I’ve reported on the sudden implosion of CMMC darling consultancy NeoSystems (here, here, and here), but here is a far more comprehensive timeline, based on a torrent of information from multiple, well-placed whistleblowers.

There have been two unique aspects to this information: first, the volume of it, and second, that the accounts are remarkably consistent between the dozen or so whistleblowers. That last point is unusual, since normally, whistleblowers will contradict each other in one way or another. For the NeoSystems story, that has not been the case.

If you’re just catching up on the reporting on the NeoSystems implosion, check these links (in order): here, here, and here. Below is a timeline of events as near as I can parse it, which I will update as new information comes in.

The information here shows the ongoing plague of corruption, conflicts of interest, and backpatting cronyism that have infected the CMMC scheme since its start. It also provides further evidence that CMMC is a pay-to-play scam with no intention of securing the US’ defense posture, but instead to drive money to the Cyber AB and their preferred pals. You will recognize many of the usual suspects here, from CMMC scandals dating back to 2019.

Companies affected by the explosion are urged to reach out to me. I have attorneys on tap for both False Claims Act discussions (criminal) as well as for civil action. To my untrained, non-lawyer eyes, there seems to be a lot of criming and fraud here, but it’s best to leave that to the professionals. I can help coordinate that effort.

Also, if you were affected and your company currently holds CMMC Level 2 third-party certification, I do believe that certification is at serious risk. Not only do you need to talk to an attorney, but you may also need to have an immediate conversation with your C3PAO and the Cyber AB about your current posture.


Ancient History 1:

  • NeoSystems operates as a GSA holder, selling cybersecurity consulting and other services. This includes acting as a Managed Services Provider (MSP) for defense industrial base (DIB) customers who, themselves, are pursuing CMMC. One of the services provided by NeoSystems was the housing of Controlled Unclassified Information (CUI) for clients seeking to obtain third-party CMMC Level 2 certification. This means that clients would trust NeoSystems to hold their CUI and other defense-sensitive data in order to comply with DFARS and other regulations.
  • Ty Schieber, the first Board Chair of the Cyber AB (then called the CMMC AB), previously worked alongside Brad Mitchell at QinetiQ. Mitchell would become CEO of NeoSystems, and Schieber would be ousted from the AB due to a “Diamond Member” scandal. But the connection between Mitchell and Schieber hints at possible preferential treatment given to NeoSystems by the Cyber AB.

November 2005:

  • NeoSystems announces “strategic partnership” with Cherry Bekaert & Holland LLP (CBH), saying it “will allow both firms to cross-market their services to new and existing clients.”

October 2020:

  • NeoSystems hosts “Town Hall” with DoD’s Katie Arrington, CBH’s Neal Beggan, and NeoSystems’ Ed Bassett. The event is posted on YouTube. The event is noteworthy because it establishes an important three-legged stool of CMMC marketing that was highly visible around this period: NeoSystems, DoD, and Cherry Bekaert.

January 2021:

  • NeoSystems posts another video promoting CMMC alongside Cherry Bekaert’s Neal Beggan.

February 2021:

March 2021:

  • NeoSystems and Cherry Bekaert publish another co-branded YouTube video on the topic of CMMC. Features David Carlino of NeoSystems as moderator, alongside Regan Edens and Jeff Dalton (both of the Cyber AB) and Neal Beggan of CBH. (Allow me to editorialize: the video is hilarious due to how Carlino appears dressed like a Decemberists fan who just ran over from the local hookah bar, and Edens has plastic weapons hung on his bedroom wall like a 13-year-old Dragonball cosplayer. These are, as they say, not serious people. Alright, I will try to contain my comments from here on out.)

September 2021:

  • Private equity firm High Street Capital buys controlling interest in NeoSystems.
  • High Street selects Brad Mitchell to lead NeoSystems. David Carlino becomes CISO. (Note: dates on this are sketchy, as some press releases contradict this.)
  • Mitchell and Carlino tell High Street that CMMC is the “only way Neo could remain profitable.”
  • Brad Mitchell chooses his wife, Susan Mitchell, to be COO.
  • According to a source: “David Carlino was the driving force behind the push for CMMC, and Brad went right along. They continued to push CMMC and had no processes or procedures. Carlino was the person who was supposed to come up with them, and they had nothing but outlines in Smartsheet up until the end of the company. It was asked for the minimum requirements of the offering and they could never be produced.”

January 2022:

  • Cherry Bekaert and NeoSystems co-market their attendance at a National 8(a) Association event; CBH’s Beggan promotes his “friends from NeoSystems” in an associated LinkedIn post.

December 2022:

  • Cherry Bekaert receives Cyber AB authorization as a CMMC C3PAO assessment body. CBH is now held to the (wobbly) ethics codes of the AB and obligated to operate under ISO 17020. Rules are supposed to ensure firewalls between C3PAOs and their “organizations seeking certification” (OSCs) and limit, if not prevent, conflicts of interest.

2021 – 2025:

  • NeoSystems conducts multiple high-profile events promoting CMMC, with guest speakers including CMMC architect Katie Arrington, Cyber AB Board Member Jeff Dalton, and the late attorney Robert Metzger.
  • The Dept. of Defense and Cyber AB both help endorse NeoSystems as a CMMC provider.

2025: (Exact times of the following are not clear)

  • NeoSystems is allegedly hemorrhaging money.
  • NeoSystems employees begin reporting complaints against management, including David Carlino, for harassment and other undisclosed allegations. In the Carlino cases, an external HR firm is brought in to investigate, but clears Carlino; this infuriates employees more.
  • Meanwhile, other staffers report fraudulent billing practices, client scams, insufficient cybersecurity controls, and more. One complaint alleges that NeoSystems “signed clients without proper support personnel and would not listen to the people on the ground.”
  • Carlino directs NeoSystems staffers to point all clients to hire Cherry Bekaert as their C3PAO, which (if true) is a potential violation of ISO accreditation rules. Multiple sources report CBH rubber-stamps NeoSystems clients who obtained CMMC certification despite serious gaps in NIST control conformity. Oxebridge has not independently verified these claims yet, however; I am told that there is documentary evidence, so we’re pursuing that angle. [UPDATE 19 May 2026: Three sources have now come forward with first- and second-hand accounts saying that NeoSystems offered clients a list of three C3PAOs, of which only one was CBH; one of the others was Cybernines. Furthermore, these sources insist that CBH did not go easy on NeoSystems’ clients but actually raised issues about their compliance. Two sources indicated that this led Carlino to confront CBH, and one source insists that CBH held its ground. As for CBH’s certification of NeoSystems itself, one source indicated that this was made easier “as their architecture prevented any CUI from entering their environment directly [which] drastically reduced Neo’s scope and exposure.” While the relationship between NeoSystems and CBH was certainly improper and built on conflicts of interest — which CBH chose to ignore — it does not appear that CBH broke any specific rules.]
  • In a separate report, a source reported that a different C3PAO — not CBH — had passed a NeoSystems client despite it having “a firewall with no rules between networks.” That C3PAO then passed the client “with a perfect score.”
  • UPDATE 20 May 2026: Oxebridge has obtained the list of C3PAO assessors “recommended” by David Carlino to NeoSystems’ clients. This list includes Cyber AB founding member Jim Goepel, along with assessors from Redspin, CBH, Peak Infosec, Strategic IT Solutions, Cybernines, Ozark Cyber Services, Forvis, Ignyte, Insight Assurance, NSF, ATX Defense, and Anthony Timbers. More information has come in that some of these — but not all — did rubber-stamp NeoSystems clients, and that in some cases, NeoSystems provided C3PAOs documentation from one client which was then copied-and-pasted with a new client’s name on them, in order to pass the CMMC assessment. If true, it suggests the C3PAO assessor training has lacked the most basic fact-checking requirements of any third-party conformity assessment scheme.

March 2025:

  • NeoSystems obtains third-party Level 2 CMMC certification from Cherry Bekaert, announcing a “perfect score.” The possible defense to this obvious conflict of interest would be that the NeoSystems and CBH entities that formed the partnership in 2005 (twenty years ago) are likely different now. But the optics are bad and will get worse (keep reading).
  • Robert Metzger dies, but NeoSystems would continue to market itself using his image and claiming he was a “team” member until May 2026, when the NeoSystems website was taken offline.

June 2025:

  • NeoSystems brings on Jeff Huckle. Huckle promises to correct course but, according to a source, “installed a bunch of his yes men cronies. He did not replace Carlino. Instead, they came up with a plan to write contracts that pointed to a web page for requirements in the contract. They could change the website at anytime, [thus] changing all the contracts that used them. They would change wording to absolve them of things they didn’t fulfill.”

October / November 2025:

  • NeoSystems fails to make payroll, and the staff goes unpaid. Employees quit, threaten lawsuits, and begin to leak information about NeoSystems’ alleged fraudulent practices.
  • High Street removes Brad Mitchell and splits the company into two:
    • Infrastructure Solutions Group (ISG) is led by Jeff Huckle. This side handles CMMC and MSP services.
    • Enterprise Solutions Group (ESG) is led by Susan Mitchell. This side handles accounting, HR, and other services.
  • One source reports there was a plan underway to sell the ESG side, which was profitable, and then file for bankruptcy for the remaining ISG side. NeoSystems would then “spin up a shell company” to buy back the ISG side for “pennies on the dollar.” This would have been a crime; this point has not been corroborated, however, and never comes to pass. Nevertheless, bankruptcy for the ISG side of the house — which covers their CMMC offerings — is well underway.

March 2026:

  • Between February and March, one source reported that NeoSystems had “lost 8 to 10 of their technical SMEs, leaving only 4 junior-level employees to figure out how to manage 70+ clients.”

11 April 2026:

  • NeoSystems continues to market its activities and solicit new business, despite management knowing that bankruptcy is imminent. Discussions to sell client assets are already underway.
  • NeoSystems’ Director of Proposal Management, Kathleen Tirella Ecker, posted a sales pitch on LinkedIn just days before the coming closure. (Ecker immediately blocked me after reporting on this, which is never a good look if you’re a victim and not one of the scammers.)
  • One source confirms that “they were signing new clients and new contracts as of Monday [April 11]. You don’t sign new clients with 12-month contracts knowing you are shuttering your doors without intentionally trying to defraud the client.”

1 May 2026:

  • With over $18 million in debt, NeoSystems announces its bankruptcy and shuts down all operations.
  • All employees are fired immediately. They do not remove access to systems from any former employees.
  • The termination letter signed by Huckle confirms that clients’ assets are being sold to an unknown third party, indicating that negotiations for that sale had been underway before the company’s sudden implosion. Any contracts signed the week prior would have been fraudulent.
  • Employees are instructed not to tell clients anything.
  • Carlino reactivates his old consulting company, Adventure Security Advisors.

2 & 3 May 2026:

  • Some NeoSystems employees work over the weekend to ensure clients are not left in the lurch. This included clients who had sent physical hardware to NeoSystems for configuration.
  • Huckle again tells employees not to alert customers.
  • Employees and others begin posting content on the implosion on Reddit.

4 May 2026:

  • NeoSystems sells ESG business to BlueStreet, headed by Tim Zullo.
  • According to a source, “Bluestreet acquired the accounting group last Friday (and by extension, the associated data) only to be blindsided by the immediate shutdown of the CMMC side which locked him out from his data. So, the only way he could access the data for the company he acquired was to just acquire all of the infrastructure too. Plausible but unless they are terrible at due diligence, likely this was all expected to go down like this.”
  • According to another source, “I believe [Zullo] did not know what he was getting himself into. I don’t think he knew the liability. I think he was sold a false bill of goods. I think he saw a bunch of dollar signs when he saw a balance sheet where a bunch of companies owed money, and he thought he could swoop in and collect, and didn’t know anything about that. There were live environments in there.”

5 May 2026:

  • Some former NeoSystems employees begin to have their access credentials revoked.
  • Carlino reportedly still has access, through his revived LLC, to “all the systems, passwords, SharePoint, Office 365, Azure, basically everything.” Another source contests this, though.

6 May 2026:

  • BlueStreet cannot access its own data, which NeoSystems had been holding through the ISG side of the house, because BlueStreet now lacks access credentials, too. BlueStreet is forced to buy the ISG side now, partly to get access to its own data.
  • BlueStreet does not appear to hold its own CMMC Level 2 certification, which would be a requirement for it to transition the data held on behalf of any clients with CMMC certifications themselves.
  • Neither NeoSystems nor BlueStreet appears to have done any due diligence on transitioning the data while ensuring protection of the data, nor uninterrupted certification of clients holding CMMC certifications.
  • It is now unclear where the client’s data actually is, who has access to it, whether it’s secure or not, or how any of this will affect clients’ CMMC status.
  • One source reported that BlueStreet hired Carlino, under his Adventure Security Advisors company, to assist in transitioning the data, but this was disputed by a separate source.

7 May 2026:

  • Tim Zullo finally issues an email to clients discussing the sale, and insisting that BlueStreet “is now in a strong position to step in and assist” with the transition. Privately, however, Zullo and others are panicking as they uncover more and more problems with NeoSystems.
  • Zullo begins looking for ways to offload NeoSystems entirely and be rid of it. He just wanted the financial side (ESG), and ISG has become an albatross. Zullo begins secretly working to unload the ISG business and talking to potential buyers.
  • New clients are unsure who they should pay for services. They receive no guidance.
  • Third parties review NeoSystems’ contracts and find there were no provisions to manage transitions. Virginia law required NeoSystems’ contracts to include transfer provisions, so the contracts allegedly never complied with state law.
  • This should have been caught by the Cyber AB when approving NeoSystems as an RPO, as well as part of NeoSystems’ own CMMC certification, but no one caught it.
  • BlueStreet also appears to have never reviewed prior NeoSystems contracts.

13 May 2026:

  • Clients have still not received access to their data, and talks of lawsuits grow.
  • Zullo is notified, but he holds his ground, claiming BlueStreet will only release the data after a security review, but also only after clients pay BlueStreet any monies previously owed to NeoSystems. This is branded by clients as Zullo holding their data “hostage.” Some clients report that they had only stopped paying BlueStreet for the company’s failure to meet contractual deliverables.

14 May 2026:

  • One client finally gains access to their data from BlueStreet.
  • BlueStreet quietly sells the NeoSystems ISG side to FIT Solutions.
  • FIT Solutions’ CEO Ephraim Ebstein sends letter to NeoSystems clients claiming — perhaps fraudulently — that the sale transferred GCC and GCC High protections as well as CMMC status.

15 May 2026:

  • BlueStreet announces the ISG sale to FIT Solutions.
  • Sources report they had no notion of the sale and that FIT was a “dark horse” that appeared out of nowhere. FIT is an unknown entity in the CMMC space, with no prior known expertise in the area. The FIT website has no content at all on CMMC.
  • FIT Solutions reportedly has a “commercial Microsoft tenant,” and not GCC or GCC High, which would be required to handle clients with CUI, per CMMC. This would contradict his letter to clients yesterday.
  • The email says that BlueStreet will continue to operate the ESG business, “including systems integration and implementation functions and manage accounting, finance, payroll, and HR operations.”

16 May 2026:

  • FIT Solutions CEO Ephraim Ebstein contacts Oxebridge via email, insisting that they intend on correcting course.
  • When asked if FIT holds CMMC certification, Ebstein cuts off communication.
  • It does not appear that FIT holds a CAGE code.
  • NeoSystems website goes offline. Its YouTube Channel is still up for now.

18 May 2026:

  • Sources report that FIT Solutions and Ebstein are refusing to release government-owned data, insisting on holding it hostage for past monies allegedly owed to NeoSystems. This may be a crime.
  • Verified that FIT Solutions does not hold its own CAGE code.

Also, Oxebridge filed the following:

  • Complaint with the Defense Logistics Agency (DLA) for failure of FIT Solutions to hold a CAGE code.
  • Complaint with DoD CMMC PMO (via Buddy Dees) and Cyber AB, calling on them to investigate. I have confirmed that the Cyber AB is now looking into NeoSystems’ clients and the associated assessments, but have no other details yet. No response from CMMC PMO.

Unclear: the following was reported to have occurred, but when (exactly) is not clear.

  • Sierra Nevada shut down log management services for NeoSystems, citing nonpayment.
  • NCentral, which was used for crucial patching and other client-facing services, may also have been canceled; this is not yet confirmed.
  • After the shutdown, the canceled services would have only continued for a week. NeoSystems never alerted customers that the services were canceled.
  • Questions arise about the use of Defender XDR as well, which is used for antivirus and vulnerability scanning, but it is believed the license was still active.
  • Neither BlueStreet nor FIT will be able to simply restart these services, as they will need to get their own instances.
  • Client data appears to be currently unprotected?
  • Some clients had sent physical hardware to NeoSystems for configuration; it is unclear what happened to that hardware and whether or not all clients received their hardware back.

Updates and Corrections (as they come in):

UPDATE 19 May 2026: Updated entry for 2025 re: CBH based on new information and entirely new sources. Added new entry for May 19 2026.

UPDATE 20 May 2026: Updated entry for 2025 to add list of C3PAO assessors and additional information.
