Buyer Beware: CMMC and Conflicts of Interest
Posted on November 29, 2019 by Christopher Bukowski
The Tentative Effects the New CMMC OCIs Will Have on DOD Contractors
The new Cybersecurity Maturity Model Certification (CMMC), expected to roll out in January 2020, will be applicable to all DOD contractors. The requirement is anticipated to begin appearing in RFIs by June 2020 and subsequently in RFPs/RFQs by September 2020, with full implementation across all DOD contracts within 3 years.
Are you prepared?
There are many factors for DOD contractors to consider when addressing these new requirements. This article addresses only one of these, specifically the tentative role Organizational Conflicts of Interest (OCIs) will play in the CMMC.
As you may or may not be aware, CMMC, in a nutshell, will require all DOD contractors to be assessed and certified compliant to a standard level of cybersecurity requirements. The CMMC framework will consist of 5 baselines for these standards, level 1 being the least restrictive and level 5 requiring the highest cybersecurity posture. Every DOD contractor, whether an IT company requiring a SCIF or a landscaping company mowing the lawn on base, will be required to meet, and certify to, one of these levels.
Furthermore, the era of self-attestation and certification is over. The DOD will now have 3rd party assessors coming to each DOD contractor’s site to assess and certify or fail the contractor’s cybersecurity posture, as it correlates to the CMMC level that is required of them. In addition, contractors will have to recertify on a regular basis, the timeframe for which is still unknown and may be dependent on the level of certification needed. Once CMMC is fully implemented, a contractor will not be able to do business with the DOD unless it is certified to the CMMC level required by the particular contract.
The DOD has stated that it will be working with industry to create an independent third-party body who will train and certify these CMMC Assessors. The DOD has also drawn a distinction and acknowledged that, on the other end of the spectrum, will be CMMC Consultants, who will provide support and help DOD contractors attain the required cybersecurity posture and pass the assessment. Furthermore, these Consultants may help DOD contractors maintain their security posture throughout the cycle until the next assessment, in order to remain in compliance and more easily pass subsequent assessments.
The similarities and, alternatively, the dichotomy between CMMC Assessors and CMMC Consultants are a big concern for the CMMC process. The similarity between Assessors and Consultants will likely be their expertise, to one degree or another, in the cybersecurity field. The dichotomy is that Assessors will be acting on behalf of the DOD, while the Consultants will be advocating and working on behalf of the contractor.
The question then becomes: Due to obvious conflict of interest issues that could likely arise, will this new framework allow cybersecurity organizations to be both a Certified Assessor and a Consultant and, if so, to what extent? For instance, could a Consultant assist a DOD company in attaining the cybersecurity posture they need one day, but then turn around and Assess them the next, despite the obvious Conflict of Interest inherent in such an arrangement? The probable answer to this question is no. However, the line becomes grayer when talking about providing separate services for different DOD contractors. For example, could a company be both an Assessor and a Consultant but only provide one of those services to any given DOD contractor, i.e., Assess DOD Contractor “A” only and Consult with DOD Contractor “B” only? Or, will the new framework draw a hard line between CMMC Assessors and CMMC Consultants, requiring that companies be either one or the other, but not both?
You may ask: “Why do I, as a DOD contractor, care about this OCI issue, as it’s not directly a concern of mine?” This is a great question, and the short answer is that this distinction is important for all DOD Contractors and a concern they should consider when choosing either the CMMC Consultant who is going to help them attain the cybersecurity posture they need, or the Assessor who will be certifying or failing them.
The primary reason to pay attention to this is to avoid disqualifying your otherwise successful certification. You want to ensure that an unscrupulous company is not violating these OCI rules and, ultimately, running the risk of invalidating your certification (e.g., by providing both services to you when not permitted to do so, etc.).
Another concern is the modus operandi of the company providing the services. That is, even if the framework were to allow obvious Conflicts of Interest, for instance when supplemented with a signed waiver agreement, there would be an incentive for the Consulting company to provide more services than needed for the particular CMMC level the DOD contractor is trying to obtain. Since the Consultant is, essentially, going to be assessing and approving its own work, the DOD contractor will be almost wholly dependent upon that Consultant/Assessor to provide exactly what it needs, no less and no more.
Conversely, the Consultant could claim that it is providing services that, in fact, it is not and, again, since it is “grading” its own work, might approve and certify the cybersecurity posture, even though it would not otherwise be approved by another, objective Assessor. This could be catastrophic, leaving the Contractor in a vulnerable state, all unbeknownst to them.
There are several other reasons why a DOD contractor wants to be aware of a potential OCI between Consultants and Assessors, but ultimately the reasoning comes down to assuring that your certification isn’t called into question or, worse yet, invalidated. Additionally, you want to be assured that you aren’t taken advantage of by being given the proverbial “ride”, either by paying too much for things you didn’t need, or by not actually obtaining the cybersecurity posture you are required to have.
The final verdict is still out regarding how the new CMMC framework will address these OCIs, but a brief review of similar frameworks, listed below, may give us insights into how that will be determined and implemented.
If ISO/IEC 17020 (Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspections) is any indication of how the OCI will work for CMMC, then it seems standard (not too restrictive) insofar as section 3.8 requires impartiality and the presence of objectivity. Specifically, this means:
Objectivity means that conflicts of interest do not exist or are resolved so as not to adversely influence subsequent activities of the inspection body.
Other terms that are useful in conveying the element of impartiality are: independence, freedom from conflicts of interest, freedom from bias, lack of prejudice, neutrality, fairness, open mindedness, even handedness, detachment, balance.
Impartiality and objectivity can exist within companies who are both assessors and consultants, so long as they are not performing both capabilities for the same client (or, possibly, even then if they receive a waiver from the client or have 2 separate divisions within the same company).
ISO/IEC 17020:2012 (The Accreditation of Inspection Bodies) in section 4 becomes a bit more restrictive, stating that the “inspection body should describe any relationships that could affect its impartiality to the extent relevant, using organization diagrams or other means”. Examples include relationships with parent companies, relationships with departments within the same organization, etc.
The organization should have a documented statement emphasizing its commitment to impartiality in carrying out its inspection activities and managing conflicts of interest, etc.
Furthermore, section 6 requires that individual personnel identify and address commercial, financial, or other threats or inducements which could affect impartiality. Procedures should address how any conflicts of interests identified by personnel of the inspection body are reported and recorded.
If CMMI is an influence, the CMMI Institute defines a Conflict of Interest in its Code of Professional Conduct as two or more competing priorities that may compromise a CMMI Professional. The CMMI Institute has a Conflict of Interest Disclosure Form to help mitigate potential conflicts of interest here:
Ultimately CMMI seems fairly broad regarding its Conflict of Interest Standard, but not necessarily overly burdensome.
NIST 800-100 (Information Security Handbook: A Guide for Managers) in section 12.5 states that:
An OCI may exist when a party to an agreement has a past, present or future interest related to the work performed or to be performed, which may diminish its capacity to provide technically sound, objective service or which may result in an unfair competitive advantage.
These conflicts should be avoided as much as practically possible, however, if a conflict exists that cannot be avoided, the head of the organization must formally waive the OCI. Identifying the existence of OCIs, mitigating the effect of the OCI to an acceptable level, or waiving the OCI are important alternatives to consider.
For our purposes (Assessor and/or Consultant), I would assume that the “head of the organization” would be the DOD contractor to whom the OCI would be disclosed. They would formally waive it altogether or, at least, if the OCI could be mitigated to an acceptable level, formally accept the risk still inherent in the OCI.
Other NIST publications, such as NIST 800-35 (Guide to Information Technology Security Services), NIST 800-37 (Risk Management Framework for Information Systems and Organizations) and NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), seem to reflect the same sentiment as provided for in NIST 800-100, and some go on to address individual Conflicts of Interest (e.g., preventing a technician from checking and approving his own work – separation of duties, etc.), even indicating that all actual and even apparent Conflicts of Interest should be avoided.
FAR Subpart 9.5 (Organizational and Consultant Conflicts of Interest) goes a little further by addressing both actual and apparent conflicts of interest:
An organizational conflict of interest may result when factors create an actual or potential conflict of interest on an instant contract, or when the nature of the work to be performed on the instant contract creates an actual or potential conflict of interest on a future acquisition. In the latter case, some restrictions on future activities of the contractor may be required.
The FAR has 2 underlying principles it addresses regarding an OCI:
1. Preventing the existence of conflicting roles that might bias a contractor’s judgment;
2. Preventing unfair competitive advantages (i.e., by means of proprietary information or source selection information).
Contractors may be limited in contracting as a means of avoiding, neutralizing and/or mitigating OCIs that might otherwise exist. The contracting activity (and presumably DOD Contractor for these purposes) may be presented with the OCI and may formally give a waiver altogether, or may implement mitigating steps to accept the risk of the OCI, once it’s been mitigated accordingly.
Conclusion – CMMC Minimum OCI Standards
Given the standards set by these other frameworks and some of the underlying principles behind these guidelines that are shared between the frameworks, I believe we can draw some distinct, though broad, conclusions about what to expect regarding OCI rules in the upcoming CMMC framework. Although any clarification regarding the parameters of the OCI is only speculation at this point, there are 3 things we can reasonably expect:
1. There will be OCI rules.
2. At the very minimum, the rules will:
a. Restrict organizations from being both the technical consultant and auditor for the same specific client, and
b. Prevent large organizations with distinct divisions from performing audits on themselves.
I believe these rules are a minimum and they may even be more restrictive, for instance and as stated previously, not allowing companies to be both an assessor and consultant, regardless of the client.
These rules are important not only to protect the DOD’s interests, but also to protect the consumer, i.e. the DOD Contractor.
Every major framework has OCI rules, to one extent or another, to protect the end customer from being excessively charged for services and products not required of them and/or from paying for a certain standard that they ultimately may not receive. Item 2a above helps address these concerns.
Furthermore, the DOD has a vested interest in protecting its information through this cybersecurity framework, not only preserving the confidentiality of the information, but also controlling and limiting its availability and preserving its integrity.
In choosing a Consultant and an Assessor, DOD contractors will have many factors to consider such as cost, timeframes and resources required by each of these entities. However, one thing DOD contractors should add to that list of factors is the avoidance and/or mitigation of any Conflict of Interest when hiring these entities. This not only serves the DOD’s purposes, but provides protection for the DOD contractor as well.