Monday, April 13, 2020

IDEAFest2020 - a conference worth questioning

The CMMC as it's been rolled out has hinged on the industry coming together to help the DoD realize its vision. A key part of that is the creation of the Accreditation Body (CMMC-AB). This organization, made up of industry personnel and some experts, is charged with creating a full volume of standards for 3rd party auditors to become accredited themselves.

It didn't take long to realize there's a significant amount of money to be made, both from auditing and from capitalizing on the misunderstandings of the CMMC standard itself and on the general awareness needed that this new standard will impact hundreds of thousands of DoD contractors. Given that, I've watched closely as this AB was formed and rolled out. Here is one more example of how those involved are walking the fine ethical line of a conflict of interest, if not crossing over it.

Welcome to IDEAFest2020

The first virtual conference to make its way onto the COVID-induced WFH stage is this brainchild of CMMC Director Jeff Dalton and his business partner Mark Weber.

While I applaud Jeff, if this is even him, for putting together a $99 per person conference, touting CMMC participation to include the CMMC Chair, Ty Schreiber, and fellow Director John Weiler, I have to question the authenticity of this.  

I've spent years attending conferences and shows as a CISO.  I feel I'm qualified at this point to differentiate the good from the bad, and a lot of that starts with the marketing.  

I've seen better-crafted phishing emails and landing web pages come out of Lagos, Nigeria than this.

Built with Wix header

This header is kept on the free version of Wix's website builder. You have to ask yourself about the professional level of a paid-for conference that is this cheap up front.


You have to wonder what's going on here when most of the sponsors are companies you yourself own or run. The ability to attract sponsors is a clear sign of the professional capabilities of a conference.

The first sponsor that jumps out does so on a few levels.  How can a cyber security company ask for registration on an unsecured website? This seems like day 1 stuff.

The second finding on this "company" sponsor is really interesting. A CMMC AB Director is managing and running a company that provides CMMC consulting, readiness, and even a proprietary tool to gain compliance. The conflicts of interest here seem obvious, but so far are unchecked.


Look, I'm not looking for perfection, but I do want to know a few things before I commit any money to a conference, virtual or otherwise. As security professionals, we're constantly hit with these "cons" to attend, and most are of little value other than to the sales reps that corner us for a conversation or get our email off the registration list. The second concern, and the bigger one, is the obvious financial gains that a supposedly independent director on a non-profit group is making from using his position to charge for access to a highly valued group of DoD-associated personnel with information that everyone is eager to learn about.


Brian Haugli