If you pay the slightest bit of attention, you will see that the CMMC scheme is proving to be as much of a fake sham as so many had predicted. One clear indicator: everyone who gets audited gets a “perfect score.” This should raise alarm bells like mad.

I work with ISO 17024, the standard for bodies that certify persons. During implementations of that standard, I have to advise my clients on how to ensure their testing methods are fair, based on known methods and standards for testing, and have statistically valid outcomes. When a testing scheme results in an unusually high pass rate, it is a clear indicator that the testing method is deficient. Across a sample set of students, there will be a relatively predictable range of results, from pass to fail, with all sorts of grades in the middle.

Scammers love high-pass-rate certification schemes. Remember serial plagiarist and criminal scofflaw Alex Dali of the risk management group G31000? When he wasn’t posing as a woman online to catfish men into his fake certification scheme, or plagiarizing his alleged academic papers, or publicly posting the test results of a student who filed a billing dispute, Dali was boasting about the insanely high pass rate for his fake G31000 certifications.

Then there are the Turkish criminal scammers Erkan Sutculer and Yuliz Obergfell of Skillfront (among various other pop-up scam companies they create on the fly). These charlatans not only assure 100% pass rate for their fake credential programs (like an overnight MBA), they even issued an “Accredited Professional Certification” diploma to a dog named after a Pokemon.

The CMMC scheme wouldn’t be a proper grift scam if it didn’t have characters like Dali and Obergfell in its ranks, too. So, meet Jack Koziol of the Information Security Institute. After a grueling report by Attrition.org, Koziol admitted to plagiarism and should have been tossed out of the profession. But, no, he was instead rewarded with a plum seat at the CMMC table and now sells official “Certified CMMC Professional” (CCP) credentials. Unable to quell the raging scammer inside him, he then marketed ISI’s CCP course with language promising you would be “guaranteed” to pass your exam and boasted a “93% pass rate.”

Despite the scandal coming to light back in 2021, The Cyber AB’s sister organization, CAICO, continues to allow ISI to sell its wares within the official CMMC ecosystem. “Infosec Institute” remains in good standing on the Cyber AB’s Marketplace listing. So much for the CMMC Code of Professional Conduct.

Back in 2016 — almost a decade ago! — I decried the growing problem within the ISO 9001 certification scheme. Back then I wrote:

In the early days, and by this I mean the late 90’s and early 2000’s, it was uncommon enough for a client to pass an ISO 9001 or AS9100 audit with “zero nonconformities” that the accomplishment came with some bragging rights. At the same time, it was rare for clients to “fail” their audit entirely, but it did happen, so it was something to worry about.

Oh, how naive we were. You see, now everyone passes. In fact, everyone passes every audit, every time, with every CB, and with every CB auditor. Nobody fails anymore…

The problem continues to this day, and companies are lucky to walk out of an ISO 9001 audit with one or two minor nonconformities. Even those are like rare unicorns, as auditors are under pressure to pass their clients so the parent CB can keep that client contracted with them. A CB that threatens to strip a company of its certification can expect to lose that client.

However, ISO 9001 was released in 1987, and I wrote that in 2016. That’s a difference of — (checks calculator, because I went to LIU) — 29 years. So the “everyone passes” phenomenon took quite a while to bubble up to the mainstream within the ISO 9001 certification scheme.

CMMC is barely a few months old, and the problem has already surfaced. Look at these recent press releases, where every single company claims to have achieved a “perfect” CMMC score of 110:

  1. NeoSystems Achieves Perfect Score for CMMC Level 2 Certification
  2. Cape Fox Corporation Achieves Level 2 CMMC Certification from the Department of Defense With a Perfect Score
  3. ATI Earns Perfect Score in JSVA, Secures CMMC Certification
  4. CyberSheath and Chenega Corporation Achieve Perfect Score on JSVA Validation
  5. ManTech Logs Perfect Score in CMMC 2.0 Assessment
  6. Alutiiq, LLC Achieves Perfect Score of 110 on the CMMC’s JSVAP Utilizing Cyturus Compliance and Risk Tracker
  7. Xometry Becomes One Of The First Companies To Achieve Cybersecurity Maturity Model Certification (CMMC Level 2) For Meeting Rigorous Cybersecurity Standards
  8. MAD Security achieves CMMC Level 2 Certification, setting standard for cybersecurity and compliance excellence
  9. Microsoft Federal Successfully Completes Voluntary CMMC Assessment
  10. Another Defense Contractor Achieves Perfect Score in JSVA (exact company is not named)
  11. SSE Achieves Perfect Score On JSVA for CMMC Level 2 Certification
  12. Kloud9 Among the First Managed Service Providers in the World to Earn Prestigious CMMC Certification
  13. REI Systems Passes CMMC Level 2 C3PAO Assessment (report says REI met “all the security practices required for a CMMC Level 2”)
  14. Leading Cybersecurity Provider Sentar Achieves CMMC Level 2 Certification
  15. System High Earns CMMC Level 2 Certification
  16. APS Global, LLC Guides Seventh Sense Consulting to Perfect 110 Score on their C3PAO CMMC Assessment in Record Time
  17. Arcfield Receives Formal CMMC Level 2 Certification

Again, alarm bells should be ringing. But CMMC is a cult and a grift, so the two groups most affected by it are unlikely to admit this. Dupes are not willing to acknowledge they’ve been grifted, so they are not going to say anything, and the cultists have tied so much of their personal reputation and emotional energy into CMMC that they couldn’t admit it was defective if they discovered CMMC caused baby brain cancer.

What’s next? Well, as these companies get the shit hacked out of them, it will be fun to see the assessment bodies like Redspin … well, “spin” the news so they avoid any accountability.

But, as I have been saying for years now, the CMMC scheme is a scam. It will weaken national defense, not strengthen it, while bankrupting honest companies who should never have been caught up in this grift in the first place.

UPDATE 4 April 2025: added more press releases to the list above. The PreVeil one is hilarious, in that they provide a “case study” about a company that passed with a perfect score, but they won’t name the company. Whenever I see these totally-unverifiable “case studies,” I call bullshit.

UPDATE 11 April 2025: Added the press release from Kloud9, where they brag about their CMMC being awarded to them in “only a day and a half.” It was awarded by James Goepel, who you may know as a former CMMC Accreditation Body Board Member. Sure, no conflicts of interest there. And who cares about audit duration?

UPDATE 1 May 2025: Added additional press releases of companies announcing perfect CMMC scores.

UPDATE 23 May 2025: Added additional press releases of companies announcing perfect CMMC scores.
