The first complaint filed against a CMMC certification body has been escalated to The Cyber AB for adjudication.

In February, Oxebridge filed a complaint against CMMC Third-Party Assessment Organization (C3PAO) Lazarus Alliance, alleging multiple violations of ISO 17020 and the CMMC Code of Professional Conduct. Lazarus CEO Michael Peters responded with attacks on Oxebridge’s credibility but then said he would process the complaint as required.

On March 18, Oxebridge requested a status update, as allowed by ISO 17020. Peters again responded, this time with a vicious attack and threats of legal action. Rather than process the complaint with the impartiality and objectivity required by the CMMC Code of Professional Conduct and ISO 17020, Peters accused Oxebridge of “criminal social engineering,” illegally mishandling CUI, and other crimes. Peters then said he had advised his client that it could file reports against Oxebridge with the FBI, “local law enforcement,” and the FTC, as well as pursue a lawsuit for fraud. Peters himself said he was considering legal action against Oxebridge for defamation.

Oxebridge has now escalated the complaint to The Cyber AB, as allowed under 32 CFR Part 170, the Code of Professional Conduct, and the DoD’s contract with The Cyber AB itself. The Cyber AB has acknowledged receipt of the complaint and is processing it.

Responding to sober, neutral complaints with threats of lawsuits sends a chilling message to the CMMC and ISO certification community. Without robust complaint reporting and handling, the certification schemes would degrade into pay-to-play scams that abide by no international rules whatsoever. Peters’ reaction should weigh heavily on the actions The Cyber AB takes to maintain trust and accountability in the CMMC scheme.

Additional Accreditation Problems Emerge

In his response, Peters invoked Lazarus’ accreditation under ISO 17020 by A2LA, saying he would raise the issue with A2LA during its next surveillance audit. It is not clear why Peters would want to involve A2LA in the matter, but as a result, Oxebridge sent a copy of the escalated complaint to A2LA as well. Oxebridge had initially intended to keep A2LA out of the issue, but now Lazarus will be expected to answer why it did not process a complaint as required by ISO 17020. A2LA could hold Lazarus accountable regardless of what The Cyber AB does.

The escalated Oxebridge complaint alleges 33 violations by Lazarus of 32 CFR Part 170, the CMMC Code of Professional Conduct, ISO 17020, and Lazarus’ own internal procedure on complaints handling. That procedure required Lazarus to use an independent “examiner” to review the complaint and barred anyone involved in the subject of the complaint from taking part in its handling. It does not appear that Peters complied with any of those requirements, choosing instead to shut down the complaint and calling the process a “kangaroo court.” Other allegations against Lazarus include improper use of the US Dept. of Defense and Cyber AB logos, misrepresenting the scope of the services provided to its client, failing to process a complaint impartially, and commingling its auditing services with the consulting products of Continuum GRC, which is also managed by Peters.

Oxebridge then discovered that Lazarus holds a non-IAF accreditation from the “American Accreditation Association,” an Egyptian-run accreditation mill operating out of a Virginia office space. That certificate, which appears to include a typo in Lazarus’ name, grants Lazarus the right to operate as an official ISO 9001 and ISO 27001 certification body. Since the AAA is not an IAF signatory, any ISO 9001 or ISO 27001 certificates issued by Lazarus would be neither recognized nor entered into the official IAF CertSearch database used by Federal agencies. It could be that Lazarus was duped by AAA and was unaware of IAF signatory expectations of certification bodies. Nevertheless, it raises questions about Lazarus’ knowledge of accreditation scheme ethics and expectations.

The incident puts new pressure on the nascent CMMC scheme and provides an early test case of how The Cyber AB will uphold the scheme’s rules against the bodies that pay it for credentials and C3PAO status.

Lazarus may well be found in full compliance and all allegations disproved. The nature of a complaint is merely to raise the allegations and present evidence. Final adjudication is performed by The Cyber AB and any higher authorities it answers to, not by Oxebridge.


UPDATE 26 March 2025: The Cyber AB has validated the Oxebridge complaint and has opened an investigation into Lazarus Alliance.