James Soriano, the defendant in multiple Federal bribery and conspiracy cases surrounding Cask Government Services, has pleaded guilty and now faces years in prison. Three defendants, including one former Cask employee, have now pleaded guilty and provided information on Cask’s criminal activities. Cask, one of the first C3PAO auditing bodies provisionally approved by the Cyber AB for the DoD’s CMMC scheme, nevertheless remains in good standing with the accreditation body, which has refused to enforce its code of ethics.

CMMC Scheme Illegal

A non-elected staffer of the Dept. of Defense, Katie Arrington, used her position to create the Cyber AB as a private not-for-profit company to oversee the CMMC scheme. The US government is prohibited from creating private companies without the passage of a law, such as in the case of the US Post Office or Tennessee Valley Authority, but Congress was never notified nor involved in the creation of the Cyber AB. The Cyber AB competes with pre-existing accreditation bodies, such as ANAB and A2LA, which already provide similar services. Arrington then allowed her former boss and political donor, Ty Schieber, to take over as the Cyber AB’s executive leadership, and used her office to create a mandate that all defense companies purchase services under the AB or face debarmet from all Federal procurement.

Arrington left the DoD after the National Security Agency stripped her of her government clearances, claiming she had leaked classified information to at least one Federal supply chain vendor. Arrington sued the government for a “name-clearing hearing,” but never received it. She then went to work for Exiger, selling consulting services for the CMMC scheme that she, herself, created.

The arrangement would allow any low-level Federal bureaucrat to create a company overnight to compete with existing American companies and then use their position to mandate citizens use their services or face Federal penalties. Alternatively, any government staffer may now use their Federal position to create a private company, grant it Federal contracts, and then go work for that company after they leave government.

The scheme appears to be illegal under multiple Federal laws, the the DoD Inspector Gernal has refused to investigate, closing multiple ethics and legal complaints made against CMMC without action. The DoD has also refused to release the sole-source contract it made with the Cyber AB, in violation of US law which says all such contracts are public documents. The DoD then refused to honor multiple FOIA requests to have the contract published, with DoD middle manager Stacy Bostjanick declaring she had personal authority to decide what information the American public sees and does not.

The DoD worsened matters by granting oversight of the Cyber AB to the Inter-American Accreditation Cooperation, a Mexican company. This means that Mexico — not the United States — will adjudicate any complaints filed against the Cyber AB. The DoD has refused to correct this error.

Cask Criminality

The Cyber AB then awarded early approval to Cask Government Sercies, a cybersecurity consulting firm with offices in Virginia and California, as a “C3PAO,” or auditing body for CMMC assessments. Schieber previously worked with Cask’s Stacy High-Brinkley at a prior company, Qinetiq.

Soriano was a central figure in multiple Dept. of Justice criminal investigations involving Cask.

As reported in December 2021, Oxebridge identified Cask as “Contractor-1” in the criminal case USA v Gutierrez. In that case, former Cask employee Liberty Gutierrez pleaded guilty (here) to conspiracy to commit money laundering and fraud. According to the court records, Cask hired Gutierrez upon the prompting of Soriano and, in return, Soriano steered at least one government opportunity to Cask.  Gutierrez then shared a portion of her illegal salary with Soriano, who hid some of the money in a “golf bag,” according to court filings.

Later, the court record revealed that Cask hired Soriano’s wife, Weng “Rowena” Cornejo Soriano. In exchange for the hiring, Soriano helped illegally steer Dept. of Defense contracts towards Cask.

In a second case, from October of 2023, the DoJ arrested another Soriano colleague, Dawnell Parker, who was also involved in the various Soriano schemes. Like Gutierrez, Parker pleaded guilty (here), further embroiling Cask.

Soriano himself was finally arrested and indicted in a third case, in which he is the defendant. Now, Soriano has pleaded guilty and is providing the Department of Justice with information on Cask and other companies that had illegally given him bribes to drive contracts their way. Soriano’s guilty plea may be read here.

It is widely assumed that the unnamed Cask executives named in all three cases are either Mark Larsen or Elizabeth Guezalle, or both, but to date, neither has been arrested.

Cyber AB Stands by Cask

Despite the public nature of the cases, the Cyber AB continues to maintain Cask’s status as an approved C3PAO for the CMMC scheme, and has refused to invoke its code of ethics in the matter. This means that Cask, found to have been illegally steering contracts to itself, will now have the authority to determine what other defense industry companies get contracts, through its performance of CMMC assessments. Without Cyber AB enforcing its ethics code, if Cask “fails” any CMMC company, questions can be raised on whether it did so to ensure that Cask itself wins contracts sought by that same company.

The Cyber AB is under Federal contract to implement controls for such scenarios under ISO 17011, but has not done so, continually violating its own Federal contract. Rather than debar the Cyber AB, the DoD Chief Information Officer has worked to protect the AB, allowing it to ignore contractual requirements.

The Cyber AB runs the CMMC auditor certification company, “CAICO,” which is prohibited under ISO 17011, but the DoD has also refused to force the AB to divest it.

As a result of these and other conflicts of interest, as well as questions of criminality embedded with the CMMC scheme, the resulting certifications issued under the Cyber AB’s authority will likely be questioned in eventual court proceedings. Given that CMMC will be required to achieve multi-million-dollar DoD contracts, the likelihood of such protests is high.

Soriano faces sentencing soon, and may be put into Federal prison for a decade or more.


Aerospace Exports Inc

Why we report on these topics

Since 2000, Oxebridge has worked to improve ISO and related certification schemes by identifying problems and then proposing solutions. We report on issues affecting standards users because so few other news outlets do. Our belief is that in order to fix the problems in these schemes, we must first understand the nature and breadth of those problems. Our reporting aims to do just that. Elsewhere on the Oxebridge site you will find White Papers and other articles proposing ideas to correct these problems.