As previously reported, CMMC-AB’s (now former) head of training, Ben Tchoubineh, stated in an interview published by AppTega that he “owned a company” that does CMMC gap analysis. There’s actual video and a transcript of Tchoubineh making this statement. The AppTega interview included participation by Thad Wellin of SecureStrux, a CMMC consulting firm.

Over at LinkedIn, Wellin tried to provide cover for Tchoubineh with an increasingly bizarre “alternative facts” defense, by suggesting Tchoubineh didn’t really say what the audio recording and transcript reveal he said. First, Wellin claimed I was taking Tchoubineh “out of context.”

I then asked Wellin to provide the context, and he replied by shifting to an entirely different defense, arguing — in a now-deleted post — that I failed to provide any “proof” that any of Tchoubineh’s companies performed CMMC consulting. Wellin again ignored the fact that it was Tchoubineh himself who made this claim, and I was merely republishing that quote.

Instead, Wellin left up this post:

Well, yes, it was an example: an example of how yet another CMMC-AB Board Member operates a company that is involved in the CMMC consulting field.

It could well be that Tchoubineh merely stepped on his own tongue, and misspoke. If so, then why not just say that? Then the entire problem goes away. Certainly, none of Tchoubineh’s companies are actively selling CMMC services, unlike those of fellow Board members Jeff Dalton and Regan Edens. It was only because Tchoubineh told the world he was running a CMMC “gap analysis” company that this problem emerged.

I invited Tchoubineh to reply, but he has so far declined. Instead, he ran to the ever-friendly news outlet Inside Cybersecurity and softball pitcher Sara Friedman, who allowed him to declare (paywall) the following:

“Salespeople” at companies where Tchoubineh was involved answered calls from some individuals “that are out there always being naysayers” of the CMMC program, he said. “They would ask ‘If you guys provide CMMC services’ and the answer was always no because we have always been very, very concerned about conflict of interest on the board. It was made clear from the very beginning that the companies I was involved in could not be involved in CMMC. I made sure of that and everyone knows that” was the case at his companies.

Clearly, Tchoubineh’s statement made to Friedman in May of 2021 contradicts entirely the statement he made publicly in October of 2020, but Friedman’s site relies on paywall subscriptions, and that means they need CMMC-AB access to generate content, so she’s not about to ask a follow-up question and risk losing access to CMMC-AB.

(We had previously contacted Phoenix TS, the training company owned by Tchoubineh, to find out if they did offer CMMC consulting, and they responded they did not. It appears that Tchoubineh was referring to Oxebridge in the Friedman piece. Again, Tchoubineh could just call me personally to clear this up, but he’s electing not to.)

Pro tip: calling out conflicts of interest to improve the trust of CMMC certifications is not being a “naysayer of the CMMC program.” It’s being a naysayer against the possibility of corruption. Maybe the CMMC-AB should get on board with that, instead of taking swipes at those of us trying to fix this mess.

Real-World Implications

And so the CMMC-AB has made another self-induced error, admitting — whether accidentally or not — to a conflict of interest and violation of their official policies, Articles of Incorporation, and corporate Bylaws. They allowed this information to be added to an ongoing DOD Inspector General investigation which is digging into the conflicts of interest alleged by Oxebridge and others. Tchoubineh’s interview with AppTega and Wellin is now part of that official record. Oops.

In the meantime, though, SecureStrux — through Wellin — has proven that it’s a “good soldier,” going to the mat and fighting to defend the honor of the delicate, virginal CMMC-AB. At the same time, CMMC-AB continues to market SecureStrux as one of its Registered Practitioner Organizations (RPOs) over at the AB’s “Marketplace.” Super-badge-powers activate!

Now fast-forward a bit. Imagine a day when one of SecureStrux’s clients is undergoing an official CMMC assessment by one of the CMMC-AB’s accredited C3PAO certification bodies. Imagine something goes wrong, and the C3PAO wants to cite the client with a nonconformity, or deny them Level 3 certification.

Because of all the conflicts of interest, we can’t trust that whatever decision will be made will be honest and impartial. Will the C3PAO give the client a free pass because SecureStrux was in the room, boasting a CMMC-AB minted “RPO” badge? Will the C3PAO hesitate, knowing that SecureStrux is within the good graces of the CMMC-AB? Will the CMMC-AB itself step in and stop any “soft-grading” of assessment findings if it means the client might sue SecureStrux for malpractice?

Now let’s say the opposite happens, and the client has a spectacular CMMC implementation in hand, and deserves to be certified. And maybe a lot of that is because SecureStrux does an amazing job at prepping their client. Will anyone believe it, given their public, online lambadas with the CMMC-AB?

Now fast-forward a bit more. Let’s imagine that SecureStrux’s client is awarded CMMC Level 3, and then gets a multi-million-dollar DOD contract. Every company that competed for that contract will have reason to launch a bid protest, alleging that if the base CMMC certification had not been awarded improperly, the DOD contract might have been won by someone else. Call in the lawyers.

Clearly, no one at the CMMC-AB nor SecureStrux nor AppTega bothered to think about any of this, in their rush to pump out misguided marketing webinars.

Under a real accreditation scheme environment — not this CMMC shitshow — the parties are all unrelated, fully independent, and entirely impartial. Certainly, you wouldn’t have a situation where the consultant (SecureStrux) has a history of “going to the mat” to defend the accreditation body (CMMC-AB) and thus injecting all sorts of “will they or won’t they” rom-com type theories.

Tchoubineh and the CMMC-AB should never have given this interview to begin with, nor participated in any events at all where they could be perceived as promoting one consultant over another, or any event where the consultant could be seen as promoting the CMMC-AB. The CMMC-AB’s new CCO Matt Travis can play dumb all he likes, claiming not to fully understand their own Board-approved conflict of interest policy, but the rest of us aren’t hoodwinked. Like porn, we know conflicts of interest when we see them.

As it stands now, thanks to the Tchoubineh interview, the CMMC-AB would have to recuse itself now from any decision related to any client of SecureStrux. Is that likely to happen? Of course not. Because we don’t have a competing AB, it’s also technically impossible.

And that makes the entire CMMC certification scheme questionable, and only helps the argument that it’s a giant DOD-endorsed pay-to-play scam.

The CMMC-AB will also have to instruct its Board members and others to stop promoting consultants, period. Since that’s not likely to happen either, the AB will probably be forcibly disbanded or restructured based on the results of the many investigations it now faces. But all of this could have been avoided, had people simply followed their own Ethics policies, and the decades of prior accreditation history that the United States has at hand.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.
