What Is The Cyber AB and The CMMC Ecosystem?

    The Cyber AB serves as the sole official partner of the Department of Defense for the registration, accreditation, and oversight of the CMMC Ecosystem. 

    By
    5 Minutes Read

    What Is The Cyber Accreditation Body (Cyber AB) and the CMMC Ecosystem?

    In April of 2022, the CMMC Accreditation Body (CMMC-AB) announced that it would undergo a complete re-branding, and stated it would assume a new logo, name, and public-facing website. On June 7th, 2022, the CMMC-AB formally revealed its public rebranding as “The Cyber AB” (pronounced with the “A” and the “B” enunciated separately). Same organization, same responsibilities. Legally, the organization still maintains the name of the Cybersecurity Maturity Model Certification Accreditation Body, INC.

    In this blog, we'll cover the following questions:

    • What is the Cyber AB?
    • How does the Cyber AB authorize C3PAOs?
    • What roles make up the CMMC ecosystem?
    • Who leads the Cyber AB?
    • How can my company prepare for CMMC assessments?

    Although the re-branding is designed to distinguish itself from the DoD’s branding of the CMMC program, the Cyber AB still serves as the sole official partner of the Department of Defense for the registration, accreditation, and oversight of the CMMC Ecosystem. 

    The release of the Cybersecurity Maturity Model Certification (CMMC) was designed to serve as the standard for universal cybersecurity implementation for the 300,000+ businesses that make up the Defense Industrial Base (DIB). In January 2020, after the release of CMMC 1.0, the Cybersecurity Maturity Model Certification Accreditation Body, Inc. (CMMC-AB), Inc, was formed. The CMMC-AB was formed to work with the Department of Defense (DoD) to manage accreditations and certifications for the CMMC program

    The full press release of the rebrand can be found here. 

    What is the Cyber AB? 

    The Cyber AB acts as the only non-governmental party of the DoD in the oversight and implementation of the CMMC standard, acting as an independent organization and in accordance with the DoD. The CMMC standard is applicable to organizations supporting the Department of Defense that handle or process the following types of data:

     You can read more about the most recent version of CMMC here.

    The primary mission of the Cyber AB is to authorize and accredit the following types of groups within the CMMC ecosystem:

    These providers and assessors help DIB organizations prepare for, and/or demonstrate their conformity with the CMMC standard. 

    In order to oversee the certification process and provide the necessary accreditations to the trained CMMC ecosystem, the Cyber AB is required to achieve compliance with the ISO/IEC 17011 Conformity Assessment. This assessment will be the certification that the Cyber AB provides consistent application of its accreditations. It will also apply impartial attestations of those certified using international consensus-based standards. One condition of the ISO 17011 certification is that it prevents the accrediting body from also controlling the accreditation training program designed. As a result, the Cyber AB intends to establish the CMMC Assessors and Instructors Certification Organization (CAICO).

    The CAICO will be the element in which the Cyber AB absorbs the training and certification of CMMC professionals in the ecosystem. The CAICO will also be responsible for facilitating the development of training materials through the development of Licensed Training Providers (LTPs) and the Licensed Publishing Partners (LPPs). In order to maintain this oversight of the training program, the CAICO must also obtain an ISO certification, ISO 17024, which establishes standards for training and certification bodies.  

    How does the Cyber AB authorize C3PAOs?  

    C3PAOs are the only entities eligible to execute CMMC 2.0 Level 2 assessments for Organizations Seeking Certification (OSC); OSCs can find authorized and accredited C3PAOs on the Cyber AB Marketplace. This website acts as a repository for all C3PAOs that have completed the comprehensive assessment to become authorized to perform CMMC assessments by the Cyber AB.

    An organization that wants to become a C3PAO is required to successfully navigate an authorization process prior to being awarded the C3PAO credentials. Prospective C3PAOS will be required to pass a CMMC assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The C3PAO will be required to demonstrate their compliance with the CMMC standard at which they will conduct assessments.

    Additionally, C3PAOs will be required to provide proof of cyber insurance (general liability, errors and omissions, and cybersecurity breach policies), an ISO 17021 certification, and assurance that any external cloud services used in conducting assessments baselined at FedRAMP High.

    Once all of these conditions have been met, the Cyber AB will authorize the C3PAO, and they will be listed on the Cyber AB marketplace.

    What roles make up the CMMC ecosystem? 

    Currently, the CMMC ecosystem is comprised of multiple roles to facilitate the development and implementation of the CMMC program. Below is a list of the roles existing in the CMMC ecosystem and governed by the Cyber AB.

    Registered Practitioners (RP) and Registered Practitioner Organizations (RPO) 

    RPs and RPOs are designed to assist OSCs in the comprehension of, and preparation for CMMC assessments. Individuals holding any level of an RP designation have been trained to provide CMMC implementation consulting services to better help OSCs identify gaps and prepare remediations strategies. RPs work for Registered Practitioner Organizations (RPO), but can also be contracted as individuals. 

     

    Role  

    Type  

    Purpose 

    Registered Practitioner (RP) 

    Individual  

    Trains individuals on specific domains to assist OSCs in preparing for a CMMC assessment  

    Registered Practitioner Advanced (RPA) 

    Individual 

    Advanced training RPs on 14 of the CMMC security control families

    Registered Practitioner Organization (RPO) 

    Group  

    Designed for organizations that could provide services within the defense supply chain as an advisory firm or MSP (Managed Service Provider)

     

    CMMC Assessors and Certified Professionals  

    Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), and CMMC 3rd Party Assessment Organizations are the elements of the CMMC ecosystem which are intended to fulfill the Cyber AB’s responsibilities to assess the CMMC compliance of the OSCs.

     

    Role  

    Type  

    Purpose 

    Certified CMMC Professional (CCP) 

    Individual  

    A person seeking to become responsible for the assessment, examination, verification, and review of an organization for compliance to the respective level of CMMC 

    Certified CMMC Assessor (CCA) 

    Individual 

    Provided to individuals who demonstrate competencies at each of the CMMC Maturity levels. Certifications are awarded to CCAs based on training and examinations applicable to each Maturity level for which they wish to be certified

    CMMC Third-Party Assessment Organization (C3PAO) 

    Group  

    An organization that has successfully passed a rigorous series of requirements to become acknowledged by the Cyber AB, on behalf of the DoD, as being objective and competent to perform assessments of OSCs. Has the ability to conduct CMMC assessments for OSCs.

     

    Instructors and Training Providers 

    Training professionals play a vital part within the CMMC ecosystem. The information being created to train the ecosystem on the CMMC standard is developed by Licensed Publishing Partners (LPPs) and taught to potential professionals by Certified CMMC Instructors (CCIs) employed by Licensed Training Providers (LTPs). These materials and the instructors maintain the responsibility to train any members of the ecosystem who want to become assessment personnel.  

    Each of these roles required approval and authorization from the CAICO.  

     

    Role  

    Type  

    Purpose 

    CERTIFIED CMMC INSTRUCTOR (CCI) 

    Individual  

    Individuals responsible for teaching the CMMC framework to candidates seeking to be an assessor

    LICENSED TRAINING PROVIDER (LTP) 

    Group 

    An established training organization that has been vetted by the CAICO  

    LICENSED PUBLISHING PARTNER (LPP) 

     

    Group

    An LPP is responsible for creating quality CMMC training content that is utilized by Licensed Training Providers (LTPs) to train individuals who are pursuing assessor or assessor instructor certifications

     

    Who leads the Cyber AB? 

    Oversight of the Cyber AB is handled by a board made up of 9 cybersecurity and policy professionals, as well as a paid staff consisting of 7 members. The Cyber AB is an authorized 501(3)(C) non-profit agency, and because of this status, the board of directors is not compensated or given dividends. The professionals listed below are responsible for guiding the mission of the CMMC standard:

    Board Officers 

    • Jeff Dalton, Chairman 
    • Paul Michaels, Vice Chairman 
    • Sheryl Hanchar, Secretary 

    Board of Directors 

    • Akin Akinbosoye 
    • Wayne Boline 
    • Yong-Gon “YG” Chon 
    • Mathew Newfield 
    • Clifton Poole 
    • Matthew Travis 

    Professional Staff 

    • Matt Travis, Chief Executive Officer 
    • Raymond Karrenbauer, Chief Financial Officer and Executive Vice-President 
    • Melanie Kyle Gingrich, Vice-President, Training and Development 
    • Jonathan Hanny, Director of Operations and Chief Information Security Officer 
    • Mike Snyder, Curriculum Manager 
    • Kelly Atwood, Projects Coordinator 
    • Tracy Valerio, Operations Specialist  

    How do I prepare for CMMC assessments? 

    Based on projected timelines and the time it takes to prepare, DIB companies should start ensuring readiness and self-assessment planning based on the CMMC Assessment Guide for Controlled Unclassified Information; most aerospace and defense contractors in the DIB will require CMMC 2.0 Level 2. As more firms are designated as authorized and accredited C3PAOs, DIB companies can begin to coordinate and schedule their CMMC Assessments. 

    Today, Summit 7 is a Registered Provider Organization (RPO) in the Cyber AB Marketplace and has served over 650 government contractors in helping them protect sensitive data in their IT environments. You can read more about Summit 7’s security and compliance solutions here. 

     

    Jason Sproesser

    Author