The CMMC Accreditation Board (CMMC-AB) has removed language from its official webpage offering “Diamond” membership to those willing to pay $500,000, in what was called by Oxebridge a “Who’s Who” style vanity scheme.

The CMMC-AB has been tasked by the US Dept. of Defense to oversee the rollout of a mandatory Cybersecurity Maturity Model Certification program that the DoD claims will be mandatory for as many as 300,000 companies within the Defense Industrial Base (DIB). DIB companies provide products and services to the DoD and military branches as direct government contractors. The CMMC program is intended to beef up the nation’s cybersecurity defense capabilities, and prevent foreign incursion into systems and illegal access to sensitive data.

The CMMC-AB has an exclusive Memorandum of Understanding (MOU) with the DoD to be the sole accreditation body for the scheme, but the rollout has been plagued with unforced errors and self-inflicted PR disasters. The Board first registered its business in Maryland in January, but then amended its Articles of Incorporation in May to reword prior language that limited Board members from profiting personally. The amended Articles incorporate by reference a set of Bylaws, but the Bylaws were not included in the filing, potentially in violation of the State filing rules. Immediately upon announcing its Board, some members began operating or promoting their own CMMC consulting companies or websites, showing their intent to engage in such profiteering.

In the ISO accreditation scheme, the US accreditation body ANAB was formed specifically due to such conflicts of interest. Under its prior name “RAB,” the body offered both accreditation of companies and certification of personnel. In the early 2000s, RAB was forcibly split into two, and ANAB took over accreditations while the auditor certification operations were sold to an Australian firm. The ISO 17011 accreditation rules were then strengthened to prevent such conflicts from arising again.

The CMMC-AB also claims 501(c)(3) tax-exempt status, as a not-for-profit “charity,” but it is not clear if the status was officially filed with the IRS. The IRS has no records for the CMMC-AB, but the IRS website does indicate that any filings entered after March may not appear due to COVID-19 delays.

Regardless, the activities to date appear to violate IRS and Maryland rules which limit the activities of not-for-profit organizations, specifically the rules related to UBIT, or unrelated business income tax. If a 501(c)(3) engages in the sale of products or services that do not serve its official purpose, those revenues can be taxed, or the organization can have its 501(c)(3) status stripped entirely, with Board members held individually responsible.

CMMC-AB also announced a joint venture, which it called a “partnership,” with Dun & Bradstreet, prompting questions about whether the venture would result in revenue subject to UBIT. Immediately, D&B began promoting the CMMC scheme in return.

Unforced Errors & Accusations of “Pay to Play”

In addition to questions about its tax status and Board member self-dealing, the CMMC-AB has been plagued with self-imposed missteps that appear to run counter to the notion that an Accreditation Body will operate in a manner that is impartial and free of conflicts of interest.

CMMC-AB is currently selling or plans to sell certifications — branded, in some cases, as “licenses” or “registrations” — for training curriculum developers, training providers, assessors, and “internal consultants.” Each of these programs would violate ISO 17011, which is a requirement for the CMMC-AB imposed on it by the DoD. The schemes have also raised “pay to play” accusations from industry insiders.

On September 4, the CMMC-AB went further, and announced a “Partner” program in which it attempted to sell “Diamond” and other leveled titles to those willing to donate significant amounts of money. The Diamond level required a donation of $500,000. The lowest level, “Bronze” partnership, required a $5,000 donation.

The program mimics vanity publishing promotions similar to the “Who’s Who” models which have victimized millions over many decades. In such schemes, individuals donate money to be listed in a publication that alleges those included are important people, but in reality the publication is merely a registry of those who paid for the placement. Membership in a “Who’s Who” style vanity directory does not ensure any qualifications of those listed.

Two Board members indicated they were wholly unaware of the program and learned of it only after the post circulated within social media. They indicate that if there had been a Board vote, they were not told.

Upon learning of the scheme, Oxebridge immediately filed a complaint with the Maryland Secretary of State, alleging violations of that state’s Solicitations Act. Oxebridge then reached out to Katie Arrington, the DoD official who is overseeing the CMMC-AB program and who helped establish the CMMC-AB. She did not reply.

At the same time, however, attorney Robert Metzger raised concerns over the offering in a set of posts on LinkedIn, asking the CMMC-AB to consider the public relations fallout:

The Cybersecurity Maturity Model Certification Accreditation Body has a vital role to play as the assessment intermediary between Government and industry. It must be trustworthy. Transactions with even the appearance of self-dealing must be avoided. They call into question whether the AB acts objectively or because of purchased favoritism.

Behind the scenes, the move was decried by cybersecurity professionals as an “open invitation for corruption,” and “astonishingly dumb.” One commenter remarked, “it’s like they want to go to prison.”

Following the outcry, on September 6th, the CMMC-AB “Partner” page was amended to remove the Diamond level offerings, with a text placeholder reading “Page Pending Revision.”

It is not immediately clear if the page was pulled because of Mr. Metzger’s prominence, the notifications made by Oxebridge, or a combination of the actions.

The CMMC-AB has another “pay-to-play” scheme already in place, for which it already has collected revenue, however. For $5,000, a consulting firm can obtain “Licensed Partner Publisher” (LPP) status with the AB, and be granted the right to develop training programs which CMMC-AB must then “approve.” Oxebridge argues this means CMMC-AB is certifying training providers, which would fall under ISO 17024, and be prohibited under ISO 17011. It is also not clear how such organizations — which are listed here — were vetted. When asked, one LPP provider — Taiye Lambo of Holistic Information Security Practitioner Institute — refused to provide details, instead referring Oxebridge back to the CMMC-AB.

CMMC-AB is offering similar programs for “Registered Practitioners,” “Licensed Trainers” and “Licensed Training Providers.”

Oxebridge is preparing a Freedom of Information Act (FOIA) filing to obtain the CMMC-AB’s “Assessment Guide,” which dictates how CMMC appraisals will be carried out. Requests for the guide made to the CMMC-AB have been refused, with Board members claiming that “the DoD owns the Guide.” If so, the Guide would be a public document, unless declared classified or controlled for some national security reason. Board members and CMMC-AB insiders have been granted access to the Guide, however, prompting arguments of backroom deals designed to give Board members an unfair competitive advantage in the CMMC consulting and training space.

Other Actions Pending

Oxebridge has already filed an IRS complaint against CMMC-AB, asking the government to confirm the group’s tax status and investigate if any tax violations have been triggered to date due to the Board’s actions. That complaint did not include the Partner program details, which may prompt a new IRS filing.

Some have defended the moves saying the CMMC-AB is mandated by DoD, but not funded by it, forcing it to “desperate measures” in order to fund Arrington’s rollout timeline. Critics have insisted the profiteering all but ensures any resulting certifications will be suspect, and will not provide assurances of proper cybersecurity improvements.

Despite not having an appraisal method finalized, no listing of staff, no complaints or appeals procedure, and missing many other basic requirements for an accreditation body, the CMMC-AB and DoD — through Arrington — insist the project is on track and will start appraisals within this year. Arrington has claimed that the program will be mandatory, driven by official DoD contracts as early as next year. The DoD has insisted the requirement will be flowed down to over 300,000 companies, but the exact number of DIB companies is not known, and is estimated to be smaller.

If Arrington’s numbers are correct, and assuming an estimated implementation and appraisal cost of $200,000 per company, the program would impact the private defense industry to the tune of $60 billion. DoD promises a portion of this would be tax-deductible, but it’s not clear the DoD has the authority to make that claim, given that the fees would be payable to CMMC-AB and countless other “licensed” private firms, many of whom are for-profit companies.

Oxebridge argues that while enhancing the nation’s cybersecurity infrastructure is critical, the current Arrington/CMMC-AB program will likely bankrupt many DIB companies while doing little to improve security.

Instead of a rapid rollout, it appears the AB will be swamped with regulatory contests and lawsuits over its actions to date, which are certain to delay the program.

The CMMC program is also likely to be affected if the Presidency changes hands after this year’s US elections.

Related Post: CMMC-AB Would Likely Not Survive Legal Challenge Due to “Impossible” MOU


Update 9 Sept 2020: After the above post appeared in the Washington Post piece this morning, Katie Arrington appeared to distance the DoD from the CMMC-AB move with a post on LinkedIn:
