CMMC board faces ‘passionate’ internal turmoil over new contract with DOD

Katie Arrington, with Kevin Fahey, speaks during a press briefing at the Pentagon, Washington, D.C., Jan. 31, 2020. (DoD photo by Navy Petty Officer 2nd Class James K. Lee)

The third-party board that the Department of Defense tapped to implement a new cybersecurity standards program is facing its most intense internal turmoil yet, with members questioning its leadership and the future of its relationship with the Pentagon.

Recent events have caused some board members to begin to lose confidence in their chairman and see the tensions with the DOD as reaching a potential breaking point, according to multiple sources familiar with the matter and communications reviewed by FedScoop, as the board expands its crucial work in developing and implementing the Cybersecurity Maturity Model Certification (CMMC) program.

The conflict boiled over, for some, in a “reset” meeting last Friday with DOD officials and board members. The cause of the tension centers on a new contractual relationship DOD wants the board to approve. The document would redefine the way the two work together only seven months into the board’s existence.

Some board members see the new contract, which has a new statement of work (SOW) outlining the board’s responsibilities, as a diminution of authority and an increase in liability for the all-volunteer group, according to external private communications reviewed by FedScoop and sources familiar with the matter. Multiple members have threatened to resign as others begin to privately express a loss of confidence in chairman Ty Schieber, according to communications reviewed by FedScoop and sources familiar with the matter.

The board is still “collaborating” and in a “joint education process” over how best to define the SOW, Mark Berman, the chair of the board’s communications committee, told FedScoop.

“It is not tension, it is passion,” he added of the internal dissent. “I passionately disagree with some of my peers and passionately agree with my peers on certain issues.” He said that talk of a loss of confidence in Schieber was a surprise, and he has not heard it discussed by board members.

CMMC — the program the board has been tapped to implement — is the largest change to defense contracting in years. If the program is successful, DOD will require all of its 300,000 contractors (with a small exception) to conduct a third-party cybersecurity assessment certifying that they meet a certain level of network maturity on a new five-level scale.

Implementing this transformation requires careful orchestration between the third-party board, the CMMC Accreditation Body (AB), and the small CMMC Program Management Office (PMO) in the Pentagon. In public statements, the AB and the DOD’s lead CMMC officials have consistently praised each other’s service and committed to close partnership. It’s a message reinforced by a DOD spokeswoman when asked to comment on this story: “We certainly have the utmost confidence in the AB’s ability and have a close partnership with them.”

Berman said the board’s relationship with the DOD remains close and strong and that during the recent meeting, the conversation was positive and DOD officials expressed their appreciation for the board’s volunteer work.

The Friday meeting was the first that Katie Arrington, the DOD’s lead CMMC official, had with the full board. Several sources familiar with the call described it as “rough” and said Arrington, officially DOD’s CISO for acquisition and sustainment, spent time accusing the board of “leaks” to news media. Berman said he wouldn’t comment on the specific conversations, but disclosures of information did come up.

The SOW would supersede the current memorandum of understanding that authorizes the AB to work on DOD’s behalf. A contract would be legally more enforceable and tighten the boundaries of the work each entity can legally do. For months, members of the AB and DOD’s PMO have disagreed over which entity should work on what and how to answer basic questions on the program’s model and implementation, according to communications reviewed by FedScoop and multiple sources familiar with the matter.

The DOD spokeswoman said the SOW and contract would allow the DOD to sponsor security clearances for board members, if needed, and “provides a more binding relationship.”

The fissures and political infighting put the program at its highest risk yet and come at a critical time when contractors are waiting for regulatory guidance from the Office of Management and Budget, Eric Crusius, a partner with Holland and Knight, told FedScoop.

“It is concerning, I hope they can work it out,” he said, adding that he has confidence in Schieber’s ability to manage the difficult situation.

One DOD official in the PMO described disagreements on the SOW as potentially terminal for the AB, according to a private external message reviewed by FedScoop. Berman said that there has been no indication that a fracture between the DOD and AB is imminent. He added that the AB and DOD officials discussed “increasing the cadence of meetings” between the two entities, a move that does not indicate separation, he said.

The private feelings of officials involved in the process are reflected by some outside observers watching the development of the program.

“It’s a good idea, but the management of it seems ham-handed,” Mike Hamilton, founder of CI Security, told FedScoop.

SOW still in question

The meeting did not resolve the issues on the SOW — another SOW-related meeting was scheduled for Wednesday evening — but it did bring up months of tension over fundamental questions of the model’s implementation. The meeting crystallized some members’ belief that DOD’s strategy is to leave the AB to own the “mess” of any potential failings of the program, sources familiar with the matter said.

Berman said that so far, the initial rollout has yielded enormous interest from industry and “excitement” from the DOD and AB. He said so far hundreds of applications to be involved in the ecosystem of assessors, trainers and consultants have been received. He described it as evidence of the AB’s initial success.

One of the central disagreements that has dogged the relationship between AB members and the PMO is around the CMMC “standard,” which according to the MOU, the AB creates. Details remain unresolved around how the SOW will divide authorities over the creation and maintenance of standards.

More contracts, more money

With a contract replacing the MOU, complaints and allegations of conflicts of interest would be more impactful, Crusius said. A recent CMMC government contracts alert from law firm Akin Gump Strauss Hauer & Feld also highlighted the conflicts the AB’s structure creates. If the AB signs on to a typical contract with the DOD, it would include compliance with the Defense Federal Acquisition Regulations, bringing added regulatory and financial burden to the organization.

“The significant role played by the directors in the AB’s guidance, training, accreditation and certification functions create significant potential for conflicts of interest,” the Akin Gump alert states. The AB has a code of ethics posted to its website that bans board members from advancing their personal interest.

More costs to the AB could further inflame tensions. Previously, board members dissented over talks of contracting with a marketing firm to rename and rebrand the AB before it had started taking in money for the training and accreditation process it will own. A contract also opens the door for complaints to become full-on protests that would only serve to slow down the process.

The debate over the SOW falls in the zone of government contracting where legal formalities and managing difficult relationships can conflict.

“As much as government contracting is all about formalities … is still a people business,” Crusius said.
