Inside Cybersecurity

May 17, 2022

Daily News

Code of conduct for certified CMMC assessors outlines confidentiality measures, IP protections

By Sara Friedman / December 1, 2020

The accreditation body behind the Pentagon’s cyber certification program is requiring assessors and consultants to sign a “Code of Professional Conduct,” which goes into detail on confidentiality protections and the “proper use” of information collected from contractors.

“The Code of Professional Conduct (CoPC) sets expectations for those CMMC-AB credentialed individuals and accredited entities that are authorized to deliver CMMC services under license from the CMMC Accreditation Body (CMMC-AB),” the document produced by the CMMC AB says.

The Cybersecurity Maturity Model Certification program document says, “It also sets expectations for those Registered Practitioners (RPs) and Registered Provider Organizations (RPOs) that deliver unlicensed non-certified services that choose to register with the CMMC-AB, and other individuals and entities with a relationship to the CMMC-AB. The Code is also binding on those persons and entities applying to be Credentialed, Registered, or Accredited.”

The 14-page document obtained by Inside Cybersecurity has five sections: an introduction, “guiding principles”, practices, implementation and an appendix.

The CoPC applies to all individuals who wish to become a certified assessor, instructor or “quality auditor.” Certified third party assessment organizations must also sign the document as well as certified registered practitioners and registered provider organizations.

Licensed partner publishers, licensed training providers and CMMC AB working group members are required to sign the CoPC.

When it comes to confidentiality, the CoPC says, “As a working group member, credentialed, registered, or accredited professional or organization, you will maintain the confidentiality of customer and government data. You may be made aware of certain confidential information that is acquired in the performance of professional services, including data, trade secrets, business strategies, security postures, and personal information that may be contained within the systems you are exposed to. Treat confidential information with the utmost care, and under no circumstances reveal information learned during the delivery of CMMC services to anyone who is not expressly authorized to view it.”

Going into more depth, the CMMC AB writes that individuals and organizations have an obligation to “protect identifiable and confidential customer data from unauthorized disclosure, unless permitted in writing by the CMMC-AB or from a legal obligation to disclose the information.” They must also “exercise due care to ensure that confidential or privileged information gathered during assessments or consulting remains so, even after a work engagement has ended.”

The CoPC has a section on “Respect for Intellectual Property” requiring individuals and companies to “not violate any customer or third-party intellectual property rights during the delivery of CMMC services.”

“Do not use CMMC-AB logos, trademarks, or copy written material without explicit and written permission from the CMMC-AB, and do not misrepresent yourself as holding a CMMC Credential, Registration, or Accreditation,” the document says.

The CMMC AB has started a “marketplace” dedicated to providing contact information for certified practitioners and consultant companies authorized to conduct business for the CMMC program. Individuals who have completed the CMMC AB’s training and passed an exam are getting badges for personal use.

In terms of “Lawful and Ethical Practices,” the CoPC says, “Behave in a manner that is lawful and that upholds accepted ethical standards of professional practice and conduct in all activities that relate to carrying out your role in the CMMC ecosystem.”

For violations, the document lays out actions to take when reporting problems, submitting violation reports, investigations, “corrective action,” and an appeals process.

The CMMC AB has a separate code of conduct for its board members. The body has published web pages on their “Board Ethics,” “Board Non-Disclosure Agreement Summary,” and “Board Conflict of Interest Summary.”

The Defense Department recently signed a new contract with the CMMC AB establishing the roles and responsibilities of each party for the next stage of the cyber certification program. -- Sara Friedman (