As someone whose family was victimized by a cult, I tend to be on alert for signs of cultish behavior, whether by individuals or organizations. When I say that the American Society for Quality and its British counterpart CQI are cults, it’s because they tick off the right number of signs for me to make that claim. In those cases, however, they are more of the “multilevel marketing scam” (MLM) type cults, using their influence to dupe people into joining, and then roping the dupes into an increasingly costly series of purchases, all to benefit an unregulated leadership.
I’ve been reporting on the US Department of Defense’s “CMMC” (Cybersecurity Maturity Model Certification) program for a few years now, and they check off all of the typical markers of a cult.
The “signs” of a cult have been well-documented by anthropologists, psychologists, and historians, and while different authors have slightly different tweaks on them (see here, here, or here), they remain largely similar no matter the source. For this article, I will be using the list provided by two former Mormon church members, “Sam and Tanner,” from their 2018 article on Medium called “10 Signs You’re Probably In a Cult.” That listing was, itself, modified from the list provided by the Cult Education Institute.
1. The leader is the ultimate authority
It goes without saying that Katie Arrington, freshly appointed to the DoD after having floated from one career to another before landing in cybersecurity, adopted an authoritarian, cultish approach to demand loyalty to her, and her alone. Her manic, overcaffeinated appearances on YouTube, constant microphone-stealing at events, and breathless posts on LinkedIn sucked the oxygen from anyone else nearby, making it clear she was the focus. Repeatedly, over and over, she took personal credit for CMMC, sidelining other key figures who did most of the actual work. Likewise, Arrington repeatedly made personal statements on CMMC, couching them as official policy, when it was clear she had no idea what she was talking about. Recall that Arrington claimed to be ready to release announcements on the “reciprocity” of CMMC with ISO 27001 (which never happened) as well as her repeated false claims that CMMC would “appear in contracts” as early as 2019 (it never did.)
Despite this, the docile cybersecurity “press” parroted her claims as if they were official policy, leading the entire defense industrial base astray in the process.
2. The group suppresses skepticism
Critics of either CMMC or Arrington quickly found themselves on the outside, often the victims of outright — and sometimes illegal — harassment. On LinkedIn, Arrington openly harassed critics — including me — making false and defamatory claims in the process. Others found themselves banned from the CMMC subreddit for asking the wrong questions or harassed on the CMMC Discord channel. One prominent cybersecurity expert was sexually harassed on LinkedIn, in a pseudonymous post thought to be tracked back to an official CMMC Board Member.
Critics were threatened with lawsuits (again, including myself), and always in public, to send a clear message: if you questioned Arrington or the CMMC program, you were the enemy, and would be publicly humiliated. Most critics went underground, leaving the echo chamber filled only with echoes.
Even the CMMC “press” was affected. FedScoop had run articles pointing out the mildest issues with CMMC, but then altered its course and dropped the main reporter working the stories. I spoke to a chief editor there, and he promised some coverage on key issues — like CMMC’s “China problem” — but then went silent and never contacted me again. One reporter at another media outlet admitted they had to tread carefully because any negative coverage of CMMC would result in Arrington blocking access to herself and others. The lesson didn’t go unnoticed at Inside Cybersecurity, which continues to simply copy-and-paste CMMC press releases without ever digging deeper. As a result, they get the most access to DoD and CMMC talking heads.
3. The group delegitimizes former members
The CMMC Accreditation Body (now called “The CyberAB”) features a group of “Board” members who have demonstrated contempt against those who quit in protest. Arrington likewise acted as the CMMC pitbull, going against those that she thought were on board, only to find them asking uncomfortable questions at a later date.
Probably no one more than John Weiler, CEO of the IT Acquisition Advisory Council (IT-AAC) saw this firsthand. Weiler was a founding member of the CMMC-AB but left once he saw things were going pear-shaped. Arrington went on to publicly defame, denounce and harass him on LinkedIn, to the point that it appeared things were headed for court. She later quieted down only after she was pushed aside at the DoD, and eventually quit. Weiler was also denounced by other CMMC-AB Board members. It was a fairly tasteless display of vengeance against someone they felt had betrayed them.
4. The group is paranoid about the outside world
Cults are famous for their paranoia, and the CMMC gang is no different. For CMMC, discussions of topics, organizations, or events outside of their “approved” sources often come with criticism and a side of neurotic monomia.
Despite CMMC talking up its intent to follow ISO standards, any discussion of the actual content of ISO standards is met with a weird… well, paranoia. CMMC folks, such as the AB’s Jeff Dalton, insist they understand the standards, but then handle them as if they are a dirty diaper, holding them at arm’s length while pinching their nose. CMMC gadfly and attorney Robert Metzger admitted he knew nothing about ISO standards, and accepted my invitation for a quick phone call to bring him up to speed; later, he claimed he was “too busy” to have the call, and went onto the CMMC talking circuit making it sound like he knew about the subject after all. (He didn’t, and doesn’t.) But to actually get informed on the world of standards outside of CMMC is too much for these people.
Ditto for exposing themselves to events or media not already proven to be “friendly” to them and the CMMC program; ergo, Inside Cybersecurity instead of FedScoop.
5. The group relies on shame cycles
Per the Medium article, cults prescribe rules related to “diet, appearance, sex, relationships, media, guilting members for their shortcomings, and then positioning themselves as the unique remedy to the feelings of guilt which they themselves created.” This one is a bit trickier to track to the CMMC, but only if you haven’t paid much attention.
For the CMMC gang, they refuse (or are incapable of) explaining the most basic aspects of their certification scheme. Then, they capitalize on this confusion by insisting they are the sole source for the information they haven’t provided anyone. For literally years, the CMMC-AB and DoD CMMC office failed to produce a plan for how CMMC assessments would be carried out, but then reacted angrily when folks tried to fill in the gaps with some level of guesswork. Instead, they insisted, all information must come from the CMMC-AB or Arrington’s office, even though they weren’t providing that information.
Then, supporting groups popped up to enforce the shame cycle, like Tom Cornelius’ CMMC Center of Awesomeness, which sees Cornelius using profanity against critics of CMMC as if he’s an edgelord in a mid-life crisis. Feigning independence, Cornelius’ company sucks up to all the right people — Arrington included — and then his company Compliance Forge conveniently sells CMMC “template kits” (oh, that will end well). The Cornelius “Center of Awesomeness” gag was itself a swipe at Weiler, who had previously launched the CMMC Center of Excellence, before shutting it down in protest of the scheme. Cornelius’ website claims, “why be excellent when you can be … AWESOME!!”
The end result was that a lot of very smart people are left to feel stupid, and some very stupid CMMC folks — I’m looking at you, Jacob Horne — are presented as being smart.
6. The leader is above the law
This one is easy. Arrington herself left the DoD and CMMC program after she was alleged to have violated her security clearance by sharing classified information with at least one unapproved vendor. Her security clearance was suspended, making it impossible for her to do her job. The DoD declined to outright fire her and instead sidelined her until she quit. Since then she sued the DoD — twice — trying to restore her name. (So far, she still hasn’t won the “name-clearing hearing” she demanded in her suit.)
Likewise, the CMMC-AB committed, by my reading anyway, felony fraud when it claimed to be a not-for-profit organization when it filed for its CAGE code. In fact, the AB wasn’t a 501(c)(3), and didn’t get that status until many years later. The falsification of application data was reported to the DoD, DoD Inspector General, and DCLA, all of whom refused to prosecute the complaint. If anyone else had done this, their CAGE code application would have been canceled, and they would have not been able to win a Federal contract. The DoD protected the AB, however, since doing otherwise would have forced them to restart CMMC from scratch.
Later, it was found that the AB had failed to maintain its information in SAM.gov, another legal requirement. Again, it was reported to the DoD, and again, they did nothing. Instead, the AB toggled the “privacy” switch on its SAM.gov profile, making it impossible for the public to know if it had been updated or not.
Repeatedly, time after time, the parties have appeared to act outside the law, engaging in behaviors that would get anyone else debarred or fired. But, repeatedly, they have been protected and treated, effectively, as “above the law.”
7. The group uses “thought reform” methods
This one is closer to point # 5 above, The Medium article explains this as when a cult utilizes “platitudes like ‘follow the leader’ or ‘doubt your doubts’ are regurgitated over and over so that members don’t have to critically analyze complex issues.”
Again, the CMMC leadership trades heavily in this meme, suggesting that people who ask questions are stupid, even though they don’t provide answers. A common trope in CMMC is “don’t believe the myths,” where CMMC-sellers try to debunk clear facts by simply calling them “misconceptions”. See here, here, and here for just a few examples. In nearly all these cases, the writers engage in FUD (fear, uncertainty, and doubt) to scare readers into adopting CMMC as their belief system.
The biggest “myth” the CMMC gang has been trying to sell for years — without success — is that “CMMC isn’t in limbo.” To do this, they harass and chastise anyone who points out the clear historical facts that CMMC continues to be delayed, and was never released in “2019” as promised by Arrington and her cultists. We are now in 2023, and there is still no roadmap for the release of CMMC, and yet the same people keep insisting that it’s not delayed.
8. The group is elitist
The Medium authors describe this tip as follows: “If your group is the solution for all the world’s problems, you’re probably in a cult.”
It couldn’t be more clear that CMMC cultists believe, despite all reasonable evidence and credibility, that CMMC can solve any cybersecurity problem. Arrington herself has often claimed CMMC would have solved some headline-grabbing hack or breach of the week, as have her sycophants.
Recently, the CTO from Ardalyst, Josh O’Sullivan, claimed CMMC could have prevented a hack against the Navy’s Marinette Marine shipbuilding yards. CMMC cultists have claimed that the certification could have prevented the Solarwinds hack, and numerous other publicly disclosed breaches.
The fact that this is impossible since CMMC certification still does not exist points to their willingness to abandon logic and facts in order to claim the elitist spotlight.
9. There is no financial transparency
Don’t get me started! The CMMC-AB worked hard to fight against financial conflicts of interest, ignoring rules against credentialing people and companies they will later face during AB oversight audits, in order to rake in millions of dollars per year. They have refused to release their IRS filings, and calculations on their revenue can only be made by comparing their prices against their unconfirmed number of credential holders.
The DoD, meanwhile, is not required to expose its budget to anyone, despite being a Federal agency beholden to the public. Worse, the DoD has fought — for years — to hide the contract it signed with the CMMC-AB, and only released it after we threatened to file a full FOIA lawsuit if they didn’t. Then, they redacted the names of the contract signers — such as Arrington — in order to protect them from blowback.
Finally, the DoD just full-on lied about the financial impact of CMMC on the defense industrial base, making insane claims that CMMC would only cost “three thousand dollars” or that auditors would charge less than $100 per hour. In reality, estimates and costs for “gap” audits reveal the cost range from $100,000 to $300,000 per company, a far cry from the claims made by DoD officials.
10. The group performs secret rites
Both the DoD CMMC office and The CyberAB operate nearly entirely in secret, without any access by the public. the fact that one of these is a public government office is troubling, but the DoD can claim “national security” and simply not let anyone in the building. For the AB, they can claim the opposite, that as a “private” organization, they don’t have to open their doors. The effect is teh same: everything done by either party is done in secret.
Worse, when they do come up from under their rocks, they do so only in tightly-controlled environments. The AB shuts off all comments on its (rare) LinkedIn posts, so that no one can ask them anything. Likewise, during their ironically-named “Town Hall” events, questions must be submitted in advance, or are “pre-screened” during the event itself, to ensure they don’t have to face a question they don’t want to answer.
The DoD, meanwhile, hides its policies under paywalled articles at Inside Cybersecurity, or “friendly” events hosted by conflicted stakeholders like Redspin, who hold AB accreditation and aren’t about to lose it by letting any critics share the stage or raise questions.
Kill the Cult
Clearly, CMMC has turned into a cult, and must be stopped. At this point, the DoD itself is complicit and has allowed multiple breaches of both ethics and law to go unpunished, so it cannot be trusted to start doing its job now. Instead, Congress must act and scuttle the current CMMC plan and develop a new one. This means disbanding the cyber AB, putting out a new set of bids for competing ABs, and for DoD to be forced into overseeing the scheme itself, rather than trying to do “cybersecurity on the cheap.” If DoD can’t do it, then perhaps NIST should step in.
But nothing good will come from a cult, so it must be killed in the cradle.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.