CMMC News by Jun Cyber

Audit of the DoD’s Process for Authorizing Third Party Organizations to Perform Cybersecurity Maturity Model Certification 2.0 Assessments (Report No. DODIG-2025-056)


A Department of Defense Inspector General audit (DODIG-2025-056) revealed that the Department of Defense (DoD) inadequately implemented its process for authorizing third-party organizations to conduct Cybersecurity Maturity Model Certification (CMMC) 2.0 assessments. The audit found that the DoD failed to ensure all required steps were completed before authorizing these organizations, increasing the risk of awarding contracts to companies lacking sufficient cybersecurity controls. Two hotline allegations were substantiated. Ten recommendations were issued to improve the authorization process, focusing on implementing quality assurance measures to guarantee compliance. The DoD OIG will continue monitoring the DoD's implementation of these recommendations.

Ref: https://www.dodig.mil/In-the-Spotlight/Article/4028197/press-release-audit-of-the-dods-process-for-authorizing-third-party-organizatio/


Alright. So get ready because we are diving into some seriously murky waters today. Oh, yeah. You know how the Department of Defense is, like, super focused on cybersecurity these days. Right? Yeah. I mean, they rolled out that whole CMMC 2.0 thing to make sure all the contractors are handling sensitive information properly. Yeah. Well, today's deep dive is all about a brand new DoD Inspector General audit report. Okay. Freshly released, just came out on January 10, 2025. Wow. And let me tell you something. What? It reveals some pretty unsettling things about the people who are supposed to be the cybersecurity experts. Oh, really? It's a little concerning. It really does raise some eyebrows, doesn't it? Yeah. This audit focuses on how the DoD vets the very people who are assessing the contractors' cybersecurity practices. Right. Those are the C3PAOs, or third party assessment organizations. Right. C3PAOs. Yeah. They're the ones who can, like, make or break a company's ability to even work with the DoD. Right? I mean, they hold a lot of power when it comes to deciding who's meeting those cybersecurity standards and who isn't. Yeah. They're the gatekeepers, so to speak. Yeah. And what's concerning is that this audit suggests that the DoD might not have been doing its due diligence in making sure those gatekeepers are up to par. I'm already getting a bad feeling about this. Yeah. So for those of us who haven't, like, memorized the entire CMMC framework Right. Can you give us a quick rundown of what Level 2, like, entails? Sure. That's the level this audit focused on. Right? Right. Level 2 focuses on what they call controlled unclassified information Okay. Or CUI that's considered critical to national security. Okay. So think of it as the sweet spot between, like, basic safeguarding measures Right. And the super high security stuff. Gotcha. It's based on NIST Special Publications 800-171 and 800-172. Okay.
Which lay out over 100 specific cybersecurity controls that contractors need to have in place. Alright. Things like, you know, strong passwords, multifactor authentication, all that stuff we hear about all the time. Right. Right. All the good stuff that we should all be doing anyway. Exactly. So these C3PAOs are basically responsible for going in and making sure the companies are implementing all those controls correctly. Precisely. They do the on-site assessments. They review documentation. Okay. And then they ultimately decide whether a contractor meets the CMMC Level 2 requirements. So this audit looked at how those C3PAOs are authorized to do those assessments in the first place. Yeah. Did they have to, like, pass some sort of, like, cybersecurity superhero test or something? You'd think so. Right? Yeah. The report outlines 12 requirements that C3PAOs need to meet before they can assess others. Okay. It involves background checks, fees, a whole lot of paperwork. Oh, fun. But here's where things get a little interesting. Yeah. The audit found that the DoD wasn't exactly following its own playbook Oh, yeah. When it came to implementing this authorization process. Wait. Hold on. Yeah. So the organizations in charge of ensuring cybersecurity Right. Might not have been thoroughly vetted themselves. That's what it seems to suggest. That seems a little backwards, wouldn't you say? It certainly raises some red flags. Yeah. And the audit found not just one, but three areas where the Cyber AB Okay. That's the organization that's managing this authorization process Right. Really dropped the ball. Okay. I'm all ears. Let's unpack these issues one by one. Alright. What was the first red flag? Well, for 2 of the 11 C3PAOs they looked at Yeah. Okay. The Cyber AB didn't have signed agreements and codes of conduct on file. Right. You know, those documents that spell out, like, the ethical expectations Mhmm. And rules of engagement Oh, okay.
For these organizations. Isn't that a bit ironic? It is a little bit ironic. We're talking about folks who are supposed to be upholding all these cybersecurity standards. Yeah. And they're not even following the basic rules themselves. Right. What were they thinking? It's certainly a head scratcher. Yeah. Without those signed agreements, especially the code of professional conduct Right. There's no real way to hold those C3PAOs accountable for their actions. Yeah. That makes sense. You know, remember, these are organizations that are literally judging the cybersecurity posture of companies that are handling extremely sensitive information. Right. Information that, frankly, could impact national security if it fell into the wrong hands. Okay. Yeah. That's not great. Yeah. What about the second issue? Right. What else did they mess up? Well, this one is almost more concerning in my opinion. Okay. 4 of the C3PAOs had uncertified quality control leads, or QCLs. QCL. Yeah. Think of a QCL as, like, a cybersecurity inspector Okay. Who makes sure that the assessments are done by the book Right. Without any shortcuts or oversights. Okay. They're a critical layer of quality control. So they're basically the experts checking the experts. Exactly. Makes sense, but also seems like a lot of bureaucracy. It does. Why not just trust the initial assessors to do their jobs correctly? Well, the idea is to have that extra layer of scrutiny, you know, especially given the stakes. Right. But here's the kicker. Okay. The Cyber AB didn't even think that QCLs needed to have technical expertise. Oh, wow. They basically said, you know, anyone can check a box. Right? So not only were these quality control folks not certified Right. They might not have even known what they were looking at. Exactly. That seems like a recipe for disaster. It is. Especially if we're talking about protecting information that's critical to national security. Exactly.
And that brings us to the third major finding. Okay. Which might be the most alarming of all. Okay. Lay it on me. The audit found inadequate verification that the assessors Okay. And those QCLs we were just talking about Right. Were actually on staff at all 11 C3PAOs that they reviewed. Wait. They didn't even verify if the people doing the assessments actually worked for the companies that they claimed to work for? Pretty much. How is that even possible? It seems almost unbelievable. Right? Yeah. But the Cyber AB mainly relied on email addresses Email addresses. To confirm employment. Seriously. If the email address matched the company's format What? They considered it good enough. So, basically, anyone with a Gmail account could have pretended to be a cybersecurity expert. It seems that way. That's not exactly reassuring. Not at all. And remember, these are the people that are supposed to be protecting sensitive defense information. Right. The report even called out this reliance on email addresses as a prime example of poor verification practices. Okay. So we've got missing agreements Right. Uncertified quality control people Yeah. And a verification process that's about as secure as a screen door on a submarine. Pretty much. I'm starting to get a really bad feeling about this whole CMMC thing. It's definitely concerning. Yeah. But hold on tight because it gets even more interesting when we see what the audit team observed when they actually watched these C3PAOs in action. Oh, boy. Oh. Okay. So we've established that the process for authorizing these C3PAOs is about as solid as a wet paper bag. Right. But you mentioned that the audit team actually got to see these assessors, like, in action. Yes. That's where things get really interesting. Right? Oh, absolutely. They didn't just review paperwork. They went out into the field and observed 3 live DIBCAC assessments of candidate C3PAOs. DIBCAC.
Now I know we've talked about that before, but remind me what DIBCAC is again. Sure. DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center. Okay. They're the ones who actually go in and assess the assessors. So it's like a cybersecurity version of Undercover Boss? Exactly. But with much higher stakes. Much higher. Okay. So I'm picturing, like, hidden cameras and cybersecurity agents wearing, like, disguises. Right. So did they catch any C3PAOs red handed? Well Like cutting corners or completely missing the mark? There is some good news. Okay. The DIBCAC assessors seemed to do a pretty good job overall in verifying compliance with those 110 NIST SP 800-171 controls. Right. Right. All those specific cybersecurity practices that contractors need to implement to protect the sensitive data. Exactly. What's the catch? Well I have a feeling there's a but coming. Of course, there's a but. Yeah. 2 of the C3PAOs had issues with the disabling inactive accounts control. So specifically, they weren't properly addressing group accounts. Mhmm. You know, those shared logins that multiple people use? Shared accounts. Yeah. That doesn't sound so bad. Well I mean, we all do that at the office to share access to things like printers and software licenses and stuff. Right. What's the big deal? It's all about managing risk. Oh, cool. Shared accounts, if they're not managed properly Got it. Become a major security vulnerability. Okay. Think about it. If someone leaves the company or their credentials are compromised Right. That shared account could provide an open door for hackers Uh-uh. To get into sensitive information. Okay. That makes sense. Yeah. So what were these C3PAOs doing wrong? Well Were they just completely ignoring those group accounts? Let's look at the specifics Okay. From the report's Table 2. Okay. In one instance, the C3PAO didn't even define a time frame for disabling inactive accounts. Really?
They just said they were monitoring them regularly. Regularly. Yeah. That's pretty vague. It is. What does that even mean? Right. Once a year, once a decade. Never. Exactly. It's like saying you go to the gym regularly. Exactly. Yeah. And in another case, the C3PAO was only focused on individual user accounts Okay. Completely overlooking those group accounts. Oh, wow. It's like they had blinders on. And the DIBCAC assessors. Yeah. They didn't flag this as a problem. Well, this is where it gets even more perplexing. Okay. For that first C3PAO, the assessors decided that the requirement wasn't really necessary. Why? Because the company only had 2 employees. Wait. Seriously. Yeah. So basic cybersecurity rules only apply if you have a certain number of employees. That's what it seems like. That seems a little ridiculous. It does, doesn't it? Yeah. And for the second C3PAO, the assessor said that they thought that group accounts were just flat out prohibited. But they're not. Nope. Not at all. Really? Neither NIST nor the DoD specifically bans group accounts, which suggests a fundamental misunderstanding of the very cybersecurity controls they're supposed to be enforcing. So not only are there problems with how these assessors are authorized Right. But the people doing the assessments might not even understand the rules they're supposed to be upholding. It's a little concerning. This is starting to feel like a house of cards. It does raise serious concerns about the consistency and rigor of these C3PAO assessments. Yeah. And it begs the question. What's that? If these issues were found in just 3 observed assessments Right. What else might be lurking out there? Yeah. How many other C3PAOs might be missing the mark, potentially putting sensitive information at risk? That's a chilling thought. Yeah. And this is just the tip of the iceberg. Right? You're right.
The audit uncovered an even bigger issue with the DoD's own oversight of this whole process. Perhaps the most alarming finding of all is that the DoD's Chief Information Officer, CIO, had absolutely no quality assurance process in place for C3PAO authorizations. No quality assurance. Yeah. You mean nobody was double checking that this whole system for vetting assessors was actually working properly? Apparently. That seems like a pretty crucial step to skip. You would think so, wouldn't you? Yeah. Especially when we're talking about information deemed critical to national security. Right. But the audit clearly states that no formal quality assurance process existed. So they weren't checking to see if the Cyber AB was doing its job. Right. If the DIBCAC assessments were thorough. Yeah. Or if the entire process was even remotely effective. It doesn't seem like it. It's almost like they built this elaborate cybersecurity fortress, but then forgot to hire any guards to man the walls. It's a striking analogy Yeah. And sadly, quite accurate. And what's even more ironic is that the DoD seems to be putting all its eggs in one basket. It does seem that way. They're banking on the Cyber AB eventually complying with ISO/IEC 17011 standards. Right. ISO/IEC 17011, refresh my memory. What are those all about? Think of them as, like, the gold standard for accreditation bodies. Okay. ISO/IEC 17011 lays out a comprehensive set of requirements for organizations that accredit other organizations. Got it. It's all about ensuring competency, consistency, and impartiality. So the DoD is basically saying Yeah. We'll just trust that the Cyber AB will get its act together eventually and meet these standards. Right. That seems like a pretty risky gamble. It's a risky strategy to say the least. Yeah. Especially given their track record so far. Yeah. And here's the kicker. Okay. Those ISO/IEC 17011 requirements won't even be mandatory for the Cyber AB until 2026.
So that means for, like, the next year or so Yeah. There's no real enforceable oversight in place. Not really. It's a free for all. Pretty much. Yikes. Yeah. And as if that wasn't enough, the audit also pointed out a couple of other pretty significant concerns. Right? Yes. There are 2 more issues that really add fuel to the fire. Alright. Let's hear them. What else is lurking in the depths of this audit report? First, there's no formal process for reauthorizing C3PAOs. Oh. They get assessed once. Okay. And then they're good to go for 3 years. 3 years? Yeah. But so much can change in 3 years. What if a C3PAO has financial troubles? Right. Or there's some shady foreign ownership involved Yeah. Or all their expert assessors decide to go work for Google or something. Exactly. There's no way to catch any of that. Not right now. Okay. That's terrifying. Yeah. What's the other issue? Hit me with it. The final problem is that there's no requirement for C3PAOs to immediately report any changes that might affect their authorization. Okay. So a C3PAO could undergo, like, major changes that impact its ability to do its job properly. Right. And the DoD would be none the wiser. That's what it seems like. That's insane. Yeah. So a C3PAO could be falling apart at the seams with unqualified assessors and compromised systems Right. And the DoD would be left in the dark. Pretty much. Just like a slow motion train wreck. It is. And remember, we're not just talking about hypothetical scenarios here. The report explicitly mentions cases where DoD contractors were targeted by malicious actors. Wait. Like, real life cyber attacks? Yes. Give me the scary details. In one case, a Navy contractor had their entire system completely locked down by hackers who demanded a hefty ransom to restore access. Oh, wow.
And in another case, hackers stole the names and Social Security numbers of over 16,000 individuals from a different Navy contractor. Okay. Now I'm officially freaked out. Yeah. So we've got a whole system riddled with problems, from the initial authorization process to the lack of ongoing oversight. Right. And all of this is happening while actual cyberattacks are targeting defense contractors. Yeah. It's enough to make you wanna ditch your computer and live off the grid. It's certainly a sobering reality check. Yeah. This isn't just about abstract regulations or bureaucratic bungling. Right. This is about real world threats to national security Yeah. And the potential for significant damage if those threats aren't taken seriously. So what does all of this mean for our listeners? Wow. Why should they care about this audit report, especially if they're not working directly with the DoD? Here's the big picture Okay. And it's a little unsettling. Imagine the most sensitive, advanced defense technologies being developed. Right. Things that are crucial to our national security. Okay. I'm picturing top secret labs Yeah. Futuristic weapons Right. And maybe a few robots thrown in for good measure. Now imagine that all of that information is vulnerable Okay. Because the very people entrusted with protecting it haven't been properly vetted themselves. They might not understand the rules. They might not be following them. Oh. And there's no real accountability in place to ensure they're doing their jobs properly. That's a terrifying thought. It is. And this audit shows that it's not just a theoretical risk. Right. It's actually happening. It is. Cyber attacks are happening. Data's being stolen. Mhmm. Systems are being compromised. Exactly. This isn't just an internal DoD problem. It has far reaching implications for national security Yeah. And for public trust in the government's ability to protect sensitive information.
So while the DoD is trying to create this impenetrable fortress of cybersecurity with CMMC, the foundation might be a lot weaker than they think. It could be. And the implications go far beyond the defense industry itself. You've hit the nail on the head. Yeah. This is a wake up call for everyone. It really is. Not just those working in the defense sector. Right. Cybersecurity is everyone's responsibility. It is. And we need to be asking tough questions about how our information is being protected, whether it's our personal data, our company's intellectual property, or our nation's most sensitive secrets. It really is a wake up call. It is. And to think this audit only looked at 11 C3PAOs. Right. I mean, there are dozens more out there, you know, assessing contractors right now. Yeah. Makes you wonder what a wider investigation might uncover. That's a question worth pondering. Yeah. If these issues were found in a relatively small sample Right. Imagine what's lurking beneath the surface. Yeah. So it's like we've only just scratched the surface of a much bigger problem. Exactly. And this brings up another question that's been swirling in my mind. Okay. How does all of this impact public trust? Right. If the organizations responsible for cybersecurity Right. Aren't being properly vetted Yeah. What does that say about the DoD's commitment to protecting sensitive information? It certainly erodes confidence Yeah. Not just in the CMMC program itself Right. But in the entire defense industrial base. Yeah. It raises questions about the government's ability to handle sensitive data Right. To oversee its contractors Right. And, ultimately, to keep our nation safe. It's like that saying. Yeah. Trust takes years to build, seconds to break, and forever to repair. Right. The DoD has a lot of repair work to do after this audit. Absolutely. And this isn't just an internal DoD issue. Right. It has ripple effects across the entire ecosystem. Right.
If contractors lose faith in the system, they might be less inclined to participate in it. And if the public loses faith in the government's ability to protect sensitive information, that has even wider implications for national security and our standing on the world stage. This all feels very overwhelming. Where do we even go from here? Yeah. What can our listeners do with this information? Knowledge is power. Okay. First and foremost, I encourage everyone to, you know, continue exploring. There are plenty of resources available to learn more about CMMC Right. Cybersecurity best practices and the evolving threat landscape. Well, make sure to include some links in the show notes for anyone who wants to, like, dive deeper. Perfect. Second, think about the implications of these findings on your own industry or field. Yeah. Even if you're not directly involved in defense work. Right. Chances are you handle some form of sensitive information. Absolutely. It could be customer data, financial records Yeah. Intellectual property. It all needs to be protected. It is. It's easy to think Yeah. Oh, this doesn't apply to me. I'm not working with top secret government stuff. Right. But cybersecurity is everyone's responsibility. It is. We all have a role to play in protecting sensitive information, whether it's our own personal data or the data of our clients Mhmm. Customers, employers. Yeah. Don't wait for a major breach to happen. No. Be proactive about protecting your data and ensuring your systems are secure. Okay? Implement strong passwords, use multifactor authentication Right. Stay informed about the latest threats. Right. And be vigilant about suspicious activity. That's a great takeaway. Yeah. We can't rely on others to protect our data for us. We can't. We have to take ownership of our own cybersecurity. Exactly. Well, on that note, I wanna thank you so much for joining me today. It's been my pleasure.
This has been a very thought provoking deep dive into this DoD audit report. It has. And I think it's clear that there are some serious issues that need to be addressed. There are. But as always, I wanna leave our listeners with something to ponder. Sure. So I'll turn it over to you for a final thought. If this audit revealed such significant issues within the DoD, an organization that you would think would be at the forefront of cybersecurity, what might similar investigations uncover in other government agencies, private companies, or even within our own personal digital lives? It's a chilling question, but one that we all need to be asking ourselves. We do. The world is increasingly reliant on digital systems. It is. And ensuring their security is paramount. It is. This audit is a reminder that we can't take cybersecurity for granted. We cannot. We need to be vigilant, proactive Absolutely. And always questioning the status quo. Well said. So until next time, stay curious, stay informed, and stay safe. I like that.
