DOD’s Cybersecurity Accreditation Body Open to Pursuing Grants as a Nonprofit 

The group of volunteers the Defense Department has tasked to implement a monumental change in its cybersecurity policy is open to exploring grants from foundations as an additional source of future funding, according to the chairman of the board for the aspiring nonprofit.

The Cybersecurity Maturity Model Certification program will usher in a new era of defense contractors needing to undergo an independent, third-party audit of their cybersecurity practices. Companies currently only attest their adherence to standards issued by the National Institute of Standards and Technology.

The Defense Department’s Defense Contract Management Agency can conduct audits through the Defense Industrial Base Cybersecurity Assessment Center, but its capacity is limited, so the department developed the CMMC in order to scale auditing operations to all of its estimated 300,000 contractors. Some contractors look forward to the CMMC leveling the playing field while others are not thrilled about having to pay for another certification. 

A rule to implement the program and a related statement of work outline duties for the CMMC Accreditation Body to approve new entities that will conduct the audits and establish training requirements for their assessors. The CMMC AB, as it’s called, came together at an industry event DOD held to launch the program. Participants volunteered to stand up a nonprofit organization to put the pieces together.

The group has come under intense scrutiny over uncertainty about how they would fund their operations—the previous chairman of the group’s board of directors stepped down amid what was perceived as a pay-to-play scheme—and there are concerns about potential conflicts of interest given their industry ties. 

In a conversation with Nextgov, the CMMC AB’s Volunteer Board of Directors Chairman Karlton Johnson dispelled what he said is misinformation about how the AB is supporting its work and shared how he sees the board transitioning over the coming years.

The AB is funded by fees collected for accrediting prospective auditors and other professionals who will be part of the new CMMC ecosystem, Johnson said. The revenue stream alone could sustain the organization into the future, he said, but also noted other possibilities if the organization’s application for nonprofit status with the Internal Revenue Service comes through.

The board applied for nonprofit status in February, Johnson said. He expects the process to be recognized as a 501(c)(3) entity under the tax code will take about eight months. 

“As we continue to evolve this … we'll be looking at those other opportunities that normal 501(c)(3)s are able to do, whether it be grants and so forth that are available to any nonprofit,” Johnson said. “[We're] open to exploring those options to the betterment of the mission, and looking for opportunities to give back as much as we can to industry, wherever we can. You'll hear more about that down the road.”

Johnson said it’s not true that the board has taken on debt in order to run its operation, a suggestion made in October by DOD’s CMMC program lead Katie Arrington, who said she believed the organization had taken out “lines of credit.”

“We haven't gotten any loans that I know of,” Johnson said. “That's misinformation that's out there.”

On concerns over conflicts of interest, Johnson said it was DOD’s intention from the start to have an avenue for industry to have a say in the process. The AB has stressed that it will operate separately from the organizations doing the actual audits, but there are still unanswered questions about the role the AB will play in cases of disputed assessments.

“The only way we would get involved is if, again, to what you're getting to, is issues with adjudication, and then that also pleads up to the government, as appropriate,” he said, noting the process will have to be fine-tuned and calibrated to avoid conflicts of interest while preserving due diligence. 

Johnson pointed out that in general, the DOD has total oversight over the AB’s operations. 

“If in doubt, the government has oversight with us and so we’re working hand in hand with the government,” he said. “There's a lot of misinformation out there. It'd be nice for people to look at us as the professionals that the AB are.”

Johnson’s primary focus right now is transitioning work currently being done by the volunteer board to professional paid staff for the AB. A major move on that front came with former deputy director of the Cybersecurity and Infrastructure Security Agency Matt Travis coming on as CEO. The AB is also actively looking for a chief financial officer and vice presidents for training, operations and other functions currently being handled by board members.

At some point, he said, the board will move to only participating in quarterly, even maybe biannual meetings. That will allow the board to focus on ensuring the important mission of the CMMC gets accomplished, said Johnson, who is a retired Air Force colonel.

“It's really to deter the adversary,” he said. “Ultimately I want to be able to shift the cost of ‘doing businesses’ in this system to them. I want them to incur all the costs, trying to figure out how to get around our defenses. I want them to work harder, and I want to make sure that we never give them a freebie.”