Adapted from Crest-approved
Purpose
A Code of Ethics is a set of principles designed to influence the judgement of individuals to ensure that they conduct business with honesty and integrity in any given situation. It describes the core values that should guide independent decision-making and provides ethical standards to be followed by CMMC-COE working group members. Ethical guidance does not grant exemption from professional standards of due skill and care.
Scope
The Code of Ethics is intended for CMMC-COE working group members who enable cyber security services to any sector of the business community including Regulators in the U.S. and overseas. It does not differentiate between the various types of services provided by CMMC-COE alliance partners in the execution of the information security services provided to the DIB, nor the different specialisms involved. The Code of Ethics forms a codicil to the CMMC-COE Code of Conduct for working group members. It should be read in conjunction with these Codes of Conduct.
Affirmation
All working group members agree to abide by the Code of Ethics. Members reaffirm their commitment to the Code of Ethics through the renewal of their membership, be it corporate membership or individual qualification.
Sanctions
A breach of the Code may not always involve misconduct and lead to sanctions being applied. However, a proven failure to comply with the Code of Ethics may result in expulsion from CMMC-COE. The CMMC-COE Executive has the right to investigate and to make judgements on formal complaints received about a CMMC-COE member’s conduct. In such instances, the CMMC-COE Complaints and Resolution Measures process will be initiated.
Code of Ethics
The Code of Ethics aims to support working group members in conducting themselves in an ethical manner and balancing often conflicting interests and demands. It is designed to guide members to meet the highest standards of professional conduct. In order to distinguish members from other actors in the cyber security sector, all CMMC-COE working group members agree to abide by the ten principles of business ethics below as a condition of membership.
Honesty
To be committed to the highest standards of ethical conduct in all that they do, working group members must comply with all applicable legal and regulatory requirements governing business relationships. They must subscribe to honesty and integrity engendering trust and conduct their business in accordance with all applicable laws and regulations.
Prohibition of bribery, corruption and extortion
The working group members must not offer, promise, give, demand or accept bribes or other unethical inducements, including extortion, in order to obtain, retain or give business or other advantage, and must take all reasonable measures within their power to ensure that their staff, including any sub-contractors, follow the same practice.
Integrity in business behavior
The working group members are expected to act with integrity at all times and not to act in any way that would cause detriment to the DIB community.
Professionalism
The working group members will continuously strive to acquire the professional knowledge and skills required to perform their function, recognizing that new tools and techniques are evolving rapidly.
Personal Example
The working group members will encourage the display of selflessness, honesty and integrity at all times. They will promote respect amongst the staff and support an environment of leadership and openness in their dealings with the DIB clients. Members will always assist fellow members when they need help or advice and will accept responsibility for their own work and the work of those under their supervision. Members will respect intellectual property and give credit for others’ work. They will never steal or misuse copyrighted, patented material, trade secrets or any other intangible assets.
Application and Compliance
The working group members will show respect for the personal and professional dignity of employees, colleagues and other people and entities with whom they come into contact. They must respectfully apply laws, regulations, technical rules and accepted professional standards and must not accept instruction in any form that is incompatible with these. The working group members are expected to bring any suspected or actual breach of the CMMC-COE Code of Conduct promptly to the attention of CMMC-COE. Any Member making such information known to CMMC-COE through the appropriate channels will not face any adverse or unfavorable treatment for such disclosure.
Credibility
The working group members will seek to present the highest standards of objectivity in their assessments, advice and conduct and will, at all times, use accredited, systematic and verifiable processes and act in ways that are accountable, legal and ethical. They will strive continuously to deliver timely, relevant and accurate intelligence and testing and analysis services.
Integrity
The working group members must subscribe to honesty and integrity engendering trust and conduct their business in accordance with all applicable laws and regulations and ensure that their staff, including any sub-contractors, also comply with such laws. The working group members will ensure that any form of payment for information is performed with professional individuals and due diligence is carried out to ensure no funding of criminal activity occurs.
Responsibility and Respect
The working group members will work using initiative and diligence, applying common sense within the scope of their authority and will always take responsibility for their actions. They will never promise more than they can deliver and will be honest about the limits of their professional capability. They will always qualify the veracity of their intelligence and testing with absolute integrity. They will maintain independence of thought, product and organization and declare immediately any potential conflict of interest to clients.
Sense of Mission
The working group members will uphold and improve on the professionalism and standards of the industry by sharing experiences, opportunities, techniques and tools with the CMMC-COE network that they consider of merit or which may represent a potential risk to the industry. They also undertake to promote and advance public awareness and understanding of cyber security and its benefits, and will rebut false or misleading statements concerning the industry or profession and its practices.