The US Dept. of Defense CMMC Program Management Office’s representative Stacy Bostjanick has confirmed that the DOD Inspector General is conducting an investigation into the CMMC program based on Oxebridge’s criminal complaint submitted months earlier.

In response to a request for updates on multiple issues, Bostjanick indicated that “there are ongoing IG investigations initiated by” Oxebridge founder Christopher Paris, who filed the original complaints. Paris later participated in interviews with the Defense Criminal Investigative Service office of DOD, but that office had not confirmed any investigations when later contacted by press. The admission by Bostjanick confirms the probes are underway, which include an investigation into multiple criminal allegations against the DOD’s top CMMC architect, Katie Arrington.

Arrington is currently on suspension on suspicion of having breached her security clearance obligations and allegedly leaking classified information. Her attorney disputes the allegation by the NSA, and has also threatened to sue Oxebridge.

In Arrington’s absence, all communications from the CMMC PMO have come to a halt, with Acting CISO John Garstka refusing to comment on CMMC and other officials such as Jesse Salazar remaining equally silent. Oxebridge previously criticized the CMMC program for being built on a “cult of personality” surrounding Arrington, and her departure has left no one to defend the program publicly.

During her tenure, Arrington would repeatedly promise “memos” on significant topics that were then never produced. This prompted Paris to write to DOD to get updates on the claims.

The first was regarding a promised memo on “CMMC reciprocity with FedRAMP,” while another was related to CMMC reciprocity with the information security management standard, ISO 27001. Both were promised by Arrington as far back as February, but Arrington never produced the alleged memos. There is still no official word on how CMMC might align with these current schemes.

Later, former CMMC Accreditation Board member Regan Edens claimed, during an official Town Hall meeting, that CMMC assessors would be tasked with entering the private residences of work-from-home employees to inspect their cybersecurity controls, triggering a minor industry uproar. In response, Bostjanick publicly reminded stakeholders that the DOD establishes CMMC assessment rules, not the AB, and that a “CIO” would be issuing a ruling on “home inspections” shortly. That, too, never materialized.

In response to these issues, Bostjanick wrote:

While the DoD is undergoing their internal review we have not issued any public comments. We will release more information once the internal review is completed. All of the areas you have requested information will be looked at and we will publish whatever information we can, please recognize that some of those areas will possibly elicit additional rule making efforts and final solution may depend on the outcome of that.

Ethics Probe to Advance to DODIG

In a separate issue, Oxebridge had filed additional complaints alleging conflicts of interest of the CMMC-AB and its Board members, many of whom were found operating companies selling CMMC products and services. In three separate emails over a period of six months, Bostjanick confirmed her office had opened an ethics investigation into the CMMC-AB, but then provided no updates.

Multiple Board members have since resigned, but the AB has not taken any action to stop the conflicts of interest, nor to ban those involved in them, as promised by the AB’s published code of conduct. Instead, the AB has claimed the public did not understand its conflict of interest policy, and claims to have taken behind-the-scenes steps to mitigate COI risks. Publicly, however, the conflicts appear in full force.

In her latest email, however, Bostjanick indicated that her office did not take action after all, and is instead waiting on the DOD IG investigation. The Oxebridge complaint that led to that probe did not, however, include any allegations of conflicts of interest, which arose afterward, suggesting Bostjanick is confused. In defense of the CMMC-AB, Bostjanick wrote:

As for the ethics and conflict information; I know that the CMMC-AB is dedicated to ensure the integrity of the process and has had several independent reviews done of the allegations.

The CMMC-AB came under fire for having accredited Cask Government Services, a company that is currently under a Justice Department criminal investigation for bribery and money laundering. One of its employees has already pleaded guilty, with more arrests likely. As a result of the CMMC-AB’s actions, a company reported to have bribed a government official to illegally steer Federal contracts to itself will now have control, through its CMMC assessments, over which other companies get Federal contracts.

Oxebridge argues the approval of Cask only provides more evidence of the CMMC-AB conflicts of interest.

As a result, Oxebridge is now preparing a new IG filing on ethics matters, which will be copied to the Armed Services Committees of both houses of Congress and to the GAO.
