Poisoned DNA: DFARS CMMC Interim Rule Hardcodes Corruption, Conflicts of Interest

The US Dept. of Defense has issued a Defense Acquisition Regulations System (DFARS) Interim Rule that all but ensures the CMMC certification scheme will be infected by corruption, by “hardcoding” conflicts of interest into the assessment decisions.

Specifically, the Interim Rule — which is set to go into effect on November 30, 2020 — defines CMMC certifications as being issued in this manner:

CMMC Assessments will be conducted by C3PAOs, which are accredited by the CMMC-AB. C3PAOs will provide CMMC Assessment reports to the CMMC-AB who will then maintain and store these reports in appropriate database(s). The CMMC-AB will issue CMMC certificates upon the resolution of any disputes or anomalies during the conduct of the assessment. These CMMC certificates will be distributed to the DIB contractor and the requisite information will be posted in SPRS.

The paragraph is problematic because it continues the DoD’s conflation of “certification” with “accreditation” that has plagued the scheme from the beginning, despite alleged experts on ISO accreditation having been utilized at the earliest stages.

In short, “certification” is granted to a thing, and “accreditation” is granted to the certifier. This hierarchy aims to ensure the trust and validity of the resulting certification, by having “accreditation bodies” oversee the “certification bodies.” Without this, you have the diploma mill scenario, where certificates are issued for anything, without any real auditing or oversight.

Under the Interim Rule, a CMMC certification will be issued by a “CMMC Accreditation Body,” thus meaning the CMMC-AB will not be, in fact, an “accreditation body” despite the words appearing in its name. Instead, it will be a simple “certification body” issuing certificates. The third-party assessment organizations (called “C3PAOs” in the scheme) will be nothing more than approved, hired guns. The DoD calls this “accreditation,” but under the internationally-accepted ISO and WTO interpretations, this would not be true.

The Interim Rule wants to have it both ways: it claims the CMMC-AB will “accredit” C3PAOs, but then has the CMMC-AB issue the “certificates.” It’s therefore not at all clear what, exactly the C3PAOs are being accredited to do. Simply carrying out subcontract audits under the final authority of the CMMC-AB is not a candidate activity for “accreditation.”

This arrangement also violates the current Memorandum of Understanding (MOU) the DoD signed with the current CMMC-AB, which clearly states the certificates will be issued by C3PAOs who will then be accredited by the AB.

The MOU then requires the CMMC-AB to comply with ISO 17011, the standard for accreditation bodies. If the intent is for the CMMC-AB to merely issue certificates, the DoD should have flowed down ISO 17021 — the standard for certification bodies — instead; but it did not.

This problem arises because of general confusion on the part of the scheme’s architects over the difference between “certification” and “accreditation,” which the parties have consistently used as synonyms. Not only does this mean the CMMC scheme will be at odds with international standards and World Trade Organization principles, but in conflict with existing US regulations and even other DoD rules and programs which do understand the differences.

The MOU between the CMMC-AB and DoD will soon be replaced by a formal, no-bid contract which I’m left to understand will retain much of the confusing, contradictory language regarding certification vs. accreditation, and which may overtly contradict the Interim Rule, making for an awkward and potentially tangled legal debate. Eventually, the DoD’s own contract may not comply with the DoD’s own Interim or Final rules.

Poisoned DNA

The very next paragraph, however, all but ensures corruption will arise by “poisoning the DNA” of the scheme before it even starts:

If a contractor disputes the outcome of a C3PAO assessment, the contractor may submit a dispute adjudication request to the CMMC-AB along with supporting information related to claimed errors, malfeasance, or ethical lapses by the C3PAO. The CMMC-AB will follow a formal process to review the adjudication request and provide a preliminary evaluation to the contractor and C3PAO. If the contractor does not accept the CMMC-AB preliminary finding, the contractor may request an additional assessment by the CMMC-AB staff.

This paragraph again reveals the DoD does not understand the certification/accreditation hierarchy, allowing the CMMC-AB to essentially oversee itself, without any further recourse.

Putting the words into English, the rule means that if a CMMC auditor either displays unintentional incompetence or outright corrupt behavior (“ethical lapses”), and if the client wishes to complain, the CMMC-AB will have some vague, undefined “normal process” to review a complaint. If the client rejects that review, the only recourse is for the client to pay an additional — and no doubt much more costly — re-audit by CMMC-AB staff. Because of potential incompetence by a C3PAO, the client will have to pay for an entire second audit. There is nothing in the rule that then says the C3PAO will compensate the client if the CMMC-AB finds the original appraisal was defective.

This raises a question of who within the CMMC-AB will conduct such audits? Will the CMMC-AB have its Board members or executive staff perform such audits? What will they charge? Will “complaint resolution assessors” be trained and certified by a C3PAO? By the CMMC-AB itself? By no one? How will this work, exactly?

Now keep in mind that the DoD had determined from the very outset of the CMMC scheme that any CMMC-AB would be (a) a private, non-governmental organization and (b) wholly self-funded. The DoD has refused to fund the accreditation scheme, and instead insisted the CMMC-AB will find revenue through “licensing, certification” and other services.

It is not hyperbole to emphasize just how bad this decision is. The US government is creating, overnight, a single private monopoly, and then enshrining in law the fact that the organization will have no independent oversight whatsoever. Not even the DoD will be involved in disputes or assurances that the Accreditation Body operates objectively.

Now, we follow the money. The C3PAO will charge the client a fee for conducting a CMMC appraisal. From that fee, the C3PAO will pay a portion back to the CMMC-AB for “accreditation” (ignoring the improper use of the word.)  The money will flow in one direction: up.

Under the Interim Rule scheme, if an auditor engages in anything from a minor bungling of a report to full-on corrupt practices (solicitation of bribes, harassment of client staff during the appraisal, violations of confidentiality or impartiality, etc.), the DoD expects the CMMC-AB — who is being paid by the C3PAO — to somehow come to a fair and balanced ruling on behalf of the client.

While simultaneously worrying about where its funding comes from.

Without other sources of independent funding, the CMMC-AB will reliant on the revenue paid to it by the C3PAOs. This will dampen — if not snuff out entirely — any “objectivity” needed to properly prosecute complaints. The math is simple: the CMMC-AB may literally not be able to afford to uphold any complaint against one of its C3PAOs, at the risk of losing that accreditation revenue. It will be forced to side with C3PAOs in every case.

A Solution Guaranteed to Worsen the Problem

Now factor in another small detail that readers of the Interim Rule have missed. The rule only invokes “an” accreditation body in passing, and does not limit this to only one. It’s conceivable the DoD could begin to authorize the formation of other Accreditation Bodies, under a misguided idea that they will create a “free marketplace” where the competition will keep the players honest. This may also occur as ANAB, A2LA and others research the feasibility of suing the DoD for granting a monopoly to the CMMC-AB in the first place.

In reality, we have decades and decades of experience to tell us that creating multiple ABs will not work, and will result in “doctor shopping” by clients, who will seek the easiest AB to operate under. Rather than improve the scheme through competition, the quality of certifications will sink to the lowest common denominator: the cheapest, easiest AB who writes the fewest audit findings.

At the same time, we have the UKAS model to show what happens when a private monopoly is granted total omnipotence by its government. The accreditation body UKAS routinely flouts the international accreditation rules, but because it’s protected by UK national law, there is no recourse.

It is bad enough that the DoD is creating a single, unaccountable monopoly and washing its hands afterward. If it duplicates the effort by creating one or two more, it will inject all sorts of new problems into the scheme. It will have created a whack-a-mole scenario that it cannot win.

This is not hyperbole, nor is it fantasy. Corruption in the ISO scheme is rampant, and well documented. But there are methods to escalate complaints and pursue them to an end. But because the ISO certification scheme is voluntary, in extreme cases a client can simply “give up” and drop the scheme entirely, working to negotiate a waiver from their customers as they do so. Even in scenarios where the escalation fails, there are options.

This will not be an option under CMMC, which the DoD has announced will be mandatory. You either sign up for the corruption, or you go out of business.

Offering Solutions

The DoD is hardcoding its ignorance and missteps into law, but there may be time to fix it. The Interim Rule is open for public commenting, and Oxebridge is providing input directly to the players. We’re calling on the following:

1. The Final Rule clearly must differentiate between certification and accreditation.
2. CMMC certificates must be granted by a C3PAO.
3. The C3PAOs must be accredited to ISO 17021 by the CMMC-AB.
4. The CMMC-AB may “authenticate” certificates afterward, but only for that purpose, and for entering them into the EMASS reporting system.
5. The CMMC-AB must be independent.
6. The CMMC-AB must comply with ISO 17011.
7. The DoD must establish an independent oversight body to audit the CMMC-AB annually to ISO 17011, and provide general guidance.

As it stands now, the poisoned DNA of the DFARS Interim Rule absolutely ensures the eventual CMMC certifications will not be trustworthy, as they will always be infected with a financial shadow of doubt without any means of shining a disinfectant light on them later. This will result in a less-safe US cybersecurity infrastructure, while costing billions to the Defense Industrial Base.

Postscript Note

Some have repeatedly pointed out that ISO 17020 — for inspection bodies that certify things —  would be more applicable to the C3PAOs than ISO 17021, for bodies that certify management systems. In fact, the MOU name-drops ISO 17020 once or twice, adding confusion to the mix.

The reality is that CMMC is based on CMMI, and is a “maturity model” built on a sliding scale; it’s not the pass/fail decision typically addressed by either standard. CMMC does not, therefore, neatly fit into either standard, since the mashup of ISO and a “CMM” of any stripe has never been done before. This again arises due to DoD’s confusion over products, systems and models.

I believe ISO 17021 is the better fit, and we can point to ISO certification schemes under ISO 20000 (for IT service management systems) or ISO 27001 (for information security management systems) as “close-as-we-can-get” analogs. These are well-established certifications governed by accreditation bodies operating under ISO 17011.