Oxebridge has filed a formal ethics complaint with the CMMC Accreditation Body alleging multiple violations of the group’s Code of Ethics and policies against conflicts of interest by current and former Board members.
The 8-page complaint cites four specific instances of alleged violations:
- That former Board Chair Ty Schieber violated the Code by apparently falsifying the CMMC-AB’s official “certs and reps” documentation when submitting for a CAGE code. As reported previously, official filings show Schieber claimed the CMMC-AB was a tax-exempt organization in March of 2020, but in fact the AB had not obtained tax-exempt status at that time. Despite this, Schieber personally signed the CMMC-AB’s Code of Ethics, and his name still appears on the webpage for that Code.
- That former Board member Mark Berman was in violation of the Code of Ethics while simultaneously owning FutureFeed, a company that sells CMMC management software products. Berman is no longer with the CMMC-AB, but Oxebrige alleges the Board ignored Berman’s violations for months.
- That current Board Vice Chair Jeff Dalton, who also heads up the CMMC-AB Credentialing Committee, issued a CMMC-AB Provisional Assessor credential to himself. According to a public post on LinkedIn, Dalton granted himself “Provisional Assessor certificate # 1”, thus appearing to violate rules against self-dealing.
- That current Board member Regan Edens operates DTC, which openly markets the sale of CMMC related implementation services — including policy and procedure documentation development and “templates” — which are then sold to companies that the CMMC-AB will have authority over.
The Edens allegation is likely the worst, as Edens gave an interview with Security Boulevard recently in which he openly discusses how he formed DTC as a specific solution for CMMC, while he was a CMMC-AB Board member. In that interview, Edens declared (emphasis added):
So, when DFARs and CMMC came up in 2019, I thought it was a fit for the type of challenge and digital transformation I thought I could help with. You had the important national security interest, the compliance requirements of DoD and then the cybersecurity aspect. Through conversations, I realized the size of the challenge and need for manpower to establish the DFARS framework. That’s when I started DTC.
Today, DTC focuses solely on defense companies and helping them with their ITAR and CMMC compliance issues. We work with small companies (200 employees or fewer) and large Primes but not many in between. We specialize in documentation and providing the templates that can expedite defense companies’ compliance path. We help companies with turnkey solutions as well as audit preparation. So far, we have done around 100 audits since the beginning of 2020.
Previously, Edens was the subject of a separate ISO Whistleblower complaint, and Dalton was the subject of two such reports. At the time, the reports were not seen as strong enough to report any violations, however.
In August of 2020, Oxebridge expanded its ISO Whistleblower program to include CMMC oversight.
The CMMC-AB Code of Ethics specifically prohibits Board members from personally profiting from their roles, and then requires the AB to manage such conflicts of interest when they arise. Oxebridge argues that not only has the CMMC-AB not managed these conflicts, but it has instead worked to ignore or cover them up, and then rewarded those that engaged in them. Dalton, for example, was recently elevated to as Vice Chair of the Board.
The complaint was submitted to current Chair Karlton Johnson, along with others, and will be escalated to the Dept. of Defense and other oversight agencies if the CMMC-AB fails to take action.
Previously, Oxebridge filed a complaint alleging the CMMC-AB’s training materials are not compliant with the Americans with Disabilities Act (ADA), thus discriminating against service-disabled veterans. In response, Johnson and the Board ignored the complaint, and blocked Oxebridge founder Christopher Paris on LinkedIn. CMMC-AB Treasurer Yong Gon Chon then launched into personal attacks against Paris. That resulted in the complaint being escalated to the Dept. of Justice, alleging willful discrimination of disabled persons by the CMMC-AB.
ADA is a Federal law, yet the CMMC-AB has refused to stop performing training and certifications to bring itself into compliance. Instead, CMMC-AB training head Ben Tchoubineh said that his training materials “will be ADA compliant” sometime in the future. US laws cannot be violated upon a defense that one will comply with them at some future point in time.
The latest complaint brings to 15 the number of formal complaints, investigations, or reports filed against the CMMC-AB and the DOD office which oversees the CMMC program. These complaints include filings alleging waste, fraud, and abuse submitted to the Internal Revenue Service, the Dept. of Defense Inspector General, the Defense Logistics Agency Inspector General, the Dept. of Justice, the Office of Personnel Management, the Maryland Attorney General, and a host of congressional and other oversight bodies.
The full complaint may be downloaded here. (PDF – 545 KB)