Katie Arrington, the main Department of Defense official who has been in charge of CMMC since its inception, has been placed on leave based on allegations she disclosed classified information. Previously, there have been allegations that Arrington had committed ethics violations related to the CMMC-AB, which was supposed to be independently managed by an accreditation body that was disconnected from the DoD.
Allegations have been presented to the DoD Inspector General that the CMMC Accreditation Body itself has lied about its tax-exempt status on official documents (a felony), and board member Edens abruptly resigned after a CMMC-AB Advisory Council member alleged that Edens had unjustly enriched himself through his position with the CMMC-AB, a violation of the CMMC-AB Code of Professional Conduct. The board member who oversaw training while the CMMC-AB looked to hire full-time staff abruptly resigned once a director of training was hired. Other ethical improprieties have been alleged in a formal complaint to the CMMC-AB.
I think the entire program will be revamped but will continue to be an opportunity for MSPs.
CMMC is currently too expensive and difficult for smaller contractors, who must pass an assessment with a perfect score after years in which the DoD did not enforce its existing cybersecurity requirements.
The CMMC-AB has not been able to scale up to deliver training materials, certify trainers, and train hundreds of assessors. Imagine what will happen once 300,000 assessments back up in the certification process.
The delays with the final rule, the allegations of criminal activity with key CMMC figures in the DoD and CMMC-AB, and the “internal review” by the DoD Inspector General, all indicate that the new DoD leadership is very concerned about CMMC. The politicians that fund and oversee the DoD, and also represent large and small defense contractors, are also likely to weigh in.
I believe that the DoD will delay CMMC and revisit the requirements to make them less costly for smaller contractors. They may even find a different organization to manage the program, or move to a centralized cloud-based solution, which will take years to develop.
But don’t give up! The current requirements for the implementation of NIST 800-171’s 110 cybersecurity controls can be very profitable for MSPs, and whatever comes of CMMC is also going to provide you with big opportunities.
I might be wrong, but there is so much smoke right now that there has to be a fire someplace.