The Information Security Institute popped up on my radar thanks to paid LinkedIn ads, specifically for its Certified CMMC Professional (CCP) course, which offers a “guarantee” that attendees will pass. This is worrisome, because the CMMC Accreditation Body (CMMC-AB) has announced that the CCP courses will be a mandatory first step for any eventual CMMC Assessors. And, sure enough, ISI is credentialed by the CMMC-AB as a Licensed Training Partner (LTP) and Licensed Publishing Partner (LPP).
Let’s quickly unpack that. ISI pays $10,000 to the CMMC-AB for the LTP and LPP credentials ($5k each). It then gets the right to sell officially branded CMMC courses, which the CMMC-AB then claims are “prerequisite to Certified CMMC Assessor Level 1, Certified CMMC Assessor Level 3 and Certified CMMC Instructor certifications.”
The course provider then sells the course, but offers a “guarantee” that students will pass, regardless of whatever skills — or lack thereof — they bring with them. In the case of ISI, their website clearly declares “we guarantee you’ll pass your exam on the first attempt.” They even created an entire page explaining the guarantee.
The ISI website makes no mention of any preliminary requirements to take the course, either. Other providers of the CCP courses mandate that students must first have a technical college degree and/or a certain amount of prior industry experience.
The official CMMC-AB website says that people who pass the CCP course are “authorized to participate as an assessment team member under the supervision of a Certified CMMC Assessor.” This means the end result is the injection of potentially unqualified candidates into the CMMC auditor pool, who will be providing input during CMMC assessments. The results of those assessments will then determine if DIB companies can win a DOD contract or not. Given the inevitable contract protests and legal battles that will ensue, it’s not clear why anyone would think it’s wise to dumb down assessor qualifications.
So if this sounds like another literal example of pay-to-play, I wouldn’t argue. CMMC-AB issues badges to anyone who can pay, and those folks go on to sell course certificates to anyone who can pay. If you don’t pay, you don’t play.
ISI Admits to Plagiarism
Things get worse, though. The CMMC-AB’s official Code of Professional Conduct includes a requirement that LPP and LTP organizations “respect intellectual property.” In fact, there’s an entire clause on this subject.
ISI, meanwhile, has a turbulent history with this concept. The website Attrition.org branded ISI a “charlatan” and lists nine separate incidents of ISI or its CEO, Jack Koziol, allegedly plagiarizing other people’s writings and then using them in official ISI course materials, seminars, and publications. The Attrition page then shows the original source material as compared to the ISI material, heavily documenting its allegations. While some of the allegations date back to 2010, the most recent was captured in 2017, with numerous screenshots then published on the alleged victim’s website.
The biggest case appears to be surrounding material plagiarized from Corelan Cybersecurity Research, and ISI’s treatment of the matter was less than transparent. According to Attrition.org, ISI initially published an apology, admitting to the plagiarism, writing:
ISI admits that it used certain of Peter Van Eeckhoutte’s work without his permission, proper attribution of authorship, or proper copyright notice. ISI takes full responsibility for its actions.
It then deleted that post, but a copy remains available on the Wayback Machine. A legal battle ensued, resulting in some form of “settlement”, but ISI then deleted that information as well. Again, all of this stuff is still out there if you dig around.
Despite ISI having publicly admitted to plagiarism, and facing a host of other plagiarism charges it hasn’t admitted to but which are heavily documented, the CMMC-AB nevertheless granted ISI its badges, ignoring its own Code of Professional Conduct.
Now, of course Koziol and ISI might have reformed in the past four years, since the last known allegation. That’s entirely possible. But offering a glaringly suspicious “guarantee” in their CMMC course in 2021 won’t help redeem them as an ethical organization. It seems to show an ongoing pattern, and plagiarism tends to be something a person finds difficult to stop, like kleptomania or mythomania. It should have been something the CMMC-AB flagged early on.
I’ve reached out to Matt Travis, CEO of CMMC-AB, and Koziol himself for comment on these issues, and will update this if I hear back.
UPDATE 24 May 2021: Just to clarify, apparently the ISI course is a precursor course to prepare you for eventual CCP certification. Per a source on LinkedIn, the final CCP exams don’t exist yet, pending some intellectual property that is still locked behind nondisclosure agreements with the DOD.
But that’s not what ISI is marketing. In multiple locations, they clearly imply this is for your final CCP certification. The banner ad on LinkedIn reads as follows:
The page itself then says “Earn your CCP, guaranteed.”
So far, neither Matt Travis nor Jack Koziol has replied.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.