The Cyber AB continues to mire itself in the very conflicts of interest it is tasked by the US Dept. of Defense to manage within the nascent CMMC scheme.
In January 2023, The Cyber AB added Katherine Gronberg to its official Board of Directors. Gronberg is Head of Government Services for the NightDragon, a cybersecurity venture capital firm.
In May of 2022, however, just eight months before her appointment with the AB, NightDragon announced that it had entered into a partnership with the CMMC assessment body Coalfire. That press release openly announced the partnership included CMMC-related services:
Coalfire will partner with NightDragon companies to accelerate their approach to the key government certifications that are necessary to capture that market opportunity, including FedRAMP, CMMC and StateRAMP.
In 2020, Coalfire was approved by The Cyber AB as a provisional C3PAO, or CMMC assessment body. The Cyber AB is tasked with eventually accrediting bodies like Coalfire, and adjudicating complaints and appeals against them. As a result, The Cyber AB is supposed to ensure no conflicts of interest emerge in its dealings, to ensure impartial and fair oversight.
Nevertheless, The Cyber AB appears to have failed to vet Gronberg’s conflicts of interest before approving her for the Board. The AB has likewise not taken action related to Gronberg’s conflict of interest since her appointment. As of this writing, in January of 2024, NightDragon is still listed as a “partner” on the official Coalfire website. Likewise, the NightDragon website still also markets the relationship.
The Gronberg scandal is just the latest in a long list of ethical lapses and self-dealing by Cyber AB Board members. Previously, former AB members Ty Schieber, Mark Berman, Ben Tcoubineh, Reagen Edens, Karlton Johnson, and Jim Goepel were all found to be engaged in some activity that conflicted with their role at the AB. Current Board members Jeff Dalton, Paul Michaels, and Clifton Poole all previously marketed some form of CMMC-related products or services, but have since scrubbed their company websites of the claims.
Gronberg is the only current Board member working with a company that still openly markets its conflict of interest.
Despite the long history of problems, the US Dept. of Defense has published its Proposed Rule mandating CMMC, and re-asserting that The Cyber ABI will be the sole arbiter of conflicts of interest within the entire CMMC scheme. Since 2020, the DoD has refused to hold The Cyber AB, previously named the CMMC AB, accountable for allegations of corruption and fraud. Instead, DoD representatives Katie Arrington and Stacy Bostjanick repeatedly promoted the AB, and blocked attempts to have it investigated.
The CMMC program is currently headed by DoD CIO John Sherman, who has also refused to probe the problems.
UPDATE: A reader pointed out that the C3PAO entity is Coalfire Federal, while the company partnering with NightDragon may be, simply, Coalfire. The reader claimed that Coalfire is a foreign-owned entity, and as a result cannot meet requirements prohibiting foreign ownership of C3PAOs, whereas Coalfire Federal can. Coalfire was acquired by French venture capital firm Apax Partners in 2020.
The distinction relevant to CMMC work is not clear, however, as the official Coalfire site markets both Coalfire and Coalfire Federal as a single CMMC C3PAO. According to that page:
Coalfire and Coalfire Federal have more than 20 years’ experience providing advanced cyber support to highly regulated organizations in the defense industrial base. As one of only a handful of CMMC Third-Party Assessor Organizations (C3PAOs), we’re uniquely qualified to guide you in your CMMC compliance journey.
Furthermore, Coalfire names Coalfire Federal President Bill Malone as one of its own executive management team members, suggesting that Coalfire Federal is still dependent on its relationship with the French-owned Coalfire.
It appears, therefore, that there is insufficient firewall between the two organizations to make the distinction meaningful.