The US Dept. of Defense has handed oversight of the nation’s cybersecurity certification program to the IAAC, which operates out of Mexico, and the IAF, which is led by China. In response, Oxebridge has published a formal White Paper on the matter, and is preparing a formal report to the DOD Inspector General.

The news comes as journalists obtained the “Statement of Work” (SOW) for an exclusive, no-bid contract between the DOD and the CMMC Accreditation Body. That contract requires the CMMC-AB to obtain ISO 17011 accreditation and undergo “peer evaluations” by the Inter-Americas Accreditation Cooperative, or IAAC. The IAAC is headquartered in Mexico, and its current Chair is from Uruguay.

The contract makes the CMMC-AB the sole authority for accreditation of CMMC assessment bodies, and responsible for overall administration of CMMC certifications. For unknown reasons, the DoD has refused to release the full contract.

The SOW may be downloaded here.

The IAAC normally exists to facilitate trade between North, Central, and South American countries, by ensuring accreditations for ISO certification bodies are mutually recognized and properly administered. The scheme is controversial, but largely harmless in the context of trade or standardization. It has never been used as a means of overseeing the United States’ national defense, however.

The IAAC is furthermore obligated to flow down to the CMMC-AB all requirements and oversight authority of the IAF, whose current president is Xiao Jianhua, an executive with the Chinese National Accreditation Service (CNAS).

The Oxebridge White Paper details how the published procedures of both IAAC and IAF will force the CMMC-AB to grant physical access to foreign auditors during their accreditation audits of CMMC assessment bodies, known as “C3PAOs.” This will then expose national security weaknesses, including cybersecurity deficiencies, to those foreign auditors.

In addition, the IAAC membership requirement mandates that complaints and appeals be processed by IAAC and/or IAF when escalated by an aggrieved party. The published IAAC procedures on complaints handling reveal that any such escalations will be processed by foreign nationals. Oxebridge has seen this first hand; during one prior interaction with the IAAC, a complaint filed by Oxebridge was processed by representatives of Uruguay, Jamaica and Brazil, and copied to overseers in China.

Back in September of 2020, Oxebridge warned officials in the Dept. of Defense, including Katie Arrington and Kevin Fahey, that any such move would bring Chinese and Mexican oversight into the scheme. The DOD rejected the warning. Leadership within the CMMC-AB also adopted a hostile posture to the reports, choosing instead to bend the knee to Arrington.

Overall, the SOW reveals a stunning surrender of nearly all rights of the CMMC-AB in deference to the DOD, but still holds the CMMC-AB solely liable if things go wrong. One clause allows the DOD to cancel the contract at any time and gives the CMMC-AB only 30 days to surrender the entirety of the program’s systems, documentation and records to its replacement.

It does not appear that officials in either the DOD or CMMC-AB ever read the public procedures of the IAAC, which are freely available on the group’s Mexican website, in English. Those procedures go into significant detail on the requirements for IAAC “peer evaluators” to physically attend CMMC-AB audits of C3PAOs and DIB companies.

Oxebridge is preparing a report to the US Dept. of Defense Inspector General on the matter.

At the same time, Oxebridge is investigating evidence that suggests one former member of the CMMC-AB may have committed a felony in order to set the stage for the eventual contract with the DoD. If this bears out, the contract with the DoD may be nullified on the spot, as having been obtained illegally. If parties are found guilty, the law provides for them to face up to 5 years in federal prison.

The Oxebridge White Paper, entitled Addressing How the Dept. of Defense Contract with the CMMC Accreditation Body Risks The USA’s National Defense, may be downloaded here.
