program in 2026 if the Cyber AB will not even have to obtain ISO 17011 until the end of the year “at the earliest.” The Cyber AB will not be able to begin accrediting C3PAOs until after it obtains ISO 17011, meaning it is likely that no C3PAOs will be accredited at all until 2027. The Cyber AB must divest its CAICO training organization in order to obtain ISO 17011, but has refused to do so since CAICO is the source of its millions of dollars in annual revenue. It is a conflict of interest for the AB to offer training and certification alongside accreditation.

If the DoD honors the requirements of ISO 17011, then fully-accredited assessments by C3PAOs would not be able to begin until well into 2027 or 2028. Despite this, the DoD insists that CMMC will become a contractual requirement long before that, even if the Cyber AB has not accredited any assessment bodies. As a result, it is likely the DoD will simply ignore the Cyber AB’s intransigence, as well as the DoDIG’s audit report, and allow the issuance of fully unaccredited CMMC certificates. This will embolden litigation for conflicts of interest by the parties and the companies receiving CMMC certifications.

The DoDIG report indicates that the PMO only partially agrees with the findings and has agreed to correct only a handful. It appears the PMO intends to ignore the rest of the DoDIG’s report. The audit report is not legally enforceable, and since no criminal allegations are made, it cannot be enforced by the Department of Justice. DoD departments have a long history of ignoring Inspector General audit findings.

Arrington and Kevin Fahey created the CMMC program as a “free” solution for the DoD to ensure the cybersecurity footing of the defense industrial base. Fahey reported to Oxebridge that he took elements of ISO 9001 and the CMMI software development model to create CMMC despite these two standards not being designed to work together. Arrington then used her office to call for the creation of the Cyber AB and immediately gave control of that organization to her former boss and political donor, Ty Schieber. The DoD explained this as pure “coincidence.” Arrington and Fahey then blocked calls for investigations into the AB and Schieber, and both left government to go and sell the CMMC services they created.

Ironically, the DoDIG’s office refused to investigate multiple complaints filed with it against Arrington, Fahey and the PMO. Had they processed those complaints, the structural issues now reported by the DoDIG might never have been allowed to congeal.

At no time did the DoD perform any validation study to show whether CMMC would actually secure the DIB.

Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.