The US Dept. of Defense has released the original contract between itself and The Cyber AB (formerly “CMMC Accreditation Body”) in response to a Freedom of Information Act filing issued by Oxebridge in July of 2021. (The contract appears below.)
The DoD fought to prevent the release of the contract, despite the fact that US law demands all government contracts be public documents. The DoD then redacted the names of the parties which represented the CMMC-AB as well as that of the DoD. In its FOIA response, the DoD said that revealing the names “would constitute a clearly unwarranted invasion of the personal privacy of individuals.” The redactions are largely moot, since the redacted version leaves intact the title of the DoD representative as “OUSD (A&S) OCISO” which refers to “Office of the Undersecretary of Defense for Acquisition and Sustainment, Office of the Chief Information Security Officer.” The only person to ever hold that role was Katie Arrington, who led a very public campaign to launch CMMC.
It is unclear why the DoD believes that the names of high-ranking government officials are “personal information.”
Previously, a FOIA issued by Oxebridge resulted in the release of only the “Statement of Work” (SOW) portion of the standard. The DoD resisted publishing the entire document for reasons that were never made clear. As a result, there was no evidence that the SOW was part of a legally binding contract, as it was instead provided as a random text file not associated with any legal document.
The DoD’s Stacy Bostjanick wrote to Oxebridge giving a variety of contradictory explanations for the DoD’s refusal to publish the contract, and thus comply with US law. First, Bostjanick said that the SOW constituted a sufficient portion of the contract, and that the SOW was all that “legally obligated,” negating the need to publish the rest. Then, Bostjanick arbitrarily claimed that publishing the contract would not serve the public, something that she — as a government employee — is not authorized to decide.
The FOIA response now proves that Bostjanick’s explanations were never true, and that she never had the authority to refuse publication in the first place.
In the end, the process took 32 months to conclude, largely due to DoD’s interference.
UPDATE – DODIG is now involved; see below.
The contract published below, however, is not the most recent document. Since that time, the government has entered into a secret “contract mod” with the CyberAB, which alters the contractual obligations from this original contract. The DoD and CyberAB have both refused to reveal the contract mod, which is also supposed to be a public document under US law. Oxebridge aims to file a new FOIA to unmask the contract revisions, but expects that to take another 2-3 years.
Hiding Pay to Play?
The intense efforts by DoD and the CyberAB to obfuscate the nature of their contractual obligations have only increased concerns over the nature of the CMMC scheme.
The DoD was criticized for setting up a “pay-to-play” scheme with CMMC, which — some argue — was intended to create a cottage industry for private consultants. Making matters worse, the AB and DoD have adopted the term “ecosystem” in an apparent nod to the “cottage industry” argument, but have leaned into it as a benefit, not a scandal.
Arrington, the former architect of the scheme, had previously worked at Dispersive Technology under her friend and political donor, Ty Schieber. When the DoD called for the formation of a private, non-profit accreditation body to manage CMMC, the resulting “CMMC-AB” was led by Schieber. The DoD rejected criticisms that this amounted to cronyism and corruption, and claimed that the relationship between Arrington’s CMMC DoD office and Schieber’s AB merely resulted from the defense industry being “a small world.”
At the same time, Arrington and other DoD officials made the unsupported claim that the Defense Industrial Base was as large as “500,000” companies, appearing to contradict their “small world” claims in the Schieber appointment.
The DoD then entered into a secret contract with the AB, going so far as to refuse to investigate reports showing Schieber had lied on the AB’s official CAGE code application, under penalty of felony prosecution. At the time, Schieber attested the AB was already a 501(c)(3) not-for-profit, and the AB was awarded its contract on that basis. In fact, the AB had not received its 501(c) status until years later. Arrington defended Schieber against the claims, however, and worked to shut down the investigation into felony CAGE code fraud. She then launched a public defamation campaign against Oxebridge.
Schieber, for his part, then worked with a few hand-picked consultants to award various credentials and authorities to others in his orbit. Stacy High-Brinkley of Cask Government Services formerly worked with Schieber at Qinetic, and received one of the AB’s first “Lead Assessor” credentials. Cask was identified as the subject of a DOJ criminal probe, in which US Attorneys allege its management bribed government officials to win at least one contract. The AB then approved Cask as an official CMMC certification body even after one Cask employee pleaded guilty and is awaiting sentencing. High-Brinkley has since appeared alongside DoD officials, including Bostjanick, at paid CMMC events.
The CyberAB has generated millions of dollars in revenue since Arrington’s contract, but has still not produced a single fully-accredited CMMC certification body.
While Arrington falsely claimed that CMMC certification was already available in late 2019, it now appears that the program will not actually launch until 2024 or later.
John Sherman has taken over management of the CMMC scheme, as the DoD’s Chief Information Officer, but has declined to rein in the ongoing conflicts of interest and alleged corruption within the “ecosystem.” Sources say that Bostjanick has been sidelined at least from public appearances, after a string of embarrassing showings at CMMC events, but that she remains intent on using her office to push business to the CyberAB and its selected consultants and “partners.”
In a bizarre tweet this week, Arrington claimed that CMMC would have prevented a hack of DoD systems, revealing that Arrington apparently never understood that CMMC was intended for private defense contractors, not for use by the DoD itself.
At no point has the DoD ever published any study showing that CMMC will improve defense industry cybersecurity.
CMMC 1 Scuttled, FOIA Lawsuit Threatened
The CMMC scheme eventually faced backlash, partly led by Oxebridge’s reporting, which provided reports to the House Armed Services Committee and Senate Armed Services Committee. This led to an audit by the US Government Accountability Office, which uncovered irregularities in the DoD’s program. In response to the GAO audit and backlash from defense industry experts, the CMMC program was scrapped and re-released as “CMMC 2.0”. Arrington had her security clearance suspended and was sidelined from all CMMC activities until she quit the DoD entirely.
Arrington then sued the DoD, and official court dockets show that DoD responded to FOIA requests issued by Arrington within mere months or weeks. As a result, Oxebridge threatened to sue the DoD under a FOIA lawsuit for intentionally delaying its FOIA, while prioritizing the processing of FOIAs for Arrington.
The DoD then began providing updates on the FOIA, until its release yesterday.
Oxebridge has warned the parties that it intends to challenge the first CMMC certifications, once the program is fully launched, on the grounds that national security interests are at risk. The DoD contract would have the CyberAB governed by foreign nations, all but ensuring a legal or Congressional battle once the program officially launches. The contract requires the CyberAB to submit to oversight audits by IAAC, an accreditation group out of Mexico, and the IAF, which is heavily influenced by China. The DoD has refused to address these concerns, in its effort to prop up the private consultant industry created by Arrington.
Oxebridge aims to prove that complaints filed against the AB will be adjudicated by Mexico and other foreign powers, thus stripping the US Government of final authority over its own DoD program. The former Chair of the IAF was Chinese Communist Party member Xiao Jianhua, who remains influential in the group.
The full contract may be read here:
UPDATE 6 March 2023: One day after DoD provided the contract, Oxebridge received an email from the office of the DOD Inspector General (DODIG), indicating they had just received the FOIA referred to them. In a subsequent phone call, the DODIG office explained that while the DoD OUSD office may have fulfilled its part of the FOIA, during the investigation some documentation related to the request was identified as belonging to DODIG, thus explaining the “branching” of the FOIA into two paths.
This suggests that there are significant documents behind the scenes related to the issuance of the DoD’s contract to the CyberAB, and that somehow the DOD Inspector General’s office was involved. Oxebridge has no immediate knowledge of this development.
As a result, the DODIG is now pursuing a branch of the original FOIA, and may yet reveal additional documentation somehow related to the CyberAB’s contract. It is likely that the DODIG will eventually redact these documents, or refuse to provide them at all, but the sudden revelation of DODIG involvement suggests that the CyberAB’s contract award was not a routine, normal event.