The Cyber AB has released a CMMC consulting tool that openly violates ISO 17011, the accreditation body standard under which it is obligated to operate per Dept. of Defense contractual requirements. The release also puts the AB in the position of being a competitor to its own customers.

The tool, called the CMMC Readiness Platform and abbreviated “CRT”, allows those who have purchased Registered Provider Organization (RPO) badges from the AB to gain exclusive access to a set of CMMC-related products and consulting tools. According to the Cyber AB’s official website, the CRT tool:

… automatically generates dashboards, documents and reports which follow the required CMMC standards. Some of these key outputs include POA&Ms (Plans of Action & Milestones), SSPs (System Security Plans), SPRS scores, prioritized lists of risks, and other similar views, thereby significantly reducing report generation time and effort.

Accreditation bodies are prohibited from providing consulting tools or services as they are seen as a violation of the principles of objectivity and impartiality. Specifically, ISO 17011 requires:

The accreditation body and any part of the same legal entity shall not offer or provide any service that affects its impartiality, such as: … consultancy.

And

The accreditation body’s activities shall not be presented as linked with consultancy or other services that pose an unacceptable risk to impartiality. Nothing shall be said or implied that would suggest that accreditation would be simpler, easier, faster or less expensive if any specified person(s) or consultancy were used.

Screenshot of Cyber AB website offering as of 27 Sept.

According to a post on Reddit detailing the discussions at a Cyber AB Town Hall yesterday, the AB “whitelabeled the Cyturus GRC tool,” for the CRT content. Cyturus is a consulting firm that offers CMMC services, putting it in competition with AB-badged RPOs. The revelation in a public setting again suggests the AB is violating the rule against suggesting “any specified person(s) or consultancy were used.”

In a practical sense, this raises the likelihood that a CMMC assessor will avoid writing findings against any company that uses the AB’s CRT tools, for fear of being de-accredited by the AB. Likewise, RPO consultants who use their own tools, rather than the CRT product, may face higher levels of scrutiny from CMMC assessors who do not recognize the tools.

Companies that do not use the CRT tool can make a reasonable argument that the final CMMC assessment was unfair. Meanwhile, Cyber AB RPOs can argue that the body that granted them their credential is now openly competing with them.

The DoD’s sole-source contract with the AB demands it operate in conformity with ISO 17011 right now, while it pursues eventual third-party accreditation to that standard from the Mexican organization, IAAC. Given the CRT release, it now becomes impossible that the Cyber AB could ever achieve the mandated ISO 17011 accreditation.

Oxebridge founder Christopher Paris sent a letter to the AB, the DoD’s CMMC program office, and DoD CIO John Sherman, saying the move “demolishes” all pretense of objectivity on the part of the Cyber AB. “Not to put too fine a point on this,” Paris wrote, “this reeks of grift. And they are doing this under DoD’s authority.”

The move also pits the AB against those who purchased their badges, creating an awkward scenario where the AB is now an open competitor of its own customers.

The Cyber AB has been mired in controversy from the beginning. In 2021, it launched a “Diamond Member” program that would have given special benefits to members who paid $500,000 or more, resulting in howls of “pay to play” from the defense community. Two senior AB Board members were ejected over the fiasco, and the program was scuttled immediately.

The new CRT program suggests the AB never learned from the experience.

Paris has also warned Cyber AB CEO Matt Travis that such actions may be a violation of civil law, and that both the AB and individual members could face litigation if the program is not taken down immediately.

To date, the AB has earned tens of millions of dollars from selling professional credentials and has not yet accredited a single C3PAO assessment body.

The Dept. of Defense has consistently refused to enforce the contractual requirements on the Cyber AB. The DoD’s CMMC office is now the subject of an Inspector General audit, expected to occur in the next few weeks.


UPDATE 27 September 2023: added link to Reddit post and information on Cyturus.

UPDATE 29 September 2023: Oxebridge has received credible information that key CMMC actors held a conference with The Cyber AB over the CRT consulting packages, and expressed their anger over the move. At the same time, former Cyber AB founder James Goepel announced a competing product on LinkedIn, and took direct aim at The Cyber AB’s offering. While the Cyber AB program is free for RPOs, Goepel is offering to rebate the AB’s RPO fee for anyone who signs up for his paid product. The move marks an immediate turn against The Cyber AB for becoming, overnight, a competitor of its own customers.