A Guide to Cyber AB

What Is the Cyber AB?

The Cyber AB, formally known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, is an independent, non-profit organization and the exclusive official partner of the Department of Defense (DoD) that manages the CMMC program. Established in 2020, its primary role is to standardize and oversee the certification process for DoD vendors, also referred to as Defense Industrial Base (DIB) contractors and suppliers, in the US defense supply chain.

Leveraging the resources provided by the Cyber AB helps DIB contractors and suppliers understand how to implement and manage compliance with the CMMC framework.

This involves accrediting Certified Third-Party Assessment Organizations (C3PAOs) and training assessors. The Cyber AB also maintains a marketplace where accredited C3PAOs are listed for DIB vendors seeking certification of their CMMC compliance. By validating that DIB contractors and suppliers comply with mandated cybersecurity standards and best practices, the Cyber AB plays a critical role in safeguarding sensitive DoD data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Roles and Responsibilities of the Cyber AB Personnel

The Cyber AB is staffed by full-time professionals, and its operation is overseen by a Board of Directors who serve in a voluntary, uncompensated capacity. The Cyber AB personnel are responsible for a collection of functions across the CMMC ecosystem, including the following.

  • Leadership team
    • Sets the strategic direction for the Cyber AB
    • Makes decisions about policy, procedures, and the overall management of the CMMC program
    • Works with the Department of Defense and other stakeholders to ensure that the program aligns with DoD and national security objectives
  • Accreditation personnel
    • Oversees accreditation of C3PAOs and individual assessors
    • Ensures that these entities meet stringent requirements and can conduct unbiased, rigorous assessments of DIB contractors’ and suppliers’ cybersecurity practices
  • Training and certification staff
    • Develops and delivers training programs for C3PAOs and assessors
    • Creates educational materials and certification exams to ensure that assessors are well-equipped to accurately evaluate compliance with CMMC standards
  • Quality assurance team
    • Monitors the consistency and quality of assessments conducted by C3PAOs
    • Handles complaints and disputes
    • Ensures that the assessment process is fair, transparent, and adheres to established guidelines
  • Outreach and communication staff
    • Manage communications with external stakeholders, including defense contractors, government agencies, and the public
    • Provide updates on CMMC policy changes, guidelines, and other relevant information, ensuring clarity and understanding of the program
  • IT and security staff
    • Manage the IT infrastructure of the Cyber AB, including the development and maintenance of the Cyber AB Marketplace
    • Ensure the security and integrity of the data handled by the Cyber AB
  • Administrative support staff
    • Provide essential support services, including managing records, scheduling, and coordinating meetings and events
    • Ensure the smooth operation of the Cyber AB’s day-to-day activities

The Framework and Scope of the Cyber AB

The following summary of the CMMC ecosystem provides context for the Cyber AB framework.

U.S. Department of Defense (DoD)
Oversees the CMMC framework and implementation and enforcement of regulations as a cybersecurity requirement for its contractors and suppliers.

Cyber AB
Manages the training, accreditation, and certification of CMMC assessors and organizations seeking CMMC certification.

CMMC Certified Assessors
Qualified individuals or organizations are authorized by the Cyber AB to evaluate and assess organizations against the CMMC framework. They conduct on-site or remote assessments to determine if an organization meets the required cybersecurity practices and processes for certification.

Certified Third-Party Assessment Organizations (C3PAOs)
Authorized by the Cyber AB to assess and issue CMMC certifications. They employ CMMC Certified Assessors.

Defense Industrial Base (DIB) Contractors and Suppliers
Must implement CMMC controls, practices, and processes to achieve certification and maintain compliance.

CMMC Practitioners
Individuals with CMMC and cybersecurity expertise and experience.

Training Providers
Provide CMMC and cybersecurity training and education programs for individuals and organizations.

Industry Associations and Forums
Provide networking and education opportunities for the community.

Research and Development Institutions
Conduct research, develop solutions, and help improve the CMMC framework.

The scope of the Cyber AB encompasses a wide range of activities that collectively work towards enhancing the cybersecurity posture of the DIB contractors and suppliers by supporting and enforcing CMMC compliance. The key responsibilities of the Cyber AB are the following. 

Continuous learning and development activities
Provide a range of educational resources, including guidelines, best practices, and updates on the CMMC model to help organizations and professionals stay abreast of evolving cybersecurity trends and threats and adapt their strategies accordingly. Also, develop and provide training for assessors and other professionals involved in the CMMC process, including creating curriculum, certification exams, and continuous educational programs.

CMMC framework implementation
Implement and manage the CMMC framework.

Development and maintenance of the certification standards for the CMMC framework
Define the cybersecurity practices that organizations must adhere to in order to achieve different levels of CMMC certification.

Maintenance of the integrity of the CMMC ecosystem
Enforce the rules and regulations, resolve disputes, and handle any failures to follow the guidelines set by the CMMC framework.

Management of the Cyber AB Marketplace
Ensure that all accredited C3PAOs are listed accurately and that the marketplace operates smoothly to facilitate connections between DIB contractors and suppliers and C3PAOs.

Oversight and accreditation of Certified Third-Party Assessment Organizations (C3PAOs)
Accredit C3PAOs and conduct meticulous evaluations of these organizations to ensure their compliance with the stringent requirements of the CMMC framework.

Policy development and guidance
Develop policies and guidance related to the CMMC program, including updating the CMMC framework as necessary to align with emerging cybersecurity threats and best practices.

Stakeholder engagement and communication
Oversee communication and outreach with various stakeholders, including defense contractors and suppliers, as well as other government entities, to keep them informed about CMMC requirements and updates.

The Cyber AB and C3PAOs

The Cyber AB is responsible for ensuring that a C3PAO can evaluate a company’s cybersecurity posture against the CMMC framework to ensure secure supply chains and protect sensitive DoD information. Accredited C3PAOs are listed on the Cyber AB website. A C3PAO has two primary roles.

1. Conduct CMMC assessments
C3PAOs evaluate a company’s cybersecurity practices, policies, procedures, and controls against the specific CMMC level required for their contracts with the DoD.

2. Issue CMMC certifications
Upon a successful assessment, C3PAOs grant the company a CMMC certificate, verifying their compliance with the designated level.

C3PAOs employ CMMC Certified Assessors. These people are qualified individuals or organizations authorized by the Cyber AB to evaluate and assess organizations against the CMMC framework. They carry out on-site or remote assessments to determine if an organization meets the cybersecurity practices and processes required for certification.

How the Cyber AB Authorizes C3PAOs

To become a C3PAO, organizations must be authorized by the Cyber AB. This multi-step accreditation process takes organizations from C3PAO candidacy to authorized status and listing in the Cyber AB C3PAO Marketplace. These steps include the following.

1. Submit application
The organization’s representative completes an application to become a C3PAO at cyberab.org.

2. Undergo screening
In partnership with Dun & Bradstreet (D&B), the applicant is screened and given a risk score. If the score is moderate or better, the applicant passes to the next stage.

3. Review by the Cyber AB
The Cyber AB leadership reviews the application.

4. Review of Foreign Ownership, Control or Influence (FOCI)
FOCI is analyzed based on the organization’s application, completion of the SF-328 form, confirmation of US citizenship of company ownership, and interview with senior management. An enhanced FOCI analysis is performed if the applicant is an Employee Stock Ownership Plan (ESOP) organization, global partnership, or public company headquartered in the US.

5. Apply for C3PAO candidacy
Cyber AB confirms that the candidate is ready for assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and obtains an assessment-ready date from the C3PAO candidate. Cyber AB then forwards the information to the DoD CMMC Project Management Office (PMO). The PMO prioritizes the C3PAO based on the ready date and schedules the CMMC assessment by DIBCAC.

6. DIBCAC authorizes C3PAO
Upon completing a successful assessment and meeting administrative requirements (e.g., proof of insurance), C3PAOs become authorized to conduct assessments.

7. Issue authorized C3PAO badge
An Authorized C3PAO badge is issued.

Bid and Win DoD Contracts with Cyber AB

Leveraging the wealth of services and resources provided by the Cyber AB helps DIB contractors and suppliers understand how to effectively implement and manage compliance with the CMMC framework. This not only enhances their overall security posture, but also ensures that they are eligible to bid on and maintain contracts with the DoD. 

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.

Last Updated: 29th April, 2024
