An official from the US Dept. of Defense CMMC Program Management Office revealed that a major revision of the CMMC model will impact manufacturing companies.
The comment by Buddy Dees, the Acting Director of CMMC for the DOD, was made almost in passing during a “CMMC town hall” meeting in late February 2021. During that session, a question was raised regarding whether the current CMMC model covers both IT systems and “OT” (operational technology) systems such as those used by manufacturing companies to operate and control their assembly and machining equipment. Dees indicated that the current model does not cover OT, but a future “Phase 2” version would:
[The] current [CMMC] model is designed for the traditional IT system. We refer to it in the Program Office as “Phase 1” of CMMC. So the model and assessment guide were written to support assessment of those type of technologies. There is a follow-on effort that will take place within the CMMC Program Office, our “Phase 2” effort that will focus on the SCADA, OT type capabilities, manufacturing floor.
The announcement is likely to send shockwaves through the defense industry’s manufacturing base, as it reveals two critical points. First, that the current CMMC model — published currently as version 1.02 — does not cover OT systems currently. “OT” systems would include the hardware and software used to control typical CNC machining equipment, many of which are now networked and able to receive and send product design data. To date, many machine shop firms have spent hundreds of thousands of dollars on hardware and system upgrades believing that CMMC assessments would be flowed down to them based on the current version of the standard.
Next, the DOD statement reveals that the DOD is not finished revising the CMMC model, and has refused common-sense calls to “lock the model.” The DOD seems intent on “tinkering” with the model, thereby ensuring constant changes and denying DOD contractors the time to implement existing requirements before new ones are introduced. In addition, changes already made to the CMMC have obsoleted current CMMC-AB training programs, and the “Phase 2” release will likely force currently-certified assessors and other practitioners to undergo costly “upgrade training,” a financial boon for the CMMC-AB.
Dees, along with DOD representatives Katie Arrington and Stacy Bostjanick, seem disinterested in locking the model, and appear to be operating in a vacuum that isolates them entirely from defense contractor feedback, even as they falsely assert that the CMMC model is finished.
Instead, the CMMC Program Management Office has focused on events hosted by conflicted partners and other outlets that have a financial stake in the CMMC scheme. Such events only allow pre-screened questions submitted by sources “friendly” to the CMMC-AB and Arrington.
Arrington’s office has been aggressive in creating a private cottage industry for consultants that, Oxebridge estimates, will result in over $95 billion in costs to defense contractors. Arrington seems obsessed with creating an overnight cottage industry for-profit consulting firms and entities like the CMMC Accreditation Body; she has insisted that not only will CMMC be rolled out for DOD contractors, but across the entire US government, affecting every supplier who sells to any Federal agency. She has also aggressively tried to sell the CMMC scheme to “international partners,” raising questions about why a domestic supply chain office is creating products for foreign nations.
To date over 15 complaints and filings have been submitted alleging waste, fraud, and abuse by Arrington, her office and the CMMC-AB.
Arrington has labeled the criticism of her management as “harassment.”