CMMC-AB code of professional conduct: What you need to know
In January 2020, the U.S. Department of Defense (DoD) released details of their new Cybersecurity Maturity Model Certification (CMMC), introducing new cybersecurity standards and guidelines that businesses supplying services to the DoD had to meet.
Through an independent assessment conducted by a CMMC Assessor (CA) and a Certified Third Party Assessor Organization (C3PAO), each supplier would be evaluated on how well and to what maturity level they meet specifically identified standards. The results would then be sent to the CMMC Accreditation Board (CMMC-AB) for final certification.
This new certification process transfers responsibility for attesting the required cybersecurity standards away from the supplier and CA. Therefore, this transfer of attestation puts a lot of responsibility and trust in each CA to perform to a certain standard.
That’s why, in addition to their maturity level-specific CA course, Certified Assessors, as well as all of the other professionals that assist them, agree to the CMMC Code of Professional Conduct.
This article lays out the code of professional conduct and how it applies in practice.
The CMMC Code of Professional Conduct
The CMMC Code of Professional Conduct (CoPC) was released with the initial CMMC security standards and explicitly set the behavioral expectations for those with a CMMC-AB credential. In addition to CAs, the CoPC also applies to Registered Practitioners (RPs), C3PAOs, and the Registered Provider Organizations (RPOs) that deliver unlicensed but related services.
The CMMC CoPC guiding principles
The CoPC is structured around five guiding principles. These include, as defined by the CMMC-AB:
- Professionalism: always maintain a professional business posture. Never represent yourself or your company in a way that is not aligned with your certification, non-disclosure agreement (NDA), or authorization by the [CMMC-]AB.
- Objectivity: avoid the appearance of, or actual, conflicts of interest where possible, and [maintain] full compliance with conflict of interest policies that may be signed as part of license agreements. Suppose a perceived or management conflict may be present, document and describe the conflict to all affected parties and secure agreement to continue.
- Confidentiality: as a working group member, credentialed, registered or organization, you will maintain the confidentiality of customer and government data. You may be made aware of certain confidential information acquired in the performance of professional services, including data, trade secrets, business strategies, security postures and personal information that may be contained within the systems you are exposed to. Treat confidential information with the utmost care and under no circumstances reveal information learned during the delivery of CMMC services to anyone who is not expressly authorized to view it.
- Proper use of methods: demonstrate integrity in the use of materials and methods as the CMMC-AB describes them in policies, methodologies and training materials, and act in a manner consistent with the intent of the materials to preserve the integrity of CMMC service delivery.
- Information integrity: Report results from the delivery of CMMC services completely and with integrity as required by your license or certification agreement.
The CoPC practices
These CoPC takes these guiding principles and translates them into practices, which are described as “mandatory expectations” for all CMMC-associated professionals and organizations.
The practices are organized into the following six groups and are used to demonstrate key behaviors expected of CMMC-credential professionals:
- Adherence to materials and methods
- Information =integrity
- Respect for intellectual property
- Lawful and ethical practices
The CoPC in practice
Together, the CoPC principles and practices help CMMC professionals navigate complex business and technical situations, especially those where the values that make up the CMMC or their integrity may be challenged.
Failing to live up to these principles and practices can result in disciplinary action “up to and including denial or revocation of a credential, registration or accreditation and loss of eligibility to hold a credential, registration or accreditation.”
The CMMC board code of ethics
The entire CMMC, and its CoPC, are overseen by a board of professionals entrusted with maintaining the integrity and relevance of the process and standards. Because of the responsibility of this task, the CMMC board also has its own board code of ethics.
Each board member has signed the code of ethics to “preserve the integrity and independence of the CMMC accreditation body.” The board code of ethics can be found here.
The scope of the CMMC code of professional conduct
The CMMC ecosystem has a wide range of professionals and organizations that work together to implement the standards, including the organizations that provide training, materials and security certification on behalf of the CMMC-AB.
Therefore, the CoPC applies to:
- CMMC-AB Certified Professional (CP)
- CMMC-AB Certified Assessor (CA)
- CMMC-AB Certified Instructor (CI)
- CMMC-AB Certified Master Instructor
- CMMC-AB Certified Quality Auditor (CQA)
- CMMC-AB Certified Third Party Assessment Organization (C3PAO)
- CMMC-AB Registered Practitioner (RP)
- CMMC-AB Registered Provider Organization (RPO)
- CMMC-AB Licensed Partner Publisher (LPP)
- CMMC-AB Licensed Training Providers (LTP)
- Other CMMC-AB licensed providers
- CMMC-AB Industry Working Group Members
Actions outside of the CMMC code of professional conduct
In addition to holding oneself to the CMMC CoPC, CMMC professionals are required to help hold others accountable on behalf of the CMMC-AB.
For example, if a CMMC professional sees a fellow CMMC professional behaving in an action that violates the CoPC, they should:
- Privately notify the professional of the issue and attempt to “request clarification or offer help to rectify the violation.”
- If clarification or help is not effective in resolving the issue, the CMMC professional is expected to report the violation to the CMMC-AB.
Following the report, the CMMC-AB may initiate an investigation and respond to each reported incident following “a thorough investigation.” The information can include recommendations for corrective action or even denial or termination of CMMC credentials, registration or accreditation.”
Why the CMMC is so important
The CMMC was developed to help the DoD protect every phase of its procurement cycle from all forms of cyber threat. Therefore, the professionals and organizations that make up the CMMC ecosystem play an incredibly vital role in ensuring that suppliers meet the necessary security standards to protect the sensitive data and systems they work with.
While they will have their professional experience and the CMMC-accredited training, the CoPC helps CMMC professionals and the organizations that they work with be as prepared as possible for the challenges ahead of them.