As reported last week, the DoD finally addressed a Freedom of Information Act (FOIA) request sent to them back in 2021 to unmask their exclusive, no-bid contract with The Cyber AB (formerly the CMMC Accreditation Body.) The DoD had continued to refuse to reveal the contract, only relenting after I threatened to sue DoD with a FOIA lawsuit. Under Federal law, all government contracts are public documents, except for a few exceptions for which the CMMC contract did not come close to triggering.

The DoD has already modified that contract, so the release of the original contract now — some 2 1/2 years after the FOIA was filed (and after everyone involved has fled their jobs in scandal) — is somewhat moot. Now we start the process over again, trying to get the modified contract released under a new FOIA. But let’s be very clear: the DoD is violating the law by refusing to release this contract… again.

But now there’s an interesting wrinkle. A day after DoD released the original contract, I received an email from the DoD Inspector General’s office. DODIG claimed that the FOIA had been referred to them, prompting me to write to them to say that this made no sense, since the contract had already been released a day earlier. Why refer a FOIA that had already been concluded?

At which point, the DODIG called me personally to explain. Apparently, during the FOIA process managed by the CMMC office of DoD, they uncovered documents involved in the contract that were in the possession of the Inspector General’s office, and thus my FOIA split into two. The original request for the contract, was sent to Katie Arrington’s old office at DoD (now run by John Sherman and Stacy Bostjanick), and then another one was sent to DODIG.

Under FOIA rules, a department can only process documents that it actually has authority over, so they had to split some of my FOIA out to the DODIG. Makes sense.

So I told the DODIG to go ahead and process it, then, and see what comes up.

Just a few days later, the DODIG responded and closed the FOIA entirely, saying, “after reviewing the referred records, we determined that they are not responsive to your request. The [DODIG’s] records do not consist of the contract described in your request.

Which, again, is fine… it makes sense. I had literally asked for the “contract” and not much else.

Except for the fact that the DODIG accidentally raised a giant, fat red flag that Sherman and Bostjanick should be very, very worried about.

Time to Panic

The DODIG letter reveals two things.

First, as I said, that the DoD’s CMMC office should never have taken two-and-a-half years to process the original FOIA, since DODG was able to process theirs in just days. Sure, issuing a blanket rejection will be faster than issuing an actual document, but the difference between time periods is vast and stark. It only strengthens the argument that Arrington’s office — now Sherman’s — is/was intentionally blocking the release of the contract, in violation of Federal law, for some unknown reason.

They could explain that away by just claiming incompetence which, based on their history, is something we can all agree on. But DoD did themselves no favors by allowing Bostjanick to send me a series of official emails in which she tossed out a number of excuses as to why she wasn’t releasing the contract. Those emails not only show it was Bostjanick herself — by her own admission — was blocking access to the contract, and thus breaking the law, but also showed she didn’t really have a consistent reason for doing so. So she was either lying or blindingly stupid and had no idea what she was saying in the emails. I vote the latter, because I’ve seen her speak at events.

The second revelation is more damning. By admitting they had records related to the Cyber ABs contract, whether they released them or not, the DoD Inspector General accidentally admitted there is more to this mess than meets the eye.

The question becomes, then, what documents does the IG’s office have after all?

I’m in a unique position to guess, since I filed complaints with the IG and other agencies related to the CMMC program. One of these was related to Arrington’s refusal to investigate potential felony fraud by her friend, Ty Schieber, who appears to have lied on his “certs and reps” documentation when filing for a CAGE Code for the Accreditation Body. In order to get any government contract, a CAGE code is a preliminary requirement, and Schieber claimed at that time the CMMC-AB (again, now called “The Cyber AB”) was a non-profit at the time of the filing. In fact, the Cyber AB received its official non-profit status many years later, meaning it certainly looks like Schieber lied on his CAGE code certs and reps when he filed it.

Arrington was alerted to this and refused to investigate. Worse, she used her office to retaliate against me personally for filing the complaint in the first place, trashing me on social media, and having her lawyer threaten to sue Oxebridge over Twitter.

It’s worth reminding everyone that Schieber was Arrington’s boss at Dispersive Technologies, where she worked prior to taking on the role of DoD’s CMMC architect. The public was told that it was all just some crazy coincidence that out of a defense industrial base Arrington claimed was comprised of “300,000 companies,” her old boss (and donor to her congressional political campaign) just happened to end up being the boss of the AB that she ordered the creation of. Then, when potential fraud was reported, she blocked the investigation and publicly defamed and harassed the whistleblower.

So it’s likely the DODIG’s records on the CMMC-AB/CyberAB are related to that… but there may well be more. Either way, whatever those records have are likely damning, indeed, as they likely show someone (Arrington?) influencing key decisions related to the issuance of the final contract with the AB, over objections and without regard for the complaints and ethics violations reported.

Previously, the DODIG threw out a complaint filed by me against Arrington, for her harassment and whistleblower reprisal. In that response, the DODIG took a tortured (and likely entirely incorrect) interpretation that the DoD’s whistleblower reprisal rules are set up to protect government officials from reprisal from whistleblowers, not the other way around. (The argument was so ridiculous, and because Arrington had already quit her job, I didn’t even bother arguing with them over it.)

But all of that would come up if anyone poked further into the DODIG’s records on the contract. And more, considering others have filed complaints against the CMMC scheme and The Cyber AB’s exclusive contract. We can’t know for sure what DODIG has, nor how they rules, but they just admitted they do have something.

Which should be, as I said, very worrisome for Sherman and Bostjanick, as they continue to forge ahead pretending that CMMC is on track, and there’s nothing to see related to the Cyber AB’s ongoing ethical violations and alleged fraud.

So I’ll file the next set of FOIAs, yes, to unmask the DoCD’s modified contract with the CyberAB and, now, with the DODIG to find out what other documents they are sitting on related to this contract. But this will take years.

Fortunately, CMMC continues to be effectively stalled, so we have the time.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.


ISO 45001 Implementation