Oxebridge has filed a formal complaint with the US Government Accountability Office (GAO), alleging the Dept. of Defense violated FAR clauses in its creation of the private, non-profit CMMC Accreditation Body (now called The Cyber AB). Ironically, the main way by which the DoD is pushing CMMC down to defense industry companies is through the FAR clause system.

The Federal Acquisition Regulation (FAR) applies to government bodies and contracting officers and dictates terms and conditions to be obeyed when the US Federal government acquires goods and services. The DoD intends to require hundreds of thousands of Defense Industrial Base (DIB) companies to adopt mandatory CMMC certifications by way of inserting CMMC requirements into the FARs.

In its roughshod attempt to push CMMC through without proper oversight, it now appears the DoD itself violated the FARs in the process.

FAR 6 relates to “Competition Requirements” and requires the government to purchase goods and services through a system of “fair and open competition,” by soliciting bids from multiple vendors. For the CMMC program, the DoD rejected fair and open competition, and instead ordered the formation of a monopoly body, the “CMMC Accreditation Body,” which would be a private 501(c)(3) not-for-profit organization. Oxebridge alleges that not only was the creation of the CMMC AB illegal on its face, but it also violated FAR 6 by circumventing fair and open competition for the AB role.

Oxebridge, in its complaint, points out that existing accreditation bodies, such as ANAB and A2LA, already exist that could provide the service. Nevertheless, the DoD’s CMMC program office, previously led by Trump appointee Katie Arrington, refused to engage with current providers and set out to create a new organization out of thin air.

Making matters worse, Oxebridge points out, Arrington then gave the no-bid sole source contract to the CMMC AB after it had elected her former boss, personal friend, and campaign donor, Ty Schieber, to its seniormost position. Even though Arrington and others were claiming the DIB was comprised of as many as 500,000 companies, the appointment of Arrington’s former boss was dismissed as the DIB being “a small world.”

Arrington later left the DoD in scandal, and immediately opened LD Innovations, a CMMC consulting firm. She recently took a job with Exiger, another cybersecurity firm offering CMMC services. Oxebridge alleges she violated the FAR clauses to create both a private company and an “ecosystem” that she could later personally benefit from, once leaving the government, and which would benefit her personal contacts.

FAR 6 does allow the government to circumvent fair and open competition, but DoD’s CMMC program does not appear to fall into any of the permitted exemptions.

The DoD also violated FAR 5 on “Publicizing Contract Actions” related to the CMMC AB contract, Oxebridge asserts. The DoD has refused to honor legal and valid FOIA requests to release its contract with the CMMC AB. It has released portions of a prior contract, but nothing from a newer contract between the parties. Under US law, Federal government contracts are public documents.

Despite the CMMC program having launched in 2019, it has yet to be finalized. Not a single assessor or assessment body has been accredited by the Cyber AB, despite that organization having sold tens of millions of dollars in CMMC “credentials”.

The DoD has released an estimate claiming the CMMC assessments will cost the public and government up to $62 billion in the next 20 years. Those figures only include costs of assessments and not implementation.

