The certification body at the center of the CMMC scheme’s first major complaint has been found to hold a non-IAF accreditation for the issuance of ISO 9001 and ISO 27001 certificates. Such certificates are called “mill certificates” in industry parlance.
Lazarus Alliance of Scottsdale AZ claims to be accredited to ISO 17021 as a certification body by the American Accreditation Association (AAA). The AAA is not a signatory member of the International Accreditation Forum (IAF) and thus issues what are known as “mill” accreditation certificates. Because it is not answerable to any oversight body, AAA is not required to comply with ISO 17011, the standard for accreditation bodies.
AAA is currently listed as “Pending Inactive” in official Virginia state records. That entry reads, “Annual Registration Fee Past Due and/or Penalties Unpaid and Annual Report Past Due – Not in Good Standing.”
The body is owned by Egyptian businessman Ehab El Shamy, and claims a personal residence in Virginia as its principal office. According to Whitepages.com, that address resolves to the El Shamy family. The AAA website, however, claims the company operates out of an office in Tyson’s Corner. Oxebridge contacted the office and was transferred to a UK-based answering service. The answering service could not provide any information on who actually worked at AAA, and had no ability to verify any actual employees of AAA. A representative for the office building at Tyson’s Corner could not verify whether AAA actually operated any business within the structure.
LinkedIn shows other employees of AAA come from Egypt (here and here), Saudi Arabia (here), and other nations in that region.
The AAA accredited the American Learning Center, another company owned by El Shamy, a violation of conflict of interest rules. Since AAA is not answerable to the IAF or any other oversight body, it does not have to adhere to impartiality requirements.
Of most significant concern, however, is that the AAA offers hospital accreditation within the United States. In its marketing, AAA claims it will assign a “dedicated advisor” and then issue a hospital accreditation afterward; this appears to violate rules prohibiting an AB from accrediting its own consulting work. In the US, hospital accreditation is generally provided instead by the Joint Commission, which operates under the recognition of State and Federal agencies, including the US Centers for Medicare & Medicaid Services (CMS).
Accreditation Mill Dangers
“Accreditation mills” generally operate outside the rules of the ISO accreditation and certification scheme, issuing certificates without any oversight and often without performing any audits of their clients at all. The IAF calls such certificates “counterfeit,” and claims the problem results in billions of dollars of fraud:
This traffic amounts to close to 10 billion USD, is run by multinational organized crime and is closely linked to corruption, fraud, and drug and human trafficking. It poses a direct threat to health and human lives around the globe.
Counterfeit certificates are making a false claim about a product or a company, with the intention to deceive or mislead end users. There are various types and systems for counterfeiting certificates, often well-funded and sophisticated, including parallel systems to IAF and the International Laboratory Accreditation Cooperation (ILAC), websites with lists of “accredited” certification bodies and databases for validation. In some cases, accredited CBs or individuals from ABs are complicit in organizing the counterfeiting schemes of large operations.
The impact of counterfeit certificates at the organizational level includes misleading users, loss of confidence, loss of business, poor/dangerous quality, unfair competition, and again, most importantly, facilitation of international traffic of counterfeit goods and services.
There is no evidence that the AAA or its clients are engaged in crime, despite what the IAF claims. The practice is not illegal on its face, but is seen as unethical, and the resulting certificates are frowned upon. Without oversight to ensure an accreditation body complies with ISO 17011, there is no assurance the lower-tier certification bodies abide by any standards or perform any audits when issuing certificates.
But it’s all posturing anyway. The IAF brands these things as crimes, but then does nothing to stop its members from engaging in them. Worse, the IAF doesn’t stop its members from engaging in actual crimes, like criminal defamation, harassment, violation of international sanctions, false arrest, and more.
Reps and Certs Risks
Lazarus Alliance holds ISO 17021 accreditation from AAA for performing ISO 9001 and ISO 27001 assessment audits. The risk for Lazarus clients is that Federal government contracting officers could view certificates issued by the company as counterfeit or fraudulent, as the IAF suggests. More likely, however, is that a company bearing such a certificate would face additional scrutiny from Federal government contracting officers. Typically, US government contracts require such ISO certificates to be issued by a body accredited by an IAF or ILAC signatory, and treat any non-IAF certificates as potentially fraudulent. A company could face debarment if it presented a non-IAF certificate to the Federal government as part of a bid proposal package and did not clearly identify it as being outside the IAF scheme.
It is not clear why Lazarus pursued accreditation with an Egyptian-run accreditation body, given that there are many fully valid IAF-signatory bodies it could have been accredited by, such as ANAB or IAS. Lazarus already has ISO 17020 accreditation from A2LA, which is a full ILAC signatory. Typically, companies pursue these third-world “mill” accreditations to save money and avoid oversight.
But Lazarus is leaning into their mill accreditation. On the official CMMC Marketplace site operated by the Cyber AB, Lazarus claims that it can provide “Certification Body audit services covering 27001, 27017, 27018, 27701, 9001, 90003, 42001, and 31010.” Some of those are not even standards you can get certified against, since they are guidance standards.
Lazarus faces the first major complaint in the CMMC scheme. A complaint filed against it has been escalated to The Cyber AB after Lazarus’ CEO refused to process the complaint in accordance with the CMMC FAR Rule CFR 32 Part 170 and ISO 17020. Instead, Peters accused Oxebridge of “trolling,” running a “kangaroo court,” and engaging in “social engineering crimes.” He claims to have suggested his client file criminal charges and have Oxebridge reported to the FBI.
The escalated complaint alleges a total of 33 violations by Lazarus of ISO 17020, The Cyber AB’s CMMC Code of Professional Conduct, CFR 32 Part 170.9, and its own internal procedure on complaints handling.