The accreditation body implementing the Department of Defense’s new contractor cybersecurity standards launched a “Partner Program” over the weekend, but it quickly walked back the concept after critics alleged that it was essentially a pay-to-play scheme.
Details of the program were briefly posted to the Cybersecurity Maturity Model Certification Accreditation Body’s (CMMC-AB) website, charging companies up to $500,000 to be promoted and marketed as a “recognized leader in cybersecurity and an early supporter of CMMC-AB.” It has since been taken down, “pending revision.”
FedScoop reviewed screenshots of the listing from when it was still up. It had five tiers, from “Bronze” to “Diamond,” starting at $5,000, with perks that increased as sponsors paid more. Each tier had limited availability for sponsoring partners: 50 spots for the $5,000 Bronze level and just three for the $500,000 Diamond tier.
Almost immediately after the program was brought online, outrage erupted both on social media and inside the AB.
Here’s why: The AB has a memorandum of understanding to be the sole accreditor for the new army of cybersecurity assessors in the CMMC program. The program assesses contractors on five tiers of security controls and will require all DOD contractors to have a verified cybersecurity audit by an assessor accredited by the AB. The success of the new program largely hinges on the AB’s ability to vet, train and accredit the assessors that roughly 300,000 contractors will need to use to get assessed.
Essentially, the partner program asked the companies that the AB would oversee for large sums of money, creating a conflict of interest between the AB and the assessors and other companies in the CMMC ecosystem. Becoming a CMMC third-party assessor is a highly sought-after role, one that could create entirely new lines of business for those who receive accreditation.
“Many people were surprised and offended at a scheme that asked for so much money,” Robert Metzger, head of the Washington, D.C., office of the law firm Rogers Joseph O’Donnell, told FedScoop.
Mark Berman, the CMMC-AB communications committee chair, did not provide any explanation of the program or why it was taken down.
“We decided to revisit the page before reposting it, as is noted on the page. There is nothing else to share on the matter,” Berman told FedScoop in an email.
Two sources familiar with the matter said the full board was not consulted prior to launching the program, and several members were blindsided by the announcement. It’s not the first time financial decisions have been made without full-board approval. In April, the AB issued a request for proposals for a “continuous monitoring” solution. Despite the fast turnaround time for proposals, the AB has yet to select a winner, to the disappointment of some in industry.
The DOD, too, was unhappy with the attempt to create sponsorships.
“Although the idea to look for ways to lower the cost for certification training is admirable, we in the DOD can’t condone sponsorships for this nonprofit because the cause is so very critical to national security,” Katie Arrington, DOD’s chief information security officer for acquisition and sustainment, wrote in a LinkedIn post.
A DOD spokeswoman added to Arrington’s concerns about the idea.
“The Department of Defense was unaware of the CMMC Accreditation Body’s intent and would not embrace any activity that would pose a potential or perceived conflict of interest.”
This isn’t the first time the AB’s operations have been called into question. For instance, several board members run small companies with CMMC consulting offerings.
Metzger said he doesn’t suspect that the board has fraudulent intentions in trying to create a program that would essentially accept money to promote some assessors over others. Rather, he said, the AB “is populated with people who are not necessarily the most experienced or the best training or have the highest expertise.”