This is the main content of the page.


Our PoliciesPrivacy Policy

Legal Disclaimer


Policy Section

Last Updated: 12 April 2023

Policy Overview

The Cybersecurity Maturity Model Certification Accreditation Body, Inc. (“CMMC-AB,” “us,” or “we”) is committed to respecting and protecting your privacy. We want you to understand how we may collect information about you through our website, and how that information may be used, maintained, and in some cases shared. This privacy policy (“Privacy Policy”) sets forth the privacy practices and policies governing our data collection practices including relating to data collected via the websites that we operate and that link to this Privacy Policy (including,,, , and, and any mobile version, portal, interface, or application used in connection with such websites (referred to collectively, as the “Website”).

Who we are & how to contact us

CMMC-AB is a Maryland non-profit corporation doing business under the trade name, “Cyber-AB.” The CMMC-AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem and the sole authorized non-governmental partner of the United States Department of Defense (“DoD”) in implementing and overseeing the CMMC conformance regime. We exist to further the successful implementation of CMMC within the Defense Industrial Base in order to reduce digital risk to DoD's supply chains and contractor support infrastructure. The CMMC-AB’s support to CMMC is through a direct contract with the CMMC Program Management Officer (PMO) within the Department of Defense.

To contact us:

By Mail:
137 National Plaza, Suite 300
National Harbor, MD 20745-1153

By Email:
Contact Support

Information We Collect

The following describes the types of personal and other information we may collect about you, and how we use and maintain that information:

  • Information You Provide to Us
    CMMC-AB may gather and retain personally identifiable information about you, including name, email address, physical address, phone number, or other personal or background information (“Personal Information”), when you voluntarily submit it to us, including for the purpose of accessing certain features of the Website. We may use any information that you provide for our general purposes and may share it with third parties as described in this Privacy Policy.

    If you provide us with a telephone number, address or an email address, you expressly agree that we, or our authorized agents, can use that information to contact you about CMMC-AB and its associated activities.

    To the extent permitted by applicable law, we may keep any information that you provide to us indefinitely.

  • Site Use Information
    Our web servers may collect technical information, including IP address, browser type, domain names, access times and referring website addresses of visitors to our Website. We may use this information to measure the use of our Website, including number of visits, average time spent on the Website, pages viewed, etc., and to improve the content we offer.

  • Do-Not Track Signal
    We use technology that recognizes a “do-not-track” signal from your web browser, which allows us to exclude you from any analytics that collects information about your online activities over time and across third-party websites if your settings indicate that to be your preference.

  • Use of Cookies
    Like most websites, we employ “cookies” or similar technologies on certain pages of our Website. Cookies make the use of the Website easier by, among other things, saving your preferences. We may also use cookies to deliver content tailored to your interests. For more information about how we use cookies and similar technologies, please see our Cookie Notice.

  • Financial Transactions
    We use a third-party, Cybersource to process our online payments. Please visit their website,, to see their terms of service and privacy policy.

How We Use This Information

We may process your Personal Information for the following purposes in line with this Privacy Policy:

  • to fulfill your requests;
  • to create and maintain your certification or accreditation;
  • to manage the Website;
  • to communicate with you about certification, registrations, products, services, events and education;
  • to detect and prevent fraud or other financial crime;
  • to monitor and protect the security of our information, systems and network;
  • to notify you about changes to our Website or other services; and
  • to conduct research and analysis.

CMMC-AB does not sell, rent or lease Personal Information to third parties. CMMC-AB may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your Personal Information (e-mail, name, address, telephone number) is not transferred to the third party.

Opting Out of Communications

If you have subscribed to or are otherwise receiving CMMC-AB news or similar information from us by email and no longer want to receive such information in the future, you may opt-out of receiving certain types of emails by clicking the "unsubscribe" link at the bottom of those emails you receive or, if you have an online account, logging in to your account and making changes thereto your communication preferences. Please allow ample time for us to process your request. If you are having difficulty unsubscribing, please contact us directly at the email or phone number listed below under Contact.

Please note that even if you opt-out of receiving emails, you may still receive communications related to your interaction with CMMC-AB (such as confirmation of a registration or form submission) or otherwise as required by law. Also, note that we may need to keep information we have collected about you for record-keeping, research, legal and other purposes.

Disclosing Information to Third-Parties

We do not sell your Personal Information. We will not share your Personal Information that we collect through our Website, unless you request or authorize the release of the information, or in the following limited circumstances:

  • Third-Party Business Partners.
    We may share some of your Personal Information with business partners who provide us with technical services, such as website security, computing infrastructure and sales and marketing support. They will be granted access to only that information which is necessary for them to do their jobs. Any agents to whom we grant access to Personal Information are contractually barred from using or releasing that information outside of the specific task we have asked them to perform. We have various agreements, policies, safeguards and certifications to ensure that these agents do not sell, distribute or use Personal Information.

  • The United States Department of Defense.
    We share your Personal Information with the U.S. DoD in order to provide our services to you or as required by our contract with the U.S. DoD.

  • Required By Law.
    We may disclose Personal Information about you to comply with the law, applicable regulations, governmental and quasi-governmental requests, court orders or subpoenas, to enforce our Terms of Use or other agreements, or to protect our rights, property or safety or the rights, property or safety of our users or others. We reserve the right to release information that we collect to law enforcement or other government officials, as we, in our sole and absolute discretion, deem necessary or appropriate.

  • Corporate Transaction.
    We may disclose Personal Information about you as part of a merger, acquisition or other sale or transfer of the assets or business of CMMC-AB. We do not guarantee that any entity receiving such information in connection with one of these transactions will comply with all terms of this Privacy Policy.

  • Aggregated or Anonymous Information.
    We may also share aggregated or de-identified information with third parties. For example, we may disclose the number of visitors to our Website or the number of people who have downloaded a particular document, and we may disclose statistical information based on responses to online surveys and other data collection tools on our website.


Our Website is hosted by a third-party which is supported by a secure government-grade instance of Microsoft Azure. To find out more about Microsoft Azure security systems, click here .
You should keep in mind that the Website is run on software, hardware and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control.
While we take steps to protect your Personal Information and keep it secure, you also play a role in protecting your information. You must maintain the security of your online transactions by not sharing your account information and passwords with any unauthorized parties.
Please also be aware that despite our best intentions and the guidelines outlined in this Privacy Policy, no data transmission over the Internet or encryption method can be guaranteed to be 100% secure. CMMC-AB cannot guarantee the security of any information you transmit to us or from our Website.

EU/UK-Specific Notice

These terms apply to Personal Information collected by CMMC-AB if you are an EU or UK resident. “Personal Information” as used in this section means any information that enables us to identify you, either directly or indirectly. Where CMMC-AB processes Personal Information about you, such information is controlled by the Cybersecurity Maturity Model Certification Accreditation Body, Inc., which is headquartered in the United States at 137 National Plaza, Suite 300, National Harbor, MD 20745-1153. If you access our Website from outside the Unites States, your data is transferred to and processed in the United States. We may share and our third-party business partners may process your Personal Information as detailed above. Subject to certain exceptions and the jurisdiction in which you live, if you are located in the EU or UK, the General Data Protection Regulation (“GDPR”) and Data Protection Act of 2018 provide you with specific rights regarding your Personal Information.

Basis for Transferring Your Data
The United States has not sought or received a finding of “adequacy” from the under Article 45 of the GDPR. We rely on derogations for specific situations as set forth in Article 49 of the GDPR. Your Personal Information is transferred to us for the following reasons:

  • You consented to the transfer;

  • The transfer is necessary to perform a contract to which you are or will become a party;

  • The transfer is necessary for compliance with a legal obligation to which the data controller is subject;

  • The transfer is necessary in order to protect your vital interests or the vital interests of another natural person.

  • The transfer is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • The transfer is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.

Your Rights
You have the following rights:

  • The right of access: You can access Personal Information we hold about you, know the origin of this Personal Information and obtain a copy in an understandable format. You do not have to justify your request to exercise your right to access.

  • The right to rectification: If your Personal Information is inaccurate, you have the right to have such data rectified. You may update your Personal Information in your dashboard.

  • The right to erasure: You may request the erasure or deletion of the Personal Information we hold on you. This is not an absolute right since we may have to keep your Personal Information for legal or legitimate reasons.

  • The right to object to the processing of your Personal Information: When we process your Personal Information based on our legitimate interest, you may at any time object to the processing of your Personal Information for reasons relating to your personal situation. We may nevertheless, on a case-by-case basis, reject such a request by pointing out the legitimate or legal reasons reasons justifying the processing of this data which may prevail over your request.

  • The right to restrict processing: In certain situations, you can limit how your Personal Information is processed, so that we cannot use it or process it in any other manner.

  • You may unsubscribe or object, at any time and without any justification, to the reception of direct marketing communications. Click on the link in the footer of the communications you receive from us AND send us an email at with the word unsubscribe in the subject field of the email.

  • The right to data portability: You may request the Personal Information you provided to us in a structured, commonly used and machine-readable format, for personal use or to share with a third party of your choice. This right only applies to Personal Information you provided us with which was processed through automated means, if this processing is based on your consent or the performance of a contract and does not affect the rights or freedoms of others.

  • The right to withdraw your consent to the processing of your Personal Information at any time: If you are unsatisfied with the way we process your Personal Information, subject to certain restrictions, you can withdraw your consent by emailing us at

  • The right to lodge a complaint with your Data Protection Authority: You may also lodge a formal complaint with your local Data Protection Authority. Click here to find your Data Protection Authority in the UK or here to find you Data Protection Authority in the EU.
Data Retention
We will retain your Personal Information for as long as the information is needed to respond to your query, provide our services to you, inform you of additional or future service opportunities and for any additional period necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Exercising Your Rights
You can exercise your rights by emailing us at In most cases we will respond within thirty (30) days to your request. This timeframe may be extended by two months depending on the complexity of the request or the number of requests received, in which case we will inform you within one month of receiving your request, specifying the reasons for extending the response timeframe. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

If we cannot fully address your request, we will let you know and explain the reason why your request was denied.

If Personal Information about you has been processed by us as a “processor” on behalf of another party and you wish to exercise your rights under this Policy, please inquire with party acting as “controller”. If you wish to make your request directly to us, please provide the name of our client on whose behalf we processed your Personal Information. We will refer your request to that client and will support them to the extent required by applicable law in responding to your request.

Child Privacy

This website is not intended for children. It is not our intention to collect Personal Information from anyone under 18 years of age, and we will not knowingly do so. If we are made aware that we have collected any Personal Information from children under the age of 18, and are asked to delete such information from our databases, we will promptly do so.


Our Website contains links to other websites. However, this Privacy Policy only addresses CMMC-AB’s use and disclosure of your information collected on our Website, if any. If you choose to visit an external website linked from our Website, you will leave our Website. We are not responsible for the privacy practices of any third parties or the content of linked websites. We encourage you to read the applicable privacy policies and terms and conditions of such parties or websites.

Social Media Pages

Our Website may contain social media links, including Facebook, YouTube, LinkedIn, Instagram, and Twitter (“Social Media “Companies”) to provide a place for people to learn more about CMMC-AB and to share comments. This Privacy Policy does not govern the collection of Personal Information by Social Media Companies. We encourage you to check the privacy policies of those companies.

Interactive Forums

We may host message boards, chat rooms, blogs, and other interactive forums or services (each, a “Forum”) on the Website. Forums are intended to serve as discussion centers. Forums are public spaces. Any personal information you communicate in Forums may be seen and used by others. IF YOU CHOOSE TO MAKE ANY OF YOUR PERSONALLY IDENTIFIABLE OR OTHER INFORMATION PUBLICLY AVAILABLE IN A FORUM OR OTHERWISE ON OR THROUGH THE WEBSITE, YOU DO SO AT YOUR OWN RISK.

Access from Outside the United States

If you access the Website from outside of the United States, information that we collect about you will be transferred to servers inside the United States, which may involve the transfer of information out of your country of origin. By allowing us to collect information about you, you consent to such transfer and processing of your data.

Governing Law

By choosing to visit our Website or provide information to us, you agree that any dispute over privacy or the terms contained in this Privacy Policy will be governed by the law of the State of Maryland. You also agree to abide by any limitation on damages contained in our Terms of Use, or other agreement that we have with you.

Changes to this Privacy Policy

We may occasionally amend this Privacy Policy to reflect CMMC-AB activities and user feedback, and we reserve the right to make changes to this Privacy Policy at any time. The use of your information is subject to the Privacy Policy and Terms of Use in effect at the time of use. The provisions contained in this Privacy Policy supersede all previous notices or policies regarding our privacy practices with respect to our Website. Please check the “Last Updated” legend at the top of this page to see when this Privacy Policy was last revised. We encourage you to check frequently to see the current Privacy Policy to be informed of how CMMC-AB is committed to protecting your information and providing you with improved content on our Website to enhance your experience.

Contact Us

Copyright © 2023 Cybersecurity Maturity Model Certification Accreditation Body, Inc.
Privacy Policy
Terms Of Use
Legal Notice
2021 Public Disclosure
Powered by Clarity Ecommerce