At a recent Town Hall CEO of the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) CEO Matt Travis noted that the “trust and confidence in the CMMC Ecosystem” requires a shared responsibility between the AB and the members of the community.
In fact Travis’s Call to Action harkened back to the the testimony of Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy who noted in his testimpny to the Armed Service Committee cybersecurity subcommittee:
DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.
For CMMC to succeed ethics matter.
In terms of the Cybersecurity Maturity Model Certification the Professional Code of Conduct drives etical considerations. The document provides the standards to which all members hold themselves accountable.
The document unites around five principles:
- Proper Use of Methods
- Information Integrity
The document then lays out the practices and how the reporting features get implemented.
Conflict of Interest occur when a person has a duty or motivation to serve the interests of more than one party in the engagement of an activity. According to Matt Travis this can lead a variety of consequences:
- Compromises Judgement
- Threatens Objective Decisions
- Undermines Impartiality
- Destroys Confidence in Fairness and Integrity
- Requires Disclosure
CMMC Conflict of Interest
We must remember a perception fo conflict can cause just as much damage when no conflict exists and conflicts of interest can exist without malicious intent our outcomes.
The CMMC-AB in fact must establish a firewall from the registration of consultants and the accreditation of training schools and the Assessment of Organizations Seeking Certification.
Section 3.1.8 of the Professional Code of Conduct requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and report them when they occur
The professional code of conduct , in Section 3.1.10 also bans C3PAO from soliciting businesses from an organizaton they assess. So you can not fail an OSC and then offer services to help the pass the next assessment.
CMMC and Objectivity
The CMMC Professional Code of Conduct prohibits a credentialed assessor to join an assessment team if that individual helped the organiztion prepare for the assessment.
Many companies ecosystem have Registered Professional Organization (RPO) credentials and Certified Third Party Assessment (C3PAO) credentials. A business can not provide RPO services and then join a C3PAO Assessment Team or host an Assessment Team themselves. Furthermore if you signed the CPCOC you have an obligation to report this activity if you see it.
CMMC-AB and Ethics
In order to first understand how the AB must adhere to the ethics we must first understand their role in the ecosystem. The AB
- Authorize CMMC C3PAOs to conduct assessment
- Accredit C3PAOs in accordance with ISO 17020
- Authorize the CAICO to certify CMMC Instructors and Assessors
- Establish, maintain, and Manage the CMMC Marketplace
- Oversee the CMMC Professional Code of Conduct
Due to these roles the CMMC-AB has a variety of tools to limit Conflict and Interest
- CMMC-AB Code of Ethics
- CMMC-AB Conflict of Interest Policy
- CMMC-AB Directors Agreement
- CMMC Code of Professional Conduct
- Contract with Department of Defense
- CMMC-AB Audit, Ethics, and Compliance Committee
- Security and Compliance Officer
- ISO 170ii General Requirements for Accreditation Bodies Assessing and Accrediting Conformity Assessment Bodies
These elements work together to ensure the CMMC ecosystem maintains a high ethical standard/
Duty to Disclose
The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem and then a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employer and more. The AB will decide if based on the role of the ecosystem if that is a type of relationship that is okay, to be avoided, and risky enought to require mitigation.
This document will explain your responsibilities to report conflict of interest.
Red Lines for the CMMC-AB
Based on the policies governing the AB they must not fail to disclose conflicts, have an interest in an C3PAO, use their status on the AB to generate business or leads, endorse any commercial produce implicitly or explicitly, accept any gifts, and all AB members must not operate in a credentialed company within the ecosystem for one year from leaving the board.
As a member of the ecosystem you face a barrage of emails. Many of these provide snake oil services or over promise. As a small business owners rely on word of mouth not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turn key services.
Take your time. You do not need a Level Three certification overnight. 2026 a bit off. Until then just grow the SSP and shrink the POA&M.