The US Dept. of Defense’s Inspector General has closed a complaint submitted over a year ago against the CMMC program, alleging waste, fraud, and abuse. The DODIG provided no explanation for the decision, while refusing to release documentation that Oxebridge had never requested.

The “omnibus” complaint filed in February of 2021 made a series of allegations related to the DoD’s CMMC program, including that it relied on foreign oversight, that the DoD’s CMMC Program Management Office had engaged in conflicts of interest, and that the CMMC Accreditation Body’s contract should be negated due to CAGE code fraud.

In response, the DODIG appears to have interpreted the complaint as a request for documentation, and rejected the matter — a full year later — by pointing Oxebridge to the Freedom of Information Act (FOIA) process instead. In its reply, the DODIG wrote:

The DoD Hotline is not authorized to release case information or documents. You may file a Freedom of Information Act request with our FOIA, Privacy and Civil Liberties Office to obtain records, which are authorized for public release by the DoD Office of Inspector General.

Oxebridge had not requested the release of any documentation, but was requesting investigations be launched related to the allegations.

Sources had reported previously that the DoD was “slow-walking” any complaint filed against the CMMC architect, Katie Arrington, hoping for her resignation. Arrington, who was suspended from her DoD duties and is under investigation for allegedly leaking confidential information, has not resigned. Last week the DoD announced it had eliminated her position.

The timing of the DODIG response suggests the sources may be right, as the DoD appears to be clearing its desk of all matters related to CMMC and Arrington.

In a further bungle, the Defense Logistics Agency also refused to investigate a complaint filed with it, alleging the CMMC Accreditation Body committed felony fraud in its CAGE code application. The DLA Inspector General instead handed the matter over to DODIG, which compiled it with the prior “omnibus” complaint.

DODIG did refer a portion of the complaint, specific to criminal allegations against Arrington, to the Defense Criminal Investigative Services (DCIS) division. Oxebridge founder Christopher Paris participated in a number of interviews with DCIS on the matter over a course of months, but no action was ever taken. DCIS provided no formal notice that the matter was dropped.

The incidents show the overall ineffectiveness of the IG offices as a whole, and their unwillingness to execute their duties when political firebrands are involved. Arrington had run a failed US Congressional campaign, and had been endorsed by President Trump.

The DOD has received at least half a dozen FOIA requests to unmask the signatories of the DoD’s no-compete contract with the CMMC Accreditation Body, and has repeatedly refused to do so. Oxebridge confirmed that these FOIA submittals came from journalists and attorneys seeking clarity on the CMMC program. The DoD would only agree to release a text “Statement of Work” portion, but not the signature page. To this day, it is not known if the CMMC-AB’s contract was ever actually signed, nor who may have signed it. The contract is legally required to be available to the public.

The DoD’s release of “CMMC 2.0” largely dismantles the entire Arrington approach to CMMC, and cripples the CMMC-AB, restricting its activities to a tiny sliver of what was once promised. US companies spent millions on CMMC-AB credentials after Arrington spent a year and a half promoting the organization’s products, only to now find those credentials may be worthless. Arrington faced no disciplinary action for her promoting a private company run by her friend and former boss, Ty Schieber.

As a Senior Executive Services member, Arrington cannot be fired except under extreme circumstances. The DoD has removed her prior position, but still must re-assign her to some other duty if she does not resign.

The only remaining avenue left to Oxebridge in pursuing the matter would be a Federal Tort Claims Act lawsuit.


Surviving ISO 9001 Book