The world’s “first” certification issued under the Dept. of Defense’s CMMC cybersecurity program was apparently the product of pre-existing conflicts of interest that the scheme’s governing body, the CyberAB, failed to rein in.
Aero-Glen International has announced it received the first CMMC certification under the program’s “voluntary assessment” scheme. The voluntary scheme is a stop-gap measure put into place by the CyberAB — formerly known as the CMMC Accreditation Body — which is still awaiting formal US rulemaking to make “CMMC 2.0” an official, and recognized, certification scheme.
Aero-Glen utilized the consulting services of DTC Global, a company operated by Regan Edens, a former CyberAB Board member. Edens had been consistently criticized for selling CMMC consulting services and products while holding his Board seat, in apparent violation of the CyberAB’s policy on conflicts of interest. Despite this, the CyberAB refused to take action against Edens, or any of the other Board members who were found selling CMMC services while acting for the CyberAB.
Edens was forced off the AB only after he publicly attacked a member of the CyberAB’s own Industry Advisory Council, Jake Williams, who had called out Edens on his conflicts of interest. Edens posted a public personal attack, savaging Williams, while invoking his service in Afghanistan. Oxebridge called for Edens to be removed from the AB after the post, and he was forced to resign a day later.
But the CyberAB’s move to oust Edens was motivated not by his conflicts of interest, but by his public behavior on social media. The CyberAB has continued to allow its Board members to sell consulting products and services, and ignore the group’s impartiality rules.
Edens has not toned down his posture, and continues to use hypermasculine, militaristic rhetoric to appear “tough” on issues. He was recently seen during a CMMC webinar in what appears to be a bedroom affixed with medieval weapons and a samurai sword on the walls and door, with a sign reading “FAILURE IS NOT AN OPTION.” The image also appears to show a non-ITAR visitor badge, which is typically surrendered by the visitor and not retained.
Edens had repeatedly claimed that CMMC assessors would be required to audit the personal residences of all work-from-home employees of companies seeking CMMC certification. Dalton supported that position, but the DoD pushed back. The rule was never upheld and appears nowhere in any of the official CMMC assessment practices documents to date. Mandatory “employee home assessments” would have triggered a legal battle on the grounds of the Fourth Amendment of the US Constitution.
The Aero-Glen certification shows just how infected the scheme is with such conflicts. The assessment was carried out by the official CMMC certification body (called a “C3PAO”), Redspin. Redspin was the first C3PAO approved by the CyberAB, and was approved while Edens held his Board seat.
Edens then participated in at least one public CMMC event marketing Redspin’s services, while boasting of Edens’ role as “CMMC-AB Board Director.”
From a practical perspective, this means that Redspin may have been unlikely to deny Aero-Glen a CMMC rating, given that Aero-Glen had used the services of a Board member to whom Redspin owes its official C3PAO status.
The voluntary assessments are supposed to be overseen by assessors from the Defense Department’s DIBCAC program. It is not clear why DIBCAC failed to identify the Edens conflicts during the Aero-Glen assessment, and allowed the assessment to proceed.
Redspin itself was identified as one of the many official C3PAOs that were found selling CMMC consulting. Redspin sells CMMC documentation and “remediation support,” and then markets those services directly alongside its CMMC assessment services, on the very same webpage.
Weak Oversight Rules Benefit their Authors
The CyberAB has published a draft CMMC Assessment Plan (CAP) document which, while waiting for the final approval to conduct formal CMMC 2.0 assessments, is being used to manage the voluntary assessments. The CAP rules require that conflicts of interest be identified at multiple stages during initial assessment planning and that they be mitigated. But the CyberAB wrote the rules to emphasize conflicts between the client and the individual assessors, leaving out any potential conflicts between the client and the AB itself. While a general reading of the rules could be interpreted to include AB-generated conflicts of interest, it is not explicit.
This means that CyberAB Board members are free to use their positions to market their CMMC consulting services, sell those services to any client in the world, and potentially ensure their clients get favorable treatment from C3PAOs, who ultimately owe their status to the AB itself.
Despite warnings dating back to 2020 on conflicts of interest within the CyberAB, the body has simply refused to enforce its conflict of interest rules, which allow banning a party who violates them from participating at all in the “CMMC ecosystem.” Had the AB exercised its rules, Edens would have been forced to shut down DTC’s consulting work when he was working for the Board, and likely during a cooling-off period thereafter. By failing to enforce its rules, the CyberAB now sees the very first CMMC-certified company being a product of Edens’ conflicts of interest.
In reality, those rules would have been hard to enforce without legally binding non-compete or other agreements for each Board member, which the AB appears not to have.
CAICO Conflicts Emerge
Oxebridge has warned the CyberAB of additional conflicts which it appears to be willfully ignoring. This includes the spinoff of training and credentialing services to a “wholly owned subsidiary” known as CAICO. The DoD’s contract with the AB requires it to operate under ISO 17011, the standard for accreditation bodies, and that standard prohibits the AB from having such relationships with organizations under shared management, shared finances, and shared marketing. Nevertheless, the AB has recently published materials showing not only that it continues to market credentialing on behalf of CAICO, but also that any fees paid for CAICO credentials will be paid directly to the CyberAB itself.
The CyberAB put its own Board member, Melanie Kyle-Gingrich, in charge of CAICO. It has defended the move by saying it is an “interim” position, awaiting the assignment of the role to a fully independent executive.
The prior DoD contract demanded that the AB itself accredit CAICO, but the AB did not want to pursue that angle. Oxebridge has now learned that a contract mod with the DoD was implemented, outside of the public’s view, in which the DoD approved the CAICO subsidiary arrangement.
CAICO will now undergo accreditation by a third-party body, injecting new conflicts of interest. That third party will have ties to China and Mexico, under the IAF scheme, meaning that problems with CAICO or the AB will eventually be adjudicated by foreign actors, many of whom have an interest in weakening the US’ cybersecurity footing. Both the DoD and the AB were warned not to pursue the IAF connections, but have persisted nonetheless.
The CyberAB has heavily relied on advice from current Board Chair Jeff Dalton, who himself has engaged in conflicts of interest by selling CMMC consulting services while acting on the Board. Dalton has claimed to be an ISO expert, and internal sources report that he has insisted the conflicts of interest issues are overblown. The CyberAB CEO, Matt Travis, reports to Dalton and the Board, and appears unable to correct the AB’s course.
The conflicts all but ensure that the CyberAB, and possibly the various C3PAOs, will be awash with lawsuits once the final CMMC certification scheme is launched. Competitors to firms like Aero-Glen are likely to claim that the AB’s conflicts of interest resulted in phony CMMC ratings being granted, costing them the ability to bid on multi-million-dollar contracts because of favoritism and rampant corruption.
Under the voluntary program, the rules are laxer, so arguments over the Edens conflicts can be made with some validity. However, the CyberAB plans to automatically transfer a CMMC level 2 rating issued during a voluntary assessment to an official rating once the final rulemaking is complete. This will put companies like Aero-Glen under the spotlight despite their rating having been issued during the voluntary assessment period.