A formal complaint has been filed with the CMMC Accreditation Body (CMMC-AB) alleging violations of the Americans with Disabilities Act (ADA) related to its various training programs.
The complaint comes after a whistleblower submitted the issue for review through Oxebridge’s ISO Whistleblower Program. That program was expanded in August of 2020 to allow CMMC interested parties and stakeholders to file complaints related to the Cybersecurity Maturity Model Certification scheme.
The complaint alleges that the CMMC-AB’s online training programs for its Provisional Assessor (PA), Registered Provider Organization (RPO) and Registered Practitioner (RP) programs failed to comply with ADA and other Federal requirements for attendees with disabilities, specifically those with low vision.
The complaint then alleges additional violations by the CMMC-AB against ISO 17011, the standard governing accreditation bodies. Under a Memorandum of Understanding signed between the CMMC-AB and Dept. of Defense in March of 2020, the CMMC-AB is obligated to “achieve and maintain ISO 17011 [accreditation].” This thus implies, by extension, that the CMMC-AB comply with ISO 17011, since compliance is required before any final accreditation.
ISO 170111 requires the CMMC-AB to develop and publish publicly a “complaints handling process.” As of 1 December 2020, the CMMC-AB website still does not have this procedure, and multiple requests made to the CMMC-AB and its Acting Board Chair Karlton Johnson were ignored. This denies the public and industry stakeholders the ability to file formal complaints.
The complaint now must be subject to a formal review by CMMC-AB, including a root cause analysis and implementation of corrective action plans to address the two separate allegations. Oxebridge has requested that Johnson recuse himself since he is personally named in the complaint.
Failure to provide adequate corrective action will result in the complaint being escalated to the US Dept. of Defense and other oversight and regulatory bodies, including those responsible for ensuring ADA compliance.
A copy of the complaint may be read here (PDF).
UPDATE 7 December 2020: The CMMC-AB has refused to acknowledge the complaint, a critical first step required to ensure transparency and integrity. Instead, Acting Chair Karlton Johnson and Credentialing Committee Chair Jeff Dalton, the latter of whom oversees the training materials’ compliance with ADA, blocked Oxebridge founder Christopher Paris on LinkedIn.
The CMMC-AB continues to provide the training without updating it for ADA compliance.
Oxebridge has begun the escalation process, starting with a formal report of ADA violations with the US Dept. of Justice.
In related news, according to a post on LinkedIn, Dalton granted himself the first CMMC-AB Provisional Assessor credential, despite being responsible for credentialing. Dalton had previously claimed he was working on ensuring compliance to ISO 17011 to address conflicts of interest.