As we create the Cybersecurity Maturity Model Certification (CMMC) program we need to consider the ethics behind our goals. Otherwise the program will wither on the vine rather than break from the chrysalis and spread its wings.
History of Ethics in Compliance
In 1907, at its 20th anniversary conference, the American Association of Public Accountants adopted its first ethical standards in its bylaws. Over time these evolved into five principles: independence, integrity, and objectivity; competence and technical standards; responsibilities to clients; responsibilities to colleagues; and other responsibilities and practices.
The Cybersecurity Maturity Model Certification builds off of this long tradition and also off the ethical standards many manufacturers adopt as part of their International Organization for Standardization (ISO) certifications. ISO/IEC 38500, Corporate governance of information technology, is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This standard lays out six principles of good governance:
- Human behavior
- Responsibility
- Strategy
- Acquisition
- Performance
- Conformance
CMMC-AB Code of Professional Conduct (CoPC)
The CMMC-AB incorporated the ideals of what is now the American Institute of Certified Public Accountants (AICPA) and of ISO/IEC 38500 into the CMMC-AB Code of Professional Conduct.
This CoPC covers all members of the CMMC ecosystem and, like other ethics policies, has core principles:
- Professionalism
- Objectivity
- Confidentiality
- Proper use of methods
- Information integrity
The AB defines the principle of professionalism as:
Always maintain a professional business posture. Never represent yourself or your company in a way that is not aligned with your certification, NDA, or authorization by the AB.
In terms of the ecosystem this means never providing services for which you do not hold the credential. Do not, and this is common, suggest your company provides a service you know it does not, in order to land the sales call, thinking you can backfill the need with a 1099 contractor. Only sell what you do and do what you sell.
The AB defines the principle of objectivity as:
Avoid the appearance of, or actual, conflicts of interest where possible, and full compliance with Conflict of Interest policies that may be signed as part of license agreements. In the case where a perceived or management conflict may be present, document and describe the conflict to all affected parties and secure agreement to
A C3PAO may not, for example, assess a machine shop owned by the assessor's aunt or cousin. This could harm objectivity.
The AB defines the principle of confidentiality as:
As a working group member, credentialed, registered, or organization, you will maintain the confidentiality of customer and government data. You may be made aware of certain confidential information that is acquired in the performance of professional services, including data, trade secrets, business strategies, security postures, and personal information that may be contained within the systems you are exposed to. Treat confidential information with the utmost care, and under no circumstances reveal information learned during the delivery of CMMC services to anyone who is not expressly authorized to view it.
You need to protect data and personally identifiable information, and you must not share information outside of the assessment or discuss it on social media. As an assessor, for example, you may be in the habit of taking notes by drafting an email to yourself and never sending it. This violates confidentiality: you have used an external system to store assessment data, because drafts are saved on the mail server rather than locally.
You may also be tempted, at a weekly happy hour, to complain about the abysmal state of security in a company you assess. Don't. Even if you anonymize the details by not mentioning names, people can cross-reference social media posts to determine which company you are discussing.
Proper use of methods
The AB defines the proper use of methods as:
Demonstrate integrity in the use of materials and methods as they are described by the CMMC AB in policies, methodologies, and training materials, and act in a manner consistent with the intent of the materials to preserve the integrity of CMMC service delivery.
This means you need to know your stuff. If you paid for a Registered Practitioner badge and find yourself new to the land of compliance, find the relevant NIST guides and read them.
You also must not coach people while completing an assessment. Sounds easy, but it is not. People can be very persuasive when their company and the livelihood of their employees are at stake. Do not unduly influence someone when observing them perform a test.
The AB defines information integrity as:
Report results from the delivery of CMMC services completely and with integrity as required by your license or certification agreement.
Meaning: don't cheat, and report results accurately. A violation does not require nefarious intent. You may come across a policy or procedure where the OSC (Organization Seeking Certification) left part of the document blank. You can't just fill in the blank for them.
From these principles the AB derives a series of best practices: conflicts of interest, respect for intellectual property, lawful and ethical practices, and contracts and non-disclosure agreements.
Conflicts of interest
A major part of objectivity revolves around conflicts of interest. In business, the perception of a conflict can do more damage than the rare case of actual nefarious activity. The CMMC-AB will create a Conflict of Interest Matrix for all the different roles.
Under the CoPC you must report any potential conflict of interest. This can include familial relationships, prior employment, or a personal company whose interests conflict with those of your W-2 employer. A common situation arises with C3PAOs, which must not offer remediation advice that points to specific vendors. People also need to consider their channel sales relationships.
Take a scenario where an assessor at a C3PAO conducts an assessment. That person owns another LLC that works as a channel sales partner for Super Secure GRC tools. The assessor thinks the product would resolve the OSC's non-conformity. They cannot tell the OSC that buying Super Secure GRC tools will help them pass, even if they take no money from the sale. In fact, the C3PAO cannot recommend any tool to help the OSC pass.
Respect for intellectual property
Writing and developing compliance guides takes time, and too many people use that intellectual property (IP) without rights. One of the biggest issues involves the CMMC-AB logo. No one who signs the CoPC should use the CMMC-AB logo without permission. Ever. You can use your badge image in marketing.
As a signer of the CoPC you have a responsibility to report stolen IP, like the AB logo, when you see it. You may, for example, see someone use popular scoping guides or images on how to scope. The original guides were published under a Creative Commons license (like this blog) that allows you to share the information as long as you cite the source, give any derivative the same license (if it is ShareAlike), and do not sell it (if it is NonCommercial). Many people mistake Creative Commons for free and in the public domain. It might be free, but using it without attribution is theft of intellectual property.
Lawful and ethical practices
You also must consider all legal implications and not engage in toxic behaviors such as harassment and discrimination. More than that, you should try to build an inclusive environment. If all social events involve alcohol and/or golf, that does not represent ethical community building.
On the lawful side, you must consider all of the other legal implications. Take the International Traffic in Arms Regulations (ITAR), for example. Many companies produce data that falls under ITAR, under Controlled Unclassified Information (CUI), or under both, and the legal rules for each are different.
Contracts and non-disclosure agreements
Almost all assessments will require an NDA process. Sign them and keep your mouth shut. Better yet, remember that your word is your bond, and only do business with those you trust.