Good luck to Katie Arrington, the Department of Defense’s CISO, who just inherited a disaster from former members of the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB). Beset by rumors of corruption and by the poorly planned launch of the program under her predecessors, the Cybersecurity Maturity Model Certification (CMMC) program has already lost credibility in an industry that desperately needs better cybersecurity hygiene.
The CMMC is soon (by the end of this year) expected to be officially written into the Defense Federal Acquisition Regulation Supplement (DFARS) as the official DoD cybersecurity standard for defense contractors. The CMMC will offer five levels of compliance, ranging from on-premises technology companies to cloud-driven FedRAMP High environments.
Focusing on supply-chain vulnerabilities, DoD will finally require its contractors to demonstrate cybersecurity protocols reflecting the levels of sensitive information that the contractors handle (including CUI). DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).
However, a massive problem is hindering the advancement and integrity of the program: allegations of corruption.
The CMMC-AB was established to administer the CMMC program for DoD, which includes certifying auditors to ensure that contractors adhere to the CMMC standards. Unfortunately, it seems the CMMC-AB forgot some important steps. To begin, you cannot enforce CMMC until the contractors can be audited. Before the contractors can be audited, there need to be auditors. And before the auditors can be certified, there needs to be something (a curriculum or manual) upon which to certify them, one that mirrors the standards to be enforced. While the DFARS standard was finally published for public comment on July 30, 2020, there are still no courses for aspiring auditors to take.
Now, welcome the “educational” profiteers. Former CMMC-AB Chairman Ty Schieber and head of communications Mark Berman resigned (although some report that they were voted off) after a purported “pay for play” scheme under the Licensed Partner Publisher program (“LPP”) appeared to be selling influence.
CMMC announced a “Partner” program on September 4, 2020, advertising the sale of “Diamond”-level titles to entities that donated $500,000. Other tiers of partnership were offered, with the “Bronze” partnership available at the lowest donation level of $5,000.00. Critics of the program characterized these partner programs as influence sales, in which donations were repaid with high-level status within the program. Two days later, on September 6, 2020, the partner programs were removed from the CMMC website.
Still, the CMMC-AB continues to sell certifications — branded, in some cases, as “licenses” or “registrations” — for training curriculum developers, training providers, assessors, and “internal consultants.” On its LPP website page, applications for certifications are $1,000.00 and nonrefundable, and the one-year certification fee is $4,000.00.
The outcome of the LPP is unknown, but past CMMC-AB actions have certainly invited increased scrutiny of its future moves. With so few people actually able to understand the CMMC, its tiers and its requirements, the opportunities for corruption and mismanagement remain significant. And although the original intent of the CMMC was to stop the false “self-certifications” of cybersecurity practices by contractors, unless and until auditors can be certified in a trusted manner, the CMMC program will either fail or further delay government procurement.