The Cyber AB CMMC Code of Professional Conduct (CoPC) v2.0, effective 16 December 2024, names eight guiding principles for every member of the CMMC Ecosystem: Professionalism, Impartiality, Confidentiality, Information Integrity, Lawful and Ethical Behavior, Equal Opportunity, Proper Use of CMMC Methods, and Proper Use of Technology and AI. The single most operationally consequential provision is 32 CFR § 170.8(b)(17)(ii)(G), codified in CoPC § 2.2(d), which prohibits any CMMC Ecosystem member from participating in the Level 2 certification assessment process for an organization they previously served as a CMMC consultant within the past three years. The prohibition applies regardless of which CMMC level the prior consulting work prepared the organization for. Disclosure resolves some conflicts of interest. Direct financial interest, recent consulting work for the same organization, and decision-making authority by close family at the assessed organization require recusal regardless of transparency.
The moment a CoPC question lands in a real engagement, it almost never lands cleanly. A LinkedIn post about a client. A vendor lunch the day the kickoff was scheduled. An assessor in the next room coaching a tech through their own evidence. The principles don’t queue up one at a time and wait their turn. They arrive overlapping, mid-call, with a deadline pressing and someone watching to see what you do.
Recall isn’t the problem. Most practitioners who’ve passed a CCP or CCA exam can name the principles in the abstract. Application is the problem. In an engagement, principles touch each other. Confidentiality bumps into Information Integrity. Impartiality bumps into Proper Use of CMMC Methods. The right answer rarely sits inside a single principle, and the obvious answer often violates the one you didn’t think to check.
This piece is the filter to run in the moment. Not a refresher on what the principles say. A way to decide what to do when one of them, or more than one, comes knocking.
The Eight Guiding Principles
The Cyber AB CMMC Code of Professional Conduct (CoPC) binds every individual, entity, and group operating within the CMMC Ecosystem. Version 2.0, effective 16 December 2024 alongside the CMMC 2.0 program rule, names eight guiding principles in Article II:
- Professionalism — conducting activities with honesty, fairness, and respect for others.
- Impartiality — avoiding conflicts of interest and maintaining unbiased decision-making.
- Confidentiality — protecting sensitive data and proprietary information.
- Information Integrity — ensuring the accuracy and security of information.
- Lawful and Ethical Behavior — complying with all applicable laws and regulations.
- Equal Opportunity — promoting inclusivity and refraining from discriminatory behavior.
- Proper Use of CMMC Methods — employing CMMC processes and procedures.
- Proper Use of Technology and AI — incorporating technology into CMMC appropriately.
That’s the reference set. The names are stable. The hard part starts when you have to map a live situation onto them.
A note on Impartiality. The CoPC v2.0 uses Impartiality, drawn directly from ISO/IEC 17011:2017(E), the international benchmark the CMMC Accreditation Body is required to maintain compliance with under 32 CFR § 170.8(b)(17). The legacy CoPC issued under CMMC 1.0 (October 2020) used a shorter principles set with different naming conventions; the v2.0 list above is the version currently in force. Practitioners working from older training materials should re-verify against the current document before relying on the principle names.
The Eight-Question Filter
For any compliance scenario that gives you pause, walk these questions in order. Each one maps to a CoPC v2.0 principle. If the answer is yes, that principle is in play. Often more than one fires.
- Does this involve how you represent yourself, your firm, or the profession? Professionalism.
- Does it involve a real or perceived conflict of interest, or any pressure that could bias an outcome? Impartiality.
- Does it touch client information, government information, or anything the contractor wouldn’t post on their own website? Confidentiality.
- Does it involve reporting, documenting, or characterizing what happened during the engagement? Information Integrity.
- Does it involve any conduct that could violate applicable law or regulation, or your obligation to disclose criminal proceedings to The Cyber AB? Lawful and Ethical Behavior.
- Does it involve treatment of people that could be inequitable, exclusionary, or discriminatory? Equal Opportunity.
- Does it involve CMMC assessment methods, materials, scoring tools, or guidance being used for a purpose other than the one intended? Proper Use of CMMC Methods.
- Does it involve AI, automation, or other technology being used in CMMC activities in ways that affect data, decisions, or assessor authority? Proper Use of Technology and AI.
Running the filter takes about thirty seconds. It costs nothing. And it surfaces principles you’d otherwise skip past.
Five Scenarios
Here’s what the filter looks like applied. The scenarios are constructed from generic engagement patterns, not from any specific training material.
Scenario one, the LinkedIn post
A colleague at your firm posts on LinkedIn that “we helped one of our OSC clients achieve Level 2 certification this week.” No client name. No project number. Just the announcement.
Run the filter. Professionalism, maybe. Impartiality, no. Confidentiality, yes. The post discloses the existence of a client relationship and a certification outcome. In the federal acquisition context, that pairing is sensitive on its own. The fact that the client wasn’t named doesn’t repair the disclosure. Anyone with knowledge of the firm’s account list can narrow the field to a handful of organizations.
What the CoPC requires here is the harder thing, not the comfortable one. CoPC § 2.3 obligates ecosystem members to maintain the confidentiality of customer and government data, exercise due care so privileged information remains so even after the work ends, and forgo premature assertions about assessment outcomes. Default position is silence. The post comes down. If a celebration is warranted, the client has to publish it first.
Scenario two, the early-finish bonus
An OSC executive, halfway through the assessment, tells the lead CCA, “If you can wrap this by Friday instead of next Wednesday, we’ll cover an extra day’s fee as a thank-you.”
This one is fast. The filter lands on Impartiality. A financial incentive tied to a faster outcome is the textbook definition of a threat to impartiality. The offer doesn’t have to be accepted to create a problem. ISO/IEC 17011:2017(E), the standard the Accreditation Body is required to maintain compliance with, treats real and perceived conflicts as equivalent risks to the integrity of the conformity assessment.
The lead CCA declines, in writing, and reports the offer to the C3PAO leadership. The C3PAO, in turn, has its own impartiality obligations under ISO/IEC 17020:2012(E) Section 4.1 and documents the incident. The OSC is not punished for asking, but the boundary is restated. The schedule doesn’t change because of the offer. It might still finish Friday on its merits. It doesn’t finish Friday because of the money.
Scenario three, the side-coaching assessor
You’re conducting an interview track and walk past a small conference room where a fellow assessor is alone with an OSC engineer. Through the door, you hear the assessor saying, “When she asks you about your incident response procedure, you’ll want to mention the tabletop you did last quarter, the one that we discussed in the readiness session.”
Three principles fire. Information Integrity, because the assessor is shaping the evidence record rather than collecting it. Professionalism, because the conduct discredits the profession in front of the very client who’s watching it happen. And Proper Use of CMMC Methods, because the CMMC Assessment Process is built on uniform procedures executed faithfully; coaching a witness on the answers an assessor wants to hear breaks that uniformity directly.
This one isn’t a quiet decision. The CoPC contemplates a duty to investigate and resolve potential violations. You raise it with the lead assessor immediately. The interview gets paused. The incident is documented in writing and escalated to the C3PAO quality function. Whether the assessor’s intent was malicious or simply sloppy doesn’t change the response. The duty is triggered by the behavior, not by reading the mind behind it.
Scenario four, the stock holding
A CCA assigned to an upcoming engagement realizes, looking at the assessment package, that she owns common stock in the parent company of the OSC. Position size is modest. The OSC is a subsidiary of a publicly traded defense prime.
The filter lands on Impartiality, sharply. This is a financial interest in the outcome of a conformity assessment, which is exactly what ISO/IEC 17011:2017(E) names as an impartiality risk. The instinct of many practitioners is to disclose and proceed. That instinct is wrong here. Disclosure is necessary but not sufficient. The CCA recuses. The C3PAO replaces her on the engagement and documents the recusal in the project record.
We’ll go deeper on the disclose-versus-recuse distinction in a companion piece, because the right call isn’t always recusal and isn’t always disclosure-only, and the difference matters. For now, the rule on direct financial interest in the assessed organization is the strict one.
Scenario five, the prior consulting engagement
A C3PAO assigns you to a Level 2 certification assessment. Reading the OSC’s name, you remember that you ran a readiness engagement for them as an RPO consultant eight months ago. You’ve changed firms since. You haven’t talked to that client since the engagement ended.
The filter lands on Impartiality again, with the bright line written into the regulation. 32 CFR § 170.8(b)(17)(ii)(G), and CoPC § 2.2(d) which incorporates it, prohibits CMMC Ecosystem members from participating in the Level 2 certification assessment process for an OSC they previously served as a consultant within the past three years. The CoPC’s own example makes the scope plain: even a consultant who prepared an OSC for a Level 1 self-assessment is blocked from a Level 2 certification team for that OSC until the three-year window closes.
Eight months sits well inside the prohibition. Disclosure alone won’t resolve it. The right action is to inform the C3PAO immediately and decline the assignment. The fact that the conflict was caught at intake rather than mid-engagement is the system working, not a near miss to feel clever about.
The Other Principles in Brief
The five scenarios above cluster on the principles that fire most often in field engagements: Confidentiality, Impartiality, Information Integrity, Professionalism, and Proper Use of CMMC Methods. Three principles fire less often but carry the same weight when they do.
Lawful and Ethical Behavior binds every CMMC Ecosystem member to obey applicable law, refrain from fraud and similar offenses, and report indictments or convictions for those offenses to The Cyber AB within thirty days. The principle is rarely invoked in the day-to-day of an engagement, but the disclosure obligation runs continuously, and ignorance of it is the failure mode rather than the violation itself.
Equal Opportunity prohibits discrimination based on race, color, religion, ancestry or national origin, sex, age, marital status, sexual orientation, gender identity, disability, or political affiliation in CMMC-related interactions. The principle covers conduct between practitioners as much as conduct toward OSCs. A C3PAO that staffs assessment teams inequitably, or a firm whose hiring or partnership decisions produce a discriminatory pattern, has a CoPC exposure independent of any specific engagement.
Proper Use of Technology and AI addresses what is increasingly the most common in-engagement question. The CoPC prohibits AI or automation that renders CCAs subservient to it or diminishes their authority and autonomy during a certification assessment, prohibits providing customer data to an internet-accessible AI application, and requires transparency about how technology is employed in CMMC activities. A practitioner running an AI assistant through a CUI-handling environment without a defensible data-flow analysis has crossed a line that the v2.0 CoPC drew specifically to keep transparent practices intact while AI tooling matures.
The Disclosure-Versus-Recusal Question
Three of the five scenarios end in some form of recusal or withdrawal. One ends in a written report. One ends with a post being taken down. None of them end with “disclose and move on,” even though disclosure is sometimes presented as a universal solvent for conflicts. It isn’t.
The CoPC distinguishes between disclosable matters, which a practitioner surfaces and continues with appropriate transparency, and disqualifying matters, which end the practitioner’s role on the engagement regardless of disclosure. The same situation can sit on either side of that line depending on directness of interest, materiality, and whether the conflict is real or perceived. That distinction deserves its own walk-through, and it gets one in the next piece.
The Discipline Underneath
Treat the CoPC as decision discipline, not exam content. The principles are eight. The filter takes thirty seconds. The hard work isn’t memorization. It’s running the filter when the situation is awkward, when somebody else is hoping you won’t, and when the cost of running it falls on you and not on the person handing you the scenario.
The reason the CoPC is structured this way is that the integrity of the entire assessment regime depends on practitioners who can say no, in the moment, without rehearsal. That capacity is what an OSC is buying when it hires a competent C3PAO. It’s what the DoD is relying on when it accepts the certification. And it’s what the ecosystem is signaling when it accredits the practitioner in the first place.
References · 5 official sources
| Source | What it covers | Type |
|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | 32 CFR § 170.8(b)(17) — requires the CMMC Accreditation Body to develop the Conflict of Interest, Code of Professional Conduct, and Ethics policies that bind the ecosystem; § 170.8(b)(17)(ii)(G) is the three-year consulting-to-assessment prohibition | Regulation |
| Cyber AB CMMC Code of Professional Conduct (CoPC) v2.0 | Cyber AB CMMC CoPC v2.0 (effective 16 December 2024) — Article II names the eight guiding principles; § 2.2(d) codifies the three-year rule; § 2.3 sets the confidentiality obligation | Guidance |
| ISO/IEC 17011:2017(E) — Conformity assessment: Requirements for accreditation bodies | ISO/IEC 17011:2017(E) — international standard the Accreditation Body must maintain compliance with under § 170.8; the source of the Impartiality concept used in CoPC § 2.2 | Standard |
| ISO/IEC 17020:2012(E) — Conformity assessment: Requirements for inspection bodies | ISO/IEC 17020:2012(E) Section 4.1 — impartiality requirements binding C3PAOs as conformity-assessment inspection bodies | Standard |
| The Cyber AB | The Cyber AB — accreditation body publishing and enforcing the CoPC | Directory |