Multiple members of the Accreditation Body’s board of directors also serve as consultants in the cybersecurity space, which critics say gives them an unfair advantage to cash in on the program.
The leadership of a volunteer private-sector group responsible for implementing the Defense Department’s Cybersecurity Maturity Model Certification program said it’s working to address conflict-of-interest issues to allow fair competition within the defense industrial base and among companies that want to advise them on meeting program requirements.
The DOD developed the CMMC to ensure contractors follow cybersecurity guidelines and to stop intellectual property theft by adversaries like China. Officials say the current practice of allowing contractors to simply pledge their adherence to National Institute of Standards and Technology practices has not been reliable. The CMMC program instead will institute a system of independent third-party audits, which all contractors will eventually have to undergo in order to serve the department.
On April 8, Katie Arrington, DOD’s CMMC lead, said a final rule on the requirements will be ready in about a month.
But implementation of the program so far, which is being headed up by the volunteer group that has entered a no-cost contract with the DOD as the CMMC Accreditation Body or CMMC AB, has been controversial. Both large and small contractors are worried about whether they will be treated fairly for a variety of reasons, according to a recent survey and interviews with contractors.
The DOD has said CMMC certification will cost contractors about $3,000 on the lower levels and prospective auditors have lined up to be at the receiving end. There’s also a host of consultants hoping to make money off the process by advising companies on what they need to do to prepare for their audits so they don’t fail them and lose an award.
The CMMC-AB, which must approve the auditors, is funded through fees they collect from those applying to be auditors. It has also collected fees from those it approves as “registered practitioners.” Those individuals enjoy an elevated status as CMMC consultants—they must complete basic online training on the CMMC and sign a code of professional conduct and in exchange can market themselves using the CMMC logo—but aren’t allowed to conduct audits. Conflict-of-interest issues have emerged as members of the CMMC-AB are themselves owners of consulting firms.
Leslie Weinstein, a consultant in the CMMC space, recently posted an article to her LinkedIn page where the encryption provider PreVeil interviewed CMMC-AB board member Regan Edens as the founder of DTC (Digital Transformation Compliance) Global, a company he started in 2019 as the CMMC was emerging. Edens, who is the chief technology officer of DTC Global, is also identified as a member of the CMMC AB’s board of directors on the company’s website.
“This article is wrong on so many levels because a CMMC-AB board member is trying to sell his own services and the product of a partner on the guise of his expertise as an AB board member,” Weinstein wrote. “Matthew Travis, welcome aboard! You can start by policing up your board,” she added, referring to the former deputy director of the Cybersecurity and Infrastructure Security Agency who was just brought on as CEO of the AB.
The PreVeil interview has since been edited to remove reference to Eden’s position as chair of the CMMC-AB’s standards committee. It still includes his promotion of PreVeil’s encryption services. “If an organization needs to make quick and easy choice, then PreVeil is a good choice,” Eden says at the end of the article. The sentence links to PreVeil’s CMMC offering.
Edens told Nextgov DTC Global is in the process of transitioning its website and it was an honest mistake that the PreVeil article mentioned his association with the AB. But promotion of a webinar in February by PreVeil, which Edens describes as a DTC Global “partner,” also noted his role on the AB.
The webinars have also now been taken down from DTC Global’s website, but Edens told Nextgov: “To my recollection, any association by me between the AB, my role on the Board, and my role at DTC Global is incidental to the purpose of the conversation, though it is not prohibited by AB policy. I have requested the AB Board provide written guidance on [the AB Directors and DIB companies] participating in webinars and interviews in the future.”
When reached for comment, Karlton Johnson, chairman of the CMMC-AB’s board of directors, told Nextgov the AB is working to clarify its stance accordingly.
"The activity in question that took place in February did not meet the ethical standards that the CMMC-AB has set for itself,” he said. “The CMMC-AB leadership is currently addressing this instance and continues to evaluate board member and professional staff activities to ensure our conflict-of-interest policies are fulfilled in both letter and spirit."
But while Edens said he takes full responsibility for his actions and doesn’t want to discredit the AB in any way, he’s not entirely sold on the need to prevent members of the AB from putting their finger on the scale for service providers they think are doing a good job, given all the choices defense industrial base companies have.
“Many companies don’t even know where to begin,” he said. “So there’s a balance about informing the DIB and supporting great companies without endorsing them. I feel like if a vendor is willing to go the extra mile, the AB should support their efforts.”
It’s not clear what incorporating that sentiment into further guidance from the AB might look like. And the fact that the AB’s board members are consulting on the CMMC at all—their business affiliations are included in their bios on the AB’s website itself—could be problematic for fair competition.
A major part of the CMMC-AB’s role is approving the third-party assessors who will audit companies seeking certification. These CMMC Third Party Assessor Organizations, or C3PAOs pay a fee to the AB to go through that approval process.
“Maybe they shouldn't be doing CMMC consulting or cybersecurity consulting, that seems pretty, pretty swampy to me,” Weinstein told Nextgov about the AB’s board members. “I have a problem with that because they have inside knowledge that they're consulting with. Why would you not want a board member to be your consultant, because you potentially get inside information and if you want to fight your C3PAO, you know somebody that controls the fate of their company, like that's not OK. There's a ban on board members being C3PAOs for two years, but they should have a ban on doing CMMC consulting in general.”
Asked about the conflict-of-interest issues in an earlier interview with Nextgov, Johnson said the members are committed to standards of ethical conduct. Johnson, who is also the CEO of consulting firm DeLaine Strategy Group, a member of the board for Microchip Technologies and chairman of the board of governors for the National Space Society, said ultimately, it was the DOD’s decision to have the board’s members come from industry, and that the department has oversight over its activities.
Weinstein doesn’t buy Arrington’s argument that the creation of the AB was necessary to scale the auditing operations that would be needed to meet the demand of about 300,000 defense contractors. “Not at all, it’s ridiculous,” she said.
Weinstein, who is an Army veteran and spent 10 years as a DOD contractor working on policy in the offices of the chief information officer and acquisitions and sustainment, recently became solutions director for HITRUST, an accreditation body that performs functions similar to the CMMC-AB. She named the organization along with the International Organization of Standardization, and the American Association of Laboratory Accreditation as entities that the DOD could have turned to instead of creating the AB from scratch.
“If you wanted to scale, you should have gone with a mature organization that already does it instead of having to invent, every single thing, including hiring people, forming the company, asking for tax exemption,” Weinstein said. “There's no reason, no practical reason they had to do that. They chose to.”
Arrington has said the AB was created organically after participants at a kick-off meeting volunteered to serve on the board and that it is a coincidence that her former colleague Ty Scheiber, who also contributed to Arrington’s campaign during a run for Congress, ended up being appointed chairman of the board. Scheiber has since stepped down amid a controversial funding proposal that was perceived as a pay-to-play-scheme.
The DOD did not respond to a request for comment on this story by deadline.
An interim rule to implement the CMMC, which spells out the relationship with the AB, is in effect but is currently under internal review. Weinstein pointed to this window as an opportunity to change the program.