with Tonya Riley

The organization responsible for implementing stringent new cybersecurity requirements for companies that do business with the military has been accused by an outside consulting firm and a former board member of running a “pay-to-play” fundraising strategy that could call its objectivity into question.

Over the last several years the Defense Department has written a new set of cybersecurity standards for companies that manage classified data or build weapons systems, part of a broader effort to prevent such information from being leaked or stolen. 

Those standards are set by the Defense Department and implemented by a private organization called the Cybersecurity Maturation Model Certification Accreditation Board (CMMC-AB). When the standards are fully implemented, all companies that do business with the military will have to comply. The board does not receive funding from the Defense Department for its work.

But there are concerns that the board’s funding could compromise its objectivity as it helps to regulate the massive defense supply chain. 

A fundraising announcement posted by the organization last week, and later removed after it was subject to harsh online criticism, solicited payments of up to $500,000 in exchange for “partnerships” that carry the board’s seal of approval, according to a screenshot taken Friday and shared with The Washington Post. Oxebridge Quality Resources International, a consulting firm that specializes in cybersecurity standards, detailed the issue extensively in a Sunday blog post.

The episode highlights potential ethical concerns that come with relying on the private sector to help regulate the cybersecurity of the military’s vast supply chain; in this case, an accreditation board appeared to be asking for money from the industry it is helping regulate.  

“The CMMC-AB has never contemplated, and will never contemplate, any mechanism where an organization can ‘pay-to-play’ in order to achieve, or enhance the ability of an organization to achieve, CMMC accreditation,” said Mark Berman, communications chairman for the board.

Board chair Ty Schieber said the board is exploring potential “partnership programs” but there is no such program currently in place. He added any partnering strategy would not solicit funds from contractors seeking accreditation from the board. 

A representative from the Defense Department did not offer comment on Tuesday.

John Weiler, who served on the board for before quitting in early August, says this kind of sponsorship model “is not consistent with the mission of the organization” because it would allow companies to, in effect, buy the organization’s approval.

“This reinforces concerns that the [accreditation board] is becoming a pay-to-play operation,” said Weiler, who runs the IT Acquisition Advisory Council.

The funding announcement appears to solicit payments of between $5,000 and $500,000 for the opportunity to “be recognized as a leader in cybersecurity and an early adopter” of the new standards, according to the fundraising announcement. A $50,000 payment would have bought a “bronze partnership,” which seems to hold little more than a seal of approval. A $500,000 payment would allow companies to be considered a “diamond partner,” a designation that would give the company prominent placement in the organization’s marketing materials and create a scholarship for veterans in the company’s name.

It is unclear whether the partnerships would have conferred any specific advantage beyond marketing. 

 With the standards months, if not years away from being fully implemented, it is unclear at this point whether the board wields enough power for there to be a conflict of interest concern. And those familiar with the board’s operations say it’s unlikely the board could help a specific company’s cybersecurity rating; under Defense Department policy the actual audits will be performed by third-party organizations.

Even so, industry observers say it’s inappropriate for any accreditation body to market on behalf of the companies it helps regulate. 

“Companies able to make such large payments could be tempted to presume they have special access or influence,” said Bob Metzger, an attorney following the issue. “That could sway the process and the outcome of the AB to favor the contributors, not best practices and fair outcomes.”

The board itself has insisted that any partnership program it does develop will be approved by the Defense Department and will be constructed to avoid any possible conflict of interest.

“The government prefers that the program be private, nonprofit, and separate from government control and funding,” wrote Berman, the CMMC-AB spokesman. “But the program must be somehow funded; and there is no ownership in a nonprofit. There will be absolutely no relationship between any individual or firm that chooses to help support the initiation of the program and the actual accreditation decisions made in the program. ”

Joe Marks will be back on Sept. 21. Meanwhile, we have a slate of excellent Post writers to keep you informed on the latest cybersecurity political and policy news.

The keys

Top intelligence agencies are teaming up to protect U.S. coronavirus research.

Members of the National Security Agency, the FBI, the Department of Homeland Security and the Department of Health and Human Services are working on providing cybersecurity guidance and services to pharmaceutical companies and government agencies working on a vaccine, Shannon Vavra at CyberScoop reports.

The program’s primary concern is looking out for and stopping hackers who want to manipulate or steal vaccine-trial data.

Officials worry a cybersecurity incident or attack from foreign rivals such as China could set back a vaccine by months or lead to a vaccine that could hurt citizens.

The group has notified companies about “a number” of cybersecurity incidents it is tracking, Bryan Ware, the assistant director of cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), tells Shannon. U.S. officials in July accused China of sponsoring hackers to target biotech firms around the world working on a vaccine.

Officials are preparing for hackers’ motivations to shift to disrupting the creation and distribution of the vaccine once one is approved, Shannon reports. 

A top election security official says he’s seen no signs of foreign attacks on voting equipment.

“The technical stuff on networks, we’re not seeing,” CISA Director Chris Krebs said in prerecorded remarks at a cybersecurity summit yesterday. “It gives me a little bit of confidence.”

His remarks follow a different assessment from White House national security adviser Robert C. O’Brien, who claimed that Chinese-linked hackers were targeting election infrastructure, Joseph Menn at Reuters reports. China has denied the charges.

A CISA spokesman declined a request from Reuters to clarify whether Krebs and O’Brien disagree in their assessments.

Hartford, Conn., postponed its first day of school after a ransomware attack.

More than 200 of 300 servers maintained by Hartford Public Schools were attacked by hackers, Rebecca Lurye at the Hartford Courant reports. The city was able to restore some of the systems on Monday, but a system key to in-school operations wasnt up in time for the first day of classes on Tuesday. 

City officials say they dont believe any sensitive information was stolen in the attacks and are working with the FBI to investigate. Classes will resume today, officials said.

The attack also had an effect on other city systems, including scheduling systems for the Hartford Police Department.  

Ransomware attacks are a growing problem for local governments and schools, and remote learning has increased the risk of attack. Last week, the public school system in Miami-Dade County was hit by multiple cyberattacks later connected to a student.

Global cyberspace

South Korea’s Samsung will reportedly stop selling parts to Huawei when new Trump trade rules kick in. 

The restrictions, brought by the United States last year, will go into effect on Sept. 15. Samsung and telecoms company SK Hynix will suspend trade with Huawei at that time, the Verge reports. The rules mean that companies cannot sell parts to Huawei using U.S. technology without approval from the U.S. government.

Samsung, which recently signed a nearly $7 billion contract with Verizon for 5G parts, has benefited from the United States push against Huawei. U.S. officials say the Chinese company poses a national security threat.


  • The Center for Democracy and Technology hosts Sen. Ron Wyden (D-Ore.) and FCC Commissioner Geoffrey Starks for a virtual conversation moderated by CDT President and CEO Alexandra Givens today at noon.
  • The House Oversight and Reform Committee will hold a hearing on “Ensuring a Free, Fair, and Safe Election During the Coronavirus Pandemic” today at 1 p.m.
  • USTelecom will host a virtual conversation on how industry and government are fighting illegal robocalls with FCC Chairman Ajit Pai and Colorado Attorney General Phil Weiser today at 1:45 p.m.
  • The House Oversight and Reform Committee will hold a hearing on “Providing the Census Bureau with the Time to Produce a Complete and Accurate Census” on Thursday at 11 a.m.
  • European Justice Commissioner Didier Reynders will participate in a Brookings virtual panel discussion on advancing the transatlantic dialogue on data privacy, security, artificial intelligence and consumer protection on Thursday at 10 a.m.
  • The Senate Judiciary Committee will hold a hearing to examine threats to U.S. intellectual property, focusing on cyberattacks and counterfeits during the coronavirus pandemic on Sept. 23 at 2:30 p.m.

Secure log off

The marketing of 5G is getting ahead of 5G technology, which is putting the emphasis on wider coverage rather than speed.

The marketing of 5G is getting ahead of 5G technology, which is putting the emphasis on wider coverage rather than speed. (The Washington Post)