[UPDATE: the C3PAO has responded by accusing Oxebridge of “trolling.” See update at end.]

In the first formal complaint filed since the CMMC Final Rule went into effect, a CMMC auditing body, known as a C3PAO, has been accused of multiple violations.

The issue arose when it was found that Willrich Precision included a “CMMC 2.0” logo on its website, implying it was certified. Oxebridge challenged that, and representatives of Willrich wrote that they assumed they were “compliant.” Willrich attached a PDF document featuring the US Dept. of Defense logo on the cover and the company’s confidential NIST 800-171 SPRS self-assessment score.

Upon reading the report, it was evident that it was not a DoD report, but a NIST 800-171 assessment prepared by Lazarus Alliance, an “authorized” CMMC C3PAO. Oxebridge investigated and found that the DoD cogwheel logo used was taken from a CMMC consulting company, Continuum GRC, which is run by the same management as Lazarus.

In its response to Willrich, Oxebridge clarified that whatever the report represented, it was not related to CMMC and was not an indication of “certification.” Oxebridge then raised questions for Lazarus, and sent the response to both parties.

Rather than answer the questions, Lazarus admitted that Willrich was not certified, but then gave them two logos to use “as you see fit,” creating more problems. Both logos referenced the Continuum GRC software product “IT Audit Machine” while one clearly uses the word “CERTIFICATION” and another uses the logo of The Cyber AB.

Logos provided by Lazarus (marked by Oxebridge to prevent unauthorized use)


Oxebridge has now filed a formal complaint against Lazarus, alleging multiple violations of the CMMC Assessment Process (CAP), the CMMC Code of Professional Conduct, as well as the overall rules governing CMMC services. The allegations include:

  • That Lazarus is conflating its non-certification services, such as a NIST gap analysis, with CMMC certification.
  • That Lazarus is providing logos that improperly use the DoD and Cyber AB logos, to mislead readers into believing these organizations endorsed the Lazarus services.
  • That Lazarus conflates its consulting wing, Continuum GRC, with its CMMC certification services.
  • That Lazarus is setting a precedent by allowing clients of any service to use CMMC logos, even if the service is not CMMC-related.

For the latter issue, Oxebridge wrote in its complaint:

If this practice is allowed to stand, CMMC C3PAOs will be allowed to hand out official-looking CMMC certification marks to clients who hire them for any service at all, even those unrelated to CMMC. This dilutes the mark and the CMMC scheme itself.

The complaint was filed with Lazarus, and copies were sent to the DoD’s CMMC Program Management Office as well as the official Cyber AB complaints address.

The incident highlights the worry that the CMMC scheme will become a “logo-based” scheme where official-looking logos are issued to companies regardless of their actual CMMC compliance. The cybersecurity profession, in particular, is highly dependent on personnel certifications and logos, regardless of their actual merit or credibility.

Certification schemes like those of ISO and CMMC rely heavily on the impartial and objective processing of complaints in order to ensure the credibility of resulting certifications. Since 2000, Oxebridge has processed complaints on behalf of stakeholders, industry organizations and the public, at no cost.

CMMC stakeholders and the public may file confidential or anonymous reports of fraud, scams, conflicts of interest or other problems through the Oxebridge ISO Whistleblower Reporting tool.


UPDATE: Less than 90 minutes after the complaint was filed, the Lazarus CEO responded with a dismissive rant, saying, “I’ve never heard of Oxebridge Quality Resources, but your website appears to represent a one-man-shop focused on trolling ISO certification bodies.” He then said he would respond to the complaint only after “conferring with our partners from the DoD, CyberAB, and Willrich Precision Instruments.”
