The CMMC Accreditation Body has hired its first salaried CEO, former CISA Deputy Director Matthew Travis. Travis worked under noted election cybersecurity chief Christopher Krebs, who was fired by former President Trump for comments that Trump felt ran against his unfounded claims of election fraud. Travis resigned immediately thereafter, a move that many have praised for displaying integrity over personal advancement.
However, Travis is entering the CMMC-AB at the organization’s worst possible time. The AB faces over 15 investigations for fraud, waste, and abuse, including at least two criminal allegations. The bulk of the issues stem from a flood of conflicts of interest perpetrated by the CMMC-AB Board of Directors, a condition which has existed since nearly the first few hours the organization was formed. Worsening matters, current Board Chair Karlton Johnson has shown no interest in reining in the conflicts, instead allowing his Board to continue them unfettered and working to promote one conflicted Director — Jeff Dalton — to Vice Chair.
Multiple Board members have been found openly operating consulting companies or offering services that conflict directly with their need to operate an objective Accreditation Body that is impervious to threats to impartiality. As if to enable the conflicts to continue for as long as possible, the AB has put off implementation of ISO 17011 — a DOD requirement — until 2023. The AB has known since 2019 that this would be a requirement, and also knew that ISO 17011 prohibits these conflicts, meaning they will have slow-walked the shutdown of the COIs for four years.
So far, the CMMC-AB has generated more than $3M by engaging in the conflicts, through the sale of unaccredited “badges” for a consulting industry that is wholly unnecessary to CMMC’s success. Tone-deaf to the accusations of profiteering, Vice Chair Dalton actually said the quiet part out loud and praised his efforts in creating a consulting “market” instead of performing accreditation, the group’s actual job:
We’ve created a market that didn’t exist before … we created opportunities for business and revenue for training organizations, for consulting organizations, for assessment organizations.
The idea was then to seed the market — this market we created — to seed it with people who could start working with companies to help them get ready for CMMC.
In reality, the CMMC-AB is wholly prohibited from “working with companies to help them get ready for CMMC” due to the massive conflict of interest. An AB can’t consult, period, since they will have to adjudicate issues and oversee audits of the recipients of that consulting.
Meanwhile, implementation of ISO 17011 would have taken only a few months had the AB been dedicated to the effort, not four years.
Coming In Handcuffed
The deck is stacked against Travis. The current organizational chart (see right) holds the CEO in thrall to the Board, not the other way around. As a result, it will be Johnson and Dalton who control Travis’ reach, and for sure this will mean crippling his ability to course-correct and purge a Board of Directors that many feel is just outright corrupt.
Given what we know about Travis, it doesn’t seem a purely rubber-stamp role will suit him, so his tenure may be brief.
Meanwhile, however, other adults are (fortunately) circling the room. Investigators at the DOD Inspector General, Defense Logistics Agency, and Dept. of Justice are still actively working various filings put before them. Both the Senate Armed Services Committee and House Armed Services Committee are actively monitoring events as they unfold. The concerns include the allegation that the AB committed felony fraud by falsifying its tax-exempt status to DLA in order to obtain a CAGE code which it later used to win a sole source contract with DOD. The DOJ is investigating the complaint that the CMMC-AB is discriminating against service-disabled veterans by refusing to make its Provisional Assessor training materials compliant with the Americans with Disabilities Act, thus preventing disabled assessors from working at all in the CMMC space. The issue of possible felony tax fraud for the group’s widely-panned “$500,000 Diamond Membership” pitch is still reverberating, too.
And — ouch — the CMMC-AB still hasn’t gotten its tax-exempt status from the IRS, and its lapsed SAM.gov filing still isn’t corrected. If the AB can’t manage the little things, it doesn’t give confidence it will manage an international network of CMMC certification bodies.
Then there’s the not-so-insignificant issue that the parties agreed to allow China to oversee the entire thing so the scheme will look like this:
That’s not workable, but the pieces are on the board right now to have Congress intervene and shut it down entirely. Let’s be very clear: there is no way the CMMC scheme advances if China will have final authority over appeals filed against the CMMC-AB.
I’ve also got some “spider-sense” tinglings telling me the DOD CMMC Program Management Office is positioning to throw the AB under the bus, in order to save their own skin. At the end of the day, Katie Arrington — a Trumpie herself — is not going to let her future political career suffer over this, even if it was her decision to put China in the mix here. Arrington is gearing up to exit for some future campaigning, and if political ambition is the unstoppable force, Travis may not be the immovable object necessary to stop her.
On paper, the hiring of Travis is a spectacular improvement. His reputation is solid, he’s shown an interest in putting country first, and he has remarkable experience that any other candidate is unlikely to match. And he may be granted some courtesy burn-in time, with the parties waiting to see if he can fix these messes. But with Johnson and Dalton in his way, this may not end well.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.