Meet Rob MacDonald, supposed “CMMC Marketing Expert,” whose self-made claim to fame seems more focused on using the Cybersecurity Maturity Model Certification program as a tool for advertising than for, you know, shoring up the nation’s cybersecurity footing.

That in itself deserves our disgust. CMMC, which is being mandated by the US Dept. of Defense, should be something that is trusted and wholly without any sense of charlatanism. But since its launch, it’s been anything but. But this latest work by MacDonald drops the scheme even further into scum-filled muck. MacDonald isn’t even pretending that CMMC is anything but a marketing boon. He runs an assortment of websites dedicated to marketing the DoD cybersecurity program, but does not appear to have any cyber experience himself. A long career in marketing, sure, including what appears to be a gig as one of those “paid content” blog writers, but nothing in cyber.

MacDonald runs a company called “PlumDIBS CMMC Marketing.” Here’s how MacDonald pitches his services:

We have a marketing system that helps compliance leaders attract great clients on LinkedIn by positioning them as the go-to experts in CMMC.


PlumDIBs Marketing is different. We have a marketing system for attracting great clients by positioning you as the go-to expert in CMMC.

He’s not even trying to sell the sober necessity of bolstering the country’s cybersecurity using CMMC. Instead, he’s going to get you LinkedIn leads and (one source told me) email lists to help you push your products in the face of Defense Industrial Base companies.

But hold on. It gets worse.

These Aren’t The Droids We’re Looking For

MacDonald claims to have written a book on this subject, called CMMC Marketing: 7 Strategies to Remain 3 Years Ahead of Clients as a C3PAO. If you recall, a “C3PAO” stands for “certified third-party appraisal organization” and refers to the companies that will be eventually accredited by the CMMC-AB to conduct CMMC audits and issue certifications.

In what appears to be a shameless email harvesting tactic, you can sign up to get a “free chapter” from the book on the website 7×. I did so and never got a reply, even three months later, so I’m starting to think the book doesn’t actually exist.

But we’re still not done. The self-proclaimed “marketing expert” MacDonald tries to play on the term C3PAO by using the image of the Star Wars droid C-3PO on the book’s cover:

Quick reminder for the kids at home: Disney owns Star Wars, and they do not take infringement of their licensed characters or trademarks lightly.

Maybe MacDonald got permission from Disney, but it’s nearly impossible that would be the case. First, he doesn’t include any required language indicating this (“used with permission” or “used under license by Disney”, etc.). Next, what’s the honest likelihood that Disney would grant a license to some largely unknown guy pushing a book on cybersecurity certifications?

(I’ve written to Disney’s IP legal enforcers to find out. MacDonald himself has not replied to my request on this issue, but I’m open to updating this article if he can prove he has the Disney license.)

And it’s not the first time, either. Here’s a PlumDIBs ad using the creature from the Alien franchise, also owned by Disney now:

So we’re supposed to be taking both cybersecurity and marketing advice from a guy who apparently does not understand trademark infringement. Sigh.

Oh, but there’s still more. This is like medieval dentistry performed by tree sloths.

Endorsements Gone Awry

Both MacDonald’s LinkedIn promo and his PlumDIBS website included an endorsement by Jeff Dalton, one of the CMMC-AB’s Board of Directors members. The endorsement listed Dalton under his official CMMC-AB title, making it appear to be a de facto endorsement by the AB itself, and claiming the AB was a “client” of PlumDIBS:

When I pointed this out on LinkedIn, Dalton initially snapped back angrily, denying any problem and accusing me of “slandering” him for suggesting there was a problem here.  He ran to the Trump “fake news” because, why not? Said Dalton:

That’s just Orwellian fake news and a cheap shot. I’ve known the author for years and he’s one of the brightest and most successful marketing talents in the tech world, so of course I’ve endorsed him. Everyone should.

In an hour or so, common sense set in — or maybe because I contacted other AB Board Members and alerted them to this debacle — he apologized and had MacDonald remove his name. Now, the Dalton quote is still up on the PlumDIBS site, but is attributed to an anonymous “CEO & Compliance Leader.” Apparently, MacDonald couldn’t get anyone else to quote? I guess Chewbacca was busy?

Again, there’s so much wrong here, it’s hard to absorb. The general takeaway though is that so many people involved in this CMMC scheme seem wholly incapable of identifying a conflict of interest, even as they insist they are free of them. They also really don’t seem to understand that getting CMMC right is critical to national security, and that this isn’t some game to be played for one’s personal advancement or “marketing.”

We have seen what happened to the ISO certification scheme when it was overrun by registrars and consultants. The CMMC folks are dead set on ignoring decades of history so they can repeat it.

To which I say, “Maclunkey!”

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

