The Cyber AB has finally responded to the first-ever complaint filed against a CMMC certification body, adopting some of the shadiest practices of the ISO certification scheme actors in the process. In short, they shut down the complaint while refusing to provide any demonstrable evidence that anything had actually been done. To justify this, Cyber AB’s Director of Accreditation, Steve Medellin, cited made-up “confidentiality” rules from a standard the AB isn’t even using, all to protect the subject of the complaint.

As you likely know, we filed a major complaint against Lazarus Alliance, an authorized C3PAO for the nascent Cybersecurity Maturity Model Certification scheme. The complaint alleged approximately 30 violations of ISO 17020, the CMMC Code of Conduct, and the related CMMC CFR regulation. Nearly all of the evidence provided was in documentary form, coming from Lazarus itself, so it would have been difficult to dismiss. This included a report provided by Lazarus that was presented to look like a US Dept of Defense report, complete with a photoshopped version of the DoD logo on the cover, and then giving a copy of the Cyber AB’s own logo to their client to use as marketing material.

We then found out Lazarus holds a fake accreditation to act as an ISO 27001 certification body and falsified some of the testimonials and awards it claims it has won.

Lazarus CEO Mike Peters then committed defamation per se by falsely accusing me of cybercrimes and telling his client, Willrich Precision, to file charges against me with the FBI and have me arrested. The ISO standards, meanwhile, prohibit a CB from taking any discriminatory action against a complainant, such as, you know, trying to have them arrested for crimes they never committed.

None of this is normal behavior. And, again, all of this was in writing.

We Shall Never Speak of This Again

From the Cyber AB’s final report on the complaint:

As a result of our inquiry, The Cyber AB has substantiated and concurred with several, but not all, of the issues you raised. Confidentiality requirements of ISO/IEC 17011:2017, “Conformity assessment — requirements for accreditation bodies accrediting conformity assessment bodies,” preclude us from disclosing the specific findings and actions related to each element of your complaint.

The Cyber AB has met with the Subject regarding our findings and has initiated appropriate corrective actions. We now consider this matter closed.

There are a lot of problems here. First, we have no idea which of the 30 allegations the Cyber AB concurred with and which they did not. That provides no practical intelligence into what may have been right about the complaint and, more importantly for the CMMC scheme, what we might have gotten wrong. It would have been in the scheme’s best interest to detail which allegations were (in their view) wrong, so we don’t repeat that mistake. But we have no idea.

Next, the Cyber AB claims that Lazarus initiated corrective actions, but does not indicate whether they were actually implemented. That makes it sound as if Peters just wrote up a few CARs but never actually did anything. And, unfortunately, the evidence suggests this is true.

I waited two weeks to see if Lazarus’ client, Willrich Precision, would be forced to remove the misleading logos from their website, and you can see for yourself… they were not. This includes an unauthorized use of the Cyber AB’s own logo. This screenshot is as of today, June 7, and we can see that no action was taken. This means anyone can put the Cyber AB logo on their website for anything whatsoever, even unrelated to CMMC, and the AB is cool with that. (Here’s a link to the Cyber AB’s logo if you want to put it on your website or post it in the men’s room at your local airport.)

Then, of course, Peters himself never apologized or retracted his defamatory statements, so that issue also remains open. On that point, the Cyber AB agrees that Peters went overboard, but never actually required him to do anything about it:

Please know we did find that the nature and tone of the Subject’s initial response to your original complaint failed to meet the standard for proper adjudication of CMMC stakeholder complaints and was not in consonance with C3PAO best practices.

Moreover, we have marked several of the issues and concerns you highlighted in your complaint for additional emphasis and clarification throughout the C3PAO cadre.

I have no idea what any of that means, but it has no practical, real-world implications. But the message is clear: if you “fail to meet the standard for proper adjudication of CMMC stakeholder complaints,” the AB will only write a sternly worded letter about you. Otherwise, you’re off the hook.

No, ISO 17011 Doesn’t Say That

Finally, Medellin’s claims that ISO 17011 somehow constrains the Cyber AB from revealing what was done, due to “confidentiality requirements,” are patently false. The claim relies on ABs knowing that nobody ever reads ISO 17011, so they can say whatever they want about its content.

Well, I did read it, because I literally do ISO 17011 consulting and have created ABs from scratch.

While that standard does discuss confidentiality, none of the references to the concept apply to the complaints handling clause. Instead, ISO 17011 cites confidentiality related to the following: AB staff rules, subcontractor confidentiality, document control, and records security. That’s it. The clause on complaints, meanwhile, makes no mention of confidentiality at all. Medellin — who previously worked at A2LA — has brought over the worst practices of ISO accreditation bodies and is using tired, false scripts to protect the Cyber AB and its paying C3PAO clients.

And, hey, where was the Cyber AB’s concern for “confidentiality” when Peters was blasting emails accusing me of “criminal social engineering” and calling for my arrest?

Finally, there is the matter that the Cyber AB doesn’t comply with ISO 17011 anyway. ISO 17011 requires the AB not to own any training or credentialing organizations, but the Cyber AB has refused to divest CAICO. So the Cyber AB is not anywhere near compliant with ISO 17011, nor have they even started the process by submitting an application to the IAAC to undergo 17011 assessments.

But, when they want to, they will invoke ISO 17011 to protect a certification body that has engaged in shockingly bad behavior and which took a blowtorch to the reputation of CMMC.

Lazarus Alliance, meanwhile, remains a C3PAO in good standing, per the Cyber AB’s CMMC Marketplace (here). So their accreditation was not even suspended temporarily, never mind withdrawn. (Note how Lazarus’ listing claims that it can provide “Certification Body audit services covering 27001, 27017, 27018, 27701, 9001, 90003, 42001, and 31010.” Some of those standards are not even for certification, and are only guidance documents. And remember their “accreditation” to issue these certs came from a fake accreditation mill out of Egypt.)

Pucha, Tenemos un Gran Problema

In the end, this was exactly the outcome that was expected.

Now, pay attention, because this next part matters. The Cyber AB was tasked by the DoD — per its legally binding Federal contract — to become a Full Member of the IAAC, which will eventually grant the AB its ISO 17011 accreditation. To date, the Cyber AB has not done that (since it refuses to divest CAICO.)

But the Cyber AB has become an “Associate Member” of IAAC, which is typically the first step towards gaining full ISO 17011 accreditation and Full Membership. Have a look:

The way the hierarchy works is that just as a complainant can appeal a C3PAO decision to the AB, the complainant can also appeal an AB’s decision to the IAAC.

Why does that matter? Because the IAAC is in Mexico. Their website is here, if you don’t believe me. Next, the IAAC’s official procedure on complaints, PR-005, indicates that the IAAC Executive Secretary oversees the processing of any complaint against any IAAC member. The current Executive Secretary is Ferney Chaparro, who lives in (wait for it…) Colombia. Here’s his LinkedIn profile, since you don’t believe that either.

That means Mexico and Colombia will have adjudication authority over the US’ CMMC scheme. If the representatives of those countries agree with the appeal, they could deny the Cyber AB its ISO 17011 accreditation.

But, in reality, it doesn’t matter what the IAAC does. So long as the IAAC has the authority to adjudicate a complaint, it puts the CMMC program under control of a foreign nation.
