
Who and What Is Cyber AB?


The Cyber AB will implement the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).

CMMC was published by the DoD in January 2020, while the CMMC-AB was formed in January 2020. In 2022, CMMC-AB rebranded as the Cyber AB. Cyber AB will provide certifications for certified third-party assessment organizations (C3PAOs) that hire Cyber AB-certified assessors. These assessors, in turn, are trained by Cyber AB-certified instructors.

Responsibilities of Cyber AB for CMMC

Cyber AB is an independent accreditation body. It is responsible for establishing, managing, controlling, and administering the CMMC assessment, certification, training, and accreditation processes for the Department of Defense (DoD) supply chain. These activities are conducted in accordance with a memorandum of understanding (MOU) signed with the DoD in March 2020. The DoD is working on a statement of work that will supersede the MOU that authorizes Cyber AB to work on DoD’s behalf.

During the summer of 2020, Cyber AB selected 101 qualified applicants to be provisional assessors. They will be authorized to conduct assessments during the provisional period. 

CMMC Provisional Assessors

These provisional assessors were selected from two pools, using a combination of random selection (83%) and best-qualified analysis (17%). Analysis of “best qualified” was based on prerequisites, domain expertise, AB contribution, and industry experience. Requirements also included 10-plus years of experience conducting evidence-based assessments in cybersecurity or other information technology fields. The other IT fields include, for example, ISO, FedRAMP, CMMI, RMM CERT, and DIBCAC. Alternatively, assessors can have proven experience as a consultant or leader in cybersecurity for at least 20 years and qualify for DoD 8570 IAM Level III certification.

Cyber AB board members conducted training for provisional assessors in fall 2020. These provisional assessors can now participate on C3PAO teams to conduct mock CMMC Pilots and Pathfinders. The provisional program will provide level 1 assessments initially. In the future, the program may expand up to level 3.

Requirements for C3PAOs

The requirements for C3PAO certification are defined on the Cyber AB website. Currently, all C3PAOs must be 100% U.S. citizen-owned businesses. The website also lists ISO/IEC 17020 certification as a requirement, with more details still pending.

Cyber AB is also developing the process for CMMC C3PAO ML-3 certification. These requirements are very fluid, so check the Cyber AB website regularly for updates.

In 2024, Cyber AB contracted ANAB to assist with the accreditation assessments and surveillance visits of C3PAOs. ANAB is offering a self-paced training course, What CMMC C3PAOs Need to Know, to help these organizations better understand the requirements and expectations of CMMC and ISO/IEC 17020.
