I’ve been looking into this subject more seriously for the past few months, and it is looking more and more likely that The Cyber AB is, under US law, illegal. If so, this means there is no actual CMMC program, since the government’s mandate to have it run by The Cyber AB is, itself, a violation of law.
Longstanding precedent, dating back at least 100 years, limits the US Federal government’s ability to compete with private enterprise. More so — with only two exceptions — there’s no actual precedent that allows the government to invent a private company out of thin air, especially when there are existing companies ready and able to perform the prescribed service.
What are those two exceptions? First, the US government can create what is known as a “Federal Government Corporation,” to satisfy a specific need determined by Congress. History shows the government has done this in several famous, high-profile instances, going back for at least a century. For example, look to the formation of the Tennessee Valley Authority (TVA), the US Postal Service, or the Federal Deposit Insurance Corporation (FDIC). Each of these was legally created by the US government, but only because each was created under a law introduced by Congress and then signed by the President.
The other condition where the US government can, in effect, create a company is when it nationalizes an existing private corporation. In reality, this isn’t the creation of a company out of thin air, but simply a change from private to public ownership. This is done rarely in the United States, and is almost always a temporary step to help “bail out” a private company that is faltering. But in two famous cases, the US government took over private companies and made them permanent government functions: Amtrak and the Transportation Security Administration (TSA) were both the result of US nationalization of private companies.
Again, however, in both cases, the nationalization of private companies requires the passage of a law. This is because the US wants to be the beacon for free enterprise, and is staunchly against nationalization in nearly any form.
Illegal Formation
The Cyber AB, however, was not created by any act of Congress or law. Instead, it was created out of thin air without any congressional oversight, and Congress was caught wholly unaware of its existence until after it was already operating. The DoD has, in fact, attempted to circumvent Congressional oversight of the CMMC program, going so far as to threaten and harass whistleblowers — including Oxebridge — for raising it with the two Armed Services Committees.
Let’s review what happened. In 2019, the Dept. of Defense, under Ellen Lord’s office, decided that it would create a cybersecurity scheme called “CMMC.” It then put political appointee Katie Arrington in the role of CMMC coordinator, as the main part of her job as DoD’s Chief Information Security Officer (CISO). To get that job, Lord’s office had to ignore the fact that Arrington had no university degree, and only a limited amount of experience in CISO operations. Her prior experience had been largely, if not exclusively, in cybersecurity sales, not technical CISO work.
Arrington’s office then announced, through a formal DoD Request for Information (RFI), that it intended to oversee the creation of the CMMC scheme, along with — very specifically — the creation of the “CMMC Accreditation Body” (CMMC-AB). That RFI, published in October 2019, stated the following:
The Office of the Undersecretary of Defense (Acquisition & Sustainment) (OUSD(A&S)) in the Department of Defense is seeking information, from non-profit organizations, related to establishment of an Accreditation Body for the Cybersecurity Maturity Model Certification (CMMC) program.
and
This RFI seeks information on how to define the long-term implementation, functioning, sustainment, and growth of the CMMC Accreditation Body. The Government’s goal is for a non-profit Accreditation Body to complete all activities described in Section 4, Accreditation Body Activities, using revenue generated through dues, fees, partner relationships, conferences, etc. with no additional funding or resources provided by the Government. The Government intends that the relationship between the Government and the Accreditation Body will be managed through the use of a Memorandum of Understanding (MOU).
The language was fairly explicit. The DoD was mandating the formation of the CMMC-AB, and soliciting “white papers” on how it could form the organization, and how it would then operate.
This was then followed up by an “Industry Day” announcement, also published in October 2019, scheduling the event for the following month. That announcement — again, a formal DoD publication — stated explicitly that the DoD intended to “establish the CMMC Accreditation Body inclusive of a Board of Directors.”
That Industry Day was then held, and the attendees provided their “white papers” to Arrington. Attendees reported that Arrington was introduced by Kevin Fahey, who named her as a personal friend, and she then took the stage and announced she would be letting the companies in attendance “self-organize” to form the CMMC-AB. She took the white papers, dropped the mic, and left. The general comment from nearly everyone I spoke to who attended it was that they were left more than a little stunned at Arrington’s quick exit.
The room was filled with competitors, including established accreditation bodies like A2LA and ANAB, who all thought they had a chance at taking on the role of the CMMC-AB themselves, but who were now forced to work — side-by-side — with their enemies to sort out Arrington’s blurry idea for an AB.
Subsequently, years later, I was told that the decision by Arrington to flee the stage was because someone had told her the idea of having DoD create a private company overnight was illegal, and so she leaned into the “organize yourselves” pitch to try and build some cover. But legally, the damage may have already been done.
Fraud Raises Its Head
What happened then injected the suspicion of criminal fraud, in multiple instances.
First, while Arrington and the DoD were repeatedly claiming the “DIB” was comprised of “300,000 companies,” somehow the CMMC-AB that Arrington created announced it would be headed by Arrington’s former boss and political donor, Ty Schieber. The statistical odds of that were astronomical, unless one comes to understand that — just maybe — Arrington was creating the CMMC scheme all along to hand gifts to her friends.
So… fraud allegation # 1 arose nearly immediately after Arrington’s “Industry Day” event.
Schieber wasted no time miring the CMMC-AB in controversy. In order to get the promised DoD contract, he — like any government contractor — had to file for a CAGE Code. That’s a requirement for any company doing business with the US government. On the official “certs and reps” filing portion of the CAGE Code application, Schieber claimed the AB was already a not-for-profit 501(c)(3) organization, which was a lie. Right next to his signature, the CAGE Code form indicated that any such lies are a felony, punishable by fines and prison. But Schieber signed it anyway. The AB wouldn’t get its 501(c)(3) until years later.
Here’s Schieber’s actual filing:
The DoD made some muted grumblings that it wasn’t important, so long as the AB was acting “as if” it were a non-profit, but that’s not what Schieber signed. The DoD then worked to bury multiple formal complaints alleging felony fraud. In short, the DoD colluded to cover up a fraudulent filing by a friend of Katie Arrington.
That’s fraud allegation # 2.
Diamond Fiasco
Schieber then took steps to make CMMC appear as a full-on Ponzi scheme. Remember, the AB was formed to do the thing in its name: accredit things. But without any plan on how to do this, Schieber immediately started trying to dupe donors. He announced a shockingly corrupt plan to offer special “benefits” to anyone who donated $500,000 or more to his new CMMC AB company, through a “Diamond” membership program. Instantly this raised conflict of interest questions, but Arrington took to social media to defend Schieber and harass anyone who questioned it.
After Oxebridge’s reporting was picked up by industry press, the AB’s Board was forced to oust Schieber, along with his sidekick Mark Berman, who had already begun selling “FutureFeed” CMMC software while using his role as Board member to do so.
Fraud allegation # 3. Maybe # 4, if you count Berman’s conflicts of interest.
Again, the DoD and IG office squashed relevant complaints, and Arrington was going rabid on LinkedIn attacking anyone who pointed out the problems. Major industry outlets like Inside Cybersecurity and FedScoop were advised that if they wanted ongoing access to Arrington, they would soft-pedal any CMMC-AB controversies.
DODIG Corruption, FOIA Violations
Next, the DoD’s Inspector General’s office actively worked to squash formal complaints. In case after case, the IG either ignored complaints filed against the CMMC program (a violation of law), or colluded with Arrington’s office to paper them over. The IG is supposed to be independent but routinely showed it had a huge, fat thumb on the scale, weighing things on the side of the DoD.
Fraud allegation # 5.
Then, the DoD has repeatedly and illegally refused to honor Freedom of Information Act (FOIA) demands that its contract with The Cyber AB be published in full. Under US law, FedGov contracts are public information, and freely available to all, unless they contain classified information, which the Cyber AB contract does not. For four years, the DoD’s office has blocked legitimate, legal FOIA requests, issuing snippets of the contract, and only for a prior version that had already been revised in secret. We have never seen the actual, current contract between the AB and the DoD, and the DoD’s representative, Stacy Bostjanick, claimed personal powers to deny a FOIA based on her own opinions.
That’s not how FOIAs work, and a single government representative can’t deny them “because reasons.”
So we still have no idea what is in the most recent contract between the DoD and Cyber AB, and the DoD remains in willful violation of the law in its attempt to protect this made-up company. And, again, DoDIG won’t enforce the FOIAs, so the only recourse is a private FOIA suit, which no one seems willing to pay to mount.
Fraud allegation # 6.
But Is It A Ponzi?
A “Ponzi” scheme is where a group of people or a company promises to deliver a thing, and asks for donations from “investors” or “members,” promising them a return once those deliveries begin. The scammers then use the money to fund the scam further, knowing full well that there’s no actual product in the pipeline, so nothing of value is being created that can ever generate returns on those investments. While not quite as cut-and-dried as the Bernie Madoff case, the CMMC program definitely ticks the boxes of an illegal scam.
In the case of CMMC, The Cyber AB has spent years not doing the one thing in their name — accrediting stuff — and instead selling worthless “badges” on the promise that someday CMMC will become real, and those badges will have value. The longer The Cyber AB avoids actually accrediting anyone, the further out they can push the scam. This is because The Cyber AB never really was interested in accrediting things, but only selling products based on the DoD’s insistence that CMMC was real.
We’re now entering year FIVE of this program, and there is still no real vision of how CMMC will become anything more than vaporware. Even if it launches, CMMC still has to overcome legal and Congressional hurdles, if not criminal probes.
To date, hundreds of millions of dollars have been spent by private companies and individuals on CMMC products and services, without any actual CMMC program having been launched. Changes in the CMMC plan further made early adopters the biggest suckers, as their purchases were made obsolete overnight, forcing them to buy new ones that align with “CMMC 2.0.” And there’s still no guarantee we might not see “3.0” undo all of those changes, too.
The Solution
The only solution left is to be found in the courts. A lawsuit must be filed that demands an immediate injunction against the CMMC program, until such time as the Dept. of Justice can investigate the allegations of fraud. If it’s found that the DoD and Cyber AB colluded to create a criminal enterprise, those responsible in both private industry and government must be prosecuted accordingly.
At the same time, those who have spent money on CMMC badges may want to consider joining together for a class action suit, which would likely bear some fruit in the courts. The Cyber AB is not likely to stop their incessant grifting until told, by a judge or jury, to do so. And a financial award to victims might be the one thing they finally listen to.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world