The ISO 9001 certification body NQA is already offering certification services for the Cybersecurity Maturity Model Certification (CMMC) program, even though no such certification program yet exists.
The CMMC certification is managed by the CMMC Accreditation Board (CMMC-AB), which has only just begun the process of training provisional assessors; it has not yet announced the accreditation of any third-party assessment bodies, called “C3PAOs” in the CMMC jargon.
Despite this, a July 2020 press release on the NQA website says that the company has been approved by CMMC-AB as a C3PAO, claiming it is listed on the Accreditation Board’s website. The CMMC-AB website, however, does not list any C3PAOs, and makes no mention of NQA at all. Sources report that a drop-down menu accessible only to those registrars who applied lists the various applicants, but this is not available to the public, nor is it an indication of CMMC-AB approval.
The press release does indicate that NQA is only providing pre-assessments to the CMMC scheme, but a separate page on the NQA website offers full “CMMC certification,” despite this not being possible. The page prompts the reader to “Get a quote” for certification. Oxebridge tested the page and it did not throw up any disclaimers or clarifications.
The same page then features the logo of NQA’s accreditation body, ANAB, despite that body not offering accreditation under the CMMC scheme.
ANAB originally participated in discussions to become an official accreditation body, but the US Dept. of Defense scuttled such talks, and instead ordered the creation of the CMMC-AB.
The CMMC scheme and the CMMC-AB have been mired in controversy and accusations of self-dealing and “pay to play.” The CMMC-AB was forced to remove a controversial program whereby it attempted to sell $500,000 per person “Diamond” memberships. Oxebridge first reported on this, and the industry outcry forced CMMC-AB to withdraw the program less than 24 hours later.
Oxebridge also analyzed the official DoD Memorandum of Understanding (MOU) that was used to create the CMMC-AB, and found it legally unenforceable.
Industry attorney Robert Metzger is calling on the CMMC-AB to “pause, correct and regroup” given the scandals facing it.
Oxebridge founder Christopher Paris has called on CMMC-AB Chair Ty Schieber to step down.
The cybersecurity industry has been plagued with marketing claims which falsely assert that companies must begin CMMC implementation now or face the loss of DoD-related contracts. Major companies such as Deltek and Dun & Bradstreet have launched ad campaigns that claim the certification program is already underway. Private consultants have been found claiming the DoD rules mandating CMMC certification are already in effect.
In reality, a slow rollout of audits will begin next year with a tiny selection of defense industry companies, and those would likely be very large prime contractors. It is not expected to affect other companies in the supply chain until later 2021 or deep into 2022. In addition, the scheme may be impacted by the coming US Presidential election.
There are currently no finalized audit rules, audit duration timetables, checklists or training programs developed for the CMMC scheme. The Assessment Guide, which will dictate how certification audits are to be performed, has not been released.
NQA President Kevin Beard did not immediately reply when asked to comment on the CMMC certification claims.