
CMMC Conflicts of Interest

What Assessors Cannot Do — and What Disqualifies an Assessment

Under the Cyber AB Code of Professional Conduct (CoPC), a conflict of interest exists when a CMMC ecosystem member's objectivity in conducting an assessment is compromised — or reasonably appears to be. The bright-line rule: no individual may participate on a Level 2 assessment team if they previously served as a consultant preparing that specific organization for the assessment. The C3PAO is responsible for identifying conflicts before the engagement begins and cannot proceed if the conflict cannot be sufficiently mitigated.

The separation between consulting and assessing is not a procedural preference — it is a structural requirement of the CMMC ecosystem enforced by the Cyber AB through the CoPC. Its foundation is the ISO/IEC 17020 impartiality principle: an assessor cannot evaluate their own work and remain objective. Every credentialed individual and every C3PAO operating in the ecosystem must sign the CoPC and is bound by it as a condition of maintaining credentials.

The certification-level consequence: a conflict of interest that is not identified and mitigated before Phase 1 can invalidate the entire assessment. The Cyber AB retains authority to revoke individual credentials and C3PAO authorization. An assessment conducted under an undisclosed or unmitigated conflict has no standing — and the OSC would need to start over with a new C3PAO.

The Consulting-to-Assessing Firewall

The CoPC draws a hard boundary between the advisory role and the evaluative role. These roles are not just separated by policy — they are structurally incompatible when performed by the same individual for the same organization. The question is not whether a consultant did good work. The question is whether anyone can objectively evaluate work they themselves designed and built.

Consultant / RP / CCP (Advisory)

Allowed — Before the Assessment

  • Everything required to prepare the OSC for certification
  • Re-architect the network and CUI enclave
  • Write, revise, and sign security policies
  • Implement governance structures and control ownership
  • Configure firewalls, VLANs, MFA, and SIEM
  • Perform gap analysis against all 110 controls
  • Run mock interviews with control owners
  • Build the evidence mapping file
  • Recommend specific tools and remediation approaches

🧱 Strict Separation — Same Person Cannot Cross

Assessor / C3PAO (Evaluative)

Allowed — During the Assessment

  • Evaluation only — no advice, no recommendations
  • Examine documents, configurations, and records
  • Interview control practice owners
  • Test live systems against documented controls
  • Record "Met," "Not Met," or "Not Applicable" for each objective
  • Note that evidence is missing or insufficient
  • Conduct daily checkpoints and disclose findings
  • Produce the assessment results package
  • Submit findings to eMASS via the CQAP

What Counts as a Conflict of Interest

The CoPC defines conflicts of interest broadly — the consulting prohibition is the most well-known, but conflicts can arise from financial relationships, employment history, and personal connections. The C3PAO's COI screening process must address all categories before the assessment is scheduled, not after it begins.

Type 01: Prior Consulting (Hard Stop)
An assessor or assessment team member who previously provided consulting, readiness preparation, or advisory services to the OSC — including gap analysis, policy writing, architecture design, or control implementation — within the prohibited lookback period. This is the most common and most clearly defined COI category.

Type 02: Prior Employment (Hard Stop)
An assessor who previously worked for the OSC in any capacity — as an employee, contractor, or embedded consultant — within the lookback window. The employment relationship creates a presumption of familiarity and potential partiality that is functionally equivalent to the consulting prohibition.

Type 03: Family / Personal (Disclosure Required)
An assessor with a family relationship to an OSC principal, executive, or key control owner — including spouses, domestic partners, children, siblings, or other close personal relationships. Even without a professional history, the relationship compromises the appearance of objectivity that the CoPC requires.

Type 04: Financial Interest (Hard Stop)
An assessor with a financial stake in the OSC's certification outcome — equity in the company, a contingency arrangement tied to a favorable result, or a business relationship whose value depends on the OSC achieving certification. The CoPC prohibits any arrangement that creates a financial incentive to produce a particular finding.

Type 05: Dual-Entity (Mitigable)
A C3PAO that operates both a consulting division and an assessment division — even as separate business units — serving the same OSC. The Cyber AB requires these functions to operate as entirely separate legal entities. Even with separate entities, OSCs are typically advised to use different parent organizations for readiness consulting and assessment due to the appearance of collusion.

What Assessors Can and Cannot Do During an Assessment

The prohibition on consulting behavior does not end at the conflict-of-interest screening. It applies throughout the assessment engagement. An assessor who crosses into advisory territory during Phase 2 — regardless of whether they have a prior relationship with the OSC — is violating the CoPC in real time.

✓ Assessors May Do This

  • State that a specific piece of evidence is missing for a given objective
  • Note that a policy document lacks a required authorizing signature
  • Identify that a test produced a result inconsistent with documented configuration
  • Request supplemental evidence for an objective not yet resolved
  • Record a finding as Not Met and explain which objective was unaddressed
  • During the CARR: point out that a required document is absent
  • Conduct daily checkpoints and disclose current findings to the OSC POC

✗ Assessors Cannot Do This

  • Suggest how to fix a failing control or draft language to remediate a policy gap
  • Recommend specific software products or vendors to address a finding
  • Tell the OSC which antivirus scan to run or which log field to add to satisfy an objective
  • Accept new evidence created after the assessment scope closed
  • Review and approve policies rewritten mid-assessment by the OSC
  • Advise the OSC informally outside business hours on how to pass the next day's review
  • Allow a control owner to retroactively demonstrate a capability not evidenced on assessment day

The Bright Line

"You can be critical, that is fine — but you are not supposed to be consulting." An assessor who tells the OSC a policy is missing is doing their job. An assessor who tells the OSC what the policy should say, or who reviews the rewritten policy the next morning, has crossed from evaluation into preparation. The findings end on the day they are made. They cannot be reversed by overnight remediation.

Practical Scenarios: "Quick Fixes" and Why They Violate the CoPC

Because assessments are expensive and time-constrained, OSCs frequently pressure assessors to allow mid-assessment corrections. These requests — even when made in good faith — place assessors in an untenable position and are a common trigger for CoPC violations.

Scenario 01 — The Weekend Fix: The Missing Policy Rewritten Overnight

An assessor identifies a missing access control policy on Friday afternoon. The OSC's compliance manager spends the weekend writing a policy and presents it Monday morning, asking the assessor to evaluate it as if it had always been there. The OSC's position: the policy reflects the actual practice that was always in place — it just was not documented yet.

The assessment is a snapshot of the environment as it existed on assessment day. A policy that did not exist on Friday does not satisfy an assessment objective that was evaluated on Friday. The Monday policy can support the next assessment. It cannot retroactively satisfy a finding from the prior week.

⛔ CoPC Violation — evidence cannot be manufactured mid-assessment to satisfy a prior-day finding.

Scenario 02 — The Pizza and Beer Scenario: After-Hours Informal Policy Review

After the assessment day closes, an assessment team member joins OSC staff for dinner. Over the meal, the team member reviews a failing policy draft, suggests specific language that would satisfy the assessment objective, and confirms the revised version will pass tomorrow's evaluation. The team member frames it as "just answering a general question."

This is one of the most explicitly taught CoPC violation scenarios in the CMMC ecosystem. The informal setting, the absence of formal documentation, and the framing as "a general question" do not change the nature of the act: the assessor provided consulting advice on a specific failing control during an active assessment. The conduct is a severe CoPC violation regardless of intent.

⛔ Severe CoPC Violation — informal advisory contact outside business hours does not reduce the severity of the ethical breach.

Scenario 03 — Leading the Witness at the CARR: Prescriptive Guidance During Readiness Review

During the Phase 1 Certification Assessment Readiness Review, the lead assessor reviews the OSC's vulnerability management documentation and observes that scan results are missing. The assessor then tells the OSC: "You should run your Tenable scan against the CUI assets, export the results in CSV format, and add them to the AC folder in your evidence package." The OSC complies and the assessment proceeds.

Pointing out that evidence is absent is permitted. Prescribing the specific tool, output format, and filing location for the evidence the OSC should generate is consulting — even during Phase 1, and even without a prior relationship between the assessor and the OSC.

⛔ CoPC Violation — the CARR permits the assessor to identify gaps, not to specify how the OSC should fill them.

How to Structure Vendor Relationships to Prevent Conflicts

The cleanest conflict prevention strategy is structural: use entirely separate organizations for readiness consulting and formal assessment. This eliminates the possibility of the prior-work prohibition applying to any member of the assessment team.

  • Use a different C3PAO for assessment than you used for readiness consulting. If your MSP or a Registered Practitioner Organization helped build your compliance environment, hire an entirely separate C3PAO — with no organizational relationship to the consulting firm — for the formal Level 2 assessment. This is the single most effective conflict prevention measure available.
  • ⚠️ If the same parent organization offers both consulting and assessment services, proceed with caution. The Cyber AB requires separate legal entities for the consulting and assessment functions even within the same parent organization. But many OSCs — and many lead assessors — decline the arrangement entirely because of the appearance of collusion, regardless of structural separation on paper.
  • Screen your C3PAO's assessment team against your past vendor list before signing the engagement agreement. Ask the lead assessor to confirm, in writing, that no team member has a prior consulting relationship with your organization. This disclosure request is your due diligence — and it surfaces potential conflicts before they become assessment-invalidating problems.
  • Document the absence of conflicts as an artifact. A written COI attestation from the C3PAO — signed by the lead assessor — confirming no prior relationships or financial interests is worth keeping in the assessment documentation. If a conflict allegation arises later, the attestation is your evidence that appropriate screening was conducted.
  • Do not allow your consulting firm's employees to join the assessment team as CCPs, even informally. A CCP who worked on your readiness preparation and then sits in on interviews as a "support resource" for the C3PAO has crossed into the assessment boundary. Their presence — even without formal authority — creates the appearance of a conflict that must be disclosed and mitigated.

When a Conflict Is Discovered: Disclosure, Mitigation, and When to Stop

Conflicts discovered before the assessment begins are manageable. Conflicts discovered during or after are significantly more damaging — to the assessment's standing, to the individuals involved, and to the C3PAO's authorization status with the Cyber AB.

COI Discovery — Required Response by the C3PAO

01. Identify the Conflict Before the Engagement Begins
The C3PAO's COI screening process must assess all team members against the OSC's history — prior consulting engagements, employment records, financial relationships, and personal connections — before the assessment is scheduled. The CoPC places this responsibility on the C3PAO, not on the OSC or the individual assessor.

02. Formally Document and Disclose the Conflict to the OSC
If a conflict is identified, the C3PAO must formally document the nature of the conflict and disclose it to the OSC in writing before the assessment proceeds. The disclosure must be specific — not a general "we may have had past interactions" statement, but a description of the nature, scope, and duration of the prior relationship.

03. Obtain OSC Written Agreement to Proceed (If Mitigation Is Possible)
For conflicts that are not absolute disqualifiers — personal relationships, minor past interactions that fall outside the lookback window — the OSC may provide written agreement to proceed after reviewing the disclosure. The written agreement is the mitigation record. Without it, the assessment cannot proceed.

Stop — If the Conflict Cannot Be Mitigated
A prior consulting relationship within the prohibited lookback period, a financial interest in the certification outcome, or a family relationship between a team member and an OSC principal are not mitigable through disclosure and written consent. The conflicted individual must be removed from the team — or the assessment must be conducted by a different C3PAO. The assessment cannot proceed with the conflict unresolved.

Reporting Violations: The Cyber AB Escalation Path

Every individual credentialed in the CMMC ecosystem has an affirmative obligation under the CoPC — not just to avoid violations themselves, but to report violations they witness. The obligation to act is built into the Code, and failing to report a known violation is itself a CoPC deficiency.

Violation Escalation Path — Required Steps Under the Cyber AB CoPC

Step 01: Peer to Peer
Approach the individual directly and inform them that the behavior is a CoPC violation. Be specific about what you observed and why it is prohibited. Document the conversation — date, what was said, and the individual's response. Many violations stem from misunderstanding rather than intent, and direct peer engagement resolves them before escalation is necessary.
If the behavior stops: document the resolution and retain the record. If it continues: proceed to Step 02.

Step 02: C3PAO Leadership
Escalate the issue to the C3PAO's lead assessor or executive leadership with your documentation from Step 01. C3PAO leadership has both the authority and the obligation to intervene — removing the individual from the assessment team, halting a compromised assessment, or self-reporting to the Cyber AB. Provide written communication so the escalation is itself documented.
If C3PAO leadership acts appropriately: document the outcome. If they fail to act, dismiss the concern, or if you fear retaliation: proceed to Step 03.

Step 03: Cyber AB
File a formal complaint with the Cyber AB using the established complaint process (SOP1001). Complaints may be submitted confidentially. The Cyber AB is the final arbiter of CoPC investigations. Their authority includes issuing formal warnings, placing credentials on probation, and revoking the credentials of individuals or the authorization of C3PAOs. Retaliation against individuals who file complaints in good faith is itself a CoPC violation.
Cyber AB investigations can result in: warning, probation, suspension, or full revocation of individual credentials or C3PAO authorization. There is no informal resolution available once the Cyber AB opens an investigation.

The Retaliation Prohibition
The CoPC explicitly prohibits retaliation against any individual who reports a violation in good faith. An assessor, CCP, or RP who files a complaint with the Cyber AB is protected from adverse professional consequences by the same Code they invoked. If retaliation occurs — demotion, removal from projects, negative professional references, or any other adverse action — that retaliation is itself a reportable CoPC violation.

The Bottom Line

The conflict of interest rules exist because the CMMC ecosystem's value depends entirely on the credibility of its assessments. A certification issued by an assessor who helped build the environment being certified is not evidence of compliance — it is evidence of a compromised process. The CoPC and the Cyber AB's enforcement mechanisms exist to protect that credibility, which is why both the disclosure obligations and the reporting obligations are mandatory, not optional.

For OSCs, the practical implication is simple: use separate organizations for readiness preparation and formal assessment, screen the C3PAO's team before the engagement agreement is signed, and document the absence of conflicts as a formal artifact. For credentialed individuals, the CoPC obligation runs in both directions — avoid conflicts yourself, and report the ones you witness.

An assessor who cannot say "Met" or "Not Met" without first asking "how does this affect my client?" has a conflict — whether or not a prior consulting engagement exists on paper. The standard is not just the absence of a prohibited relationship. It is the presence of genuine independence. The Cyber AB's complaint process exists for the cases where that independence fails.