By Kathryn Daily, CISSP, CAP, RDRP
On Saturday, September 12th, the CMMC Accreditation Body (AB) posted a page to their website advertising a “Partnership Program” under which contracting companies could pay up to $500,000 for a CMMC AB stamp of approval. The proposed program consists of five levels ranging from Bronze ($5,000) to Diamond ($500,000). As the cost goes up, so do the perks. Each level limits the number of contracting companies that can take part, from 50 spots at Bronze down to only three at Diamond.
Almost immediately, this announcement sparked outrage on LinkedIn. A content search for “CMMC Pay to Play” turns up plenty of posts pointing out the pay-to-play nature of the program and the conflict of interest in the CMMC AB taking sponsorship money from the very organizations it is responsible for accrediting.
Following the online outrage, the CMMC AB took the page down. Mark Berman (no relation to BAI’s own Lon Berman), the CMMC AB Communications Committee Chair, stated, “We decided to revisit the page before reposting it, as is noted on the page. There is nothing else to share on the matter.”
Katie Arrington, DoD’s Chief Information Security Officer for acquisition and sustainment, wrote the following in a LinkedIn post, “Although the idea to look for ways to lower the cost for certification training is admirable, we in the DoD can’t condone sponsorships for this nonprofit because the cause is so very critical to national security.” A DoD spokesperson added the following statement, “The Department of Defense was unaware of the CMMC Accreditation Body’s intent and would not embrace any activity that would pose a potential or perceived conflict of interest.”
Furthermore, it appears that the full board was not consulted prior to launching the program, indicating that there is a serious communication issue within the CMMC AB. This is not the first time that financial decisions have been made without full board approval. In April, the CMMC AB put out a request for proposals for a continuous monitoring solution. That request had a turnaround time of only nine days, which isn’t enough time for a company to put together a proposal, leading many to believe that the companies favored to win the work were notified ahead of time, leaving the others to scramble to put something together in time.
The CMMC AB clearly needs real accountability, transparency, and oversight. We can only hope that will come in the near future.