As the CMMC Accreditation Body slides into further irrelevance, its Board is not going down with a fight. Or with dignity.

Right now former (and ousted) Board members are receiving “Presidential Volunteer Service Award” medals, along with certificates, to attest to their spirit of volunteerism. There are, of course, a few problems with this.

First, the medals were purchased for $10.50 apiece, as the program is a vanity award, not an actual thing handed out by the President. The Americorps program allows anyone to buy the medals for themselves or their friends, and requires only submitting a spreadsheet of volunteer hours claimed. I spoke to someone at Americorps office, and they confirmed that they do not verify the volunteer hours, nor the truthfulness of any claims made by the applicants. “We trust people to be honest,” the rep told me. If the paperwork is in order and the check clears, the awards are sent out.

The program is considered a modern take on the “Who’s Who” scam registries, where someone would buy placement in a book of notable persons in order to pass themselves off as, well, notable.

Second, the awards were purchased by ousted Board member Regan Edens, who was removed from the Board in June of 2021. Edens provides products and services for CMMC, and stood to financially benefit from his role as a “volunteer” at the CMMC AB. In truth, Edens was thrown out after publicly clashing with the AB’s own Industry Advisory Council, calling one member a “troll” for questioning his conflicts of interest. That proved too much of a PR nightmare, so Edens was shown the door. CMMC AB CEO Matt Travis later crafted a new story, suggesting Edens was removed as part of the AB’s crackdown on conflicts of interest. In reality, the remaining Board members nearly all have conflicts, so the story doesn’t hold up.

Edens buying $10 medals for his pals smacks of a desperate and needy attempt at redemption. It probably worked, though, since they still keep Edens around on the CMMC-AB’s “Standards Development Committee,” a thing that doesn’t do much since the CMMC-AB isn’t allowed to develop standards.

So expect to see a lot of posts by conflicted, self-promoting consultants claiming their work at the CMMC-AB was just volunteering, and not an attempt to market their various consulting companies. Even though that’s exactly what they did.

The work of the Board was largely thrown out as DoD was forced to address industry concerns and release “CMMC 2.0.” That reboot removes almost all of the role of the CMMC-AB, as it shifts focus back to self-attestation by defense companies. CMMC-AB accredited audits now only comprise a tiny fraction of the remaining CMMC certifications, under the 2.0 plan.

As a side note, as if to remind you what assholes they are, new CMMC-AB Chair Jeff Dalton — who also sells CMMC consulting services — publicly attacked reporter Sara Friedman of  Inside Cybersecurity for her reporting. Friedman published a piece discussing how Dalton had claimed, at a public event, that he was not releasing CMMC assessment process guide due to “national security concerns.” That prompted Travis to issue a corrected statement, but Dalton took to LinkedIn and claimed Friedman had misquoted her, even as he then confirmed what she wrote. He also attacked the “American press,” because if you’re a patriotic “volunteer,” attacking a free press always drives the point home.

I’m no fan of Friedman, who couldn’t ask a follow-up question if her life depended on it, but Dalton’s off his chain here.

I’m taking bets on how long it will be before Dalton is shown the door like his predecessors Edens, Tchoubineh, Johnson, Schieber, Berman, and… sorry, I’ve lost track at this point.




ISO 45001 Implementation