The fact that the US Dept. of Defense and CMMC-AB signed a contract that would grant China some role in overseeing the nation’s CMMC cybersecurity certification program is so insane, it’s hard for anyone to believe. But, yes, they did that. See my article in the April 2021 edition of Cyber Defense Magazine that breaks down this debacle. (Free, but requires email signup.)
This is the result of the DOD taking the advice of some existing US accreditation bodies who had already signed up for this nutty arrangement. Those guys are all members of the IAF and have to undergo the attendant peer audits, and agree to allow the IAF (and, thus, China) to have final authority over complaints and appeals. It’s crazy, but in the commercial world it’s not a direct risk to national security.
So let’s agree that the CMMC-AB should act like an actual “accreditation body” and not the massive consultant scam it is now. That means getting into compliance with ISO 17011, as the DOD directed them to do, but not under the oversight of the IAF or Mexico’s IAAC, as DOD currently requires.
So how do we fix this, and what will it cost?
The answer is equally insane, only because it’s so simple and so cheap.
First, the DOD must tear up its contract with the CMMC-AB (which is likely illegal anyway) and start over. The new contract must define an entirely different oversight structure for the CMMC-AB, one that does not involve the IAF or IAAC at all, but instead puts the responsibility back on the DOD itself. No buck-passing, sorry.
The DOD would contractually require the CMMC-AB to undergo two-day ISO 17011 conformity assessments by a third-party contractor, twice per year. The resulting reports, along with any documented nonconformities, would be sent to the DOD (not the CMMC-AB). The CMMC-AB would be required to correct these deficiencies or lose its role as sole CMMC authority entirely, or perhaps face crippling financial penalties.
At a cost of $2000 per audit day, the overall cost would be $8000 per year, for four audit days. These audits can be conducted remotely, so there are no travel expenses. Let’s say for the sake of argument that the third-party auditing firm wants more time for report writing, or perhaps it could also serve as an independent clearinghouse for complaints against the CMMC-AB or C3PAOs. Let’s exaggerate, and pretend the final cost will be $40,000 per year.
The DOD would not pay that. The DOD instead would require the CMMC-AB to pay that, even as the contract would have the auditing firm report to the DOD. The CMMC-AB, then, would flow these costs down to the DIB companies (through their C3PAOs) as a cost of certification.
If the scheme has 300,000 companies in it, then $40,000 spread across all of them works out to about 13 cents per DIB company per year. Let’s get crazy and round it up to eight bucks per year.
Your coffee costs more than that.
BTW, this is how schemes like AS9100 function, with costs of oversight bodies and databases being flowed down to the certified companies, through their certification bodies, so we have lots of experience that proves this works.
Meanwhile, the DOD would not even need to hire additional staff to support this. An existing staffer within the DOD would be a point of contact with the third-party auditing firm, and then ensure the audits of CMMC-AB were scheduled and conducted. Then, twice per year, they would receive the reports, distribute them accordingly, and ensure the CMMC-AB was taking corrective action. You’re talking about adding a few hours of work to an existing DOD employee’s year… that’s it.
Of course, the DOD department responsible would have to be someone other than the Office of the Under Secretary of Defense for Acquisition & Sustainment, which oversees the CMMC program. They have proven to be incapable of being a fair dealer in this scheme, and are colluding with the CMMC-AB to sell consulting badges rather than do the hard work of creating a functioning certification scheme. So it has to be someone else, but someone with authority.
Here’s the rub: we have a problem of unbelievably high risk, but a solution of unbelievably low cost. That makes the entire discussion unbelievable in itself, even if it’s completely true. It’s very difficult to talk about this without it sounding like one of those “perpetual motion machine” ads in the back of old Popular Mechanics magazines.
In short, it’s too good to be true.
But this is only because the incompetence of the DOD and CMMC-AB is so incredibly fantastic, so unprecedented, they have created a problem that even critics could never have imagined.
Would you pay $8 per year to ensure the US cybersecurity program doesn’t require China’s involvement?
I’m assuming that if you said “no,” you live in Beijing.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.