This is a weird one, and there may be a completely innocent explanation. But, so far, I’m not seeing it.

Sara Friedman (source: Twitter)

Inside Cybersecurity’s CMMC reporter, Sara Friedman, reported the other day on the content of the revised contract between the DoD and The Cyber AB (formerly “CMMC Accreditation Body”), but got a few facts wrong related to ISO standards. In her report (paywalled), Friedman incorrectly reported that The Cyber AB was contractually obligated to comply with three different ISO standards: ISO 17011, ISO 17024, and ISO 17020.

The ISO/IEC Standard 17020 will allow the Cyber AB to accredit CMMC certified third party assessment organizations, while the Cyber AB’s training unit, known as the CAICO, will need to meet ISO/IEC Standard 17024.

In fact, The Cyber AB is only accountable to two standards — ISO 17011 for itself, as an accreditation body, and ISO 17024 for its personnel credentialing body, CAICO. ISO 17021 is the standard that The Cyber AB will be auditing the CMMC C3PAOs against, in order to accredit them.

I wrote to Friedman on this point, and advised her to update her reporting. She did not respond, and later — when I went back to see if the article had been edited — I found my Inside Cybersecurity account blocked.

Now this could be a technical glitch, perhaps a problem with my VPN. Coming from Peru, I have to use a VPN to mimic a US IP address to access some websites, which sometimes incorrectly triggers a website’s geoblocking. But since I was able to log in initially, it makes no sense that the site would flag me afterward. I’m also pretty sure I didn’t even have the VPN on when I logged in.

There’s also the timing. My account was banned right after writing to Friedman; prior to that, I had no problem accessing it. Again… strange.

I really hope Friedman and the editors at Inside Cybersecurity aren’t that petty, but it doesn’t look good. Previous attempts to get Friedman to up her game on CMMC reporting fell on deaf ears, resulting in my throwing a few slights her way. I once referred to her as a “typist” rather than a journalist, given her habit of simply copying-and-pasting official CMMC press releases, and never asking follow-up questions. I’ve also repeatedly asked her to explain why she continues to grab meaningless soundbites from attorney Robert Metzger, who appears to be absolutely clueless on CMMC matters but loves to talk about it anyway. Friedman has never responded, which is probably wise.

Friedman has also doggedly refused to cover the “Mexico” problem, where the DoD is forcing The Cyber AB to undergo its ISO 17011 verification audits by the IAAC, a group out of Mexico City. Obviously, the United States can’t have its national security and cybersecurity certification scheme overseen by a foreign country. I mentioned this in my letter to her yesterday, so that might have also been a sore spot.

Others and I have also criticized the DoD for using Inside Cybersecurity as the main release mechanism for official CMMC policy updates, since the website hides all its news behind a paywall. That’s not how government policies are supposed to be disseminated, but the DoD’s CMMC office and The Cyber AB know they will get friendly, softball reporting from the site, so they continue to do it.

So I suspect it’s safe to say that Friedman doesn’t like me, but that is no excuse for her to allow incorrect information to be passed off as “reporting” under her byline. And Inside Cybersecurity — if they want to pose as a news organization — does have a responsibility to actually print accurate information.
