The Dept. of Defense’s representative Katie Arrington has all but signaled surrender for her CMMC project by announcing that the DOD would accept ISO 27001 certificates “in reciprocity” for CMMC appraisals.
If you recall, Arrington was hired to stand up the DOD’s Cybersecurity Maturity Model Certification program, which some have argued (including myself) has been nothing more than a massive make-work project for Arrington and her friends, including her former boss at Dispersive Technology, Ty Schieber. Instead of doing the necessary (and hard) work of setting up a functioning, accredited certification system, Arrington and the CMMC Accreditation Board have been happy to trot out a host of meaningless “badge” personnel certifications that have no actual role in the eventual accreditation process.
Now, according to an article in NextGov, Arrington announced, “I’m going to take any ISO 27001 and provide reciprocity. Those memos are up in the office of the undersecretary to be signed out…we’ve agreed upon all of those terms with the AB, the CIO, and the other stakeholders.”
Arrington has a long history of speaking first, only to find out later she never had the authority nor the deal in hand to back up her statements, so this may be attributable to her quirks. But it’s not the first time Arrington has spoken of reciprocity with ISO 27001.
The idea sounds great at first blush: ISO 27001 is a known and fairly well-respected international standard for information security management systems, and has a well-developed accredited assessment infrastructure already in place. But Arrington’s announcement is troubling for a host of reasons — and, yes, as a company that offers ISO 27001 consulting, I realize I am about to spit in my own food. But truth matters more than sales pitches, something Arrington could learn.
The first problem is that by recognizing ISO 27001 as equivalent enough to CMMC to justify “reciprocity,” Arrington essentially admits that the US government never needed CMMC to begin with. Both the ISO 27001 standard and the surrounding audit infrastructure have existed for almost two decades. Many current DOD and other government agency contracts already require ISO 27001 certification as a condition for bidding. The NextGov article also reveals that Arrington is pushing not only for reciprocity with ISO 27001, but also for reciprocity with FedRAMP assessments and DIBCAC audits.
The argument to create a new system out of whole cloth — the CMMC scheme — was defended originally by Arrington and the DOD as being necessary because the other systems weren’t working. FedRAMP self-assessments couldn’t be trusted, DIBCAC wasn’t widespread enough, and ISO 27001 didn’t go far enough to secure the United States’ national defense.
So, why walk this back now? It looks like Arrington has essentially surrendered, and has lost confidence in her own project.
The reciprocity announcement further cripples the CMMC Accreditation Board as it’s trying to get started. The CMMC-AB has yet to develop the most basic policies and procedures needed to allow it to actually be an accreditation body, and now will face a huge setback as companies just decide to ignore CMMC altogether. CMMC-AB rep Jeff Dalton has shoved off full accreditation until 2023, giving himself and his cronies a few years to collect more money in selling “badges,” but at the expense of rolling out the CMMC program. (Arrington has apparently signed off on this insanity.)
Again, why would any functioning defense industrial base organization buy into this boondoggle, if a respected ISO certification scheme will be viewed as equivalent? DIB companies wanting to be ahead of the curve, or simply to ensure access to government contracts, won’t wait for Dalton and his pals to get rich. They will just get ISO 27001 now, rather than wait for the CMMC-AB to get its act together in the next 2-3 years.
Better yet, ISO 27001 is universal. While a CMMC certification may get you access to a handful of DOD contracts, the folks over at FDA or EPA or NRA don’t recognize it, and you’d have to get ISO 27001 anyway.
But as you’ll see, ISO 27001 isn’t the solution here, either.
The next problem is the dirty secret of corruption within the ISO certification scheme, including that of ISO 27001. Because of the conflicted oversight “pyramid” within ISO certifications, companies that do not comply with the applicable standards achieve certification anyway. Worse, even after violations are widely reported, the companies retain their certification, as the auditing bodies are too corrupt to perform their required due diligence and retract those certifications.
This is rampant in the ISO 9001 quality management scheme, where companies found to have killed people due to deadly product defects, or who have falsified product inspection data, continue to hold their certifications even after widespread reporting, arrests and government sanction. Simply put, once you’ve paid for an audit, you’re never likely to lose it so long as you keep paying your annual fees.
Within the ISO 27001 scope, nothing typifies this more than the Equifax hack. Investigators later found that Equifax’s information security systems were so lax, they included equipment that was dated to pre-DOS 1.0 technology. Meanwhile, Ernst & Young financial auditors had signed off every year on the company’s IT controls for accounting, while cohorts at EY CertifyPoint — also owned by Ernst & Young — issued annual ISO 27001 certifications, having audited the same systems. Investigators later found the systems could never have provided the security required, leading to the massive breach. Despite the corruption of two E&Y bodies auditing each other’s work, evidence presented by investigators pointed to CertifyPoint doing “drive-by” information security audits, allowing massive lapses and deficiencies to go unreported so long as Equifax was paying their bill.
That hack exposed the data of over 147 million consumers, all under an ISO 27001 certificate banner, and is one of the largest in history.
EY CertifyPoint should have faced withdrawal of its status as an ISO 27001 certification body by those bodies who accredit it, but the corruption is so rampant in the ISO field that no such actions were taken. This is true for nearly every single ISO scandal involving the applicable certification bodies: even in cases where there has been a massive death toll — see the Deepwater Horizon explosion, or the Grenfell Tower fire deaths, or the Takata airbag recalls, or the PIP breast implant scandal — accreditation bodies such as ANAB and UKAS refuse to hold the auditing bodies even partly accountable, allowing them to continue to issue dubious certifications. This is because the accreditation bodies receive a percentage of the revenue generated for every certificate issued, thanks to a corrupt, industry-wide pricing model. Then, lazy and confused governments fail to perform any oversight over the accreditation bodies, happy to claim that “privatizing audits” allows them to lower taxes.
Assuming ISO 27001 certifications will help ensure confidence in the US’ cybersecurity defense is a bad idea, since it will allow anyone who can pay to achieve certification regardless of whether they actually comply with ISO 27001 cybersecurity controls or not.
(To un-spit in my food a bit, all you can do is implement the standard as honestly and robustly as possible, and then use the resulting certificate for its tangible benefits — customer recognition and access to government contracts — and not expect the certificate itself to have any more meaning than that. At least Oxebridge is honest.)
Then there’s the nasty role of China in the ISO accreditation scheme. This sounds like a plot point in a Tom Clancy novel, but it’s public knowledge, and the IAF is unapologetic about it.
Understand that all ISO 27001 certification bodies must be accredited, typically by organizations like ANAB, A2LA, UKAS or some other international equivalent. But who watches the watchers? The various accreditation bodies must sign an international multilateral agreement (MLA) with the International Accreditation Forum (IAF) in order to be internationally recognized. So ANAB, UKAS and the rest are all official IAF members. As part of that membership, the IAF — through various regional daughter bodies — manages “peer review” audits of the ABs to ensure they are upholding all necessary ISO standards and IAF regulations.
The problem here is that the IAF is run by China. Its current Chairman and chief executive is Xiao Jianhua, who is also the chief executive of China’s national accreditation body, CNAS. As a government-run entity, CNAS’ executives are sworn to uphold the Chinese Communist Party policies and plans first and foremost. CNAS is key to two main Chinese policy initiatives related to improving the world’s perception of quality of Chinese products and boosting China’s presence in standards development activities. Xiao has been a key player in both those initiatives.
(In case you’re wondering, Xiao is a Chinese national, not a US resident or citizen. He’s not a US-born citizen with a traditional Chinese name. He literally lives and works in China.)
It is well known that CNAS is one of the world’s largest producers of fake ISO certificates, as that country chases numbers — total ISO certificates issued per year — as a metric of its “Made in China 2025” public relations policy. CNAS-accredited certificates are often found to have been used to help lubricate the sale of counterfeit product, some of which poses a deadly risk to human health. During the COVID-19 pandemic, it has been common to find CNAS-accredited certificates attached to counterfeit nitrile gloves or fake 3M respirator masks, for example.
It’s not just Xiao. CNAS has other staff members inside various IAF committees and daughter bodies, including the regional groups that audit the various ISO accreditation bodies.
The nightmare scenario for US cybersecurity firms is that any ISO 27001 audit opens up the possibility that China, through IAF and CNAS, can gain visibility into the resulting audit reports. How does this work? During a routine ISO 27001 audit, any deficiencies in cybersecurity controls are written up by a company’s ISO 27001 audit body, and captured in official audit reports. Then, those audit reports are reviewed by the applicable Accreditation Body, such as ANAB or UKAS, during their annual “accreditation audits.” Finally, those reports can be viewed again by IAF representatives doing “due diligence” of the accreditation bodies themselves.
In short, anything written in an ISO audit report can be viewed by China. The bodies will declare they have “procedures” for confidentiality, but those procedures also declare that audit reports may be shared by oversight bodies as part of maintaining accreditation.
In my case, I have emails showing complaints and appeals escalated up the IAF food chain being copied to either Xiao or his CNAS counterpart, Yang Zhou. This is documented evidence of the IAF’s role in adjudicating matters pertaining to ISO certifications in the US and elsewhere.
According to insiders, Arrington has courted the IAF and China before, using the threat of replacing the CMMC-AB with ANAB or A2LA as a bludgeon to force the CMMC-AB to sign the new contract with the DOD. Oxebridge has obtained documentation showing Arrington was present at two such meetings. At that time, it appeared Arrington was wholly clueless about the role China plays in the ISO accreditation scheme, but subsequent reporting by me and others alerted her, personally, to it. So now any move by Arrington to bring China into the oversight of US cybersecurity is both willful and negligent. Some might say it’s a risk to national security.
In the end, the DOD needs to decide which path it wants to follow. Either create a massive cybersecurity certification program such as CMMC and make it work, or go back to requiring ISO certifications in government contracts.
If the government wants to stick with CMMC, then the DOD needs to wrest control of the program from Katie Arrington and her stooges at the DOD’s CMMC Program Management Office, and start to get serious about the nation’s defense. Arrington has repeatedly proven she is not competent to carry out a task of this size, and her perpetual misstatements and blunders during press conferences are not helping. On her watch, the CMMC-AB has grown to become a corrupt stew of self-dealing and collusion, and things are not going to get better.
(See this article on 4 steps the DOD can take now to fix this.)
If the government wants to utilize ISO 27001, then the DOD needs to create a government entity to replace the IAF oversight for ISO 27001 certification bodies. This entity would conduct accreditation audits of the certification bodies, cutting out the current accreditation bodies (like ANAB or UKAS) and, thus, securing the information from China’s prying eyes. The entire operation can be run by a staff of ten people, so it wouldn’t be a massive tax burden.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.