Full disclosure: I have not been paying much attention to the CMMC grift lately, and yes, I know Katie Arrington is back. That’s the version of reality we live in. The lunchtime bars around the Pentagon are happy, though, I’m told. No, I am not saying Katie is an alcoholic, just everyone who has to work with her. I mean, wouldn’t you be?
So, yes, I missed a part of the CMMC Final Rule that gives a huge handout to The Cyber AB and its C3PAOs in the form of a reversal of accountability. The original contract between the DoD and Cyber AB (then the “CMMC AB”), as well as the defined CMMC 1.0 plan itself, relied heavily on ISO accreditation standards to ensure accountability; that has now been diluted to the point of being largely meaningless.
Under the original plan, the DoD required the Cyber AB to achieve ISO 17011 from the IAAC — which was problematic since it’s run by Mexico. The Cyber AB would then use its 17011 to accredit the C3PAOs under ISO 17020 and the training wing, CAICO, under ISO 17024. The role of the AB as an accreditation body was clear, and (if you didn’t notice) it’s right in their name.
So you’d expect the Cyber AB to be accrediting things, right?
Well, again, that’s not the version of reality we live in. Buried in the Final Rule, which went into effect this year, we find the DoD now allows unaccredited C3PAOs to issue official CMMC certificates provided they are merely “authorized” by the Cyber AB. No ISO 17011, no ISO 17020. Nothing. Just “authorization.”
That authorization process is as whimsical as it sounds. Despite having published its very official-sounding “Code of Professional Conduct,” which prohibits CMMC scheme players from engaging in crimes, the Cyber AB nevertheless “authorized” its pal Cask, despite the fact that the company’s former CEO and other employees have been arrested in a huge bribery scheme. The AB was notified of this and reportedly approved Cask anyway, relying merely on their off-the-record assurance that the entire DoJ criminal case against them was bogus. (It’s not; multiple defendants have already pleaded guilty and await sentencing.)
But per the Final Rule, the Cyber AB never has to get ISO 17011 accredited, and the DoD is fine with randomly “authorized” bodies issuing certificates without any oversight ISO standards in place.
But, Why, Though?
So why, exactly, would the DoD sneakily water down its heralded CMMC program to become the equivalent of an Indian certificate mill scam? There are a few reasons:
- The Cyber AB was nowhere near on track with achieving ISO 17011, due to its addiction to the corrupt practice of selling “badges” alongside its accreditation services. Its refusal to spin off CAICO left the DoD no choice. The Cyber AB was never going to get ISO 17011, so the DoD started backing off on the requirement. (Technically, it’s still in there, but the diluted Final Rule language sets the stage for its removal.) Consider that the AB was formed in 2020 and has never accredited anyone, ever.
- Oxebridge made a very public fuss over the fact that the idiots at DoD required the Cyber AB to get its ISO 17011 from Mexico, thus handing off control of the entire CMMC scheme to a foreign nation. They never addressed that directly, but by pushing aside the entire argument of accreditation, they dodged a Mexican standoff. Forgive me for the joke, of course.
- With the Cyber AB’s ISO 17011 off the table, this meant no C3PAOs could ever get “accredited” as promised, since there was no one to accredit them. By allowing “authorized” C3PAOs to issue CMMC certs instead of accredited ones, the DoD gets to push ahead on its deadline for the CMMC grift. The accreditation of C3PAOs no longer plays into the timeline.
- The attempt to hammer an ISO-style conformity assessment scheme into a CMMI-style “maturity model” was doomed from the start, the product of Kevin Fahey’s dangerously-low levels of knowledge on both schemes. It was never going to work.
All of this totally tracks with the DoD’s willingness to bend over backward to let Matt Travis and his Cyber AB mob do whatever the fuck they want, regardless of ethics, crimes, conflicts of interest, or corruption. And now, under the new Trump administration, these sorts of things are rewarded, so we can only expect more of them, not less.
CMMC is a grift scam, and a huge tax on American companies. But it was shoved into place by a clever sideloading technique, using acquisition rules and now-withdrawn promises of ISO compliance to nearly entirely bypass Congress. They then created an entire private company to compete with existing American companies, all without the passage of a law. The people who did all this then fled the government and went into the private sector, selling the thing they had used their DoD jobs to create. Pretty incredible.
One other note: those of you expecting Elon’s DOGE gang of incels and ketamine addicts to step in and save you, forget it. While DOGE and Trump are killing jobs at CISA and NIST, they did rehire Arrington. I suspect they will be very hypocritical in firing a lot of cybersecurity folks but then doubling down on CMMC if only to save face for bringing her back.
That is, unless Elon puts down the crack pipe long enough to realize his own companies, like Starlink and SpaceX, will have to spend millions on getting CMMC themselves. But he’s a bit busy these days, and isn’t actually paying attention to any of his companies.
Anyway, the fight against CMMC grift will now head to the courts, but there’s no respite to be found there, either. That entire system is broken. The billionaires and their drunken, drug-addled droogs have won.
Oh, the other winner? China. They are loving this. The DoD is going to bankrupt its own defense industrial base all to give some money to a made-up “ecosystem” that nobody asked for, for a scheme that won’t ensure one additional minute of cybersecurity.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world