CMMC assessment methods are based on the self-assessment standard, NIST SP 800-171. That standard was never designed for third-party assessment, so, without modification, its practices ensure fraud by the C3PAOs who will conduct CMMC audits. This will then enable contract protests and litigation against anyone who “wins” a CMMC certification.
As usual, the Cyber AB — who is supposed to fix this stuff — is too busy selling fake badges to do its job and tailor the assessment methods to suit third-party certification. So, to ensure their market position, C3PAOs will have to choose the cheapest, laziest assessment methods; that will ensure CMMC certifications don’t have any real impact on cybersecurity.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world