The flood of confusing or misleading information coming out of the CMMC Accreditation Body seems never-ending, and trying to clarify that information for defense industry companies is becoming a daily chore. I'll have to keep this as brief as possible, but there's a lot to unpack here.

FAQ Tax Claims Disputed

First, the CMMC-AB has updated its FAQ page. The new FAQ worsens things by making claims which defy facts and deny the CMMC-AB’s own role in the spread of contradictory information.

While it may be true that the IRS did not "deny" the CMMC-AB its tax-exempt status (those claiming otherwise have no actual proof), the FAQ now claims that it could not have obtained that status anyway. The FAQ claims that the IRS requires "1 year of trailing financials" before one can apply. This does not appear to be true at all; the official IRS website clearly states that an organization can apply for 501(c)(3) status before it has "completed a tax year":

Full disclosure: CMMC-AB may have some other complicated or legal reason it needs to provide financials, but on its face, the claim by the FAQ is not supported by the standard IRS process.

FAQ Accreditation Claims Misleading

The FAQ relies on the CMMC-AB’s repeated attempts to “re-imagine” what accreditation means, and how it works. The FAQ makes a number of claims about accreditation that are either misleading or patently false.

First, the AB claims that it’s “not an ISO accreditation body.” In reality, there’s no such thing as an “ISO accreditation body”; it’s a somewhat awkward, shorthand phrase to represent accreditation bodies that operate under ISO accreditation standards. Since the CMMC-AB is obligated to operate under ISO 17011, it literally meets that definition.

Next, the FAQ claims that the CMMC-AB’s work is fundamentally different from the work of other accreditation bodies like ANAB. This is wholly false; both ABs accredit CBs to perform assessments. The CMMC-AB does not have, as the FAQ claims, a “very different purpose.” It is identical.

Next, the FAQ falsely claims that ABs like ANAB "have a single set of requirements that enable them to accredit Inspection or Certification Bodies." This is entirely and patently false. In fact, ABs have multiple standards and rules that they have to comply with: ISO 17011 plus a host of requirements from IAF and ISO/CASCO.

Then the FAQ confuses the role of AB and CB (“C3PAOs”) entirely, suddenly saying that “C3PAOs must undergo an ISO 17020 that complies not only with ISO/IEC 17020, but also a set of DOD requirements based on the DOD-provided ‘schema.'” They state this to show how they are different from ANAB.

The claim makes no sense and is also entirely false. Traditional ISO certification bodies also have multiple “schema” they have to comply with. An ISO 27001 certification body, for example, needs to comply with ISO 17021 and ISO 27006, the latter of which dictates how ISO 27001 audits will be conducted. In every case, a certification body is always accountable to the accreditation standard and a set of specific standards or rules specific to whatever they are certifying. You don’t merely get accredited to ISO 1702X, you have to be accredited for something specific. That’s how accreditation works, and it shows just how ignorant the CMMC-AB is on the subject.

There is nothing unique about the CMMC scheme, nor the CMMC-AB’s role here.

Next, the CMMC-AB claims it has to wait for the DOD to finish the “schema” (meaning the official CMMC Assessment Guide) anyway. In reality, nothing is stopping the CMMC-AB from implementing nearly 95% of the ISO 17011 standard now. There is no functional reason to wait for the DOD, except that the AB would have to stop all its badge-selling immediately since ISO 17011 prohibits that.

FAQ Claims on “Master Instructors”

The FAQ then tries to address the conflict of interest raised by CMMC-AB Board members granting themselves superpowers in the form of special credentials. In response to the FAQ question "Are there any AB members that are Certified Assessors or Instructors?", the AB answers, firmly, "No":

No. As authors of the Assessment Method, we have observed pilots and provided feedback, but no AB member is a provisional or certified assessor. For the first three Provisional Assessor classes, the three AB members who authored the training materials and methods volunteered for 15 days to conduct training in an "acting Master Instructor" capacity, but that role is in the process of shifting to a set of Provisional Instructors.

The problem here is that their own CMMC-AB Board Members are the folks who created this problem. In fact, right now under the “Licenses and Certifications” section of his LinkedIn profile, CMMC-AB Vice Chair Jeff Dalton lists “CMMC Master Instructor” certification.

Then there's this, which revealed that Dalton credentialed himself as "Provisional Assessor #1":

So either the FAQ is lying, or Dalton is.

Contrary to the FAQ claim that the "Master Instructor" role is "shifting" from the AB members to Provisional Instructors, which implies that Dalton's role was temporary, Dalton goes all-in and declares his self-granted credential as having "no expiration date."

I suspect within the next few days, his profile will be scrubbed.

False Claim of “Self-Deleting” Contractual Requirements

Meanwhile, over at Reddit, CMMC-AB Board member Wayne Boline falsely claimed that if a defense contract calls out certain cybersecurity requirements that don’t apply to you, you get “a pass” and can ignore them, as “self-deleting clauses.”

There are two problems here. First, Boline isn't a lawyer, and his bosses at Raytheon won't be paying your legal expenses if his advice lands you in court. Second, there's no such thing as a self-deleting contractual clause. If a contract says something, and you signed it, you're stuck. Instead, you have to negotiate the requirement out of the contract before you sign it.

Boline to Appear at Paid RPO Event

Boline's blundering only gets worse, as he will appear later this month at a shadowy "CMMC Midwest Conference" as its keynote speaker. There are a lot of problems here, and again this reveals that not only are the CMMC-AB Board members unaware of what a conflict of interest is, but they are also drawn to them like moths to a lamp.

The CMMC Midwest Conference isn’t a free event, and tickets cost $15 a pop. That means the organizers are earning money for it. The first question, then, is who is the organizer?

The event website and promotional materials go way out of their way to hide the actual people behind it. The copyright notice on the event site credits it to the "CMMC Midwest Conference," which isn't actually a person or company and therefore can't hold copyright on anything. Running a Whois search on the domain "www.cmmcmidwest.org" reveals it was actually registered by the company Ember Technology. The cell phone number used in one of the promo graphics also tracks back to Ember, but nowhere is Ember credited as the event host.

Checking LinkedIn, we find that Ember is a “CMMC Registered Provider Organization” (RPO) credentialed by the CMMC-AB. That means Ember paid the CMMC-AB $5,000 for the credential. Ember also has at least three Registered Professionals (RPs) on staff, also per LinkedIn, so the CMMC-AB earned at least another $1,500 or so for them, too.

So money has already flowed from Ember to the CMMC-AB. The event allows the money to flow backwards, with the CMMC-AB helping promote an event to put money back in Ember’s pocket.

This flow of money is considered a “financial threat to impartiality,” and shouldn’t be happening at all.

Worse, the CMMC-AB shouldn’t be involved in promoting any single consultant over any other, since that is another entire conflict. But the conference is overtly offering consulting — during the event itself! — thus meaning that the CMMC-AB is promoting not only the consultant but the resulting consulting services. According to the website, you can “schedule your Gap Analysis with a CMMC Registered or Certified Organization onsite!” (Exclamation point theirs.)

All of this unfairly gives Ember market advantage over those companies who did not pay for a CMMC-AB badge, and therefore don’t earn a keynote address from the AB’s Board members.

The real problem happens later, though, when the conflict fully unfolds. At some point in the future, Ember is going to provide some company with CMMC consulting. That company is then going to have to get assessed by a C3PAO. That C3PAO will also have paid the CMMC-AB money, so the scheme looks like this (assuming a scenario like that of Ember, where the RPO company also has at least three RPs on staff):

Now imagine that the company does a poor job of implementing CMMC, and clearly should not pass its audit. Will the C3PAO deny them certification? Will the CMMC-AB step up and ensure the C3PAO denies them the certification? If they do so, the CMMC-AB would find itself angering not only the C3PAO which paid it for accreditation, but Ember who bought all those badges. If they don’t step in, then they allowed the flow of cash to trump national security.

This is literally why we have ISO 17011. The world recognized that the fact that companies pay their auditors is, itself, a conflict. So ISO 17011 was created to minimize this conflict by establishing rules for impartiality and objectivity.

Keep in mind, if Boline is getting paid personally for this, then that raises the concern level much, much higher, and suggests full-on corruption.

Boline’s employer, Raytheon, can’t be loving this. It’s their name that’s getting dragged into the CMMC stew of problems.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
