Katie Arrington, the Dept. of Defense’s lead on the Cybersecurity Maturity Model Certification (CMMC) program, has threatened to “marginalize” the CMMC Accreditation Board (CMMC-AB) if it does not sign a Statement of Work within 24 hours.
Oxebridge has received a redacted copy of an email sent by Arrington to CMMC-AB Acting Board Chairman Karlton Johnson and other Board members in which she threatens to either strip the AB of its accreditation responsibilities or “rescind” the signed Memorandum of Understanding (MOU) which originally created the CMMC-AB.
The entire portion of the email received by Oxebridge follows:
From: Arrington, Katherine E SES OSD OUSD A-S (USA) <email@example.com>
Subject: 24 Hour Ultimatum
if the current SOW is not accepted by the CMMC AB in its entirety, that the 2 courses of action would be to further marginalize the AB to accrediting a now separate training and testing elements entity or to unilaterally rescind the MOU [abrogating the terms of the Undersecretary signed agreement] and move to another Nonprofit 501-C3.
Chief Information Security Officer for Under Secretary of Defense for Acquisition and Sustainment
Two board members — Richard “Doc” Klodnicki and Tim Rudolph — then resigned from the Board. Two other members were reported to be considering resigning, but Oxebridge was unable to confirm their identities.
While Oxebridge was unable to get a second source to verify the email, it did request authentication by Arrington via email. Arrington did not reply, but sources reported she immediately contacted them about “leaks” and set up a teleconference for 5:00 PM today in order to discuss the email and make a final decision on the AB’s future.
The “Statement of Work” is intended to replace the prior MOU. It is not clear how Arrington would have the authority to rescind the MOU, since it was signed by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment. It is also not clear if Lord even knew Arrington was making the threats. Lord has made no public statements regarding the CMMC-AB and the MOU, and has not responded to requests for clarification.
Another source has reported that Arrington has withdrawn ANAB from consideration in taking over the CMMC-AB’s role, and intends instead to give the oversight of CMMC certification bodies, called “C3PAOs,” to ANAB’s competitor, A2LA. This has not been independently confirmed, however.
Oxebridge previously reported that both ANAB and A2LA are signatory members of the International Accreditation Forum, which is currently managed by a senior executive from the Chinese Accreditation Service, Mr. Xiao Jianhua. As a result, any complaints or appeals levied against A2LA would eventually be ruled on by the IAF and its Chinese executive leadership.
Arrington arranged one meeting with ANAB and the CMMC-AB Board, although the ANAB representative was introduced as a representative for ISO. Oxebridge was able to confirm the meeting occurred through official meeting records. A source indicates that A2LA also held a meeting with Arrington, but Oxebridge has not been able to confirm this.
An announcement of the A2LA decision is likely to appear next week. If so, A2LA will be forced to explain how it will claim ISO 17011 accreditation status, a status it maintains by being an IAF signatory, while reducing Chinese influence over the DoD’s cybersecurity certification program.
It is expected that Arrington will grant the C3PAO accreditation oversight to A2LA, while allowing the CMMC-AB to maintain personnel certification over things such as CMMC assessors. This will likely lead to more Board resignations from the CMMC-AB.
A2LA was previously investigated for conflicts of interest when it opened a training body, called A2LA Workplace Training. ISO 17011 prohibits such arrangements. In response to a formal complaint filed by Oxebridge, A2LA management claimed the Workplace Training company was separate, but this contradicted official A2LA press releases announcing Workplace Training as “an A2LA company.” The IAF refused to take action against A2LA in that case.
Connections Between Arrington and Schieber
Arrington’s latest move comes as she allegedly remains furious at the prior ouster of Ty Schieber, who was removed as CMMC-AB Board Chair after he launched a controversial “Diamond” membership program which solicited $50,000 donations from individuals. That move was branded “pay to play” and led to an emergency vote to remove Schieber and fellow Board member Mark Berman. The two men claim they then resigned, but sources within the AB insist their resignation came after a Board vote to oust them.
Arrington previously worked for Schieber in the Business Development office of cybersecurity firm Dispersive Technologies. The assignment of Schieber as the CMMC-AB Board Chair has been routinely dismissed as coincidence.
Prior to Schieber’s ouster, Arrington was publicly supportive of the CMMC-AB. That changed after his resignation, and sources report that she has been “volatile” in her hostility against the remaining Board members.
Ongoing Problems with Conflicts of Interest
The move is likely to be the final nail in the coffin for the CMMC-AB. The group has been plagued with conflicts of interest, which have not improved since the departure of Schieber and Berman. In recent weeks, remaining Board members made a series of missteps that have hurt the group’s claims of objectivity.
- It was recently announced that Chris Golden, who was expected to take over as permanent CMMC-AB Board Chairman, was taking an advisory board position with the cybersecurity firm, Ariento. That company has applied to be an official C3PAO to be accredited by CMMC-AB.
- Tara Lemieux, one of the CMMC-AB’s first crop of certified Provisional Assessors, announced on LinkedIn that she would provide CMMC audits for free, as a “service to her country.” When questioned multiple times, Lemieux insisted she would do such audits for free “every damn day.” CMMC-AB Board Member Jeff Dalton then joined the conversation to praise Lemieux, rather than call her out on what is clearly an impossible claim. The two then engaged in an exchange of complimentary posts, raising questions over Dalton’s ability to remain objective related to the CMMC-AB’s certified assessors. There is no chance that CMMC audits will be performed by unpaid volunteers, and the DOD itself has stated that the hourly rate for such audits will likely be at least $98/hour.
- A company owned by Board member Regan Edens, called CUI Supply, issued a post on LinkedIn which included a photoshopped image of an Air Force jet with the CUI Supply logo pasted on the side. Again, while not illegal, the post was misleading and did not indicate the image had been manipulated.
- Two companies for which the CMMC-AB’s Acting Treasurer, Yong-Gon Chon, had previously held executive positions have submitted applications to become official, accredited C3PAOs.
Oxebridge has provided both the DOD and the CMMC-AB with guidance on how to ensure the AB operates within the rules of ISO 17011, while not relying on the IAF or its Chinese executives. Arrington, however, appears more fixated on purging leaks and punishing enemies than ensuring the proper accreditation of the nation’s eventual cybersecurity certifiers.
The CMMC program is expected to affect as many as 300,000 defense contractors at a cost of $95 billion to private industry.