Ethics and the Cybersecurity Maturity Model Certification Program

At a recent Town Hall, Matt Travis, CEO of the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB), noted that the “trust and confidence in the CMMC Ecosystem” requires a shared responsibility between the AB and the members of the community.

In fact, Travis’s Call to Action harkened back to the testimony of Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, who noted in his testimony to the Armed Services Committee cybersecurity subcommittee:

DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.

For CMMC to succeed, ethics matter.

In terms of the Cybersecurity Maturity Model Certification, the Professional Code of Conduct drives ethical considerations. The document provides the standards to which all members hold themselves accountable.

The document unites around five principles:

The document then lays out the practices and how the reporting features get implemented.

A conflict of interest occurs when a person has a duty or motivation to serve the interests of more than one party in the engagement of an activity. According to Matt Travis, this can lead to a variety of consequences:

CMMC Conflict of Interest

We must remember that a perception of conflict can cause just as much damage when no conflict exists, and that conflicts of interest can exist without malicious intent or outcomes.

The CMMC-AB in fact must establish a firewall between the registration of consultants, the accreditation of training schools, and the assessment of Organizations Seeking Certification.

Section 3.1.8 of the Professional Code of Conduct requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and to report them when they occur.

The Professional Code of Conduct, in Section 3.1.10, also bans a C3PAO from soliciting business from an organization it assesses. So you cannot fail an OSC and then offer services to help it pass the next assessment.

CMMC and Objectivity

The CMMC Professional Code of Conduct prohibits a credentialed assessor from joining an assessment team if that individual helped the organization prepare for the assessment.

Many companies in the ecosystem hold both Registered Professional Organization (RPO) credentials and Certified Third Party Assessment (C3PAO) credentials. A business cannot provide RPO services and then join a C3PAO Assessment Team or host an Assessment Team themselves. Furthermore, if you signed the CPCOC, you have an obligation to report this activity if you see it.

CMMC-AB and Ethics

To understand how the AB must adhere to these ethics, we must first understand its role in the ecosystem. The AB

Due to these roles, the CMMC-AB has a variety of tools to limit conflicts of interest:

These elements work together to ensure the CMMC ecosystem maintains a high ethical standard.

Duty to Disclose

The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem and then a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employer, and more. Based on the role in the ecosystem, the AB will decide whether that type of relationship is acceptable, to be avoided, or risky enough to require mitigation.

This document will explain your responsibilities to report conflicts of interest.

Red Lines for the CMMC-AB

Based on the policies governing the AB, its members must not fail to disclose conflicts, hold an interest in a C3PAO, use their status on the AB to generate business or leads, endorse any commercial product implicitly or explicitly, or accept any gifts, and all AB members must not operate in a credentialed company within the ecosystem for one year after leaving the board.

Shady Vendors

As a member of the ecosystem you face a barrage of emails. Many of these offer snake oil services or overpromise. As a small business owner, rely on word of mouth, not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turnkey services.

Take your time. You do not need a Level Three certification overnight; 2026 is a bit off. Until then, just grow the SSP and shrink the POA&M.
