The architects of a controversial plan to fund the CMMC Accreditation Board with $500,000 “Diamond” memberships have been ejected from the body after a vote of no confidence.
Ty Schieber and Mark Berman were tossed from the CMMC-AB after industry reporting on the debacle, including initial reports by Oxebridge. Upon learning of the deal, Oxebridge immediately filed a complaint with the Maryland Secretary of State alleging that the CMMC-AB had violated that state’s Solicitations Act. Oxebridge also reached out to the DoD’s Katie Arrington, who leads the government’s efforts to establish the CMMC program, alerting her that the Diamond program represented a serious conflict of interest.
Within 24 hours of Oxebridge’s reporting, the “Diamond” offer was pulled and replaced by a message from Schieber. That message failed to take accountability for the error, and falsely claimed the Diamond program was just a “potential” funding scheme, clearly contradicting the information published on the Diamond page itself. Schieber also promised not to take funding from companies that might later seek CMMC certification, but did not rule out funding from other scheme actors, such as private consultants or training organizations.
Oxebridge founder Christopher Paris publicly called for Schieber to resign, saying he was attempting to “gaslight” the defense industrial base with his explanation. Paris called the Diamond program a “Who’s Who style vanity scam.”
Oxebridge’s reporting was then picked up by major outlets including the Washington Post, putting more pressure on Arrington and Schieber. At the same time, Paris privately contacted select Board members to relay his concerns. This included a warning that if Schieber was found to have violated any IRS regulations related to the group’s alleged 501(c)(3) tax-exempt status, they could face personal civil and criminal liabilities.
Within a few days of the Post piece, the Board held a vote of no confidence in Schieber, which sources say occurred on Friday, September 11th. Multiple sources reported to Oxebridge that Berman was included in the decision due to his development of the “Diamond” program’s graphics and webpage, and subsequent publishing of it without a formal Board vote. Berman often responded personally when stakeholders reported issues with the CMMC-AB website, and appeared to be the group’s de facto webmaster.
The CMMC-AB then spent the weekend determining how to announce the departure. An announcement was expected last night, but when that did not occur, the industry news journal Fedscoop published the news without waiting for a formal statement. Fedscoop reports that neither Schieber nor Berman would comment on the news.
On LinkedIn, Arrington claimed the Fedscoop report was “incorrect,” and blamed “naysayers.”
The Board has since claimed Schieber and Berman “resigned.” In a public post on LinkedIn, Schieber only claims he “resigned,” making it appear it was his decision:
So we are clear… I tendered my resignation as Board Chairman and Director of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) effective September 11, 2020.
I feel that it is time for a change in leadership to inject refreshed perspectives and energy as the initiative enters its next phase.
One Oxebridge source confirmed that Schieber resigned, but disputed the timeline, saying he did so “after he was voted off.”
FedScoop provided the following statement to Oxebridge:
The DOD provided FedScoop with a comment confirming the departure of Schieber and Berman. We stand by our reporting.
The Board had previously faced an exodus of many of its members.
Berman sells a cloud product called FutureFeed, which would be used by CMMC certified companies to ensure compliance, raising serious concerns over conflicts of interest and profiteering by the Board’s members. A recent editorial by healthcare security professional James Dapper accused the Board of impropriety, saying, “All of these volunteers signed documents regarding conflict of interests and since that time they have ALL started their own companies with [a] set of offerings in this CMMC market without completing the job they were assigned to do as volunteers.”
Both Schieber and Berman may still face investigation if any fundraising or other revenue collection was done outside of established rules governing tax-exempt organizations. The IRS still has no public record of the CMMC-AB formally being granted 501(c)(3) status, but the IRS website does indicate there are delays in public reporting. The formal Maryland filings for the group also do not include mandatory bylaws, which appear not to have been finalized despite the CMMC-AB operating and collecting revenue. As of September 16th, the CMMC-AB website still claims such bylaws are “under development.”
The lack of bylaws and official tax-exempt status may prove critical. Under Schieber, the CMMC-AB formed “partnerships” with for-profit organizations such as Dun & Bradstreet which may run afoul of IRS regulations, prompting Oxebridge to request a formal IRS investigation. The group also collected a reported $1 million in fees associated with applications from prospective CMMC certification bodies, or “C3PAOs,” as well as from auditor trainees. It is not clear how this money was processed if the CMMC-AB has not yet finalized its tax-exempt status, or is operating without bylaws.
US law requires Board members to comply with bylaws and Articles of Incorporation or face “ultra vires act” suits. Operating a nonprofit without any bylaws at all may only increase that legal exposure.
The CMMC-AB has struggled to fund itself after a decision by Arrington and the DoD to create the group but then provide it no funding. Some have suggested that the “self-funding” demand led Schieber to seek creative funding methods that subsequently violated the group’s core mission.
No one on the Board has any experience in accreditation, leading the group to make systemic errors that violate international rules for the operation of an accreditation body. This includes confusing the concepts of “certification” and “accreditation,” and offering accreditation of C3PAOs alongside certification of personnel at the same time. Such conflicts of interest are prohibited under accreditation standards such as ISO/IEC 17011.
Focus now falls on Katie Arrington, who has been criticized for being largely uninformed on cybersecurity matters, even as she was given the task of rolling out the CMMC program to over 300,000 defense industry companies. A political appointee of Donald Trump, Arrington recently put out a video urging people to “change their passwords.” The video was seen as largely amateurish given that her duties include defending the nation’s entire cybersecurity supply chain.
She recently caused confusion with statements that the planned CMMC ML3 level may undergo changes to pare down requirements, rather than strengthen them. According to an article on Inside Cyber Security (paywall), Arrington has contradicted her prior statement pushing companies to adopt CMMC now, and instead is warning companies to “hold off” on pursuing ML3:
Arrington has been widely mocked for referring to Controlled Unclassified Information (CUI) as “cooey,” prompting a host of memes.
Schieber is a former work colleague of Arrington, and donated money to her failed Congressional campaign, according to Fedscoop. The closeness of Schieber to Arrington led many to suspect the CMMC-AB of cronyism.
Schieber will be replaced by Karlton Johnson.
UPDATE 18 September 2020: the DoD has claimed that Schieber and Berman were not voted off, contradicting Oxebridge’s sources. The FedScoop reporting was updated with the following statement from the DoD:
The DOD denied that Schieber and Berman were removed, saying “there was no ‘ousting’ of leadership; they left of their own accord.”