As reported earlier, the CMMC-AB has received its first formal complaint as filed through the ISO Whistleblower Program, which we expanded in August to cover CMMC-related matters. That complaint, originally filed by an anonymous whistleblower and then processed by Oxebridge, alleges the CMMC-AB’s various training programs discriminate against those with low hearing or low vision as the delivery methods may not comply with the US Americans with Disabilities Act (ADA).
In a move likely only to worsen matters, the CMMC-AB has elected to ignore the complaint, and then cut off any discussions on LinkedIn by blocking me, personally. The latter move was odd, since at no time had I begun asking them about it on LinkedIn, but it did signal the group’s hostile posture. Acting Board chair Karlton Johnson — who was personally named in the complaint — and Credentialing Committee Chair Jeff Dalton, both blocked me within 48 hours of the filing.
The ADA complaint not to be taken lightly, especially since it alleges a violation of US law. The US Dept. of Defense has declared that the CMMC-AB shall be the “sole” credentialing authority for thousands of future CMMC assessors, who will be tasked with auditing up to 300,000 companies for CMMC compliance in the next five to ten years. By refusing to comply with the ADA, the CMMC-AB makes it impossible for those with certain disabilities to ever obtain the certifications necessary to be employed as an official assessor. It also telegraphs that the CMMC-AB feels its DOD mandate gives it superlegal powers, making it immune to civil litigation or criminal prosecution — both fantasies, of course.
This was a fantastic opportunity for Johnson, Dalton and other Board members to finally get in front of a damning history of accusations of self-dealing and corruption that have plagued the CMMC-AB from day one. Instead, the CMMC-AB appears to have circled the wagons in order to defend their actions, and to resist any industry oversight or feedback.
This will get much worse before it gets better.
Oxebridge has two other whistleblower reports against the CMMC-AB that it is attempting to verify before filing. At the same time, Oxebridge is preparing a number of Freedom of Information Act requests surrounding various CMMC matters that may bring more heat down on the CMMC-AB. It is also preparing two reports for the DOD Inspector General’s office, to be filed as part of the Defense Intelligence Community Whistleblower Protection (DICWP) program.
Meanwhile, the CMMC-AB continues to sell numerous personnel “certifications,” despite rules that prohibit accreditation bodies from doing so. It is a well-known conflict of interest when ABs simultaneously certify the people they are later tasked with overseeing during accreditation oversight audits. The accreditation bodies ANAB and A2LA were each split in two because of similar past conflicts. The CMMC-AB was made aware of these realities, but the Board appears to think it has cracked the case on conflicts of interest, even as it seems their only tactic is to ignore them.
As a result, there is no way the CMMC-AB can actually operate as an “accreditation body,” and will likely be forced to divest actual accreditation activities, retaining only the personnel certification services it is currently selling. (For a better understanding of why this is, see this 30-min video I prepared.)
The CMMC-AB has been desperate to find funding sources, as it was formed by the DOD without significant funding. It is only now advertising for its first CEO, who will come into the role facing widespread doubt, suspicion and frustration with the AB’s actions to date.
We’ve now escalated the complaint to a number of bodies and agencies, most of whom I’d rather not reveal until we get a response. But this did include the Dept. of Justice and the Equal Employment Opportunity Commission, which oversee ADA and employment discrimination cases respectively.
I did escalate this to the DOD’s CMMC Program Management Office, and the Undersecretary of Defense for Acquisitions and Sustainment, Ellen Lord, and received no reply. It’s largely assumed Lord is planning to exit the administration since the election, and may just be ready to hand this problem over to her successor.
The CMMC-AB still has time to get in front of this. The accusations of “pay to play” and self-dealing are bad enough. It really can’t afford a disability discrimination charge — and possibly lawsuits — this early in the game.
It’s not a good look if the organization tasked with ensuring defense companies adhere to cybersecurity regulations cannot, itself, follow the law.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.