Shakeup at CMMC board

The independent board charged with implementing the Defense Department's unified cybersecurity standard has new leadership as it announces new milestone hit.

automated security (Oskari Porkka/Shutterstock.com)
 

There's a major leadership shakeup at the independent board charged with implementing the Defense Department's unified cybersecurity standard following allegations of pay-for-play funding.

Karlton Johnson, who originally served as the vice chair for the Cybersecurity Maturity Model Certification Accreditation Board, is now the new chairman, the Defense Department confirmed in a statement to FCW. He replaces Ty Schieber, who served as the chairman since the organization's launch in January.

FedScoop first reported the news of the CMMC board's leadership change and the resignation of Mark Berman, the board's communications director.

The leadership shift follows news reports surrounding conflicts of interest with the volunteer-based board's fundraising model that "solicited payments of up to $500,000 in exchange for 'partnerships' that carry the board's seal of approval," the Washington Post reported.

The CMMC board is charged with developing the education and training needed for organizations and individuals looking to become certifiers of the CMMC standard that will become mandatory in future DOD contracts. But the enormity of the board's responsibility has drawn scrutiny over its organizational structure, particularly because it screens and picks entities that will ultimately determine if a company meets the standard.

Schieber told FCW via email that he resigned as the board's chair and director effective Sept. 11 because he felt "it is time for a change in leadership" and "staunch support" for the board.

Berman told FCW via phone that he "made a decision to transition away from the board to focus on other ways to serve my business and family," denying reports that he was ousted and submitted his resignation "early Friday" ahead of a board meeting he did not attend. Berman said he was still on the all-volunteer board, is in the process of shifting his responsibilities to other members, and "willing and able to continue to do all in my power to support the CMMC effort."

Eric Noonan, the CEO of CyberSheath, told FCW that issues of conflicts of interest within the board were likely a fundamental issue with structure of DOD's relationship with the board and "distracting" from CMMC's goal.

"I don't think the issues were unique to specific board members as much as they appear to be foundational in the overall approach. Any approach to supply chain cybersecurity that places the CMMC AB or any other entity in between the Department of Defense and industry is unnecessarily complex and probably flawed," Noonan said.

As news of the board leadership changes broke, DOD and the board later announced that the CMMC accreditation board "reached a monumental milestone with the initial training of provisional assessors," according to DOD's statement. "The CMMC-AB is now moving through the initial stand-up phase and working to meet the requirements of the DOD."

DOD's statement didn't address funding issues with the CMMC accreditation body or how the leadership change might affect implementation of the CMMC standard, which was originally expected to appear in requests for proposal this fall.