The CMMC Accreditation Body (CMMC-AB) has ignored all input on how it can maintain the impartiality and objectivity required of an accreditation body, and rolled out its controversial “Registered Practitioner” personnel certification program anyway. It’s a wholly unforced error that further damages the AB’s integrity and reputation.
Recall that the CMMC-AB was formed under US Dept. of Defense mandate with the intent of accrediting and overseeing “CMMC Third Party Assessment Organizations,” or “C3PAOs.” These organizations will act as certification bodies for the Cybersecurity Maturity Model Certification program, auditing companies and issuing their results in the form of official CMMC certifications. To ensure the C3PAO activities are not viewed as a “diploma mill” scam, these companies are then required to become accredited by the CMMC-AB. That role is literally embedded in the name of the CMMC-AB.
This is not trivial. The CMMC-AB will “audit” potential C3PAOs and then only grant official C3PAO status to those that comply with certain rules governing the CMMC scheme. This is to ensure that the C3PAOs themselves operate under the principles of objectivity and impartiality, and don’t grant CMMC certifications based on things like influence, bribes, cronyism, or conflicts of interest. Failure to ensure this invites full-on corruption.
The AB has never grasped this, and instead pursued a course of maximizing its revenue stream by offering all sorts of conflicted services. It has advertised for months its intent to launch as many as eight certification schemes, ignoring the conflicts of interest.
But why is the certification of persons a conflict of interest for an accreditation body?
If the role of the CMMC-AB is to audit the C3PAOs, we have to know that the CMMC-AB’s decisions (on granting or withholding accreditation) are, themselves, made objectively and impartially. The AB’s decisions also cannot be swayed by influence, bribes, cronyism or conflicts of interest. But by certifying the people working within the CMMC scheme, the CMMC-AB has surrendered this fight, and given in to conflicts of interest.
Say two potential C3PAOs submit applications to the CMMC-AB for official accreditation. Company A has staff members who have paid the CMMC-AB for its “Registered Practitioner” personnel certification. Company B, however, does not. If the AB grants Company A the accreditation, but not Company B, questions can be asked — in court, mind you — of whether the AB did so because Company A “paid to play.” Even if the AB did nothing wrong, it’s not a good look.
Now imagine a more likely scenario. Let’s say the CMMC-AB audits Company B and cites them with nonconformities; Company B will have to correct these nonconformities in order to attain C3PAO status and begin conducting assessments. If any of those nonconformities are related to the competence of its staff — and such nonconformities are common — then one possible “fix” for the nonconformity could be to pay the CMMC-AB additional money by having its staff obtain a personnel certification like RP (or one of the other various certifications the AB is cooking up.) Now you have a scheme whereby the CMMC-AB can generate additional revenue by issuing nonconformities, a gross and potentially illegal conflict of interest.
And you’re back to “pay to play.”
This is why ISO 17011 specifically prohibits accreditation bodies from offering simultaneous certification, especially that of personnel. The United States’ largest ISO accreditation body, ANAB, was forcibly split in 2005 for this very same conflict of interest. ANAB was forced to divest its personnel certification operations to an Australian company, and give up the practice entirely, after ANAB’s certified bodies claimed it was issuing nonconformities in order to drive revenue through its personnel certification program.
Initially, it was assumed that the CMMC-AB’s initial members, led by Ty Schieber, were simply clueless as to the accreditation rules. The invitation to have Ben Tchoubineh join the AB was another blunder; Tchoubineh’s day job was IT personnel training and certification through his company Phoenix Technology Solutions. Tchoubineh appears equally uninformed on accreditation (his company was not, itself, accredited to issue training certificates), and so he brought those same conflicts into the AB, organically. He now works for CyNtell, a firm offering cybersecurity consulting; awkward.
But since then, the AB has been informed of the conflicts, both in public and private. I personally provided the Board both a white paper on the conflicts, and then — at their request! — a detailed roadmap on how they can avoid these conflicts. That roadmap indicated that the CMMC-AB must, like ANAB before it, divest all personnel certification schemes in order to ensure their decisions on accrediting C3PAOs are made impartially and objectively. On September 23, CMMC-AB Board Member Jeff Dalton wrote to me that the group was “busy working on ISO 17011.”
So it’s frustrating to find out that the CMMC-AB has launched the RP program anyway. Posted today on LinkedIn was an announcement by CMMC consultant Amira Armond that she had received her RP “badge” from the CMMC-AB. The post is a perfect, condensed snapshot of the conflicts of interest created by the CMMC-AB. Armond lists her company as a “C3PAO Candidate” and herself as a “CMMC Registered Practitioner.” So if her company, Kieri Solutions, is awarded final C3PAO status, we cannot ever know if that decision was made wholly without subjectivity or influence, or because she is paying extra money to the CMMC-AB that others may not be. The CMMC-AB has polluted its award decisions before it has even made them.
This is willful, at this point. The AB was formally advised that this conflict cannot stand, and they pursued it anyway. The Board, led by Karlton Johnson and Yong Gon Chon, simply do not care if they project conflicts of interest, so long as they can generate revenue by charging people for their various certifications.
(The influence of Chon, who sits in “Acting Treasurer” capacity, is specifically troubling. Chon runs GroCyber, a firm that provides investment opportunities and capital for cybersecurity investors. By creating a cottage industry of certified people and companies, Chon stands to personally profit by having created a massive pool of investment opportunities for his GroCyber clients. It remains to be seen if this will simply sit as a major conflict of interest, or eventually evolve into something more problematic, like fraud.)
There’s no turning back from this now. It’s assumed Armond is the first RP, but not the last. The bulk of those talking about their RP application in public appear to be CMMC consultants who have also applied for C3PAO status, just like Armond. This injects even more conflicts of interest. CMMC consultants will not be allowed to simultaneously audit CMMC clients, or they will be auditing their own work. The CMMC-AB alleges they will prohibit this, but at this point there seems to be nothing about the AB we can trust.
The problem isn’t limited to the CMMC-AB’s RP program either. The AB is also certifying auditors, another thing which forced the split of ANAB in 2005. A few days ago, cybersecurity consultant Jason Vik of Vistrada announced his certification as a CMMC Provisional Assessor by immediately offering his consulting services.
When I challenged him, Vik angrily accused me of “trolling”, but explained that he would not provide consulting to his audit clients. Fair enough, but still furious, Vik then deleted my comment and his own explanation, leaving up the conflicted statement. In a private message, Vik then accused me of “harassing” him. If auditors like Vik are upset this early in the game, one can only imagine how their thin skins will manifest during an actual audit, when a client challenges them on one of their findings.
So the CMMC-AB is now an official personnel certification body. That means it cannot become an accreditation body — ever — and maintain compliance with international accreditation rules. It may pretend to do so anyway, but its decisions will be viewed as conflicted and invalid.
And that means the CMMC program overall cannot be trusted. This is a failure of national proportions.
UPDATE: Within minutes of posting, the CMMC-AB’s Acting Treasurer, Yong Gon Chon, responded with an angry and potentially defamatory reply on LinkedIn. Here it is in its entirety:
NEWS FLASH: Christopher Paris stands to personally profit from attention driven by articles written that contain partial truths and by demonstrating his ignorance on the differences between Certification and Registration. FACT: Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB) has not CERTIFIED anyone. If accepting registration fees from people who want to be part of a community and giving them a badge they can proudly display is wrong in your world, then perhaps your energy would be better spent fixing Webster’s Dictionary and ISO. The definition of libel is a published false statement that is damaging to a person’s reputation. The accusation that I stand to personally profit from being a CMMC-AB because I work with investors and cyber startups ignores the fact that all boards members sign a conflict of interest agreement. You can find our policy on our website. I stand to make no money from my role in the CMMC-AB. What i do stand to gain is satisfaction in helping advance cybersecurity which is my chosen career. I also stand to gain a sense of payback for being given the opportunity immigrate the US as a child and become a citizen through the grace of the US Army. Not something you can appreciate.
It’s worth pointing out that as Chon claims expertise in identifying “libel,” his post meets the legal definition. Whereas I am clearly indicating my article is “opinion,” he states his false accusation as a fact, declaring it a “NEWS FLASH.” This is why I win defamation suits. It’s also not a good look for the AB to attacking critics and whistleblowers while trying to claim moral superiority.
Full stop: I’m not “personally profiting” at all by this. It costs me money to report on CMMC.
Next, Chon imagines some difference between “certification” and “registration”, but it’s moot: if the AB is accepting money for credentialing people it then audits, and if that credential might be used as a means of clearing audit nonconformities, it’s a conflict of interest. Chon openly reveals that he cannot recognize a conflict of interest when it’s revealed to him, and thus has no business working in the accreditation market.
The last part, about Chon’s citizenship status, was not raised by me, but appears to an attempt to address concerns that a Chinese-born immigrant is heading up the country’s CMMC accreditation program, or that he might have Chinese family back home who could be leveraged against him. I had already done a background check on Chon and confirmed that his social security was issued in New York when he was a baby, and that he has full citizenship, so this is not an issue. I have no idea why he’s raising it, but I think that’s aimed at someone else.
UPDATE 2: The CMMC-AB has apparently also begun issuing “Registered Provider Organization” (RPO) badges to CMMC consultants, further increasing the conflicts of interest. This raises the question of whether companies who have hired RPOs will get favorable treatment by their C3PAOs and the CMMC-AB over those that have not.
One of the first organizations granted RPO status is Zartech.
UPDATE 3: 19 November 2020
Former CMMC-AB Board Member Jim Goepel has now come onto LinkedIn and joined in the attacks against me, aping the points made by Chon. He again seems to think there is a distinction between “registration” and “certification,” and therefore there is no violation. And he falsely accuses me of not having provided any solutions, and just griping.
So I brought receipts.
Goepel has now shuffled back to his den and gone silent.
But if the CMMC-AB wants to prepare a defense against the charges of conflicts of interest by claiming they are selling “registrations,” and not “certifications,” they’re going to have to go a bit further than gaslighting me, and instead gaslight the entire planet. From the CMMC-AB website as of this very minute:
UPDATE 22, 2020: As if intent on proving it is dedicating itself to conflicts of interest, the CMMC-AB is worsening its reaction to criticism. Joining current AB members Yong-Gon Chon and Jeff Dalton in their attacks, as well as former Board member Jim Goepel, now Provisional Assessor Tara Lemieux has opened a few salvos of her own.
Lemiuex is the recently certified Provisional Assessor who is falsely claiming she will be conducting 100% free CMMC audits “every damn day” in order to show her patriotism. Let’s be very clear; no one, including Lemiuex, will be performing CMMC appraisals for free. No one.
The fact that she made this claim while posting a photo of her hand on the American flag only makes it more nauseating.
Rather than defend her ludicrous claim, Lemiuex then blocked me on LinkedIn, and launched into a cowardly personal attack against me, where I can’t post to defend myself. Let’s unpack that:
A Provisional Auditor authorized by the CMMC Accreditation Board itself, and personally endorsed by Board member Dalton, is found potentially violating the Code of Conduct she signed only a few weeks ago, by attacking an industry whistleblower and reporter. This puts the AB in the unenviable position of having to rein in Lemiuex or face some awkward problems with the Dept. of Defense. Given the posts by Chon and Dalton, which appear to violate the Board’s own “Code of Ethics,” a pattern is forming.
It’s more troubling because Lemiuex, as an auditor, will have to sign nondisclosure and confidentiality agreements with clients. Yet her posts point to a disdain for adhering to things she signs.
Worse, if the AB’s auditors are this thin-skinned before audits have even begun, how will they react when clients push back against potentially bogus audit nonconformities? When they face formal complaints and escalations? Will they dox their critics online? Harass them? Defame them?
Everyone involved is going to need both corporate and personal attorneys at this rate.
Let’s hope saner minds in the AB prevail, and curtail this behavior now.
In the meantime, we are preparing the first of a set of formal complaints against the AB for other matters. I have requested the AB provide its official complaints procedure, as required by ISO 17011, but have not gotten an answer. If they don’t have one, that’s going to be … interesting.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.