Sources report that Katie Arrington’s volatile reaction to the CMMC-AB’s decision to remove Ty Schieber as Chairman of the Board is threatening to disrupt the CMMC program. The Board accepted Mr. Schieber’s resignation after the controversial “partnership program” was released without the Board’s review and approval. The CMMC-AB Board is undergoing significant changes to address the public concerns while still meeting the DoD’s aggressive timeline. Sources report that Arrington has contrived a scheme to minimize or eliminate the CMMC-AB’s role and replace it with the ANSI National Accreditation Board (ANAB), which operates under a Multilateral Agreement with the International Accreditation Forum (IAF). The current IAF President is Xiao Jianhua, the CEO of China’s official accreditation body, CNAS.

Arrington is the Chief Information Security Officer (CISO) for the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). She heads up the DoD’s plan to implement the Cybersecurity Maturity Model Certification (CMMC) program, intended to shore up the cybersecurity defenses of the Defense Industrial Base (DIB). Arrington works under Under Secretary Ellen Lord and the Assistant Secretary of Defense for Acquisition, Kevin Fahey.

In March, Lord signed a Memorandum of Understanding (MOU) (pdf) that established the private CMMC Accreditation Body (CMMC-AB) as the sole accreditation authority for the CMMC certification scheme. The MOU declared that the CMMC-AB would accredit and oversee a network of CMMC Third Party Assessment Organizations (C3PAOs), which would audit companies for compliance with CMMC.

MOU signature page.

If Arrington were to follow through on her threat to disband the CMMC-AB, she would unilaterally negate the MOU, and it is not clear how she would have the authority to overrule Ellen Lord.

The MOU was signed on behalf of the CMMC-AB by Ty Schieber, who took the position of Board Chairman. Schieber’s placement has been met with accusations of cronyism; according to their LinkedIn profiles, Schieber was the Executive VP of Military & Government Sales at Dispersive Technologies while Arrington was VP of Sales for the same company. Arrington and USD(A&S) CMMC Director Stacy Bostjanick defended Schieber’s placement as coincidental in the “small world” of the DIB. This appears to contradict Arrington’s claim that the DIB comprises over 300,000 companies.

Schieber and one other Board Member, Mark Berman, were ousted by the Board after they concocted a plan to sell $500,000 “Diamond” memberships to donors. That campaign, which Schieber approved without a Board vote, was quickly branded “pay to play” and was pulled within 48 hours. The Board called an emergency meeting on Sept. 11 to decide the fate of Schieber and Berman. Sources reported to Oxebridge that the two men were voted off, and this was simultaneously reported by FedScoop. Arrington and Schieber have since insisted that the men simply resigned, and have downplayed any link between their departure and the “Diamond” program debacle. Sources are very clear that the CMMC-AB’s Board of Directors considered the scheme unacceptable and one of many “fatal errors” by Schieber and Berman.

FedScoop issued a statement to Oxebridge standing by its reporting.

Screenshot from the original “Diamond” membership page of the CMMC-AB website.

In multiple interviews since the departure, Arrington has repeatedly come to Schieber’s defense, personally attacking those who claim he was ejected. This raised speculation by some that she “was not over this,” and was planning revenge.

Arrington then made a number of bizarre public statements that seemed to undermine the CMMC-AB and even the CMMC model itself.

After spending months chastising DIB companies for doing too little to prepare for CMMC, and claiming CMMC would appear in Federal contracts within 2020, on Sept. 16 Arrington gave an interview to Inside Cybersecurity (paywall) advising companies to hold off, and implying that the CMMC Model itself was not yet finished. She told the outlet that the “additional 20 controls that are incorporated in the maturity level that go beyond NIST 800-171” may be removed based on “feedback from industry.” That comment led some to speculate that Arrington was working to weaken the CMMC controls to appease companies that are not willing to implement the necessary controls.

On Sept. 18, in another Inside Cybersecurity interview (paywall), Arrington announced that the Canadian Commercial Corporation was already approved as a CMMC certification body for all of Canada, despite the CCC never having applied for C3PAO status, and such decisions falling under the sole authority of the CMMC-AB.

On Sept. 22 a summary of the DFARS Interim Rule was released which made no mention of the CMMC-AB. Despite having given multiple interviews on the Rule, Arrington began berating people for commenting on it before final publication. On Sept. 28, the Interim Rule was published; it refers only to “a CMMC accreditation body,” and does not hard-code the official CMMC-AB as that sole authority.

On Sept. 24, Arrington publicly commented on LinkedIn regarding the CMMC Center of Excellence, a group formed by former CMMC-AB Board member John Weiler. Weiler had previously launched an attempt to oust Schieber, and then resigned when that effort failed. The CMMC-AB signed an MOU with Weiler’s Center of Excellence as part of his departure. Arrington’s comments again reveal her tendency to inject herself into matters pertaining to the CMMC-AB and its partners, over which the DoD has no say.

In an early public appearance, Arrington garnered some snickers from industry professionals when she referred to CUI – the abbreviation for Controlled Unclassified Information – as “cooey.” This has since led to a host of cooey-related internet memes mocking Arrington. In Peru, “cuy” is fried guinea pig.

Sources believe Ellen Lord remains in the dark about Arrington’s scheme to disrupt the CMMC Program as Lord prepares to address Congressional concerns this week. It appears that Arrington’s volatile personality and inexperience continue to create instability and chaos as the program struggles to mature from concept into reality.

Industry Day Bloodbath

Two weeks ago, a source reported that Reinaldo Figueiredo, the Senior Director of Accreditation Programs at ANAB, had been in behind-the-scenes discussions with the DoD to take over for the CMMC-AB. Figueiredo is a foreign national from Brazil, although he has worked in the US for decades. Previously he was with the Brazilian accreditation body INMETRO.

At the same time, another source reported to Oxebridge that a representative of A2LA, a laboratory accreditation body, was also in behind-the-scenes discussions related to the CMMC-AB. Both ANAB and A2LA are accreditation bodies within the ISO certification scheme, and are competitors to each other.

Prior to the formation of the accreditation body, the DoD released a “Request for Information” (RFI) in 2019 that called for an “Industry Day” event to solicit feedback and white papers from existing accreditation bodies on how the CMMC accreditation program might be crafted. According to one white paper drafter:

[Arrington] made it clear that no RFP would result from the RFI, but they wanted to know how to perform the functions of an AB, and if this company were to become the AB what were they willing to offer DOD for free.

Oxebridge has obtained a copy of the RFI, which reveals the DoD never intended to provide funding for the eventual AB, and reinforced the use of the MOU as the eventual governing contract (emphasis from the original):

This RFI seeks information on how to define the long-term implementation, functioning, sustainment, and growth of the CMMC Accreditation Body.

The Government’s goal is for a non-profit Accreditation Body to complete all activities described in Section 4, Accreditation Body Activities, using revenue generated through dues, fees, partner relationships, conferences, etc. with no additional funding or resources provided by the government. The Government intends that the relationship between the Government and the Accreditation Body will be managed through the use of a Memorandum of Understanding (MOU).

Many of the ABs in attendance hoped at that time to win sole-source authority to become the DoD’s CMMC scheme oversight body. While the DoD made it clear that the RFI would not result in an RFP, it confused matters by then specifically asking those submitting white papers to “describe how you would potentially accomplish one or all of the above work areas.” It was generally understood that the event was “an audition.”

Multiple witnesses have said the event left attendees shocked, after Arrington said she “couldn’t pick just one” of the white papers, and left the room to have the attendees coordinate their efforts on their own. According to one witness in attendance:

The RFI basically said, we (DoD) want to do this CMMC thing but don’t know what to do or where to start. 41 entities provided white papers in response to the RFI. At the Industry Day there were a few hundred people in attendance and another few hundred watching via live streaming; Arrington and Fahey were there. Katie walked through the major issues driving the need for CMMC and then asked industry to solve the problem. Dropped the mic and walked out. We all sat there in shock for a minute and then slowly started to self-organize.

One industry attendee called the event, which required competitors and old industry enemies to suddenly work together for an uncertain purpose, a “meat grinder inside a blender.”

Meetings with ANAB

On Sept. 4, Oxebridge founder Christopher Paris wrote to ANAB urging it to nevertheless investigate the use of its white paper and “step up” to ensure the CMMC-AB did not become a massive “certification/accreditation mill” without oversight. ANAB did not reply. Since then, Paris has reversed his position, citing concerns over ANAB’s own conflicts of interest and links with foreign powers. Paris followed up with an Opinion Paper on how the CMMC-AB can comply with ISO 17011 and ensure proper independent oversight through the use of an Ombudsman role. That paper was welcomed by the CMMC-AB, which is reportedly adopting portions of the suggestions.

After Schieber’s departure on Sept. 11, the relationship between Arrington and the CMMC-AB became strained, and was described as “hostile” by one industry insider.

Five days later, on Sept. 16, Arrington’s office contacted the International Organization for Standardization (ISO) for information on the ISO 17011 accreditation standard. ISO referred Arrington to ANSI, the US national ISO member. ANSI then put Arrington in touch with Figueiredo. It is not clear if ANSI alerted Arrington that it owns ANAB.

Two days later, on Sept. 18, the CMMC Project Management Office, led by Bostjanick, arranged a teleconference with key CMMC-AB Board Members and Figueiredo, along with Mary Saunders of ANSI. Arrington was reportedly on the call as well.

The purpose of the meeting was reported to be related to “restructuring” roles and responsibilities of the CMMC-AB, as well as compliance with ISO 17011.

During that meeting, Figueiredo was presented to the Board only as the “ISO/CASCO Chair,” a reference to a position he currently holds as a volunteer within ISO. He was not referenced by his official ANAB title. Figueiredo’s status as a foreign national does not seem to have come up as an issue of concern for any of the attendees, despite the fact that he was being consulted on matters pertaining to the US cybersecurity footing.

A source reported that after the meeting, Figueiredo made additional contacts with the intent of embedding ANAB into the accreditation conversation. Roger Muse, the VP of Business Development for ANAB, had confirmed as recently as late September that his organization was seeking to take on the role of a CMMC accreditation body, whether working under the Accreditation Board or as its replacement.

The meeting was seen by some as an attempt by Arrington to show the CMMC-AB that she was not above going to a third party.

MOU to SOW

Arrington is attempting to extricate the DoD from the MOU, and force the CMMC-AB to sign a Statement of Work (SOW) attached to a controversial no-bid contract.

Oxebridge previously reported on problems in the MOU’s requirements, which include “impossible contract” requirements that cancel each other out. For example, the MOU requires the CMMC-AB to pursue ISO 17011 accreditation, but then directs the body to certify persons as well as accredit C3PAOs; ISO 17011 prohibits that arrangement as an insurmountable conflict of interest.

Oxebridge obtained an April draft of the SOW, which still retained many of the contradictory clauses from the MOU. The SOW reportedly underwent 66 edits, many made personally by Schieber without the Board’s review. It is not clear what the SOW currently contains, and Oxebridge has not obtained a copy of the latest draft.

Nevertheless, Arrington has now notified the AB that it must sign the latest draft of the SOW or it will be disbanded entirely, allowing the DoD to pursue a replacement, most likely ANAB.

That move was branded by sources as a “vendetta” by Arrington, in response to the ousting of Schieber and the AB’s attempt to assert its independence per the MOU.

Chinese Oversight of US Cybersecurity

Arrington and the DoD appear to have failed to fully vet ANAB, however, and their lack of understanding of the ISO accreditation standards and international accreditation hierarchy would doom any handover to ANAB — or A2LA — before it began.

ANAB currently accredits certification bodies that issue certificates to ISO standards such as ISO 9001, the world’s most famous quality system standard. Such certification bodies are audited by ANAB against ISO 17021, the standard for bodies that audit and certify management systems. This is to ensure the certificates are issued under a process free from conflicts of interest, bribery, corruption or other irregularities.

At the same time, ANAB itself must comply with ISO 17011, a similar international standard aimed at governing accreditation bodies. Under that scheme, ANAB is not audited by any single oversight body, but instead undergoes “peer audits” by other international accreditation bodies, such as Germany’s DAkkS or Brazil’s INMETRO. Those audits aim to ensure ANAB itself is complying with ISO 17011, and operating free of conflicts of interest. The peer review process is then managed by way of ANAB’s signatory membership in an organization called the International Accreditation Forum (IAF), which is tasked with overseeing such accreditation bodies.

Both ANAB and A2LA are IAF signatory members, having signed the IAF Multilateral Agreement (MLA). That MLA requires ANAB and A2LA to undergo the IAF peer audits to confirm ISO 17011 compliance.

IAF’s Xiao Jianhua with former ANAB VP Randy Dougherty in 2016. Source: http://ukaschina.com/html/news/44.html

Problematic for ANAB, however, is that the current IAF President is Xiao Jianhua, the CEO of China’s official accreditation body, CNAS. China has made great efforts in the past ten years to have Chinese executives and government officials placed into key international organizations such as ISO, UNIDO and the IAF. These officials are then primarily sworn to uphold the directives of the Chinese Communist Party, with the concerns of their various organizations being secondary or tertiary.

Furthermore, the IAF operates through a network of six Regional Accreditation Groups (RAGs), each assigned to a geographical region of the world. These RAGs oversee the ISO 17011 peer review process for ANAB, A2LA and other bodies. For its US activities, ANAB would fall under the Inter American Accreditation Cooperation (IAAC) which is currently operated out of Mexico, not the United States. For any activities in Asia, Australia or the Middle East, ANAB would fall under the Asian Pacific Accreditation Cooperation (APAC), for which another Chinese official – Yang Zhe of CNAS – is the Director of Quality.

Finally, the IAF itself, while registered in Delaware, is ostensibly managed by a single Canadian private consultant, Elva Nilsen. Nilsen acts as the primary executive manager of the IAF, answering all queries and emails and conducting nearly all of the IAF’s business, according to its annual tax filings. Nilsen collects approximately half of the IAF’s annual earnings through her consulting company, EJN Consulting. The IAF tax filings, submitted annually to the IRS, list Xiao as “Director.”

Xiao has been a longtime fixture in the IAF scheme, for almost two decades. In 2006, Xiao was personally tasked with overseeing the Joint Working Group for the training of peer evaluators later used to audit ANAB and other IAF MLA signatory bodies. At that time, Xiao was also Chairman of the IAF MLA Committee, responsible for crafting the IAF multilateral agreement itself.

Prior to taking over as IAF President in 2015, Xiao held the position of Vice President, alongside the former ANAB VP, Randy Dougherty. A 2015 presentation included a slide representing the IAF “leadership” comprised of Dougherty, Xiao and Nilsen.

The ASQ logo appears on the slide because ANAB was previously co-owned by the American Society for Quality. A Senior Fellow of that society, American Jack Pompeo, held the position of VP of Global Quality at Huawei, and was heralded by ASQ for his role in helping bring American ingenuity to the Chinese telecom company. President Trump has since banned Huawei products, claiming they include technology to spy on the US. Katie Arrington praised the ban.

The inclusion of Chinese officials in an accreditation scheme governing the cybersecurity footing of the nation’s Defense Industrial Base would mean Arrington’s move would likely be thrown out by the Under Secretary or a higher DoD authority as a significant risk to national security.

Illustration of what the CMMC hierarchy would appear like under an IAF-managed ISO 17011 accreditation scheme.

Real World Impact

This IAF hierarchy, with China currently sitting at the top of the pyramid, is not merely bad optics, but would have practical implications for the CMMC accreditation scheme. Under the IAF MLA and the ISO accreditation standards, a DIB organization could file complaints against C3PAO or ANAB auditors for perceived violations or inappropriate activities, such as the solicitation of bribes. Any appeal of such complaints would be escalated through the hierarchy to the RAG and, eventually, the IAF itself. This means that Mexico, China, Canada and other foreign powers would eventually rule on matters affecting ANAB under the CMMC scheme.

This has already occurred. As part of its international ISO Whistleblower program, Oxebridge often files or elevates complaints and appeals to both ANAB and the IAF. During the routine email exchanges with IAF, Nilsen has often cc’d communications regarding the complaints to Xiao directly. The example below comes from an email sent by Nilsen in June, acknowledging a complaint against a different IAF member accreditation body, and shows Xiao was copied on the communique.

Issues related to ANAB or IAF activities subject to APAC oversight were similarly cc’d to Yang Zhe of CNAS.

In both cases, the officials were emailed directly to their “.cn” official Chinese email addresses.

The routine peer audits that ANAB must undergo to prove ISO 17011 compliance also present problems for US security. Those audits are conducted by a rotating set of accreditation bodies from other nations. During such audits, the representatives of those international bodies would have access to ANAB’s audit files, potentially allowing them to see information related to the DoD’s CMMC program and the certified organizations. Such peer reviewers would specifically have to examine ANAB’s audit reports of C3PAOs and their CMMC-certified clients. The audit reports include “nonconformities,” which under the CMMC scheme would represent highly confidential lapses in cybersecurity controls by each DIB company, potentially exposing US weaknesses to foreign powers.

The only way either ANAB or A2LA could avoid such conflicts would be to operate the CMMC program outside of their ISO 17011 accreditation scope, which would negate the benefit of having them provide the service in the first place. Only through their status as IAF MLA signatory bodies can either group claim ISO 17011 compliance.

ANAB’s Troubled History

The selection of ANAB is problematic for reasons beyond its relationship with its Chinese counterparts. The organization has a long history of abdicating its responsibilities under ISO 17011, in order to support the certification bodies under its banner, even in cases of extreme violations. Over 15 years, Oxebridge has filed a number of complaints with ANAB, only to have ANAB repeatedly side with the certification bodies despite whatever evidence is presented.

ANAB President Keith Greenaway is the son of Skip Greenaway, the president of the certification body EAGLE Registrations, which ANAB then accredits.

In one Whistleblower investigation, it was discovered that the international ISO registrar BSI had established nonconformity “quotas,” measuring auditor performance by how many negative findings they wrote for audit clients. Internal BSI memos showed senior executives openly tying the issuance of client “nonconformities” to the company’s financial health, in gross violation of ISO 17021, which requires that audit decisions be based on evidence and not on financial pressure. Despite the documentary evidence, ANAB ruled in BSI’s favor and rejected the complaint. It is estimated that BSI may account for up to 10% of ANAB’s annual revenue, meaning that ANAB has little incentive to enforce the rules, lest BSI switch its accreditation to an ANAB competitor.

If ANAB were to allow similar conflicts of interest to fester in the CMMC scheme, DIB companies could find themselves being “written up” purely for the financial gain of a corrupt C3PAO.

That case was the tip of the iceberg, as the ANAB accreditation logo appears on certificates issued to companies that have been involved in major product recalls, medical device adulteration, and deadly disasters:

  • In 2008, FLIR Surveillance, a company certified to the aerospace standard AS9100 by an ANAB accredited body, was fined $30M for ITAR violations, and ANAB took no action.
  • In 2017, the company Seiler Instrument & Manufacturing was fined $1.5M for use of Chinese components in parts made under the Buy American Act, even as the company was certified to ISO 9001 by an ANAB-accredited registrar.
  • In 2018, Panasonic Avionics paid $137M to the SEC and the DOJ to “resolve Foreign Corrupt Practices Act violations,” and yet was certified to AS9100 under an ANAB accreditation logo.
  • In 2019, Perceptics faced full debarment from all US federal contracts following a massive cyber attack that exposed company records, and was accused of “lack of business honesty or integrity.” The company held certification from an ANAB-accredited registrar.
  • ANAB had accredited the certificates issued to the Takata plants responsible for defective airbags which resulted in the largest automotive recall in history, and which led to the resignations of senior Toyota and automotive executives.

ANAB took no action in any of these cases, and where the companies survived the scandal, they retained their various ISO certifications even after the problems were widely reported.

Likewise, the IAF has denied any accountability and refused to take action. To date, Oxebridge is tracking over 100 scandals or disasters affecting IAF MLA signatory bodies. Over 1700 people have died from defects or damages in just the tracked cases alone.

A2LA has suffered from similar problems. Despite ISO 17011 explicitly prohibiting consulting by an accreditation body, A2LA created a spinoff organization called “A2LA Workplace Training.” A2LA executives denied the two companies were related, despite A2LA having previously issued a public press release declaring Workplace Training “an A2LA company,” and featuring the A2LA logo. The deal was reportedly approved by APAC, and was ignored by IAF.

Repeat Controversies for Arrington

Even without the latest ANAB/China misstep, Arrington was on the defensive. Sources insist that the requirements for the CISO position were “dumbed down” to allow Arrington, who has no degree, to apply. The official USAJobs posting for Arrington’s CISO position was written to include the statement “there is no education requirement for this position.” Meanwhile, nearly identical postings published recently by the Department of Energy, the Public Company Accounting Oversight Board and other government agencies all require a Bachelor’s degree at a minimum for a CISO position.

Coming off a failed Congressional bid in South Carolina despite an endorsement from Donald Trump, Arrington was brought on by Fahey to serve as a “Highly Qualified Expert” (HQE) for the OUSD(A&S). Arrington took over DIB work from John Garstka, a highly respected cybersecurity expert with a Master’s degree from Stanford.

HQE positions are typically granted on a temporary basis, and Arrington was given a 5-year post related to the DIB and CMMC work. At some point, however, Fahey and Arrington opted to create a permanent role for Arrington under the Senior Executive Service (SES) program. As a result, the CISO position was created and put out for “competitive selection.” Under rules established by the Office of Personnel Management (OPM), SES positions must cast a wide net for candidates, who are then reviewed via a selection matrix and hired from a pool of candidates pared down by the Executive Resources Board. The DoD claimed Arrington won the selection process from a pool of alternate candidates, but many within the industry dispute that, citing the degree of coincidence required.

Since taking the job, Arrington has enrolled at Walden University for a degree in Political Science, according to her LinkedIn page. It is not clear how she is studying for a degree while performing her CISO work.

The bungling of the review of ANAB’s ties to the China National Accreditation Service for Conformity Assessment (CNAS) stands in stark contradiction to Arrington’s prior anti-Chinese statements, in which she praised President Trump’s Huawei ban and repeatedly warned of Chinese incursions into the nation’s security systems.

Arrington is expected to win her bluff, as the interim CMMC-AB Chair, Karlton Johnson, has signaled his intent to sign the new SOW in order to save the CMMC-AB from being replaced.


CORRECTION: The article originally indicated the DOD formed the AB “immediately” after the Industry Day. In fact, the AB was formed after a few months of work by select attendees of the event.
