Shakeup at CMMC board

There's a major leadership shakeup at the independent board charged with implementing the Defense Department's unified cybersecurity standard following allegations of pay-for-play funding.

Karlton Johnson, who originally served as the vice chair for the Cybersecurity Maturity Model Certification Accreditation Board, is now the new chairman, the Defense Department confirmed in a statement to FCW. He replaces Ty Schieber, who served as the chairman since the organization's launch in January.

FedScoop first reported the news of the CMMC board's leadership change and the resignation of Mark Berman, the board's communications director.

The leadership shift follows news reports surrounding conflicts of interest with the volunteer-based board's fundraising model that "solicited payments of up to $500,000 in exchange for 'partnerships' that carry the board's seal of approval," the Washington Post reported.

The CMMC board is charged with developing the education and training needed for organizations and individuals looking to become certifiers of the CMMC standard that will become mandatory in future DOD contracts. But the enormity of the board's responsibility has drawn scrutiny over its organizational structure, particularly because it screens and picks entities that will ultimately determine if a company meets the standard.

Schieber told FCW via email that he resigned as the board's chair and director effective Sept. 11 because he felt "it is time for a change in leadership" and "staunch support" for the board.

Berman told FCW via phone that he "made a decision to transition away from the board to focus on other ways to serve my business and family," denying reports that he was ousted and submitted his resignation "early Friday" ahead of a board meeting he did not attend. Berman said he was still on the all-volunteer board, is in the process of shifting his responsibilities to other members, and is "willing and able to continue to do all in my power to support the CMMC effort."

Eric Noonan, the CEO of CyberSheath, told FCW that issues of conflicts of interest within the board were likely a fundamental issue with the structure of DOD's relationship with the board and "distracting" from CMMC's goal.

"I don't think the issues were unique to specific board members as much as they appear to be foundational in the overall approach. Any approach to supply chain cybersecurity that places the CMMC AB or any other entity in between the Department of Defense and industry is unnecessarily complex and probably flawed," Noonan said.

As news of the board leadership changes broke, DOD and the board later announced that the CMMC accreditation board "reached a monumental milestone with the initial training of provisional assessors," according to DOD's statement. "The CMMC-AB is now moving through the initial stand-up phase and working to meet the requirements of the DOD."

DOD's statement didn't address funding issues with the CMMC accreditation body or how the leadership change might affect implementation of the CMMC standard, which was originally expected to appear in requests for proposal this fall.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
