CMMC is vaporware. There, I said it.
Unfortunately, it’s proven to be impossible to have an honest, open conversation about CMMC since the discussions are controlled nearly entirely by a small — but growing — group of conflicted industry actors. This includes the DOD’s Project Management Office (PMO) for CMMC, which has to show progress in order to justify its existence, and the CMMC Accreditation Board, which is raking in money by the truckload selling dubious CMMC-related “badges.” This also includes a network of toady companies who are all jockeying for approval and praise by the PMO and CMMC-AB, in a doomed shot at gaining some sort of market advantage. The end result is a sycophantic, saccharine echo chamber that stifles critical thinking.
But CMMC doesn’t really exist, despite everyone claiming otherwise. As I write this, the DOD’s Katie Arrington has falsely claimed, “if you wanted to go out and get a certification you could, you do not need to wait.” This is patently untrue, and grossly irresponsible.
The DOD does intend on launching it with “15 pilot companies” in 2021, but they have no plan on how that will actually happen.
And it won’t, because, again: CMMC doesn’t currently exist.
Let’s look. The chart below provides the five mandatory requirements in order for a DIB company to obtain CMMC. This requires that (1) the CMMC model be finished, so that companies can implement the requirements; (2) that training be available on said completed model; (3) that the assessment bodies (the CMMC-AB and C3PAOs) all obtain their necessary accreditations in order to conduct assessments; (4) that assessments can actually be performed; and (5) that CMMC levels are issued and reported, so that companies can meet DOD government contracts.
None of those things are happening. Furthermore, the lack of progress on the upper steps cascades downward, pushing delays to the later steps.
So while the DOD and Katie Arrington give falsehood-laden and breathless webinars claiming progress — in order to save their own skins — the facts are that CMMC certification has not really stepped beyond the conceptual design phase. There is almost nothing practical that exists.
You’d be forgiven if you didn’t know this, by the sheer number of posts being made by those announcing they were granted some dubious “badge” by the CMMC-AB. Not a single one of those badges affects the diagram above, nor moves us any closer to the endgame.
As always, I like to go beyond pointing out deficiencies, into providing solutions. There are key steps that the parties can take — right now — to speed up the exit of CMMC from the conceptual design phase into a functioning, real program.
Step One: Lock the Model
The CMMC Model itself is not finished, despite false claims by various parties. Discussions are still underway to strip at least twenty — twenty! — controls from the CMMC Level 3 requirements. While that has been dismissed as “minor,” it is anything but. Removing 20 controls from Level 3 is a massive change. For companies that are using the Model now to implement their controls, it can mean wasted expenditures of hundreds of thousands of dollars. I cannot overstate the huge implications of this potential change.
Consider this: every time the CMMC Model requirements are changed, this forces downstream changes that impact on the CMMC-AB’s rules, the C3PAOs auditing practices, potential auditing time and costs, and — of course — the ultimate controls put in place (and paid for) by DIB user organizations. It’s not clear the Carnegie Mellon people know, or care about, the effects their tinkering has on the DIB.
Instead, the Carnegie Mellon and DOD PMO folks must lock the model, in the same way that ISO locks its standards for a set time, prohibiting changes until a scheduled review period. In this case, the DOD should lock the CMMC model for a period of five years, to give DIB companies a static, unchanging set of goalposts to target with their implementation.
If the parties are not confident in their ruleset, then we shouldn’t even pretend to have a certification program based on that ruleset.
See update below; DOD has announced the model is being updated again.
Step Two: Fully Develop and Release the Assessment Rules
The CMMC-AB still has not worked on any official assessment rules which will then govern the actions and duties of its C3PAOs. Instead, it has prioritized short-term cash flow by selling bogus certificates, with the obvious goal being that the Board members involved will jump ship from the AB to the new “CAICO” organization, where they can continue to rake in money as trainers.
I’m not talking about Carnegie Mellon’s “Assessment Guide,” which proved to be largely useless and hypothetical. I am referring here to the CMMC-AB’s rules, which will then flow down to C3PAOs and form the basis for accreditation and appraisals.
Without these rules, no one knows how long a CMMC appraisal will be. This matters because each C3PAO will develop its cost model on an audit “day rate.” If the going rate is $2,000 per day, as expected, DIB companies need to know how many days will be required for an assessment: a 1-day audit will cost $2,000, but a ten-day audit will cost $20,000. So this stuff matters. Obviously, day rates will be dependant on the targeted CMMC level, too. We need the audit duration tables.
These rules also will govern how a C3PAO builds its appraisal team: how many assessors, how many technical experts, etc. Then, the rules will define the assessment itself, including rules for opening meetings, conducting the assessment, use of information and communication techniques (ICT), assessor ethical guidelines, how CMMC reports will be generated, the report template itself, how the results will be communicated and reviewed, how final levels will be awarded and announced, etc.
Finally, the CMMC-AB must address something they are ignoring entirely: how complaints and appeals will be processed. They are likely to see a flood of appeals in the very first month that assessments begin, as DIB companies object — rightly or wrongly — to audit deficiencies. There must be a formal and objective manner to process these. The CMMC-AB’s current posture — reacting hostilely to complaints and publicly attacking complainants — can’t continue. The AB is living in a fantasy world where they think the sycophantic sucking-up they are currently receiving will continue forever. Once the C3PAOs start denying companies CMMC levels, and DIB companies stand to lose billions of dollars in contract awards, all those illusions will fall apart. The CMMC-AB needs to be ready.
Step Three: CMMC-AB Obtains ISO 17011 in Six Months
The CMMC-AB must develop the rules I mentioned in Step Two anyway in order to obtain their mandatory accreditation for ISO 17020. The DOD has ordered them to become ISO 17020 compliant; there’s no leeway here.
But to allow itself to keep generating cash for its Board members, the AB has elected to give itself an arbitrary “24-month” deadline for ISO 17011. This is because they cannot simultaneously certify persons while being an actual “accreditation body.” Somehow, the AB convinced the DOD and Arrington to buy into this ludicrous — and potentially corrupt — plan, but let me be clear: the 24-month deadline is entirely made up.
Revealing the scam, they then gave the C3PAOs only three months to implement ISO 17011 after that. This exposes the reality that these ISO 17xxx implementations do not need two years to implement, and the CMMC-AB is only doing this to extend the amount of time they can sell worthless badges. Look at this screenshot from the 23:54 timestamp of a recent CMMC-AB Town Hall:
There is nothing at all stopping the CMMC-AB from pursuing full ISO 17011 compliance in six months. Period.
Given that, they must prioritize this over the sale of “badges” which will become worthless when the new CAICO organization forms anyway, and possibly expose the AB to a massive class-action lawsuit. They should drop this doomed endeavor, and get to work on their sole function: becoming an actual “Accreditation Body,” so they can begin accrediting C3PAOs.
Step Four: C3PAOs Accredited to ISO 17020
Once the rules from Step Two are completed, and the CMMC-AB has achieved ISO 17011, only then can the C3PAOs comply with their DOD mandate and become ISO 17020 accredited. Right now, C3PAOs cannot do this, since any ISO 17020 accreditation audit will review their compliance with the CMMC-AB’s rules, which — as I said — don’t exist.
So the entire process is stalled, again, due to this arbitrary “27-month” delay.
If the AB gets its ISO 17011 accreditation in place in six months, it can begin conducting accreditation oversight audits of C3PAOs, and officially granting them the ability to conduct audits. That means that beginning in July of 2021, we could have a functioning CMMC program and the C3PAOs could be issuing real, trusted, accredited CMMC levels. July!
Right now, the C3PAO “badges” issued by CMMC-AB are meaningless, and only placeholders. these C3PAOs cannot actually perform audits until they obtain ISO 17020 accreditation.
By following these four steps — in order — the CMMC Scheme can be fully operational as early as July 2021, but let’s be kind and suggest by Q4. As it stands now, CMMC-AB’s foot-dragging will delay the entire rollout by years, with the only benefit being that a few Board members get to collect money by giving “badge classes” that have no impact at all on the nation’s cybersecurity.
We must fight back against this craven greed, which stands to weaken our cybersecurity defense. China and Russia are not stopping their attacks on our country so a few CMMC-AB Board members can buy a new boat. The CMMC program must be fully operational as soon as possible, and only by doing the steps above can this happen.
We have to move CMMC from vaporware into a real, functioning, and thriving scheme.
CORRECTION: An earlier version of this claimed the CMMC-AB gave itself 27 months to implement accreditation. In fact, it gave itself 24 months, and then added another three months for C3PAOs to obtain their own accreditation after that.
UPDATE 11 February 2021: In an article on Inside Cybersecurity, the DOD announced it was underway updating the CMMC Model. Apparently, the model is being revised to address changes in NIST 800 controls, as well as to address user feedback. While the latter is good, standards developers know that you revise standards to align with user feedback before you publish them and not after you announce a certification scheme around the publication.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.