Oxebridge has filed a complaint with the Defense Logistics Agency’s Inspector General alleging felony fraud by the CMMC Accreditation Body, putting its exclusive contract with the US Department of Defense in jeopardy.

In March 2020, the CMMC-AB filed an application with DLA to obtain a “Commercial and Government Entity” number, known as a CAGE code. A CAGE code is a mandatory requirement to obtain a Federal government contract under most conditions. Within its application package, the CMMC-AB included two documents related to its “representations and certifications,” known as “reps & certs documents.” These attest to certain legal conditions for which the applicant must pledge prior to obtaining a CAGE code.

In its reps & certs filings, the CMMC-AB had to identify the “type of organization” it was at the time of signing. CMMC-AB representative Ty Schieber checked the box identifying the CMMC-AB as a “Corporate entity (tax-exempt).” The form allows for the selection of an alternative option, “Corporate entity (not tax-exempt),” but Schieber did not check that.

In March of 2020, the CMMC-AB had not filed an application with the IRS for tax-exempt status, according to witnesses, which Oxebridge has confirmed. As of that date, the CMMC-AB was a for-profit entity, making the statements on the reps & certs documentation untrue.

The reps & certs document clearly indicates that falsifying information on the submittal is a crime. The header on the documents reads:

I have read each of the FAR and DFARS provisions presented on this page. By submitting this certification, I, Ty Schieber, am attesting to the accuracy of the representations and certifications contained herein, including the entire NAICS table. I understand that I may be subject to criminal prosecution under Section 1001, Title 18 of the United States Code or civil liability under the False Claims Act if I misrepresent CYBERSECURITY MATURITY MODEL CERTIFICATION ACCREDITATION BODY, INC. in any of these representations or certifications to the Government.

The law indicates that violations are punishable by fines and up to 5 years in Federal prison.

The Dept. of Defense has made tax-exempt status a condition for the CMMC-AB to obtain its position as the nation’s sole CMMC oversight body. Despite that, the CMMC-AB has so far resisted that requirement. As of February 2021, the CMMC-AB has still not obtained any tax-exempt status. It operated for the entirety of 2020 as a for-profit organization, selling “badge” programs and allegedly generating millions in revenue. Because it has not filed as a tax-exempt entity, the group’s 2020 tax filings will remain secret, prohibiting both the government and public from knowing if any financial conflicts of interest were conducted in that year. It is largely assumed that Board members personally reaped some level of financial reward from the CMMC-AB’s activities to date, ignoring their own ethics rules.

The Oxebridge complaint to the DLA IG alleges that the Schieber filing represents an intentional violation of Title 18 Section 1001, a felony, and that as a result, the contract between DoD and CMMC-AB is automatically null and void. The latter argument assumes that if an organization cannot obtain a government contract without a CAGE code, then it must lose that contract if the CAGE code was obtained through fraud.

In a separate filing with the Dept. of Defense Inspector General, scheduled to be filed later today, Oxebridge intends to allege that staffers within the Office of the Undersecretary for Defense for Acquisitions and Sustainment were also aware. This would include former Undersecretary Ellen Lord and current Chief Information Security Officer Katie Arrington.

Weeks after the CAGE code filing, Lord signed an MOU with the CMMC-AB which admitted the organization had not yet obtained its tax-exempt status. Schieber signed on behalf of the CMMC-AB. In December of 2020, Lord’s office signed a contract with the CMMC-AB, intended to replace the MOU, again including language that admitted the DoD was aware the CMMC-AB still did not have its tax-exempt status. Oxebridge alleges that this shows the OUSD A&S office not only knew the CMMC-AB had falsified its CAGE code filing, but was attempting to work around the issue, rather than report it to DLA.

Instead, Lord’s office openly shilled for the CMMC-AB’s various “badge” programs, helping it generate revenue.

The DODIG complaint will also allege that Arrington and CMMC PMO head Stacy Bostjanick violated the law by engaging in “misuse of position” and “misuse of official title” regulations under 5 C.F.R. § 2635.702 by falsely claiming trainers or consultants not authorized by either the CMMC-AB or DOD are somehow acting illegally. Ms. Bostjanick repeated this false claim as late as yesterday, in an article published by Federal News Network, while Ms. Arrington made the claim last week on LinkedIn. The law prohibits government employees from using their positions to promote private companies, especially doing so by falsely implying some government approval of the companies. There is no law prohibiting private companies from providing consulting, training, or other services related to CMMC.

The DODIG filing will also allege that Arrington’s office intentionally puts at risk the national security of the United States by demanding the CMMC-AB subject itself to oversight by the IAAC, which operates out of Mexico, and the IAF, which is managed by China. This matter was the subject of a White Paper published by Oxebridge founder Christopher Paris. Arrington was warned back in September not to allow the IAF and China to have oversight in the CMMC program, but she ignored the warning.

At the same time, Oxebridge is pushing for the IRS to investigate the CMMC-AB for tax fraud. Statements made during 2020 appear to solicit donations, and one statement falsely claimed that paid appearances by Board members were “tax-deductible.” Doing so without having obtained tax-exempt status is illegal. So far, the Maryland Secretary of State has declined to investigate, indicating there is insufficient evidence, but did suggest the matter be examined by the IRS. A separate complaint has been filed with the Maryland Attorney General, regarding the fraud allegation.

The CMMC-AB is already the subject of a Dept. of Justice complaint alleging the group discriminates against service-disabled veterans. A whistleblower reported the CMMC-AB’s Provisional Assessor training materials fail to comply with the Americans with Disabilities Act, and thus make employment as a CMMC assessor impossible for disabled veterans. The complaint was originally filed with the CMMC-AB directly, but Board leaders Karlton Johnson and Jeff Dalton elected to ignore the filing, rather than process it per standard accreditation body rules. CMMC-AB training developer Ben Tchoubineh later indicated that future materials “will be compliant with ADA,” but has refused to stop training and correct the materials so they comply with the law now.

The Oxebridge ISO Whistleblower Program has received nearly ten complaints about the CMMC-AB, most of them alleging ethical violations of CMMC-AB Board members, specifically related to conflicts of interest and self-dealing.


ISO Benchmark