Page 92 - Cyber Defense eMagazine April 2021 Edition

There's been much bluster about the DOD's pending CMMC certification program, aimed at putting more than 300,000 defense industrial base companies under third-party audits to confirm their cybersecurity controls. This has caused a mix of panic among defense industry companies, who have legitimate questions about costs and rollout, and elation among consultants, who stand to benefit from the new industry created nearly overnight by DOD.

The reality is that CMMC is dead in the water, and cannot launch. Read that again: CMMC is dead.


Despite having been under development since at least 2019, the CMMC program never progressed past vaporware. The CMMC model, or "standard", is still not completed, and DOD recently announced it intends to release a "major" revision sometime later this year. Next, not a single auditor or certification body exists that can assess a company to CMMC, and the programs to get assessors and CBs ready have not even been drafted.

Instead, the DOD mandated the formation of the CMMC Accreditation Body, which has spent the past 15 months selling dubious "badges" for consultants, the one part of the scheme that is wholly unnecessary. To repeat: the CMMC-AB wasted nearly a year and a half on the one thing that's in their name: an "accreditation body."


In the interim, the CMMC-AB bungled the basics. In March of 2020, they filed for a CAGE code attesting, under penalty of criminal prosecution, that they were already a tax-exempt organization, when in fact they had never filed for tax-exempt status. They then solicited $500,000 "Diamond memberships" in what might have ended as felony tax fraud if the Board hadn't pulled the scam within 48 hours and ejected the Board members responsible. They then failed to trademark their logo, inviting a future filled with pirated CMMC certs and bogus marks. More recently, they failed to update their SAM.gov filing, allowing it to lapse earlier this month.

It does not appear that the DOD contract that mandated its formation is legal, nor will it survive even a minor legal challenge. Criminal investigations are underway, as well as over a dozen other probes. Talk of class-action suits has begun.

Ironically, that's not what will kill CMMC. Instead, it is the even more monstrous bungling by the DOD itself.

Early on, DOD dreamed up a plan to marry a CMMI-style "maturity model" concept with old-fashioned ISO certifications. Without any actual accreditation experts to advise them, DOD never realized the two don't mesh. Maturity models are graded systems, sloped and allowing a variety of results based on, well, "maturity." ISO certifications are pass/fail, binary attestations. The system was broken before they ever launched it.


Next, DOD apparently "heard some stuff" about ISO accreditations, and so mandated that the CMMC-AB would become an official accreditation body by obtaining ISO 17011 accreditation for itself. In the ISO scheme, this is managed by an organization called the International Accreditation Forum (IAF), so DOD put in its contract that the CMMC-AB would join that oversight scheme.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.