Disclosure resolves CMMC conflicts of interest where the relationship is too distant or the interest too small to compromise judgment: general professional connections in a small ecosystem, past consulting work outside the three-year window in 32 CFR § 170.8(b)(17)(ii)(G), family connections without decision-making authority over the assessed work, and indirect financial interest below firm-defined materiality thresholds. Recusal is required regardless of disclosure for direct financial interest in the assessed organization, recent consulting work for the same OSC inside the three-year window, family members with decision-making roles at the OSC, and any actual conflict a reasonable observer would say cannot be cured by transparency alone. Cyber AB CoPC v2.0 Article III § 3.3 extends the three-year prohibition to the C3PAO as an organization, not just the individual practitioner: a firm that consulted for an OSC cannot route the certification assessment to a different staff member and claim the conflict has been managed.
“I disclosed it” doesn’t end the conversation. It starts one.
There’s a comfortable belief moving through the CMMC ecosystem that disclosing a conflict of interest resolves it. Tell the client. Note it in the engagement file. Move on. The premise is wrong, and it’s wrong in a way that creates regulatory exposure for the firm and the practitioner who acted on it. Disclosure is necessary. It is rarely sufficient. For several categories of conflict, the answer after disclosure is the same answer that would have been required without disclosure. Step away.
This piece walks the line that separates conflicts you can manage with transparency from conflicts that require full withdrawal from the engagement. The line is drawn by regulation, not by judgment alone, and it has implications for how RPOs, C3PAOs, and individual assessors structure their book of business.
What Disclosure Actually Does
Disclosure puts a conflict on the record. It tells the affected party that a relationship exists. It creates the option for the affected party to object, to seek alternative arrangements, or to request additional safeguards. Done correctly, it shifts decision-making power back to the people most affected by the conflict, and it creates an audit trail that documents the firm’s good faith.
What disclosure does not do is dissolve the underlying conflict. The financial interest still exists. The prior consulting relationship still happened. The family connection is still real. Disclosure is a function of transparency, not a remedy for substance.
This matters because 32 CFR § 170.8(b)(17) requires the CMMC Accreditation Body to develop a Conflict of Interest policy that addresses actual, potential, and perceived conflicts, and § 170.9(b)(2) requires every C3PAO to comply with that policy. The rule doesn’t treat disclosure as the universal solvent. It treats disclosure as one tool in a set, where the appropriate response depends on the nature of the conflict being addressed. The Cyber AB CoPC v2.0, effective 16 December 2024, operationalizes the policy in Article II § 2.2 (Impartiality) and Article III (Conflicts of Interest).
Conflicts That Disclosure Can Resolve
Some conflicts genuinely fall within the territory where transparency restores integrity. The relationships are too distant or the interests too small to compromise judgment, but a reasonable observer might still want to know. Disclosure handles these.
- General professional relationships in a small ecosystem. The CMMC space is finite. Practitioners know each other across firms. Attending the same conferences, sitting on the same panels, sharing connections through professional associations. These relationships are worth naming. They rarely warrant withdrawal.
- Past consulting work that sits clearly outside the regulated look-back period. For assessment work, the boundary is three years (36 months) under 32 CFR § 170.8(b)(17)(ii)(G), codified in CoPC § 2.2(d). Engagements that predate that window are disclosable, not disqualifying.
- Family connections to people at the OSC who hold no decision-making authority over the work being assessed. A spouse working in a different department, a sibling employed in an unrelated function. These belong on the record and stop there.
- Indirect financial interest below materiality thresholds. Index funds, retirement accounts with diversified holdings, broad-market exposure that incidentally touches the OSC. The firm’s COI policy should define materiality and document the threshold.
The common thread is that none of these compromises the practitioner’s ability to render an honest opinion. Disclosure invites scrutiny. Substance survives it.
Conflicts That Require Recusal
Other conflicts sit in different territory. The relationship is direct enough, recent enough, or financially material enough that no amount of transparency restores impartiality. For these, the CoPC and the underlying regulation point in one direction.
Recusal applies when the conflict is structural rather than incidental. The categories include direct financial interest in the OSC being assessed, such as stock ownership or a stake in the company’s outcome. Recent consulting work for the same OSC falls inside this territory under the three-year rule in § 170.8(b)(17)(ii)(G) and CoPC § 2.2(d). Family members occupying decision-making roles at the OSC also belong here. And any actual conflict that a reasonable observer would say cannot be cured by transparency alone.
The framework isn’t a checklist. It’s a question. Does the conflict touch the practitioner’s ability to render an independent professional judgment? If the answer is yes or even unclear, the regulation pushes toward recusal. The firm doesn’t have to wait for someone to challenge the work. The COI policy required by § 170.8(b)(17) exists so the firm can identify these conflicts itself and act before they become someone else’s discovery.
The Three-Year Wall
The most operationally significant line in the COI rule is the three-year prohibition on consulting-to-assessment transitions. The rule text, 32 CFR § 170.8(b)(17)(ii)(G), reads: “Prohibit CMMC Ecosystem members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.” CoPC v2.0 § 2.2(d) carries the same prohibition.
Three operational details matter. First, the prohibition reaches any CMMC consulting work, not just consulting for Level 2 specifically. The CoPC’s own example, in Article III § 3.3, makes the point explicitly: a consultant who prepared an OSC for a Level 1 self-assessment is precluded from a Level 2 certification assessment team for that same OSC until the three-year window closes.
Second, the wall extends to the firm. CoPC § 3.3 states that the prohibition “applies to the C3PAO as an organization as well as to all of its Assessment Team members.” A firm that consulted in Year One cannot route the assessment to a different staff member in Year Two and claim the conflict has been managed. The organizational reading is the right one. Individual recusal is not a substitute for firm-level recusal when the firm itself held the consulting relationship.
Third, the wall runs one direction by design. The rule prevents consulting work from flowing into assessment work. It does not prevent assessment work from flowing later into consulting work, though other principles (Confidentiality, Impartiality) constrain how that transition can happen.
Combined consulting and assessment practices are common in the CMMC market. Firms holding both RPO authorization (for advisory work) and C3PAO authorization (for certification assessments) are a familiar operating model. The three-year wall means a firm holding both authorizations cannot route an OSC engagement from consulting into a Level 2 certification assessment inside the three-year window, regardless of which practitioners are staffed. The CFR has already made the call. The firm’s job is to comply, not to litigate the boundary.
What to Do When in Doubt
The honest answer to most COI questions is that the firm should treat ambiguity as a signal toward conservatism, not toward minimization. A practical procedure looks like this.
Document the conflict in writing as soon as it’s identified, including the nature of the relationship, the dates involved, the parties affected, and the practitioner’s initial assessment. Consult the firm’s COI policy and check whether the situation maps to a defined category. Escalate to firm leadership when the situation is novel or sits near the line between disclosure and recusal. And where the firm itself has any financial interest in the outcome, default toward recusal. The cost of recusing from an engagement that would have been defensible is low. The cost of completing an engagement that turns out to have been compromised is high, and the cost lands on both the firm and the practitioner.
The COI rule isn’t a procedural inconvenience. It’s the regulatory foundation under which assessment work is trusted to mean something. Practitioners who treat disclosure as a universal solvent erode that foundation one engagement at a time. Practitioners who hold the line between disclosure and recusal keep it intact.
A few cross-references for the surrounding work: our CoPC five principles decision tree for the broader ethical framework, CMMC ecosystem roles explained for how the actors fit together, RPO vs MSP vs C3PAO for the boundary lines between service categories, and proof or posturing for what evidence quality actually looks like under assessor review.
Conflicts of interest are not a paperwork problem. They are a question about whether the work means what it says. The CFR drew the line because the answer matters. Knowing which side of the line a given conflict sits on is the practitioner’s job, every time.
References · 4 official sources
| Source | What it covers | Type |
|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | 32 CFR § 170.8(b)(17) — requires the CMMC Accreditation Body to develop the COI policy; § 170.8(b)(17)(ii)(G) is the three-year consulting-to-assessment prohibition; § 170.9(b)(2) requires C3PAOs to comply with the policy | Regulation |
| Cyber AB CMMC Code of Professional Conduct (CoPC) v2.0 | Cyber AB CoPC v2.0 (effective 16 December 2024) — Article II § 2.2 (Impartiality), § 2.2(d) (three-year wall), Article III § 3.3 (organizational extension of the prohibition to the C3PAO and all Assessment Team members) | Guidance |
| ISO/IEC 17011:2017(E) — Conformity assessment: Requirements for accreditation bodies | ISO/IEC 17011:2017(E) — international Impartiality standard the Accreditation Body must maintain compliance with under § 170.8 | Standard |
| ISO/IEC 17020:2012(E) — Conformity assessment: Requirements for inspection bodies | ISO/IEC 17020:2012(E) Section 4.1 — impartiality requirements binding C3PAOs as conformity-assessment inspection bodies | Standard |