A Guide to Cyber AB

What Is the Cyber AB?

The Cyber AB, formally known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, is an independent, non-profit organization and the exclusive official partner of the Department of Defense (DoD) that manages the CMMC program. Established in 2020, its primary role is to standardize and oversee the certification process for DoD vendors, also referred to as the Defense Industrial Base or DIB contractors, sub-contractors, and suppliers in the US defense supply chain.

Leveraging the resources provided by the Cyber AB helps DIB contractors and suppliers understand how to implement and manage compliance with CMMC.

This involves accrediting Certified Third-Party Assessor Organizations (C3PAOs) and training assessors. The Cyber AB also maintains a marketplace where accredited C3PAOs are listed for DIB vendors seeking certification of their CMMC compliance. By validating that DIB contractors and suppliers comply with mandated cybersecurity standards and best practices, the Cyber AB plays a critical role in safeguarding sensitive DoD data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Roles and Responsibilities of the Cyber AB Personnel

The Cyber AB is staffed by full-time professionals, and its operation is overseen by a Board of Directors who serve in a voluntary, uncompensated capacity. The Cyber AB personnel are responsible for a collection of functions across the CMMC ecosystem, including the following.

  • Leadership team:
    • Sets the strategic direction for the Cyber AB
    • Makes decisions about policy, procedures, and the overall management of the CMMC program
    • Works with the Department of Defense and other stakeholders to ensure that the program aligns with DoD and national security objectives
  • Accreditation personnel:
    • Oversee accreditation of C3PAOs and individual assessors
    • Ensure that those entities meet stringent requirements and can conduct unbiased, rigorous assessments of DIB contractors’ and suppliers’ cybersecurity practices
  • Training and certification staff:
    • Develop and deliver training programs for C3PAOs and assessors
    • Create educational materials and certification exams to ensure that assessors are well-equipped to accurately evaluate compliance with CMMC’s standards
  • Quality assurance team:
    • Monitors the consistency and quality of assessments conducted by C3PAOs
    • Handles complaints and disputes
    • Ensures that the assessment process is fair, transparent, and adheres to established guidelines
  • Outreach and communication staff:
    • Manage communications with external stakeholders, including defense contractors, government agencies, and the public
    • Provide updates on CMMC policy changes, guidelines, and other relevant information, ensuring clarity and understanding of the program
  • IT and security staff:
    • Manage the IT infrastructure of the Cyber AB, including the development and maintenance of the Cyber AB Marketplace
    • Ensure the security and integrity of the data handled by the Cyber AB
  • Administrative support staff:
    • Provide essential support services, including managing records, scheduling, and coordinating meetings and events
    • Ensure the smooth operation of the Cyber AB’s day-to-day activities

The Framework and Scope of the Cyber AB

The following summary of the CMMC ecosystem provides context for the Cyber AB framework.

U.S. Department of Defense (DoD)
Oversees the CMMC framework and implementation and enforcement of regulations as a cybersecurity requirement for its contractors and suppliers

Cyber AB
Manages the training, accreditation, and certification of CMMC assessors and organizations seeking CMMC certification

CMMC Certified Assessors
Qualified individuals or organizations are authorized by the Cyber AB to evaluate and assess organizations against the CMMC framework. They conduct on-site or remote assessments to determine if an organization meets the required cybersecurity practices and processes for certification.

Certified Third-Party Assessment Organizations (C3PAOs)
Authorized by the Cyber AB to assess and issue CMMC certifications. They employ CMMC Certified Assessors.

Defense Industrial Base (DIB) Contractors and Suppliers
Must implement CMMC’s controls, practices, and processes to achieve certification and maintain compliance

CMMC Practitioners
Individuals with CMMC and cybersecurity expertise and experience

Training Providers
Provide CMMC and cybersecurity training and education programs for individuals and organizations.

Industry Associations and Forums
Provide networking and education opportunities for the CMMC community.

Research and Development Institutions
Conduct research, develop solutions, and help improve the CMMC framework.

The scope of the Cyber AB encompasses a wide range of activities that collectively work to enhance the cybersecurity posture of DIB contractors and suppliers by supporting and enforcing CMMC compliance. The key responsibilities of the Cyber AB are the following.

Continuous learning and development activities
The Cyber AB provides a range of educational resources, including guidelines, best practices, and updates on the CMMC model to help organizations and professionals stay abreast of evolving cybersecurity threats and adapt their strategies accordingly. Also, it develops and provides training for assessors and other professionals involved in the CMMC process, including creating curriculum, certification exams, and continuous educational programs.

CMMC framework implementation
The Cyber AB implements and manages the CMMC framework.  

Development and maintenance of certification standards for the CMMC framework
The Cyber AB defines the cybersecurity practices that organizations must adhere to in order to achieve different levels of CMMC certification.

Maintenance of the integrity of the CMMC ecosystem
The Cyber AB enforces the rules and regulations, resolves disputes, and addresses failures to follow the guidelines that have been set by the CMMC framework.

Management of the Cyber AB Marketplace
The Cyber AB ensures that all accredited C3PAOs are listed accurately and that the marketplace operates smoothly to facilitate connections between DIB contractors and suppliers and C3PAOs.

Oversight and accreditation of Certified Third-Party Assessment Organizations (C3PAOs)
The Cyber AB accredits C3PAOs and conducts meticulous evaluations of those organizations to ensure their compliance with the stringent requirements of the CMMC framework.

Policy development and guidance
The Cyber AB develops policies and guidance related to the CMMC program, including updating the CMMC framework to align with emerging cybersecurity threats and best practices.

Stakeholder engagement and communication
The Cyber AB oversees communication and outreach with various stakeholders, including defense contractors and suppliers, as well as other government entities, to keep them informed about CMMC requirements and updates.

The Cyber AB and C3PAOs

The Cyber AB is responsible for ensuring that a C3PAO can evaluate a company’s cybersecurity posture against the CMMC framework to facilitate secure supply chains and protect sensitive DoD information. Accredited C3PAOs are listed on the Cyber AB website. C3PAOs have two primary roles.

C3PAOs: 

1. Conduct CMMC assessments
C3PAOs evaluate a company’s cybersecurity practices, policies, procedures, and controls against the specific CMMC level that’s required for the type of data that the organization manages for the DoD.

2. Issue CMMC certifications
Upon a successful assessment, C3PAOs grant the company a CMMC certification, verifying their compliance with the designated level.

C3PAOs employ CMMC Certified Assessors. These people are qualified individuals or organizations authorized by the Cyber AB to evaluate and assess organizations against the CMMC framework. They carry out on-site and/or remote assessments to determine if an organization meets the cybersecurity practices and processes required for certification.

How the Cyber AB Authorizes C3PAOs

To become a C3PAO, organizations must be authorized by the Cyber AB. This multi-step accreditation process takes organizations from C3PAO candidacy to authorized status and listing in the Cyber AB C3PAO Marketplace. These steps include the following.

1. Submit application
The organization’s representative completes an application to become a C3PAO at cyberab.org.

2. Undergo screening
In partnership with Dun & Bradstreet (D&B), the applicant is screened and given a risk score. If the score is moderate or better, the applicant passes to the next stage.

3. Review by the Cyber AB
Cyber AB leadership reviews the application.

4. Review of Foreign Ownership, Control or Influence (FOCI)
FOCI is analyzed based on the organization’s application, completion of the SF-328 form, confirmation of US citizenship of company ownership, and interview(s) with senior management. An enhanced FOCI analysis is performed if the applicant is an Employee Stock Ownership Plan (ESOP) organization, global partnership, or public company headquartered in the U.S.

5. Apply for C3PAO candidacy
The Cyber AB confirms that the candidacy is ready for assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and obtains an assessment-ready date from the candidate for C3PAO. The Cyber AB then forwards information to the DoD CMMC Project Management Office (PMO). The PMO prioritizes the C3PAO based on its ready date and schedules the CMMC assessment by the DIBCAC.

6. DIBCAC authorizes C3PAO
Upon completing a successful assessment and meeting administrative requirements (e.g., proof of insurance), C3PAOs become authorized to conduct assessments.

7. Issue authorized C3PAO badge
An Authorized C3PAO badge is issued.

Bid and Win DoD Contracts with Cyber AB

Leveraging the wealth of services and resources provided by the Cyber AB helps DIB contractors and suppliers understand how to effectively implement and manage compliance with the CMMC framework. This enhances the organizations’ overall security preparedness and ensures that they are eligible to bid on, maintain and win DoD contracts.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000 customers with millions of users worldwide.

Last Updated: 22nd November, 2024
