CMMC World is ablaze with the literal overnight implosion of darling consultant NeoSystems. The cybersecurity firm allegedly fired its entire staff on Friday night (1 May 2026), and ceased all operations without notifying its clients. The company was a managed services provider and sold various CMMC solutions, including “NeoEnclave,” which hosted clients’ information in an (allegedly) secure environment.
Per the NeoSystems website, as of 4 May (and likely to disappear any minute from now):
NeoSystems operates and provides clients with compliant work environments – fully built, fully documented, zero-trust environments that are capable of handling CUI including export controlled (ITAR/EAR) data. Our solutions are purpose-built to meet your business needs while maintaining DFARS, NIST, CMMC, and ITAR compliance.
NeoSystems has not notified any clients of its closure, which was reported on Reddit. I have since confirmed that none of the Oxebridge clients who used NeoSystems were notified.
It’s not clear what will happen with the client data housed by NeoSystems, as they appear not to have made any provisions for helping migrate it to a new supplier. This raises questions about the company’s legal liability, since the data being held by NeoSystems would be controlled unclassified information (CUI) or even that of a higher classified status.
Neosystems was one of the earliest — and annoyingly noisy — CMMC shills, dating back to the program’s earliest days. Representatives of the company routinely sucked up to CMMC architect Katie Arrington on social media, and even had another shill, the late attorney Robert Metzger, help sell their products on NeoSystems webinars. NeoSystrems claimed Metzger was part of their “extended team,” and continued to use his photo more than a year after his death in April of 2025.
Other NeoSystem speakers included the CyberAB’s Jeff Dalton and Katie Arrington herself.
Currently, Reddit is the main source of information on the closure, since NeoSystems has not chosen to issue any public statements. According to one post:
I’ve confirmed with multiple people across the organization that on Friday they were told the company was being dissolved and everyone was terminated. There appears to be no transition plan and no means to support clients for a transition. At this point, if you don’t have admin credentials to your own stuff, you may need to start the support process to get it. It’s a huge mess.
On that same thread, someone identifying themselves as a former employee confirmed:
Yeah, former employee here. Email went out about 5PM Friday night saying everyone was fired. Last paycheck might show up by May 7. Benefits retroactively canceled so no health insurance, COBRA, etc.
Another ex-NeoSystems employee accused the company of rampant fraud, including around the CMMC program:
I joined NeoSystems during their descent into madness as a VP in August 2025. Three months later, I left after myself and other VPs/Managers reported rampant fraud proliferated across their entire service delivery of “CMMC services” and were summarily ignored. Reports of the many and many recorded video sessions to try to convince them to stop this train and right the ship. Now we are here.
People can say it was private equity that ruined the company, but the reality is that Neo was in 18 million of debt before PE stepped in after a failed CMMC service implementation under their CISO/CEO in 2021. PE intended to get their money back after “righting the ship.” What they didn’t contend with was the maliciously negligent executive leadership, exceptionally manager/director heavy staff, and purely fictional architecture/services when it came to their bread and butter.
Do not work with any of their executives. They’re absolute snakes and I have witnessed (first hand) fraud encouraged by individual executives to make sure clients pass assessments. Word is they’re forming a new LLC under “Adventures Security Advisors LLC” based in CO to attempt to collect discards (right now a 2-3 man quasi team of execs with no delivery staff). Stay farrrrr away.
Another apparent ex-employee doubled down on the fraud allegations, saying that NeoSystems top management — which, per LinkedIn, is led by CEO Brad Mitchell — told employees not to tell clients of the closure:
Plenty of signs. Team members started leaving in July/August and they couldn’t keep staff. Raises were denied. At some point a few of the VPs pointed out to leadership that Neo was not being truthful in assessments, so most customers that they took through should probably seek another partner and start over. Leadership for compliance and service delivery resigned in protest in November before Thanksgiving.
No, no transition plans. Lots of people put OOO’s on their emails saying NeoSystems has closed, which is causing panic naturally.
After sending the email that everyone was fired with no insurance, leadership then tried to claw back and tell people not to tell customers. Shitshow would be an improvement.
Lots of us called customers offering suggestions and help to transition. Neo refused to give most customers their own credentials, so they’re high and dry. No idea what it means for licensing, tenant renewals, etc.
Meanwhile, NeoSystem was, itself, CMMC Level 2 certified by an unknown CMMC C3PAO (assessment body) since March of last year. Given some of the allegations made by former employees, this should not have been possible unless the C3PAO involved was doing the usual half-asleep audits we see in the ISO scheme. From their no doubt soon-to-be-deleted website:
Some of this fraud was reported by Oxebridge to the CyberAB, which refused to take action against NeoSystems or other CMMC “ecosystem” members. NeoSystems still holds CMMC RPO credentials per the Cyber AB’s Marketplace website.
I spoke with CMMC shill and former NeoSystems “Senior Alliance Manager,” Jerry Leishman, and he refused to comment, suddenly having found his CMMC mute button.
It’s nearly guaranteed that NeoSystems will face class-action lawsuits, if not a Federal probe, given that they just abandoned the management of the super-crucial “CUI” data they claimed to have the expertise to protect. Since NeoSystems had Federal contracts, they could also find themselves on the wrong side of False Claims Act charges.
I would suspect they will file for bankruptcy in about seven minutes, but I am not sure that will save their exec team from the hellstorm they created for themselves. Expect visits from stern-looking men with scary windbreakers, badges, and zipties.
The CMMC scheme has been rife with fraud and corruption, with nearly all of it known by the Cyber AB, which just ignores it so long as the parties keep paying for their credentials. Whistleblowers, including yours truly, have been demonized and banned from all discussions and fora on the subject of CMMC for reporting on it, and now the bills are coming due.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
