Repeatedly, CMMC promoters and The Cyber AB have claimed they don’t see any conflicts of interest in the scheme, despite nearly everyone else consistently banging their fists on the desk and saying, “They’re right in front of you, dude!”

Cue Picard memes.

If you recall, The Cyber AB just launched a set of tools, allegedly “white-labeled” from the consulting firm Cyturus, that AB-approved consultants (“RPOs”) can then use to help companies implement CMMC. This means the AB is literally providing procedures, risk analysis, SPRS forms, POAMS, and other deliverables to companies that, later, the AB itself will have to oversee audits of.

This will simultaneously ensure that The Cyber AB gets sued and is denied ISO 17011 accreditation, but the AB’s CEO Matt Travis insisted to me he didn’t see the conflicts of interest. He was genuinely — or so I’m led to believe — befuddled by the fuss.

So let me lay out the conflicts of interest as they will play out in the real world, in simple language so even the CMMC Kool-Aid drinkers can understand it. This is based on my 30+ years of experience in the ISO audit world, which CMMC is trying to mimic.

To preface this, remember how CMMC assessments (audits) will play out. A company seeking CMMC certification will hire an official, accredited certification body (called a “C3PAO” in this scheme) to audit them against the CMMC standard. That C3PAO will have been accredited by The Cyber AB, and the C3PAO has to maintain that accreditation or risk being denied the right to perform such assessments at all. Moreover, any complaint submitted by the company being audited will be adjudicated by The Cyber AB, which is supposed to remain neutral in such matters.

Scenario 1

Imagine the company “Ape-X” is undergoing its CMMC assessment. Ape-X has hired an official “RPO” consultant who was personally accredited by The Cyber AB; we will call the consultant “Bob.” Ape-X then hired “ShitCo” as their certification body, or C3PAO.

Oh, and wait: Ape-X needs CMMC in order to win a lucrative contract worth millions; if they don’t get a CMMC rating, they can’t bid on that contract.

Bob has taken up The Cyber AB’s offer and is using their CRT consulting tools. Now, Ape-X has POAMS and procedures clearly developed by The Cyber AB, but sold to them by Bob the consultant.

On the day of the CMMC audit, the auditors from ShitCo recognize the materials, and realize that Ape-X and Bob used the official Cyber AB materials.

So what does ShitCo do if they find a problem? ShitCo was accredited by The Cyber AB. If they write up the finding, they are essentially writing a nonconformity against the materials produced by the body that can kick them out of the business entirely, by stripping them of their accreditation. So ShitCo drops the finding, for fear of pissing off The Cyber AB.

And Ape-X gets a CMMC rating despite having a flawed system.

Scenario 2

What if, in the same scenario, the auditors from ShitCo do write up the finding anyway, trying to be honest? Now, Ape-X is denied their CMMC, and thus loses access to the lucrative contract.

Do you think Ape-X will just take that lying down? Of course not. Their lawyers will look for ways to get that decision reversed. They will now be able to sue Bob the consultant, as well as The Cyber AB itself, for malpractice and defective CMMC products that cost them millions of dollars in potential contract awards.

Scenario 3

Now let’s mix it up a bit. Say Ape-X doesn’t hire Bob as the consultant, but instead hires Jane. Jane is a fully-accredited RPO, but chooses to use materials created by her own company, and not The Cyber AB’s CRT tools.

On the day of the CMMC audit, the auditors from ShitCo find problems with Jane’s work, and write it all up. Ape-X is denied an acceptable CMMC rating. Again, Ape-X’s lawyers go to work.

No one can really know if ShitCo wrote up the finding because they are silently pushing companies to use the Cyber AB’s materials, in order to remain on the AB’s good side, or if Jane’s tools were legitimately defective in some way.

Now, Jane the consultant can sue.

Scenario 4

Take any of the prior three scenarios, and let’s assume that Ape-X doesn’t even have lawyers, or isn’t ready to go to court. Instead, they invoke their rights under the CMMC scheme to file a complaint.

First, that complaint will be sent to ShitCo, the auditing body. If Ape-X doesn’t agree with ShitCo’s response, it will have the right to escalate the matter to The Cyber AB.

Now The Cyber AB is adjudicating a complaint related to its own deliverables. Any response by The Cyber AB, other than full acquiescence to Ape-X, will be seen as self-interested, and be suspect. If The Cyber AB tosses out the complaint, parties can — rightfully — say they did so in order to protect their own CRT products and reputation, not because the complaint was legitimately without merit.

(I won’t get into how Ape-X can then escalate the matter to The Cyber AB’s oversight body, IAAC, and how that now lets Mexico decide what happens next. I’ve beaten that horse to death, but it nevertheless remains true.)

Other Scenarios

There are more. A lot more. For one, cybersecurity consultants who are NOT registered as RPOs by The Cyber AB can sue for unfair competition. The Dept. of Defense can face investigations into why it created an overnight monopoly organization, overlooking potential fraud and corruption, just to hand Katie Arrington’s pals a “cottage industry.” When a CMMC-certified company inevitably gets hacked, everything will be examined, and likely everyone sued. Oh, and there’s always the Federal Trade Commission… let’s not forget about them.

For those arguing this is all a bunch of “what ifs,” and therefore should be dismissed out of hand, keep in mind that accreditation standards like ISO 17011 are specifically designed to prevent “what ifs.” That’s literally what they are there for. Rules against conflicts of interest are written precisely because those conflicts will occur if nothing forbids them.

The Only Fix

The only way to prevent these scenarios from playing out would have been for The Cyber AB to never have released the consulting products at all, as they are an overt violation of ISO 17011.

But it’s too late. The products are out there, and The Cyber AB is now sitting in a giant, stinking pool of its own conflicts of interest.

There should be no way that The Cyber AB ever gets ISO 17011 awarded to it by Mexico’s IAAC, but it’s still not out of the realm of possibility. IAAC is, itself, a notoriously corrupt organization, at least by my reading. So they may rubber-stamp The Cyber AB. But it won’t stop the complaints once CMMC audits become a real thing.

Again, companies will have invested hundreds of thousands of dollars into implementing CMMC, and then have potentially millions of dollars in contracts waiting for them, if they obtain CMMC. This means the companies seeking CMMC are not going to be playing around. If they fail an audit, you can be sure they will be looking for ways to reverse that decision.

And the idiots at The Cyber AB just handed them a boatful of ways to do that.

Good job, Jeff Dalton! You really are a very stable genius.
