Page 93 - Cyber Defense eMagazine April 2021 Edition
The only problem is that the IAF is run by China. Its current president is Xiao Jianhua, the chief executive of
CNAS, the China National Accreditation Service for Conformity Assessment. Other CNAS executives hold
various other IAF roles.
In the world of commercial ISO certifications this is not a tremendous problem, although it does cause some
headaches that are out of scope for this article. In that context, the arrangement is not a national security risk.
Under the DOD contract, the CMMC-AB would join the IAF's regional body for the Americas, the InterAmerican
Accreditation Cooperation (IAAC), which operates out of Mexico. Mexico is indeed in the Americas, just not in
the United States of America. It does not appear that DOD considered this bit of geography.
Membership in IAAC will require the CMMC-AB to undergo "peer evaluations" by foreign nationals from China,
Mexico, Brazil, and a host of other countries, in order to verify the CMMC-AB's compliance with ISO/IEC 17011.
The procedures for these evaluations are not hidden; they are available on both the IAAC and IAF websites for
public review. They reveal that the peer evaluators from IAF and IAAC will physically attend the CMMC-AB's
witnessed assessments, allowing foreign nationals to observe, in real time and in person, as auditors uncover
the cybersecurity weaknesses of defense companies and write up "nonconformities" to get them addressed.
Additional "office audits" will then allow those same foreign nationals to review the corrective actions
companies take to close those nonconformities.
The DOD literally handed China a VIP backstage pass to the nation’s cybersecurity gaps and lapses.
Worse, under the IAF multilateral agreement, any appeal filed against the CMMC-AB that is not resolved
by the CMMC-AB itself would eventually be adjudicated by IAAC and the IAF. If China wanted to throw a
wrench in the works, it would merely need to uphold a single complaint and eject the CMMC-AB from the
IAF/IAAC roster, stripping it of its accreditation. The CMMC-AB would immediately be in violation of its DOD
contract, and everyone would panic.
And obviously, the first company that fails its CMMC assessment is going to file an appeal. In the ISO world,
this is a routine occurrence.
The DOD error was entirely avoidable. In September of 2020, I wrote a white paper detailing this threat and
outlining a simple plan to avoid it: instead of relying on bodies like the IAF to oversee the CMMC-AB, the role
would fall to the DOD itself and an independent ombudsman. DOD rejected the paper and pushed forward,
insisting they knew better, while the CMMC-AB ignored it outright. The parties then signed a contract
hardcoding Chinese oversight of the US defense industry and went to bed that night thinking it was a good
idea.
To be clear: there is no way this survives. Under no possible circumstance will anyone allow the CMMC-AB
and defense companies to undergo peer audits by IAF or IAAC. Period.
Congress, along with a number of Inspectors General and agencies, is already examining this remarkably
bad idea. The CMMC plan will be scrapped, the CMMC-AB disbanded, and those responsible at DOD will
move on to other careers. (In fact, most have left already.)
The only question is what will come from the ashes. Perhaps a new CMMC-AB will be formed, independent
of Chinese and Mexican oversight. Perhaps the entire thing will be scrapped and cybersecurity certification
will be given to NIST or DIBCAC or DCMA or some other agency. For my part, I will keep proposing
solutions, but we need to wait for mature adults who will listen, rather than shameless hucksters selling a
future of endless consulting contracts.
But rest assured: the CMMC plan that is being floated now will not survive. Whatever does emerge will be
very, very different.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.