The nonprofit hired by the Department of Defense to train and license third-party assessors for its Cybersecurity Maturity Model Certification (CMMC) program is undergoing a rebrand.
The CMMC Accreditation Body is changing its name, logo and website. It will now be doing business under the Cyber Accreditation Body, or Cyber AB, while the new website will be cyberab.org. The organization also plans to eventually spin off its professional certification training side into a separate entity.
The changes will officially go live Tuesday following a town hall with defense contractors and members of the CMMC community. In an interview with SC Media, CEO Matthew Travis said the group’s mission largely remains the same but the moves give the organization an opportunity to fix some early branding mistakes.
He cited two primary reasons behind the changes. First: to remove the impression that the organization — a 501(c)(3) nonprofit working under an exclusive contract with the Pentagon to train and license assessors and trainers for the CMMC program — was an official organ of the federal government. It’s a concern that several defense contractors and compliance experts have expressed to SC Media as the program suffered from a number of miscommunications and restarts after initially rolling out in 2019.
“It doesn’t take a CMMC enthusiast to just look at our current logo, you look at the federal mark, and it causes confusion,” Travis said. “Because in the early days, standing up the creation body, we essentially took that DoD logo and very slightly modified it, so there was an imperative to separate identities.”
While the AB is charged with training and accrediting assessors who will evaluate and certify defense contractor cybersecurity, the broader CMMC is still a federal program run and managed by DoD officials.
Travis said he knew from the first day on the job that he wanted to rebrand the organization. Fresh off a stint from the Cybersecurity and Infrastructure Security Agency (where he resigned in 2020 shortly after the Trump administration fired his superior Chris Krebs for not endorsing false claims of election fraud), he understood immediately why it rubbed people the wrong way.
The change would have come earlier, he said, but “other imperatives” delayed their plans. The day after Travis was hired, the Pentagon under the newly elected Biden administration put CMMC on pause to review the program, eventually giving it a significant overhaul.
Second, the fact that the organization initially mimicked a government logo meant it couldn’t prevent others from doing the same to theirs. Ironically, this has led to several years of the organization essentially “policing the unauthorized use of our own logo” by other parties, a huge problem for a nascent organization with just seven employees that is trying to build up credibility for its own seal of approval.
“We don’t want people thinking we’re a government entity, as a [nonprofit], and then more practically, since that’s not a protected government mark, we couldn’t protect our mark,” he said.
The CMMC program is just one response that military officials have made to persistent campaigns of digital theft and espionage over the past decade from countries like China and Russia. While state-sponsored hackers from those countries have directly hacked U.S. federal systems, they’ve also been extremely successful targeting the defense industrial base — or the companies and startups that supply DoD with software, hardware and technology services.
As of today, the program is still squarely in the planning phase: the military and the AB must first work through the laborious federal regulatory process before training a small army of assessors who can scrutinize the cybersecurity controls put in place by contractors that hold what is known as Controlled Unclassified Information, data that falls below the classified threshold but can still reveal technological or design secrets about DoD technologies, vehicles, boats or airplanes. Pentagon officials have said they plan to issue an interim rule for the program next year.
Because supply chains have historically been set up for convenience, cost and speed rather than security, many defense contractors have given little scrutiny to the security practices or geographic location of the companies they subcontract with.
The rebrand could also give the AB more flexibility to grow or live beyond the CMMC program. Travis said the AB has had meetings and discussions “with other countries who are interested in a [similar] third-party cybersecurity conformance regime” for their own infrastructure and government bodies. Those discussions are still in the very early stages and have been done at the request of officials from those nations, he said.
“We want to be able to build for future growth and providing third-party certification for third-party standards, and we might be involved with something down the line that doesn’t call itself CMMC so we didn’t want to box ourselves in [with the name],” he said.