Back in August, we announced that Oxebridge would be providing independent oversight of the CMMC scheme. It is clear the scheme actors didn’t really know what to make of the announcement, but are starting to see it now.
Here’s a roundup of the oversight activities to date.
Arrington’s Hiring Now Subject to FOIA
We have submitted a Freedom of Information Act (FOIA) request to the US Office of Personnel Management regarding the hiring of Katie Arrington. Specifically, we are looking for records that will prove Arrington faced competition in winning the job overseeing the CMMC program. This has been called into doubt since the normal educational requirements for a Chief Information Security Officer and a Senior Executive Service (SES) government assignment typically include some level of college. Arrington has no degree, and the CISO role she won was mysteriously stripped of any education requirement, as if the job posting was “tailored” specifically to her. Other people who applied for the position were not considered, even though their education and cybersecurity experience far outweighed that of Arrington.
ISO 17020 Required for C3PAOs
The CMMC-AB has announced that the US Dept. of Defense is requiring all C3PAOs to achieve ISO 17020 accreditation. That hasn’t stopped the CMMC-AB from approving and announcing a host of C3PAOs, none of which have actually obtained this accreditation. Thus we can assume the procedure will be (a) obtain CMMC-AB approval, then (b) get ISO 17020 accredited.
As a result, none of the C3PAOs who have announced their status are eligible to conduct a single appraisal at this time because none have obtained ISO 17020 for the CMMC scheme. Not one.
Oxebridge will be supporting their efforts, though, by offering ISO 17020 implementation for the C3PAOs. So far, none have stepped up, which is troubling. While the C3PAOs are grunting at the DIB over its foot-dragging on CMMC compliance, the C3PAOs themselves are dragging their feet getting into ISO 17020 compliance.
And it’s nuts, too, since it only takes a few months.
To make things a bit easier, I have released the following video explaining the ISO 17020 requirements for CMMC C3PAOs:
C3PAOs Already Inventing Bullshit Requirements
A newly minted CMMC C3PAO (certification body) announced an entirely made-up requirement, which it claims it overheard during a CMMC-AB Town Hall. In a post on LinkedIn, a representative of Summit Business Technologies declared the following:
You will need to maintain 6 months of historical artifacts showing compliance. Fail to do that and you will fail your assessment.
Umm, no. Neither the CMMC Model nor the official CMMC Assessment Guide has any requirements for minimum records, so a C3PAO can’t make that up on their own. If the CMMC-AB really does intend for that to be a requirement, it will have to document that within formal procedures that become part of each C3PAO’s accreditation, and which are made available to the DIB community. You can’t audit against “invisible requirements” that no one knows about. (I have been requesting those formal procedures, and they are — as usual — not forthcoming.)
It’s also unworkable. Somewhere, a major firm like E&Y will create a quickie spinoff PMO to support a DOD contract, and need to get CMMC appraised in under six months. They are not going to take kindly to the CMMC-AB making up arbitrary rules that inhibit their ability to win contracts worth hundreds of millions of dollars. The CMMC-AB will be sued until blood runs from their eyes.
Again, we see the CMMC-AB and its scheme actors making the same mistakes the ISO community made back in the late 1980’s and early 1990’s.
CMMC-AB Tax-Exempt Status in Question
The tax-exempt status of the CMMC Accreditation Board continues to be a (needless) mystery. We have had multiple people scouring IRS records, and today alone I went through thousands of tax-exempt filings made since September of 2019. In the end, there is no evidence that the CMMC AB ever filed for any tax-exempt status.
There may be some explanation, but as usual, the CMMC-AB won’t talk. That’s suspicious, and a huge problem for the CMMC-AB since it has been collecting revenue for over a year.
In the interim, we have filed a FOIA request with the IRS to have the group’s tax status revealed, as well as filed a Form 4506A to have the IRS provide copies of whatever filings the group may have made to date. We will see if that dredges up anything.
Some have suggested this will make the CMMC-AB’s recent contract with the DOD null and void, but I am not an expert on that. I do have some pings out to attorneys asking that very question, though, and will report back.
Victory — Of Sorts — In ADA Complaint
As you may recall, we filed an official complaint against the CMMC-AB alleging that its various training programs violated Federal law by failing to comply with the US Americans with Disabilities Act (ADA). In a remarkably bad move, the CMMC-AB Board not only ignored the complaint and refused to acknowledge it, but also moved to cut off avenues for communication by blocking me on LinkedIn.
That resulted in the matter being escalated to the US Dept. of Justice, which enforces ADA, with an allegation that the CMMC-AB was actively discriminating against those with disabilities. Since the DOD has dictated that only CMMC-AB approved assessors will be able to work as assessors, the CMMC-AB’s discriminatory acts would prevent those with low hearing or low vision from obtaining employment — thus, in violation of ADA.
That complaint came through the ISO Whistleblower Program from someone who was a service-disabled veteran, and at least we can announce a small victory. While ignoring the complaint and establishing a hostile posture with both disabled veterans and folks like Oxebridge who file official complaints, the CMMC-AB’s head of training, Ben Tchoubineh, did announce, during a recent “Town Hall” meeting, that the updated materials “will be ADA compliant.”
Still No Complaints Procedure
The CMMC-AB still has not published an official procedure on handling complaints and appeals, and it’s not like they don’t need one (see the item above). They are wholly unprepared to handle the coming flood of complaints from DIB companies, aggrieved C3PAOs, and other stakeholders. But, as usual, the Board members posture as if they know better than anyone else, about everything. That never ends well.
CMMC Could Have Prevented Solarwinds Hack
No, of course, it couldn’t have. But that hasn’t stopped people from falsely claiming it anyway.
Town Hall Disaster
Speaking of the Town Hall, the CMMC-AB gave its online meeting to a closed group, thus hardly enabling it to be called a “Town Hall.” But the event was eventually released online in video form, and it provides a glaring insight into what the CMMC-AB thinks its priorities are.
The video is essentially a long-form “infomercial” for the unending certification schemes the CMMC-AB has cooked up, and which it is selling at pace (despite not having settled its tax questions, apparently).
From certified RPs to RPOs to C3PAOs to PAs, the CMMC-AB has elected to prioritize its own revenue stream over the nation’s cybersecurity, all while insisting the people behind it are all “patriots” and “volunteers.” Many of them are getting paid, so it appears that neither of those statements is wholly true.
I’ve said that others are using the term “grift” to describe the CMMC-AB’s model, and I have hesitated to use the word, but that didn’t stop me from coming up with the satirical CMMC-AB badge seen in the accompanying image.
Seriously, it’s gotten out of hand, and there’s likely no way the CMMC-AB can ever be taken seriously until the current Board is thrown out en masse, and the thing started over from scratch. The inclination towards corruption and self-dealing is too strong with the current Board group.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
Chris, thanks for your continued interest in this scheme – we follow your commentary with keen interest. Just one re your 17020 video. The Townhall meeting of 17 Dec stated on one of the slides that “C3PAOs will need [to] be formally accredited in ISO/IEC 17020 by the CMMC AB within 27 months.” So even though we are accredited as a CB by UKAS (under 17021), and many of the requirements of 17020 echo those in 17021, we will be required to go through accreditation with the CMMC AB separately for this scheme. Hope that helps. Best regards.