DOD Official Confident in Cybersecurity Certification Body’s Business Model

The volunteer accreditation body that will handle the Defense Department’s cybersecurity certification effort for contractors will be able to support itself financially, according to the official leading the Cybersecurity Maturity Model Certification program.

Last month funding for the various activities of the volunteer group, called the CMMC Accreditation Body, or AB, became a bigger part of policy discussions after it floated an idea of offering “sponsorships” in exchange for hundreds of thousands of dollars. 

Arrington, chief information security officer for DOD’s acquisition office, described it as an admirable but misguided effort due to the potential conflict of interests. Critics—including those from the tech industry and legal community—have called for the department to put more resources toward the program.  

“They’ve shared their business plan and revenue models with the department,” Arrington said. “They have figured out a way to make it a sustaining. They've done the lord's work in my eyes.”

The CMMC program, detailed in a Sept. 30 interim rule, will take effect on Dec. 1. It will require Defense contractors to pass third-party audits of their cybersecurity before they can do business with the department. The current system relies on entities within the defense industrial base simply declaring that they’ve implemented appropriate controls, as outlined by the National Institute of Standards and Technology. 

DOD is accepting public comments on the interim rule through November and will consider those in issuing a final rule, which Arrington said can be expected to drop in January or February of next year. 

Arrington reacted to concerns about the AB’s finances Wednesday at CyberCon 2020, an event hosted by Fifth Domain, Defense News, Federal Times and C4ISRNET, where she also shared additional details of a new statement of work that the DOD and the AB are finalizing to replace an initial memorandum of understanding. 

“They've worked with financial institutions to give themselves lines of credit, I believe,” she said. “They've generated funding so far from the registration of the classes that are able to help, you know, pay for the assessing companies they'll be using, the testing facilities.”

Arrington also said DOD has no intention of entering into agreements with other accreditation organizations outside the AB. She suggested “spin-off” groups she mentioned in a Tuesday webinar referred to the various organizations that could partner with the AB. Those entities, along with the AB, would all need to obtain appropriate certifications from the International Organization for Standardization, she said. 

Arrington also illuminated another area of concern, particularly for major tech companies: the appeals process. According to the interim rule, if a contractor disagrees with an assessment conducted by an AB-certified assessor, the contractor can ultimately request an assessment by the staff of the AB itself. 

On Wednesday, Arrington said the defense industrial base cybersecurity assessment center within the Defense Contract Management Agency is acting as a third-party intermediary to ensure consistency of the appeals process that is outlined in the new statement of work.