Editor’s Note: This story has been updated with additional comment from the DOD on the removal of the two CMMC-AB members.
Recent tumult in the independent board tapped to implement the Department of Defense’s new cybersecurity policy has come to a head with the chairman and communications lead being forced out.
Chairman Ty Schieber and head of communications Mark Berman were voted off the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) after the recent launch of a controversial sponsorship scheme.
Their ouster comes at a critical time for the AB and the CMMC program writ large. The first cohort of provisional assessors — cybersecurity professionals that will be tasked with assessing the networks of defense contractors — just recently got underway. And the Defense Federal Acquisition Regulations (DFARs) rule change required to get CMMC provisions into contracts is also near completion.
“Several board members who were critical in establishing this solid foundation are transitioning off the board. We thank Ty Schieber, chairman, and Mark Berman, communications director, for their thoughtful leadership,” DOD said in a statement to FedScoop.
Karlton Johnson, a decorated combat veteran who served as the board’s No. 2, will take over as chairman. It is unclear if he is acting or the permanent chair.
“We are excited to welcome Karlton Johnson as the new CMMC-AB chairman,” DOD’s statement continued. “We look forward to a continued strong relationship moving forward.”
The DOD denied that Schieber and Berman were removed, saying “there was no ‘ousting’ of leadership; they left of their own accord.”
However, several people familiar with the transition described a tense vote that resulted from the controversy surrounding the creation of a “Partner Program.”
Some outside observers said the program, which Berman and Schieber pushed for without full-board approval, created a conflict of interest by allowing for the Accreditation Body to take up to $500,000 to promote companies it could have been in charge of overseeing. The AB quickly removed the program from its website after negative response flooded in from the DOD contracting community.
The AB is critical to the new CMMC standards for 300,000 defense contractors. It has a memorandum of understanding to be the sole accreditor for the new army of cybersecurity assessors in the CMMC program. The program assesses contractors on five tiers of security controls and will require all DOD contractors to have a verified cybersecurity audit by an assessor accredited by the AB. Schieber led the AB’s efforts from the start, being selected as its chair when the board incorporated in January.
The controversy over the Partner Program is not the first to frustrate board members and CMMC leaders at DOD. Tension also rose earlier this year between the board and the DOD over negotiations on a new contractual relationship. As talks dragged on, some board members lost confidence in Schieber. Board members splintered over the direction their volunteer organization was taking, with some threatening to quit at times. As early as July, a board member tried to file a motion for Schieber’s ouster.
Schieber and Katie Arrington, the DOD’s lead official on CMMC, had a close relationship. The two had worked together previously and Schieber donated to Arrington’s failed bid to win a seat in Congress in 2018. (Both routinely denied any impropriety in the donation or that it had any effect on Schieber’s position on the AB.)
Berman had little experience in the defense industry before joining the board. After working in the leadership of several IT startups, he jumped on the board as an opportunity to serve and promote national security, he had previously said. He led the board’s communications and occasionally spoke on panels about the program. His tenure on the AB was marked by occasional unforced errors, such as the inadvertent posting of draft materials to the AB’s website.
Neither Schieber nor Berman responded to multiple requests for comment before publication.