Why a CMMC Assessor Cannot Offer Consultation Services to the Same Company

Key Take-aways:

  • Define the CMMC Code of Professional Conduct
  • Define roles of CMMC Assessor and CMMC Consultant
  • Explain why an organization cannot offer both assessor and advisory services to the same company

In the world of Cybersecurity Maturity Model Certification (CMMC), the path to compliance tends to raise many questions. When you look for a partner to help you prepare for your CMMC Assessment, it is natural to want to place the entire process into the hands of a single organization. You may want an organization that can help you navigate the preparatory steps, the assessment, and any necessary remediation. The CMMC Code of Professional Conduct states that this is a conflict of interest and must not be done.

Why is this the case? The CMMC Code of Professional Conduct

At the heart of this restriction is the CMMC Code of Professional Conduct (CoPC). This document serves as the ethical guideline for all certified professionals and organizations within the ecosystem. It is built on a foundation of objectivity, integrity, and the rigorous avoidance of conflicts of interest (COI).

The CoPC is explicit: an assessor must remain impartial. If a C3PAO were to assess a company they consulted for, they would essentially be "grading their own homework." This creates an inherent bias that undermines the validity of the assessment.

The Separation of Roles: Consulting vs. Assessing

To understand why this boundary is so rigid, consider the definitions of both consultant and assessor.

  1. Consultant: A consultant helps organizations prepare for the final assessment. They identify gaps, help implement controls, assist in writing your System Security Plan (SSP), and offer tailored advice to ensure the environment meets the 32 CFR Part 170 requirements. Their success is measured by the organization passing its final assessment.
  2. Assessor: An assessor’s job is to verify, with high confidence, that those controls are actually functioning as described. They ensure the documentation is complete and that everyone understands their role in protecting Controlled Unclassified Information (CUI).

If the same company performs both roles for your organization, the assessor may overlook flaws. The CoPC mandates a Separation of Roles to ensure that the person verifying the security of Controlled Unclassified Information (CUI) has no financial or reputational stake in the implementation's success.

Identifying and Avoiding Conflicts of Interest

The Department of Defense (DoD) and the Cyber AB (the CMMC Accreditation Body) strictly enforce policies regarding conflicts of interest. A COI occurs when a C3PAO has a relationship, whether financial, professional, or personal, that could impair its ability to render an impartial judgment.
Common scenarios that the CoPC prohibits include:

  • Direct Consulting: A C3PAO provides remediation services to a client and then performs its Level 2 certification assessment.
  • Internal Oversight: Using the same staff members for both the preparation phase and the formal assessment phase.
  • Affiliate Relationships: Using a "sister company" to consult while the parent company assesses without a verifiable and legal "firewall" between the two entities.

Why This Protects the Defense Contractor

If an assessment is biased or performed by a firm with a conflict of interest, the certification could be challenged or revoked. For a defense contractor, this is not a minor issue. A revocation of a CMMC certificate can mean the loss of important contractual work from the Department of Defense.
By maintaining a clear line between the professionals who consult and the professionals who assess, the CMMC program ensures all certifications are valid and secure.

Final Thoughts on the CMMC Code of Conduct

The CMMC Code of Professional Conduct ensures all organizations seeking certification (OSCs) receive equal assessments held to the same standards. Respecting the boundary between consulting and assessing is the only way to ensure that the CMMC ecosystem remains resilient, objective, and effective at protecting our national security. You can download and review the CMMC Code of Conduct at any time.

Do you have questions about CMMC or the assessment process? Contact Smithers today to learn more.
