The Israeli consulting firm Claroty, which has an office in New York City, recently published a series of social media posts falsely claiming that defense industry companies must obtain CMMC certification by May of 2023 or face “missed opportunities” when bidding on US Dept. of Defense work. The company also claimed that June 2023 was such a deadline.

The claim is false, as there is currently no deadline at all for CMMC certification, and the CMMC program is still under US Federal rulemaking. The latest inside information hints that the rulemaking process will push the final CMMC rollout into 2024, and the CyberAB has yet to accredit a single certification body (“C3PAO”), making final assessments of CMMC currently impossible.

Claroty’s US representatives, including Solutions Engineer Peter Franklin, posted the claim on LinkedIn, which included a snippet of the video podcast Industrial Talk. In the video, Industrial Talk host Scott MacKenzie interviews Claroty’s Americas Director Jeff Lauer, who makes the false claim:

MacKenzie: Is there a deadline that I need to be aware of, and if I don’t hit that deadline, what is it?

Lauer: 2023 is a big year for CMMC, especially for level II certification. So the plan schedule calls for the CMMC rulemaking to be completed by May of this year, which means by July of this year, it will be appearing in DoD contracts.

The LinkedIn posts included text which falsely claimed, “The deadline for CMMC certification is May 23.”

One such LinkedIn post made by Franklin on April 13th was met with immediate demands for correction and condemnation from defense contractors, alerting Claroty that there was no such deadline. Readers scoffed at the false claim, and accused Claroty of misleading advertising. The Chair of the CyberAB’s Ethics Committee, Wayne Boline, chimed in as well, condemning the Claroty claims as false.

The post prompted Oxebridge founder Christopher Paris to file a claim with the US Federal Trade Commission (FTC) for deceptive advertising. Paris then alerted Franklin and Claroty’s legal counsel of the FTC filing, and urged Claroty to “rein in its marketing team.” Paris alerted Claroty corporate counsel Hayley McAllister that if the claims were also made in marketing emails, this could amount to wire fraud.

Despite this, Claroty then Tweeted out the same video hours after the LinkedIn debacle, again making the same false claims:

The video has since been removed from the Industrial Talk webpage, and is only available via the snippet published by Claroty itself.

The comments by Boline were particularly rare, since Boline had previously refused to investigate similar false claims made by members of his own CyberAB Board. Multiple Board members have falsely cited fake deadlines for CMMC dating as far back as 202o. Likewise, the CMMC’s original architect, Katie Arrington, claimed in multiple public appearances that CMMC certification could be achieved as early as mid-2020. Boline never attempted to correct these false statements, and ethics questions — for which he remains responsible as Ethics Committee Chair — remain unanswered.

The entire CMMC program has largely been sold to both the US Dept. of Defense and the defense industrial base (DIB) on exaggerations, deceptive claims, and outright lies since its inception. As a result, the program is seen with suspicion by a large number of companies within the DIB, as well as members of Congress.

The CMMC program was an attempt by Arrington to prove she could solve the DoD’s cybersecurity problems at no cost to the agency, through the creation of a massive, consultant-led “ecosystem” that benefitted her former employer and personal friends. Since that time, the CyberAB has raked in millions of dollars through the sale of personal “badges” but has not yet produced a single accredited C3PAO. Companies have spent tens of millions of dollars readying for CMMC based on the ever-changing claims of “deadlines” by CMMC consultants and DoD officials.

The current contract between the DoD and CyberAB hands final authoritative control over to foreign actors, including Mexico, Italy, and China, and will likely face Congressional action once final CMMC assessments begin. Sources within Congress have reported to Oxebridge that they are aware of Mexico’s contractual oversight of the CMMC program, and are giving time to the DoD to see if they intend on correcting it. The DoD, meanwhile, has refused to assess its contract with the CyberAB, and continues to demand that the AB surrender oversight of its activities to the InterAmerican Accreditation Cooperation which operates out of Mexico City.

Advertisements

ISO 17000 Series Consulting

Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.