In a 2020 interview, Ben Tchoubineh, the head of the CMMC Accreditation Body’s training development efforts, admitted to being “lucky” for simultaneously owning a separate company that could provide CMMC gap analysis and support services for his other companies.
The interview was part of a webinar published in October 2020 between Tchoubineh, who was representing the CMMC-AB, and Thad Wellin of the CMMC consulting firm SecureStrux, and Scot McCloud of Apptega. A transcript was then published on the Apptega website.
In the discussion, Tchoubineh openly admits to operating a company that appears, based on the statement, to be a CMMC consulting firm. Tchoubineh admits he personally used that company to help assist his “IT guy” in another of his companies to implement CMMC. Wellin asked Tchoubineh, “what is your starting point for getting started with a gap analysis?” to which Tcoubineh responded (emphasis added):
I called my IT guy in one of my businesses and I said, Hey, are we ready for this? And he’s like, well, how do you spell CMMC? So, I said, okay, well, let me send you some guidance. Because I have access to the public stuff. None of the private stuff. So, here’s the link to the website and you might want to read it through that. I gave him a few days and called him back. And of course, he hadn’t done a thing. So, I think that’s where we need some help. You said, okay, go find some organization that can come and help you out. The lucky thing for me is that I also own a company that does that. They do gap analyses and so forth, and they’re a cyber company. So, I said call the other company. And so that was my start.
Later in the discussion, Tchoubineh also hinted that CMMC-AB might eventually be providing “template” procedures and documents for CMMC compliance. In response to the question by Apptega representative Scot McCloud as to whether “there will be any templates” available for IT professionals to use, Tchoubineh answered:
That’s a great question. We don’t have any, but your MSSP or your cyber, support organization or consulting organizations should have templates for you to help you get prepared. We have draft templates, but honestly, those are just draft. We’re going to be software agnostic. So hopefully a lot of different applications we’ll be able to plug in with us term, but until then, it’s probably some word or Excel spreadsheet you can use. But we don’t have anything like that right now on our website.
If the CMMC-AB were to provide such templates it would find itself competing with the various consulting firms that purchased Registered Practitioner Organization (RPO) credentials from them, creating a potential legal minefield, as well as creating additional conflicts of interest. The CMMC-AB is prohibited as an organization from providing consulting services, which would include the provision of “templates.”
Tchoubineh owned and/or founded Phoenix TS, 30 Bird Media, and CyNtelligent Solutions. The Phoenix TS company lists Tchoubineh’s wife as its executive, then claims “Economically Disadvantaged Women Small Owned Business” status.
CyNtelligent Solutions does offer NIST cybersecurity consulting services, according to its website. It currently does not explicitly list “CMMC” consulting, but the NIST offerings overlap with CMMC due to that model’s reliance on NIST 800 controls.
The CMMC-AB has been rife with Board member conflicts of interest. Current Vice-Chair Jeff Dalton operates a CMMC consulting firm, and fellow Board member Regan Edens runs two separate companies openly selling CMMC consulting and physical products, such as “CMMC Compliance” sticker packs.
The CMMC-AB Chair Karlton Johnson recently took a position on the Board of Microchip Technology, which appears to be pursuing CMMC certification for itself. Public job postings for jobs at Microchip require “exposure to CMMC controls,” among other requirements.
Johnson and the CMMC-AB leadership have refused to rein in conflicts of interest or enforce the group’s Code of Ethics and conflict of interest policy. The DOD CMMC Project Management Office has acknowledged it is investigating complaints related to the conflicts, but has tied its own success to that of the CMMC-AB and actively attacked complainants and critics. Fearing the PMO is not a fair dealer, Oxebridge has escalated ethics complaints to the DOD Inspector General, as well as Congressional oversight committees and other Federal agencies.
Neither the CMMC-AB nor the DOD PMO has taken any action against Tchoubineh for his public comments in the Apptega webinar.