Multiple probes into Dr. Greg McVerry, an Associate Professor with Southern Connecticut State University, are moving forward after a set of formal complaints were filed by Oxebridge. The issues were being processed in confidence for months, but were recently made public when one of the complaints was leaked on Reddit, either by McVerry or someone who obtained the filing from him.

McVerry has emerged as an outspoken promoter of CMMC, the cybersecurity certification program currently under review at the Dept. of Defense. Primarily through social media, McVerry has become an industry gadfly who routinely praises key CMMC leaders, while attacking critics or skeptics.

McVerry originally engaged in a series of conversations with Oxebridge founder Christopher Paris in which he admitted to multiple problems with the CMMC program and its managers. He raged against CMMC-AB Board member Ben Tchoubineh after the AB awarded a contract for curriculum development to Southern Connecticut University, rather than to McVerry himself, saying he was “screwed by ethics.” McVerry also claimed Tchoubineh admitted he had his own company ready to do CMMC training.

After claiming he was “screwed by ethics,” McVerry later claimed he was teaching ethics at SCSU, and has written about “CMMC and Ethics” for his blog.

Despite being a public supporter of the CMMC-AB, in private McVerry railed against the organization, largely because of his inability to personally profit from the scheme:

At one point, McVerry admitted he did not confront the DoD’s CMMC lead, Katie Arrington, because his company does “10 million [dollars] a year in DIA/DOD work.”

Multiple CMMC Revenue Streams

While publicly claiming to be an unpaid “volunteer,” McVerry actually collects at least three separate streams of income from his CMMC work. At SCSU, he gives formal classes on CMMC. His public reported salary was over $58,000 per year in 2018. Whereas a prior version of the SCSU listed McVerry as a member of its CMMC “Learning Team,” the most current version removes McVerry’s information entirely. McVerry is currently in the process to obtain a full Professorship at SCSU.

At the same time, McVerry holds the title of “Chief Learning Officer” for cybersecurity firm Data Intelligence Technologies (DIT), which offers CMMC consulting. It is this company that does the work with DoD generating at least $10M per year.

Finally, McVerry also sells “CUI” sticker packs through his blog page, which can be used to satisfy some CMMC requirements to identify controlled unclassified information.

The financial arrangements — which McVerry does not disclose in his public posts — raise ethics questions related to Connecticut State rules which limit conflicts of interest for State employees. Specific to University professors, additional limitations are imposed on “side work” which can be done by professors, especially when “consulting” on subjects for which they teach.

Despite his involvement in CMMC, McVerry is not a cybersecurity expert, but instead a professor of Education who holds a Ph.D. in Educational Psychology.

Oxebridge has submitted filings with the Connecticut State Board of Regents and state ethics board, asking the bodies to investigate whether McVerry is “double-dipping” by pulling a state salary for his CMMC classes at the same time as being paid by DIT for his time in giving them.

McVerry denied any impropriety, claiming his State salary is public information, but did not address his private streams of CMMC-related income.

In November of 2020, DIT published a press release announcing it had partnered with SCCU on “developing a three-credit elective course that incorporated taking certified CMMC courses from CMMC-AB certified instructors into Southern’s Master’s program.” The press release referred to McVerry only as an SCSU professor, and did not mention his role as a Chief Executive in the company.

Shift in Tone

At some point, McVerry’s behavior with Paris changed, and he launched into a series of increasingly unhinged attacks.  McVerry repeatedly injected himself into threads posted by Paris, and engaged in vicious ad hominem attacks. These included jokes questioning Paris’ mental health, and then progressed to falsely accusing Paris of lying. He approached Paris for permission to use his name in a joke suggesting Paris was a drug user.

Eventually, McVerry latched onto Paris’ co-residence in Peru as an attack vector, and repeatedly claimed Paris was “hiding” in Peru, presumably to escape some unnamed crime. Despite multiple warnings, McVerry’s behavior declined until he was attacking the country of Peru and Peruvians in general.

Click to enlarge.

At one point, McVerry tried to argue that simple machine shops would have to implement CMMC because “5-axle” CNC machines were required to have their ovens subject to “continuous temp[erature] monitoring” per some unspecified, new “ISO requirements.” In that exchange, McVerry — whose role as a University professor grants him heightened free speech protections — argued that Paris should not be allowed to comment on CMMC unless he had US residency.

The posts by McVerry were also troubling as they showed him to have no understanding of quality management, despite positioning himself as an expert.  CNC machines are “5-axis” and do not have ovens in them that require temperature monitoring. McVerry consistently referred to a “quality management system” (QMS) as “QMP.” When asked to provide the “ISO requirements,” McVerry instead launched into a series of attacks against Peru. He never provided any citations of any such ISO requirements.

In reality, no such ISO standards exist. The exchange, made on LinkedIn, showed just how far promoters will go to sell CMMC to potential customers.

After Paris branded the rants as “racist,” McVerry claimed he couldn’t be racist because he had read a book on racism by author Imbram X. Kendi, and had once seen a Peruvian dance at an SCSU cultural event.

Complaints Filed with SCSU

Oxebridge then filed a complaint with the SCSU Diversity Equity and Inclusion office for McVerry’s conduct, citing University rules against bullying, harassment and racist statements made while invoking one’s University role.

After a formal review, the Diversity office determined the complaint had merit enough to recommend it be escalated to SCSU Human Resources and their legal team “to determine suitable further action.”

Without waiting for a resolution, however, a copy of the complaint then appeared on Reddit, falsely framing the situation as McVerry being reported for merely “interacting online for help with CMMC/DFARS.” The post made no mention of the core elements of the complaint related to bullying and racist attacks against Peruvians.

McVerry was the only person, other than University officials, to have received the complaint.

Advertisements

Surviving ISO 9001 Book