Fair warning here. The following document was sent to me by a third party source, and attributed to a current CMMC Accreditation Body Board member. Normally I steer clear of this stuff, but this was addressed to me personally and claimed to want to “correct the record,” implying it was intended for publication. But when I reached out to confirm directly with that Board member if he wrote it, I received no reply. A flurry of other messages ensued, letting me know the CMMC-AB knows I have the document, and they haven’t stepped forth to deny they wrote it. So I am not sure what to make of it, and you need to know that as you step into this.

The document appears to be a Q&A between the CMMC-AB and (possibly) the DOD, and specifically related to the Oxebridge reporting on the AB’s conflicts of interest and official complaints filed on the issues. The punctuation is hosed up (I’m presenting it exactly as I received it) so the questions don’t have question marks, making it difficult to understand. I suspect this was text taken from a table and then pasted as plain text, without formatting.

Remember that Oxebridge filed formal complaints with the CMMC-AB for ethics and ADA violations. Officially, the CMMC-AB has ignored those complaints to this day, forcing them to be escalated. The ADA complaint now rests with the Dept. of Justice, and the ethics complaint was raised with the AB’s current oversight body, the US Dept. of Defense Office of the Undersecretary for Acquisition & Sustainment (“OUSD A&S”). That office initially ignored it as well (they’re in bed with the CMMC-AB and not a fair broker), but when I then escalated it to the DODIG, I suddenly received confirmation from the CMMC Program Management Office head Stacy Bostjanick that she was working on the issues after all. (She’s named in the complaints and has to recuse herself, so that was weird.)

Thus, it’s likely this document represents questions posed by OUSD A&S (likely Bostjanick) followed by the AB’s replies, drafted by one or more unknown Board members. The comments track with public statements made by the AB’s Jeff Dalton and Ben Tchoubineh during official “Town Hall” meetings and other webinars (they really love getting in front of blurry webcams), so this appears to have their fingerprints on it.

Again, though… we can’t be sure. So read the following with suitable grains of salt in hand.

This may help Paris correct the record.

The DoD requires the CMMC-AB to be ISO 17011 at some point in the future. The CMMC-AB needs to be prepared to meet and certify for all ISO 17011 standard requirements.

Though the ISO 17011 does not currently apply to the AB, nor does any other ISO standard apply. It’s clear the CMMC-AB is not prepared to meet the ISO 17011 requirements. It takes time to prepare, but the CMMC AB needs to begin now in order to avoid any future issues.

When reviewing the actual ISO standard regarding impartiality and how it will impact the AB, Section 4.4. Directors must be removed from their ability to impartially influence accreditation and certification activities. Certification activities which include certain duties and responsibilities must be delegated to the certifying bodies, C3PAO’s and their certified assessors. Of course Directors lead and influence the strategic decisions impacting the AB and the DIB, but ISO requires they do so in an impartial way with certain safeguards in place. Most recognize the AB’s Board members industry expertise and experience has been, and is critical to the launch of the organization. Yet no policy or statement, or interview of their Directors demonstrates they understand the 17011 requirements. How can the AB members avoid the pitfalls and meet the requirements if they don’t even know them? It’s also important for the public to know and understand these areas of potential and actual conflict of interest.

Any “hands on” activities outside of accreditation must fully transition to the AB staff as the organization matures and prepares to meet the ISO 17011 standard. They have said there is process, transparency, and oversight within the organization, but they have not demonstrated the readiness to meet ISO 17011 standard. What evidence is there that AB committee chairman are accountable to their committee members and also accountable for critical decisions to avoid any impartiality. There is no “evidence” that the AB has provided the public such as AB policy or even an explanation about internal processes. No timeline has been published for the transition of Directors who now function as “day to day” managers to fully transition to the AB staff as they prepare to meet the ISO 17011. It’s necessary to do this to meet the ISO standard in a transparent manner.

It’s very important to be clear, the ISO 17011 standard does not require the “top management” of the AB to have “no” commercial and financial interest, but the ISO standard specifically safeguard against “undue” commercial, financial, or other pressures that compromise impartiality. It’s also important the AB and certifying bodies establish mechanisms to prevent Board members’ commercial and financial interests to compromise the impartiality of the accreditation and certification of DIB companies. If those mechanisms are in place, then there is much less chance of undue influence and impartiality by the Directors.

While none of the areas of concern raised in previous articles or the DoD complaint represent an “undue” commercial interest or provide any evidence of impartiality, transparency is important to hold the AB Directors, the AB, and C3PAO’s accountable. Is there any evidence that Directors have disclosed their commercial or financial interests as part of their appointments. The AB’s rapid schedule and challenges make the Director’s industry experience important, but these dark waters have to be carefully navigated by all. It’s important to raise these cautions, but avoid the appearance of promoting allegations that would damage Directors reputations and handicap the AB’s mission.  They have a long way to go to meet their ISO requirements.

That’s a lot to take in. But does it help their case?

Unfortunately, no, and it only makes things worse. In no particular order:

(1) Wrong Posture, Bad Optics

In general, the overall posture is one that defends conflicts of interest, rather than trying to free the AB from them. That’s just wrong off the bat and does little to allay fears that the CMMC-AB is led by leaders who don’t understand why avoiding conflicts is important in the first place.

And the statement “none of the areas of concern raised in previous articles or the DoD complaint represent an “undue” commercial interest or provide any evidence of impartiality” is patently false. In fact, the Oxebridge reporting and DOD complaints specifically spell out the undue influence, and any four-year-old could spot it. Jeff Dalton certifying himself, or Regan Edens selling CMMC consulting services to companies he will later have to conduct witness audits on, are direct and irrefutable risks to impartiality.

The reason RAB was split into ANAB and RABQSA (now Exemplar), and the reason A2LA had to spin off its training wing are exactly because of these conflicts. It’s not clear why the CMMC-AB Board thinks it’s going to get away with things that other companies tried — and failed — to weasel through in decades past.

(2) Delaying Compliance

The document takes the monumentally ludicrous position that the rules against conflicts of interest and corruption in ISO 17011 don’t apply because the AB isn’t accredited yet. This argument is wholly disingenuous and makes me wonder if I’m dealing with functioning adults.

The CMMC-AB knew it was going to be held accountable to ISO 17011 as early as late 2019; according to witnesses, the discussion of “ISO accreditation” was raised during the initial Industry Day event in November of that year. The CMMC-AB then signed an MOU in March of 2020 agreeing to “implement a quality assurance program with respect to training and CMMC assessments,” and “achieve and maintain ISO 17011 accreditation.” It did none of those things.

The OUSD A&S office then arranged meetings with ANAB (ANSI) and A2LA to explain the ISO 17011 requirements to the CMMC-AB in Q3 2020. While I don’t have the meeting notes for the A2LA meeting, I do for the ANAB meeting. Here’s a shot from the September 2020 meeting presentation, showing the agenda and participants:

Again, the CMMC-AB just plowed ahead, never bothering to launch its ISO 17011 program.

Ignoring this, the DOD — led by Katie Arrington — nevertheless rewarded the group that had been lying to it for nearly all of 2020 with a (possibly illegal) no-bid contract. This makes the OUSD A&S appear as corrupt as, if not more so than, the AB itself. That contract then reiterated that the CMMC-AB would have to implement ISO 17011.

And, as I’ve written previously, the CMMC-AB’s public stance that implementing ISO 17011 will take years is false on its face. They could have a compliant system in less than two months. The AB, however, has kicked the can down to 2023. See this shot from a January 2020 CMMC-AB / OUSD A&S Town Hall in which Dalton delays implementation for “24 months”:

Again, this shows how the document tracks closely with the public statements by CMMC-AB officials. Also, remember that Arrington was literally sitting in that webinar, personally endorsing these delays.

But if you want to delay cleaning up conflicts of interest so you can continue to benefit from them, then yes, you might want to drag this out for as long as possible. And it’s the beneficiaries of those conflicts who are making the decision to kick that can, exposing just how conflicts of interest manifest as actual policy decisions.

(3) Feigning Ignorance

The document then goes on to have us believe that somehow the CMMC-AB was wholly clueless on ISO 17011’s requirements, anyway. It asks, “How can the AB members avoid the pitfalls and meet the requirements if they don’t even know them?”

Answer: because normal people don’t naturally gravitate to corruption, and don’t need these things spelled out for them. Anyway, see (2) above. They have known about these requirements since late 2019.

(4) Falsifying ISO 17011 Requirements

As if to undermine their entire “ignorance” argument, the document then goes on to discuss the ISO 17011 standard in detail… the very requirements they just claimed they can’t “know.”

But to do so, the document outright misquotes the ISO 17011 standard to make a point favorable to the CMMC-AB. Which means in crafting their response to corruption, they just lean further into it.

For example, the document claims, “When reviewing the actual ISO standard regarding impartiality and how it will impact the AB, Section 4.4. Directors must be removed from their ability to impartially influence accreditation and certification activities.” It then goes on to say:

It’s very important to be clear, the ISO 17011 standard does not require the “top management” of the AB to have “no” commercial and financial interest, but the ISO standard specifically safeguard against “undue” commercial, financial, or other pressures that compromise impartiality.

In fact, ISO 17011 says nothing of the sort, and quite frankly, says the opposite.

First, the word “director” appears nowhere in the standard at all and certainly does not spell out special rules or exceptions for such management. Instead, clause 4.4 clearly states the following:

4.4.3 The accreditation body shall have top management commitment to impartiality.

The CMMC-AB Board members are currently the “top management,” at least until replaced by permanent staff.

The standard then goes on to require (emphasis added):

4.4.4. All accreditation body personnel and committees who could influence the accreditation process shall act objectively and shall be free from any undue commercial, financial and other pressures that could compromise impartiality. The accreditation body shall require all personnel and committee members to disclose any potential conflict of interest whenever it may arise.

ISO 17011 then repeats over and over that it applies to everyone within the AB, and makes no exceptions whatsoever for “Directors” or anyone else, for that matter. In fact, clause 4.4.6 includes a note that appears to have been specifically written for the CMMC-AB’s situation (emphasis added):

Sources of risks to impartiality of the accreditation body can be based on ownership, governance, management, personnel, shared resources, finances, contracts, outsourcing, training, marketing and payment of a sales commission or other inducement for the referral of new clients, etc.

Clearly, the work of “directors” would fall under “ownership, governance [and] management.”

Conclusion

In short, the document reveals an organization that is so addicted to conflicts of interest, it has become dependent on them. It then uses feigned ignorance, obfuscation and outright deceit to craft an argument that allows them to continue engaging in such conflicts, rather than taking a posture that shows they are serious about acting like an ethical, responsible international accreditation body.

Keep in mind, too: this is before they have even started performing any actual accreditations and taken the reins on what is likely to be a $95B cottage industry, invented by them (and the OUSD A&S) almost overnight. Things are going to get a lot worse when they start to get appeals or lawsuits filed against them for incompetence or corruption, and their conflicts of interest are put under scrutiny by people with subpoena power who storm in wearing blue nitrile gloves to cart away their hard drives, while carrying zipties in case someone gets mouthy.

(This isn’t helping their CEO search, either. Who would want to join this nest of vipers?)

The best we can hope for is that this document never gets filed as an official response, or that it was never crafted by the AB at all. But even if they didn’t write it, because it tracks so clearly with the public comments by Dalton, Tchoubineh, Edens and others, the AB still has to dig out from under this mess.

In the meantime, this won’t help the AB dodge the avalanche of ethics and criminal complaints before it. Board members can quit all day long, but that doesn’t get them out of the investigations.

Congress will have to step in and shut this down. There is no way this iteration of the CMMC-AB or this CMMC Program Management Office can carry the ball of supply chain cybersecurity risk management any further. They are too conflicted, too corrupt, and must be shut down and replaced. The alternative is a disastrous, bank-breaking debacle that will weaken the nation’s cybersecurity footing, not strengthen it. Already defense contractors are leaving the market, telling DOD “you can buy from China instead.”

Postscript

Oh, yeah, about that. What’s noticeably absent from the document? Any mention of DOD and CMMC-AB having handed control of the entire CMMC scheme to China. That’s indefensible, so they don’t even try.


UPDATE 29 March 2021, 9:00 AM Eastern: Within a few hours of posting this, O-Fans responded by finding additional conflicts of interest by CMMC-AB Board members Jeff Dalton and Regan Edens.

First up is the newly-revised LinkedIn profile for Edens’ company DTC. He’s now openly marketing third-party CMMC certification because of all the fucks in the world, he gives not a one:

Next up is Dalton, who apparently has all of Peru geoblocked to keep me from seeing his Broadsword Solutions website, since I get this error message when accessing it:

I’ve only recently installed fiber, so have had new IP addresses as of a few days ago, meaning he can’t have blocked my specific IP; he must have blocked an entire country to try to hide his activities. But toggling on the VPN reveals this:

You can find that yourself at his consulting company’s website here.

Dalton also added the “#CMMC” hashtag when marketing his consulting on LinkedIn:


UPDATE 29 March 2021 3:05 PM Eastern: The DTC LinkedIn page has already been altered to remove the references to “CMMC Certification.” This comes as the information was reported to the CMMC Program Management Office and the CMMC-AB’s current Chair, Karlton Johnson.

In the event someone tries to gaslight folks and suggest that I manipulated the evidence to Photoshop DTC’s LinkedIn page, here are the results of a Google search, showing their cached version of the DTC profile and still indicating it was touting “CMMC Certification”:


UPDATE 30 March: A recent interview between CMMC-AB Board member Regan Edens and the consulting firm Preveil is being taken down after comments on LinkedIn pointed out that Edens was openly promoting Preveil. From the original article:

Most organizations don’t understand what they are doing and they need to make the process affordable then a menu type option is ideal. If an organization needs to make quick and easy choice, then PreVeil is a good choice.

On the DTC site, Preveil is listed as a “partner.”

Screenshot from dtcglobal.us as of 03-30-2021.

The article being removed was “Part 2” of an interview series between Preveil and Edens; in Part 1, Edens openly admitted he launched DTC specifically to provide CMMC-related consulting services:

DTC is rooted in my interest of applying technology to hard problems. So, when DFARs and CMMC came up in 2019, I thought it was a fit for the type of challenge and digital transformation I thought I could help with. You had the important national security interest, the compliance requirements of DoD and then the cybersecurity aspect. Through conversations, I realized the size of the challenge and need for manpower to establish the DFARS framework.

That’s when I started DTC.

Today, DTC focuses solely on defense companies and helping them with their ITAR and CMMC compliance issues.

Unedited versions of the interviews remain cross-published on Security Boulevard, here and here.

Meanwhile, Edens operates another business venture, CUI Supply, which sells labeling products for controlled unclassified information. Whereas prior versions of the CUI Supply website had made little to no mention of CMMC, the site was updated to directly market the products as being needed for “CMMC compliance”:

Edens then sells an $80 “CMMC Compliance Pack” and a $185 “Ultimate CMMC Compliance Pack.”

The site’s “CUI Requirements” page then makes the dubious claim that “as the DoD’s Cybersecurity Maturity Model requirements expand, employees need to be proficient in labeling and safeguarding.”

It just goes on and on. The CUI Controls site also includes an embedded YouTube video that refers to the “CMMCSmart” products sold by DTC, while slathering the official CMMC-AB logo over nearly the entire runtime. (Check this timecode for an example.) The video ends with a copyright notice attributed to DTC, thus linking the marketing of DTC, CUI Supply, and the CMMC-AB in one video.

Meanwhile, the CMMC-AB Conflict of Interest Policy for Board Members reads:

Each Director has a duty and a continuing obligation to disclose any actual or potential conflict of interest as soon as it is known, or reasonably should be known. Each director annually attests to lack of conflicts of interests and full disclosure of situations where the interests or concerns of a Director may be competing with, or may be seen as competing with, the interests or concerns of the CMMC-AB, which may include:

Financial Interests where a Director may directly or indirectly benefit or profit as a result of a decision made or transaction entered into by the CMMC-AB.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.
