The CMMC Accreditation Body (CMMC-AB) has rebranded itself under a new organizational name, “The CyberAB.” The company has created a new website for the brand, located at www.cyberab.org.

The new website includes an updated page dedicated to the latest Board of Directors, led by consultant Jeff Dalton. The pages on ethics, marketplace, and services largely contain similar content to the old CMMC-AB page, but with updated graphics and layout.

The CyberAB page does, however, include a number of demonstrably false claims, even as it boasts about its ethics. On a page dedicated to the subject of ISO 17011, the accreditation standard which the US Dept. of Defense has demanded the group comply with, CyberAB falsely claims, “the Cyber AB aligns with the ISO/IEC Standard 17011 to provide for a consistent application of conformity assessment to international consensus-based standards and conformity assessment schemes, to benefit the CMMC ecosystem and cybersecurity industry.” In fact, the AB’s dedication to an “ecosystem,” composed largely of consultants, specifically presents hurdles for its compliance with ISO 17011. In order to comply with that standard and meet DOD mandates, the AB would have to divest its relationships and financial ties to consultants, as these create insurmountable conflicts of interest. The AB has refused to do so, and has simply doubled down on claiming such relationships are acceptable.

The website also falsely claims, “the Cyber AB accredits CMMC Assessors to the ISO/IEC Standard 17020.” In fact, the AB cannot accredit anyone until it obtains ISO 17011 for itself.

On its “Living Our Ethics” page, the AB falsely asserts that its code of ethics requires that leadership “refrain from the pursuit of private gain.” The page is signed by Jeff Dalton, who himself sells CMMC consulting services under his company Broadsword Solutions. Dalton has been the subject of ethics complaints, which the AB later whitewashed.

Of the listed Board members, at least half have existing conflicts of interest that the Board has refused to address, even as the AB’s “Living Our Ethics” page claims members are required “to speak up and take action should anyone encounter situations that are inconsistent with these values.” Consistently, when faced with formal complaints alleging corruption or conflicts of interest, Dalton and the Board have either ignored the complaints or attacked the complainants.

A new page entitled “Dispute Resolution” is still largely empty, but will presumably provide some form of resolution for disputes. The defense industrial base is keenly interested in how the AB will deal with complaints and disputes, given its history of antagonism with them thus far.

Ignoring the conflicts of interest entirely, the new CyberAB leans heavily into its ecosystem, with multiple pages dedicated to the subject. On a page entitled “The CMMC Ecosystem: A Collective Mandate,” the AB falsely claims, “The Cyber AB, (originally established as the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)), independent of the DoD, was established along with the release of the framework to manage and oversee CMMC accreditation, certification, approval, training, and assessment processes as an intermediary organization across the ecosystem.” In fact, the contract between the DOD and CMMC-AB only allows the AB to manage limited aspects of the scheme, makes no mention of an “ecosystem,” and demands that the AB spin off its personnel credentialing program to an independent body, to be called “CAICO.” The demand was made by DoD in order to ensure the AB could comply with the impartiality requirements of ISO 17011.

Instead, the new CyberAB ignores CAICO entirely, and claims the authority to certify persons for itself, saying, “The Cyber AB aligns with the globally accepted benchmark referred to as the ISO/IEC Standard 17024 for organizations operating certification of individuals.” Under decades-long rules, an accreditation body operating under ISO 17011 cannot also be a certification body operating under ISO 17024. This is because accreditation bodies accredit certification bodies, and therefore an AB cannot, itself, be a CB.

The claim reveals the lack of basic understanding by the AB and its leaders of the ISO 17000 series of standards under which they are required to operate. The AB has resisted all attempts to inform them of these basics, with Dalton claiming to other Board members that he is an expert in this subject.

At the same time, sources tell Oxebridge that, as part of the rebranding, members of the AB itself will announce shortly that they have formed CAICO, as a related organization to the new CyberAB. If this proves true, the relationship between CyberAB and CAICO will not comply with ISO 17011. It is thought that Dalton believes the AB can hold ISO 17011 and have CAICO run as a subsidiary under ISO 17024. Such an arrangement would not be recognized by international accreditation oversight authorities, and would essentially turn the AB into an “accreditation mill.”

Sources say the term “ecosystem” was adopted by Dalton to describe the full breadth of AB players, including consultants, trainers, and assessors. It was then embraced by CMMC-AB CEO Matt Travis, and largely turned into a standard talking point within the CMMC community. To those outside the CMMC world, however, the scope of the “ecosystem” represents gross conflicts of interest. The AB will eventually be tasked with ruling on assessments and disputes involving the consultants and trainers it has credentialed, making it impossible for it to rule objectively.

The DoD contract is with the “CMMC Accreditation Body, Inc.,” registered in Maryland. But the new website claims the site is copyrighted “CyberAB,” suggesting it is its own legal entity. Maryland business records do not show a listing for the new company. It is likely, therefore, that “CyberAB” will be a “DBA” (doing business as) designation. Had the AB formed as a new legal entity, it would have to obtain its own CAGE code and tax-exempt status for it to be recognized by the DoD. As a result, the CyberAB is likely still the CMMC-AB, with just a new brand name.
