The Cybersecurity Maturity Model Certification Accreditation Body recently launched a “Partner Program,” but quickly walked back the concept after allegations were raised that it was basically a pay-to-play scheme. The program would have charged companies from $5,000 to $500,000 to be promoted and marketed as a “recognized leader in cybersecurity and an early supporter of CMMC-AB,” at five tiers with increasing perks from “bronze” to “diamond.”
As the sole accreditor of cybersecurity assessors, the CMMC-AB appeared to be creating a conflict of interest, as the program sought large sums of money from the companies the body would oversee. Two sources familiar with the matter said the full board was not consulted before the program was launched, and several members were blindsided by the announcement. DoD CISO for acquisition and sustainment Katie Arrington also expressed disapproval.