The selection of a free "benefit" tool for consulting organizations that pay to be part of the accreditation body ecosystem for the Pentagon's Cybersecurity Maturity Model Certification program is raising concerns from two stakeholders about the decision-making process and potential conflicts of interest.
The Cyber Accreditation Body announced the launch of a white label CMMC Readiness Tool (CRT) at its town hall meeting on Sept. 26. The offering is an “optional member benefit” for registered provider organizations (RPOs) who are active on the Cyber AB marketplace, according to the accreditation body’s website.
Matthew Travis, CEO of the Cyber AB, provided a detailed rundown of the platform at the town hall with a number of “disclaimers” in his presentation. The CRT offering was developed by Carahsoft and Cyturus Technologies as a white label product available for a limited time.
Travis emphasized how the Cyber AB isn’t selling the CRT and doesn’t receive “any financial benefit from the sales of additional CRT account licenses.”
“The RPO cadre is that important to us and we want to make sure they stay in the ecosystem,” Travis said. “We have no financial stake in Cyturus or Carahsoft and they are not paying us any sponsorship fee for this.” Travis emphasized how the tool doesn’t convey “advanced standing” for RPOs who use the CRT.
But some stakeholders criticized the Cyber AB’s decision to launch a white label tool without a competitive bidding process, in interviews with Inside Cybersecurity.
“The registered provider program, which has been a significant funding source for the AB, has not had all of the renewals that they’ve needed to maintain the program,” FutureFeed CEO Mark Berman said. “So, they needed to boost the program and make sure the participants weren’t leaving because we need them when the final rule is in place” to help organizations prepare for assessment.
The CRT was rolled out to “enhance the RPO program,” Berman said, based on his analysis.
“I think it was pennywise and pound foolish,” he added. “I’m not sure it is going to attract people to be an RPO and I think it does some things to hurt the overall reputation of the AB. But I think the reason why they did it is they want to make sure people get value other than being listed on the website for being an RPO.”
According to the accreditation body’s website, there is a $6,000 application fee for RPOs to the Cyber AB marketplace and an annual $5,000 renewal fee. They are required to sign the CMMC-AB code of professional conduct and “RPO agreement” with the Cyber AB.
The number of RPOs on the Cyber AB marketplace has declined significantly over the past two years due to uncertainty over when the CMMC program will launch. The CMMC proposed rule is currently under review at OMB’s Office of Information and Regulatory Affairs with the expectation that it will be published by the end of 2023.
Travis shared figures on the current number of RPOs, RPs and authorized certified third-party assessment organizations at an Oct. 4 industry conference. The number of RPOs has declined from 601 in November 2021 to 305 in October 2023.
Travis said at the Summit 7 conference, “The one thing that has been missing is an accurate countdown clock with an accurate T-minus [clock] and I think now we are finally in the stage of the protracted rulemaking process of which we are in a somewhat regulated phase in terms of time hacks” with the rule at OIRA.
“The government shutdown [in September] may have confused that a bit but hopefully the government will stay open and we will see that proposed rule here toward the end of this month, or potentially at the end of November and that’s progress,” Travis said.
Competitors
FutureFeed offers a governance, risk and compliance (GRC) tool and launched an initiative on Sept. 27 to cover the Cyber AB’s annual RPO fee for new companies that use the FutureFeed platform. Berman was also a founding member of the Cyber AB’s board of directors and left in September 2020.
Berman resigned along with former board chair Ty Scheiber following the controversial introduction of potential sponsorships, an idea that was backtracked after intense pushback from stakeholders.
The sponsorships idea was a part of a “group think” among the Cyber AB board members, according to Berman, who reflected on his departure in a recent interview with Inside Cybersecurity. The idea was a “distraction,” Berman said, emphasizing that he already had plans to leave the Cyber AB to run FutureFeed.
“This was a way to support the ecosystem, while it really wasn’t any one individual’s idea within the AB,” Berman said. “In life, one has to take responsibility and it was easy for me to leave because I was going to have to leave anyway so that seemed to be the right time.”
Berman provided a list to Inside Cybersecurity of 52 known GRC tools that are offered to help organizations seeking a CMMC certification.
“The AB has an inherent responsibility to make sure there is an equal and fair playing field for those products that are housing and helping people in the ecosystem,” he said. “And I think that was a miss. It could be corrected, but that was a miss in this first pass in terms of having a tool ordained as ‘the tool’ from the AB’s point of view.”
The FutureFeed CEO proposed the idea of a GRC page on the Cyber AB’s website where companies pay $5,000 to be listed and the Cyber AB would “require each vendor attest that they meet a minimum set of criteria.”
Fortress responds
Fortress CEO Alex Santos said companies “should have multiple options, not just one option or go through some process to determine which solution has the best benefits.”
Fortress offers a GRC solution that is mainly used by government agencies and utility companies to secure their supply chains. The company is also marketing and selling to CMMC customers, but Santos said “given the delays and our client base, no one has actively been pursuing certifications.”
The Cyber AB is “sort of picking a winner,” Santos said, “which is very unusual, atypical, and you can put lipstick on it by saying it is optional and free but at the end of the day, as my business partner says, there is nothing more permanent than a temporary solution.”
“And so don’t get me wrong I think this is a good thing that they are doing, it just needs to be more competitive because there are a lot of good solutions out there and I’m not sure if there was proper vetting of it from what I can tell,” Santos added.
During the September town hall, Travis said the Cyber AB has “a lot of support” from vendors and partners that it is using to build and maintain the ecosystem. He pointed to Scantron as the AB’s “testing partner” and Badgr, which provides badges for the AB ecosystem.
Travis told Inside Cybersecurity in a statement: “The Cyber AB’s provision of limited access to a commercial third-party GRC application for our active RPOs was done solely to add value to their engagement within the Ecosystem. We are receiving no revenue from the provision of the tool, rather we are expending our own resources for this benefit in order to make their RPO status more compelling.”
Travis added: “Many RPOs are small businesses that would otherwise not be able to afford access to a GRC platform, and this benefit gives them some initial experience in using these types of tools. No RPO is required to use this benefit and there are other excellent options in the GRC market that they are welcome to employ.”