All You Need to Know About the CMMC Accreditation Body (The Cyber AB)
In today’s digital age, cybersecurity has become a top priority for organizations across industries, especially those working with sensitive information. The Department of Defense (DoD) has taken significant steps to enhance its cybersecurity measures by creating the Cybersecurity Maturity Model Certification (CMMC).
The CMMC Accreditation Body (CMMC AB) plays a critical role in ensuring that organizations meet the necessary security standards for protecting controlled unclassified information (CUI) and federal contract information (FCI).
In April of 2022, the CMMC AB announced that it would undergo a complete rebranding, and stated it would assume a new logo, name, and public-facing website. On June 7, 2022, the CMMC AB formally revealed its public rebranding as “The Cyber AB” with the same organization and responsibilities. Legally, the organization still maintains the name of the Cybersecurity Maturity Model Certification Accreditation Body, Inc.
This article aims to help you understand the importance of The Cyber AB, and its role in authorizing CMMC Third Party Assessor Organizations.
What Is The Cyber AB?
The Cyber AB is the official accreditation body responsible for overseeing and implementing the CMMC model. This nonprofit organization was established in 2020 to ensure that organizations meet the required cybersecurity standards for handling sensitive information, primarily for participants in the Defense Industrial Base (DIB).
While there are other accreditation bodies for different industries and standards, The Cyber AB is specifically responsible for managing the CMMC requirements, which are unique to the DoD and its contractors. Its primary purpose is to safeguard the integrity of the CMMC process and maintain a high level of expertise among its certified professionals.
The Cyber AB Framework and Scope
The Cyber AB’s primary role is to authorize and accredit the CMMC Third Party Assessor Organizations (C3PAOs) that conduct CMMC assessments of organizations within the DIB. It also manages the professional certification and training aspects of the CMMC Ecosystem, working with its partners to develop the curricula and examination protocols for CMMC Assessors and CMMC Instructors.
The Cyber AB outlines the requirements and processes for achieving CMMC certification. It builds upon existing regulations, such as NIST SP 800-171, DFARS 252.204-7012, and others, to establish a comprehensive cybersecurity standard. The CMMC 2.0 model consists of three maturity levels: Level 1, Level 2, and Level 3.
To achieve a specific maturity level, organizations must meet the required practices and processes outlined for that level. The Cyber AB is responsible for ensuring that organizations meet these requirements through a rigorous assessment and certification process. Organizations handling CUI or working with the DoD must achieve the appropriate CMMC certification level to be eligible for contract awards.
The Cyber AB and CMMC Third Party Assessor Organizations (C3PAOs)
The Cyber AB serves as the authoritative source for CMMC assessment, accreditation, and certification activities. The Cyber AB is responsible for setting up and managing the CMMC ecosystem, which includes the training, certification, and quality control of Certified Assessors (CAs) and C3PAOs. The Cyber AB works closely with the DoD to ensure a successful implementation of the CMMC framework and enhanced cybersecurity posture for the DIB. It is responsible for establishing the guidelines, policies, and procedures for assessments, ensuring that each organization is accurately assessed according to their desired CMMC level.
C3PAOs serve a crucial role in the assessment process. These organizations are responsible for conducting the actual CMMC assessments on organizations seeking certification. They are highly trained and accredited by The Cyber AB to perform CMMC assessments and issue certifications based on the evidence gathered during the assessment. C3PAOs must remain impartial and independent from the organization they are assessing to ensure a fair and unbiased evaluation. They perform assessments using a combination of standardized procedures, guidelines, and frameworks supplied by The Cyber AB.
The assessment conducted by C3PAOs is based on the organization’s desired maturity level. CMMC 2.0 maturity levels are:
CMMC 2.0 Level 1: Foundational
Foundational level requires an annual self-assessment with attestation from a corporate executive. This level encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21.
CMMC 2.0 Level 2: Advanced
Advanced level is aligned with the National Institute of Standards and Technology SP 800-171 (NIST SP 800-171). It requires triennial third-party assessments for DoD contractors that send, share, receive, and store critical national security information. These third-party assessments are conducted by C3PAOs. Select contractors that fall into Level 2 only require annual self-assessments with corporate attestation.
This level encompasses the security requirements for CUI specified in NIST SP 800-171 Rev 2 per DFARS Clause 252.204-7012 [3, 4, 5].
CMMC 2.0 Level 3: Expert
Expert level will require triennial government-led assessments. Information on Level 3 will be released later and will contain a subset of the security requirements specified in NIST SP 800-172 [6].
Each of these levels has a set of practices and processes that organizations must prove they have implemented and are managing effectively. The C3PAOs assess and validate whether the organization meets these requirements, leading to the awarding of the appropriate CMMC certification.
One of the primary goals of The Cyber AB and C3PAOs is to ensure the trustworthiness and integrity of the CMMC ecosystem.
How Does The Cyber AB Authorize C3PAOs?
The Cyber AB holds an essential role in the implementation and success of the CMMC framework. The Cyber AB is responsible for several critical tasks, including setting up and managing the training and certification programs for CMMC assessors, maintaining a registry of certified assessors, and overseeing the overall implementation of the CMMC framework.
One of the most crucial responsibilities of The Cyber AB is to ensure that all assessors comply with the highest standards of ethics and professionalism. The accreditation body does this by developing a code of ethics for assessors and establishing a system of checks and balances to ensure the impartiality and consistency of assessments.
An organization that wants to become a C3PAO is required to successfully navigate an authorization process prior to being certified as a C3PAO. Prospective C3PAOs will be required to pass a CMMC assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A prospective C3PAO must demonstrate its own compliance with the CMMC standard at the level at which it will conduct assessments.
The Cyber AB is also responsible for ensuring that the certification process is fair, transparent, and accessible to all companies seeking certification. This includes developing training programs for assessors, creating a set of assessment procedures and guidelines, and establishing a system for appeals and dispute resolution.
Overall, The Cyber AB plays a critical role in the successful implementation of the CMMC framework, and its responsibilities are crucial to ensure the highest standards of cybersecurity maturity across the DIB. With its commitment to transparency, professionalism, and ethical practices, The Cyber AB is a crucial partner in the ongoing effort to protect sensitive government information and enhance national security.
Roles and Responsibilities of The Cyber AB Personnel
The Cyber AB involves a variety of personnel, including board members, assessors, and C3PAOs. The board members are responsible for overseeing the organization’s strategy, governance, and operations. They also develop policies and procedures for the accreditation process and ensure the ongoing maintenance and improvement of the CMMC model.
Certified CMMC assessors are responsible for conducting audits and assessments of organizations seeking CMMC certification. They evaluate the organization’s cybersecurity practices and processes to determine their compliance with the CMMC requirements. The Cyber AB provides rigorous training and certification programs for its assessors to ensure their expertise and professionalism.
Importance of CMMC Compliance for Government Contractors
CMMC is a unified cybersecurity standard for DoD contractors, aiming to protect controlled unclassified information (CUI) within the supply chain. The CMMC was created by the DoD and is an essential component for organizations seeking to secure their position within the DIB.
By implementing the appropriate level of CMMC compliance, government contractors can demonstrate their commitment to protecting sensitive content and maintaining the trust of the DoD and other government agencies. The Cyber AB plays a vital role in ensuring that government contractors achieve the required level of compliance. As the accreditation body responsible for CMMC, The Cyber AB establishes the requirements for certifying organizations and individual assessors. The Cyber AB ensures that the certification process is consistent and rigorous, promoting a high level of security across the DIB. Contractors seeking CMMC certification must undergo assessments performed by C3PAOs.
CMMC compliance not only benefits national security but also provides competitive advantages for government contractors. Being CMMC compliant demonstrates a contractor’s commitment to cybersecurity, which is an essential selection factor for government agencies.
The Cyber AB and Cybersecurity Maturity Model Integration (CMMI)
The CMMI model is a process improvement framework that helps organizations enhance their processes and achieve higher levels of performance. It focuses on various domains, including cybersecurity. The Cyber AB leverages the CMMI model to establish a maturity model for cybersecurity practices and processes, providing a robust framework for organizations to improve their cybersecurity posture.
Both The Cyber AB and CMMI work together to ensure that organizations achieve the desired level of cybersecurity maturity, constantly seeking to improve their security posture over time.
Kiteworks Supports CMMC 2.0 Level 2 Compliance
Because Kiteworks is FedRAMP Authorized for Moderate Level Impact, it supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box. Kiteworks also makes it easier and faster for C3PAOs to certify DoD suppliers for CMMC compliance. Using content-defined zero trust, Kiteworks protects sensitive communications of CUI and FCI content and includes secure process management to support the workflow and review of activities and user authentication to safeguard against malicious actors.
Kiteworks provides the ability to automate many of the systems and processes associated with meeting the CMMC requirements with audit log reporting. This enables C3PAOs to complete their assessments of DoD suppliers, identifying any gaps that exist in CMMC practice controls.
DoD contractors and subcontractors seeking to compete for DoD business must achieve CMMC compliance. The phased implementation began in May 2023, so the time to start is now—and the Kiteworks Private Content Network is the perfect starting point.
Schedule a custom demo to see how Kiteworks can accelerate your CMMC compliance journey today.