We’ve obtained a copy of the revised contract between The Cyber AB (formerly CMMC Accreditation Body) and the US Dept. of Defense and… there are problems. The short version: in its exclusive contract with The CyberAB over the administration of cybersecurity contractual obligations between the DoD and the entire defense industrial base (DIB), the DoD is giving The CyberAB a free pass on violating contractual obligations.
Not a good look for the DoD. If they give the Cyber AB a free pass, why not everyone else?
(You can follow along with the contract by grabbing a copy here.)
The original contract was issued in late 2020 and was kept secret, with the DoD refusing to honor multiple Freedom of Information Act (FOIA) requests to have it unsealed. Eventually, DoD relented, first releasing only the Statement of Work (SOW) portion, and then refusing — for two years — to release the entire document. Keep in mind, under Federal law, government contracts are public documents, unless a few conditions are met (such as national security), none of which the DoD even tried to invoke. They just ignored Federal law.
Then, the DoD ignored potential felony violations by the CyberAB, which — back when it was still called the CMMC Accreditation Body — falsely claimed to be a non-profit organization when filing for its mandatory CAGE code. Without a CAGE code, The Cyber AB couldn’t have gotten any government contracts, much less the DoD exclusive one, and so they lied on their CAGE application. The DoD refused to investigate, working instead to protect their pals at the AB, again ignoring Federal law. It wasn’t until years later that the AB actually got its not-for-profit status from the IRS.
So, again, more great examples from the DoD! They have no patience to comply with the law while insisting everyone else does.
Finally, Oxebridge was successful in getting its FOIA honored, and the DoD released the entire contract, but with the name of the DoD contracting officer redacted. It is not clear why that redaction was necessary, except that it was done to protect Katie Arrington. It’s not like we don’t know who held the title — which wasn’t redacted — of the contract signatory. The only explanation is that DoD was hoping people would forget that Arrington signed a contract handing her former boss, Ty Schieber, the exclusive AB contract.
We haven’t forgotten.
But during the time the DoD delayed the FOIA requests, it had revised the contract with the AB. The DoD then refused to release the revised version, again pushing against legally-submitted FOIAs. In a fit of “malicious compliance,” the DoD’s FOIA office claimed that it was not obligated to release the revised contract, since the original FOIA only asked for the original contract.
Now the DoD has released the revised contract to various news outlets. It’s still too late, as the contract is effectively voided by the fact that it still references requirements from CMMC 1.0, and hasn’t been updated for 2.0. But legally, it’s still the contract of record, and the parties are held to federal and civil contract law to abide by it.
Oh, but they are not.
In reviewing the most recent contract modifications, we see The CyberAB remains in violation of key requirements, and yet the DoD continues to refuse to hold them accountable. I’m just going to summarize a few of the violations, but there are quite a lot.
- The contract required The Cyber AB to become an associate member in IAAC by October 2021. I checked the IAAC website — which, yes, is a Mexican organization — and The Cyber AB is still not listed. It’s not listed under its old name, either.
- The Contract requires the CMMC-AB to become a full member of IAAC and “achieve compliance with” ISO 17011, but the exact dates are confusing. One section says that the deadline is October 2022, which has already passed by, and this clearly states that The Cyber AB must be undergoing peer evaluations by IAAC (again… Mexico.) But a table of milestones at the end of the contract then says that full membership is required by October 2023 (“36 months after contract signature.”) But it’s moot. Without The Cyber AB already being an Associate Member, it’s unlikely they could suddenly become a Full Member in the next three-and-a-half months and undergo the required IAAC peer evaluations. (Did I mention that the DoD handed complete control of the CMMC scheme to Mexico?)
- Next, the contract required The Cyber AB to develop a quality assurance program related to the accreditation of the C3PAOs and CAICO no later than January 2021. That never happened. In fact, The Cyber AB hadn’t created the CAICO until years later, and technically it’s still owned by The CyberAB, making an insurmountable conflict of interest the parties have not yet resolved. That conflict makes all these accreditations increasingly unlikely. Instead, The Cyber AB was supposed to sell off CAICO and has refused to do so.
- The Contract claims the DOD is tasked with developing “CMMC Assessment Guides,” but has not done so. Instead, the CMMC-AB developed their own “CAP” guides, which they were expressly not given the authority to do.
- The contract demands that the “authorization” of C3PAOs by The Cyber AB was to end in October 2022. In reality, it’s still ongoing. (I have no idea why the DoD put an end date on this at all, but, hey, I didn’t write it!)
- The contract then says each C3PAO must become accredited to ISO 17020, by the AB, “27 months” after being “registered” as an authorized C3PAO. The first C3PAO, Redspin, was “authorized” in June 2021. 27 months from that date would have put them in June of 2023 (which is right now) and, obviously, they are not accredited to ISO 17021, because The Cyber AB isn’t accredited to ISO 17011. So none of that happened.
- Per the contract, CAICO was supposed to be formed in October 2020 and begin issuing credentials in October 2022 for credentialed persons (like C3PAO assessors.) The AB was supposed to yield that activity entirely. It has not.
- The contract demanded CAICO achieve ISO 17024 accreditation — also by The Cyber AB — in November 2022. Obviously, that hasn’t happened because CAICO wasn’t even formed at that time. Furthermore, sources tell me the new plan is to let the third-party accreditation body ANAB — which reports to both Mexico and China (yes, you read that right) — accredit CAICO instead. So The Cyber AB changed the contractual requirements entirely without any contract mod.
- The contract requires The Cyber AB to hold “annual management reviews per ISO 17011,” which it clearly cannot be doing since it doesn’t actually comply with ISO 17011. Those reviews are supposed to discuss the status of the IAAC peer reviews, but have never happened because The Cyber AB isn’t a member.
A fun aside. The contract says, “The CMMC-AB cannot enter into any agreements with international entities without the approval of DoD.” But The Cyber AB has been pretty aggressive in marketing itself, and the CMMC program, overseas. It’s also not clear how officially-authorized C3PAOs like RSM, which has offices in India and El Salvador, fit into this prohibition. I guess not, but that contract language is pretty poorly worded.
So the message is clear. The DoD is entirely hypocritical on contract requirements — and complying with Federal laws — when it suits them. They are stamping their feet like petulant five-year-olds, demanding everyone else respect their authoritah, while showing nothing but contempt for the same rules in order to ensure their friends hold onto a sole-source contract.
Arrington is out, and by all signs it seems her protege Bostjanick will be leaving any day now, too. So why is the DoD so dead-set on maintaining this overt cronyism? I have to imagine at this point it’s all about saving face. If they scuttle the AB now — which they absolutely should do — they risk sending a message to China and our enemies that this was never a real thing, to begin with.
Guess what! China already knows that. The minute the DoD told The Cyber AB it had to join IAAC (again, MEXICO), and participate in the IAF accreditation scheme — which until recently was literally run by China — China knew the DoD had lost their minds.
Scuttling this thing and putting the AB role out for competitive bids, with AB oversight to be conducted by the DoD itself, and not outsourced to some folks south of the border, will actually save face. It will show the world the US is serious about cybersecurity, and about the rule of law.
I’ll leave you with this last question. If you’re a DIB company, selling to the US government, how long do you think you could go with this many contract violations before the DoD stepped in and fined you into oblivion?
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.