FORMER DOD UNDERSECRETARY KENDALL SLAMS CMMC

Allowing a non-governmental third party to decide whether a company can bid on a DOD contract conflicts with the “inherently governmental” function of awarding government contracts, according to former DOD Undersecretary for Acquisition, Technology & Logistics Frank Kendall.  Writing in Forbes magazine, Kendall states, “Determining whether or not a contractor is qualified to bid on a government contract is, in my view, an inherently governmental function.  Under CMMC, however, a new bureaucracy created outside of government, takes on that role.”  Kendall goes on to point out that how third-party assessors will, themselves, be accredited is “a mystery”.  He recommends that DOD delay or cancel the CMMC program entirely.  DOD, in the meantime, still seems set on moving forward with the requirement for contractors to show certain levels of cybersecurity capabilities if they want to do business with the agency.  Draft RFPs and RFQs already contain such language.  It is uncertain what companies exist now, however, to attest to a company’s ability to meet one or more of the five levels of CMMC status that will be required.  Another area of confusion on CMMC is its applicability to Commercial Off the Shelf (COTS) procurements.  Katie Arrington, who oversees CMMC, says that COTS acquisitions will be exempt, while others say that it depends on whether the nature of the work to be performed brings the contractor into contact with sensitive, but not classified, information.

Kendall’s comments also raise questions about the validity of other third-party accreditation protocols already in use for government contracting.  Both the FedRAMP and Section 508 compliance programs use outside parties to determine a company’s ability to meet those standards.  Should Kendall’s view on using this approach for CMMC take hold, it could have an impact on these programs as well.