CMMC and Ethics
At a recent Town Hall, the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) CEO Matt Travis noted that “trust and confidence in the CMMC Ecosystem” is the shared responsibility of both the AB and the members of the community.
In fact, Travis’s call to action harkened back to the testimony of Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar, who noted in his testimony to the Armed Services Committee cybersecurity subcommittee:
DoD must ensure there are clearly defined roles and responsibilities, standards of conduct, and audit mechanisms governing relationships with private sector entities within the external assessment system.
In order for CMMC to succeed, ethics must matter.
In the realm of Cybersecurity Maturity Model Certification, the Professional Code of Conduct drives ethical considerations. This document provides the standards to which all members hold themselves accountable.
The document unites around five principles:
- Proper Use of Methods
- Information Integrity
The document then lays out the practices inherent to each principle, in addition to how reporting features are implemented.
Conflicts of interest occur when a person has a duty or motivation to serve the interests of more than one party while engaged in an activity. According to Matt Travis, this can lead to a variety of consequences, including:
- Compromised Judgement
- Threatened Objective Decisions
- Undermined Impartiality
- Destroyed Confidence in Fairness and Integrity
- Required Disclosure
CMMC Conflict of Interest
We must remember that a mere perception of conflict can cause serious damage, even when no such conflict exists. Conflicts of interest can also exist without malicious intent or outcomes.
The CMMC-AB, in fact, must establish a firewall between the registration of consultants, the accreditation of training schools, and the Assessment of Organizations Seeking Certification (OSC).
Section 3.1.8 of the CMMC Professional Code of Conduct (CPCOC) requires everyone to avoid conflicts of interest to the greatest extent possible. We have a duty to avoid conflicts and report them when they occur.
The professional code of conduct in Section 3.1.10 also prohibits Certified Third Party Assessment Organizations (C3PAOs) from soliciting business from the organizations they assess. In other words, you cannot fail an OSC and then offer services to help them pass the next assessment.
CMMC and Objectivity
The CPCOC prohibits a credentialed assessor from joining an assessment team if that individual helped the organization prepare for the assessment.
Many companies in the ecosystem hold both Registered Provider Organization (RPO) credentials and C3PAO credentials. A business cannot provide RPO services to an organization and then join a C3PAO Assessment Team for that organization, or host an Assessment Team itself. Furthermore, if you have signed the CPCOC, you have an obligation to report this activity if you see it.
CMMC-AB and Ethics
In order to understand how the Accreditation Board (AB) must adhere to the ethics of the CPCOC, we must first understand their role in the ecosystem. The AB is required to:
- Authorize CMMC C3PAOs to conduct assessments
- Accredit C3PAOs in accordance with ISO 17020
- Authorize the CAICO (CMMC Assessors and Instructors Certification Organization) to certify CMMC Instructors and Assessors
- Establish, maintain, and manage the CMMC Marketplace
- Oversee the CMMC Professional Code of Conduct
Due to these roles, the CMMC-AB has a variety of tools to limit conflicts of interest:
- CMMC-AB Code of Ethics
- CMMC-AB Conflict of Interest Policy
- CMMC-AB Directors Agreement
- CMMC Code of Professional Conduct
- Contract with Department of Defense
- CMMC-AB Audit, Ethics, and Compliance Committee
- Security and Compliance Officer
- ISO/IEC 17011, General Requirements for Accreditation Bodies Assessing and Accrediting Conformity Assessment Bodies
These elements work together to ensure the CMMC ecosystem maintains a high ethical standard.
Duty to Disclose
The CMMC-AB will release a disclosure matrix that lists all of the players in the ecosystem, followed by a list of possible affiliations. These include elements of potential conflict such as ownership, financial interest, teaming agreements, family members, personal relationships, employment affiliations, and more. Based on each party’s role in the ecosystem, the AB will decide whether a given type of relationship is acceptable, to be avoided, or risky enough to require mitigation.
This disclosure matrix will explain your responsibilities to report conflicts of interest.
Red Lines for the CMMC-AB
Based on the policies governing the AB, its members must not fail to disclose conflicts, hold a vested interest in a C3PAO, use their status on the AB to generate business or leads, endorse any commercial product implicitly or explicitly, accept any gifts, or work for a credentialed company within the ecosystem for one year after leaving the board.
As a member of the ecosystem, you face a barrage of emails. Many of these offer snake-oil services or over-promise. Small business owners rely on word of mouth, not drip campaigns from marketing teams. Avoid anyone who promises quick assessments or turnkey services.
Take your time. You do not need a Level Three Certification overnight. 2026 is still a bit far off. Until then, just grow the SSP and shrink the POA&M.