Every year brings improvements in technology, often by leaps and bounds over what came before. What used to be far-off science fiction, so exotic that it defined whole genres, is now commonplace reality.
With new technology come new threats. Digital attacks have increased dramatically, from the SolarWinds supply chain compromise, to the compromise of Microsoft's Outlook cloud email services, to the still-ongoing Salt Typhoon intrusions into telecommunications companies. In 2024 alone there were at least 65 significant cyberattacks around the world, and those are only the worst of the worst; smaller-scale attacks are constantly occurring in the background.
It’s clear that cybersecurity has to be a priority for any nation-level technological infrastructure to function. When nation-states can bring their resources to bear against your infrastructure, you need nation-level security to defend it.
CMMC is one part of the United States Government’s answer to this reality.
CMMC is the Cybersecurity Maturity Model Certification. Its roots go back to 2010 and Executive Order 13556, Controlled Unclassified Information, signed by President Obama. That order created the CUI program: a government-wide standard for safeguarding information that is sensitive but not classified (classified information has its own protection regime, above and beyond anything CMMC covers), along with an executive agent to set and enforce the handling requirements.
CMMC itself was not developed until 2019. Until then, contractors self-attested to their compliance with NIST SP 800-171, which proved spotty and hard to verify. CMMC was created to provide a single set of rules, a central authority to oversee them, and a network of third-party assessment organizations and assessors who could independently verify compliance.
CMMC shares a lot of DNA with other existing cybersecurity frameworks, most notably FedRAMP, the Federal Risk and Authorization Management Program. You can read more about how the two compare here.
The initial version of CMMC rolled out under a DFARS interim rule in 2020. Almost immediately, work began to streamline it, address problems discovered during implementation, and clarify what was actually expected of contractors. CMMC 2.0 was announced in November 2021, the rulemaking went through several iterations, and the Final Rule (32 CFR Part 170) was published in October 2024. It took effect in December 2024, starting the phased implementation of CMMC 2.0.
In the rundown of what CMMC is, we mentioned a centralized body that oversees and enforces the security standards and the framework throughout the CMMC ecosystem. This body was formerly known as the CMMC-AB and is now the Cyber AB.
AB simply stands for Accreditation Body. The original CMMC Accreditation Body, Inc. was founded in January 2020 to administer the DoD’s implementation of CMMC across the Defense Industrial Base. The AB is a nonprofit, 501(c)(3) tax-exempt organization based in Maryland, as these things often are.
As for the name change, the CMMC-AB rebranded as the Cyber AB in June 2022. The legal name is still CMMC Accreditation Body Inc., but the public name is the Cyber AB. The rebrand was meant to make the organization more general and publicly accessible, and to position it as an accreditation body for similar frameworks in the future; so far, SCF (covered below) is the only framework beyond CMMC it has taken on.
The Cyber AB’s goal is to be a trusted, validated third party: it accredits third-party assessment organizations, which in turn assess the cybersecurity implementations of individual businesses, government departments, and other entities.
Currently, the Cyber AB is funded entirely by the fees paid to apply for, participate in, and renew accreditation. Despite working directly with the Department of Defense, it receives no funding from the DoD or any other taxpayer source. It aims to be as independent as possible, so that no funding relationship, foreign or otherwise, can influence its integrity.
The Cyber AB exists by virtue of an exclusive contract with the Department of Defense, which designates it as the sole provider of C3PAO accreditation and the operator of the CMMC ecosystem. Without that contract, the Cyber AB would lose most of its reason for existing. Given recent uncertainty in the government cybersecurity space, there is some question whether the contract will be maintained, but until something changes, the Cyber AB is the accreditation authority for CMMC.
When discussing cybersecurity standards, comparisons to ISO 27001 inevitably arise. Does the Cyber AB have anything to do with ISO cybersecurity?
The answer is no. ISO 27001 and the other ISO security standards have their own governing bodies and certification schemes. The Cyber AB currently handles only CMMC and SCF (more on SCF below).
That said, the Cyber AB is not completely divorced from ISO/IEC standards. Specifically, it is working toward conformance with three ISO/IEC standards:
These three standards are the global benchmark for accreditation and conformity-assessment bodies of every kind, not just in cybersecurity. Once the Cyber AB has achieved conformance with them, the requirements it passes down to C3PAOs will include ISO conformance as well.
The Cyber AB is managed by a board of directors, maintains a set of professional staff, and is assisted by volunteers.
As of this writing, the board of directors is:
The Cyber AB’s professional staff list includes:
These people guide and maintain operations for the Cyber AB and help ensure that it provides the best possible services across their areas of influence.
The Cyber AB has many responsibilities relating to CMMC and other security frameworks.
First, the Cyber AB supports the CMMC model itself, though it does not author it. The requirements are set by the Department of Defense and draw on sources such as NIST SP 800-171 and DFARS Clause 252.204-7012; that is true of both the original five-level model and the streamlined three-level model of CMMC 2.0. The Cyber AB’s part is the machinery around the model: the assessment process that C3PAOs follow, the accreditation requirements they must meet, and the ecosystem that applies the DoD’s requirements consistently.
It is likely that once the CMMC 2.0 roll-out is largely complete, numerous pain points, failure points, and sources of friction will surface and need smoothing out. Emerging technologies such as AI may also change what cybersecurity demands. So there is a good chance that in a few years the DoD, with the Cyber AB and the rest of the ecosystem, will be working on CMMC 2.1 or even CMMC 3.0. For now, that is still some way off.
Second, and most actively important, the Cyber AB is the sole source of accreditation for third-party assessment organizations. For the CMMC levels that require third-party certification, a business must pass an assessment by a C3PAO, and the only way to become a C3PAO is to complete the Cyber AB’s accreditation process. That is a fairly intensive process, which we have outlined in our guide here.
This ensures that all C3PAOs and auditors in the CMMC ecosystem operate on the same standards and thresholds, with the same body of knowledge and verifiable accreditation. There are no “easier” C3PAOs, no lower-standard auditors, and no shortcuts in the process that could open up security gaps down the line.
Third is the marketplace. The Cyber AB maintains a centralized marketplace database, which can be found here.
This marketplace lists every organization and individual the Cyber AB has authorized to operate in one of the ecosystem’s many roles, including:
All of these roles in the CMMC Ecosystem are part of the process for accrediting C3PAOs and providing guidance for businesses in the Defense Industrial Base to help them achieve CMMC certification.
Fourth is something we mentioned above and which doesn’t come up as often: SCF.
SCF is the Secure Controls Framework program. It’s a “comprehensive meta-framework that unifies and streamlines compliance efforts across various laws, regulations, and industry standards”, according to the Cyber AB page.
SCF is meant to be the broadest and most overarching, most comprehensive repository of security controls and compliance available. The idea is that, no matter what security framework or frameworks you need for your business – CMMC, FedRAMP, general NIST controls, ISO 27001, GDPR, HIPAA, or anything else – SCF includes it.
So, by adopting SCF as your framework and mapping the controls you need from its catalog of over 850 individual controls across 32 security and privacy domains, you implement each control once and can show coverage against every framework SCF maps to. One caveat: mapped coverage is not the same as certification. CMMC or ISO 27001 certification still requires the assessment or audit that each program defines.
What does the Cyber AB do with SCF? It is one of the SCF stakeholders, and the two work closely together: the SCF Council maintains the control catalog and its mappings, while the Cyber AB feeds back what it learns from accreditation and assessment to help keep those standards current.
Additionally, the Cyber AB is the designated accreditation body for the SCF, just as it is for CMMC: auditors and 3PAOs that want to offer SCF conformity assessments are accredited through the Cyber AB. In some ways, this is the next stage in the evolution toward a security and privacy framework unified across industries and technologies.
Here at Ignyte, we’re as close to experts in CMMC as you can be without being part of the Cyber AB ourselves. When we designed the Ignyte Assurance Platform, we did so in conjunction with the US Air Force to provide a centralized, collaborative platform aimed at aggregating all of the data you need to pass your compliance audits with flying colors.
That means we’re uniquely positioned to help you if you’re trying to achieve CMMC compliance. Our platform can provide a streamlined and smooth environment in which to work towards compliance, and our staff are knowledgeable and can help answer any questions you may have. Our blog is full of excellent resources, and our podcast provides detailed information and interviews with industry figures with unique insights. So, no matter what you need, all you have to do is reach out to us and get started.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/cmmc-ab-accreditation-body/