Appeals Process

 
Approved By:
Executive Committee

SOP1002 Appeals Process

Version 2.0
5 January 2025

1. Purpose

An appeal is a request by an entity or an individual for reconsideration of any adverse decision related to its desired authorization, accreditation, certification, or registration status. These decisions include granting, issuing, maintaining, extending, reducing, suspending, revoking, and denying authorization, accreditation, certification, or registration.

This document establishes The Cyber AB Appeals Process by which it will receive, consider, evaluate, and administrate appeals, and facilitate the adjudication and communication of appeal decisions.

2. Scope

This Process applies to appeals of the following types of decisions under the governance and/or authority of The Cyber AB:

  1. Authorization: decisions of The Cyber AB pertaining to the Authorization of Cybersecurity Maturity Model Certification (CMMC) Third-Party Assessment Organizations (C3PAOs) and personnel certification bodies within the U.S. Department of Defense (DoD) CMMC Program.
  2. Accreditation: decisions of The Cyber AB pertaining to the Accreditation of any inspection bodies, conformity assessment bodies (CABs), or personnel certification bodies of programs under the accreditation authority of The Cyber AB.
  3. Certification: a) decisions on elevated appeals pertaining to CMMC Level 2 certification assessments of Organizations Seeking Certification (OSCs) within the DoD CMMC Program; and b) decisions of The Cyber AB or the Cybersecurity Assessor and Instructor Certification Organization (CAICO) pertaining to certified individuals found responsible for violations of the CMMC Code of Professional Conduct (CoPC) within the DoD CMMC Program.
  4. Registration: decisions of The Cyber AB pertaining to registered individuals and organizations found responsible for violations of the CoPC within the Registered Practitioner program.

Note 1: CMMC Level 2 assessments of C3PAOs conducted by DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) as required under 32 CFR §170.9(b)(6) are not within the Scope of this Appeals Process. Any appeal of a Cyber AB authorization or accreditation decision based on objections involving the DIBCAC assessment will be considered invalid and not accepted.

Note 2: Professional certification and designation decisions under the authority of the CAICO, as codified under 32 CFR §170.10, and not directly pertaining to violations of the CoPC are not within the Scope of this Appeals Process. Any appeal of a CAICO certification or designation decision not directly related to the CoPC will be considered invalid and not accepted.

3. Responsibilities

The Cyber AB is solely responsible for its Appeals Process and the appeals decisions it produces. The Cyber AB is responsible for all decisions at all levels of the handling process for appeals it processes.

4. Authority

For the DoD CMMC Program, The Cyber AB is the designated accreditation body pursuant to DoD contract #HQ003420H0003. As such, The Cyber AB is authorized to process appeals and render appeals decisions in accordance with the Code of Federal Regulations, Title 32, Sections 170.8(b)(16) and 170.9(b)(19).

5. Submission of Appeal

An entity or individual appealing any of the decisions under the Scope of this Process as described in Section 1.2 must submit the appeal within 21 days of receipt of written notification of the decision being appealed. The appellant must submit a formal request for appeal and include the following elements in the written submission:

  • First and last name of the appellant;
  • Full legal name of the appellant organization (if applicable);
  • Email address and telephone number;
  • Statement describing the basis of the appeal, including the grievance in question and any claims of improper procedures or erroneous interpretation of policy or doctrine that may have informed the decision being appealed;
  • Description of any steps taken to resolve the matter prior to submitting the appeal;
  • Copy of the written notification of the decision that is being appealed; and
  • Attachment of any relevant documents or other materials that directly support the position of the appellant.

The appellant must submit the above information with applicable attachments to the email address: Appeals@cyberab.org

6. Receipt of Appeal

Upon receipt of an appeal, The Cyber AB shall review the information submitted by the appellant to confirm that it meets the definition of appeal in Section 1 and is within the Scope of the Appeals Process as established in Section 2. The Cyber AB shall also review the appeal to determine if it contains all the required information in accordance with Section 5. If all requirements are satisfied, the appellant will be notified in a timely manner that the appeal has been accepted, and a formal appeals case will be opened by the Compliance Officer.

If all the requirements are not satisfied, the appellant will be notified in a timely manner that the appeal has not been accepted, along with accompanying justification for the rejection.

The appealed authorization, accreditation, certification, or registration decision shall remain in effect pending the conclusion of the appeals process.

7. Formation of Appeals Board

The Cyber AB shall compose an independent Appeals Board to investigate, hear, and adjudicate the appeal. The Appeals Board members shall be selected based on independence from the matter being appealed, a record and reputation of integrity and impartiality, and availability. Appeals Board members may also be selected based on relevant subject-matter experience and expertise. General areas of experience and expertise will be prioritized based on the nature of the specific appeal, and may likely include, but are not necessarily limited to, cybersecurity, conformity assessment, CMMC assessment standards and methods, ISO/IEC standards, technology, the Defense Industrial Base, compliance, law, and ethics.

An Appeals Board shall be composed of no fewer than three (3) members, one of whom will be designated as Chair. An Appeals Board investigating, hearing, and adjudicating an accreditation decision shall be composed of no fewer than five (5) members, one of whom will be designated as Chair.

The Governance Committee of The Cyber AB shall approve the composition of each Appeals Board prior to its convening.

8. Impartiality

The Cyber AB shall ensure that all members of the composed Appeals Board have been properly vetted for impartiality and conflicts of interest. No Appeals Board members shall have had any involvement in the decision or activities in question relating to the appeal.

For appeals of decisions by The Cyber AB relating to authorization, accreditation, or violations of the CoPC, no members of the Appeals Board shall be employees or Directors of The Cyber AB or the CAICO, nor have any conflicts of interest with either organization.

9. Appeals Processing

The Appeals Board shall convene and investigate the appeal in a timely manner. Investigation of the appeal and related fact-finding shall not result in any discriminatory actions by The Cyber AB against any individuals or organizations responding to requests for information by the Appeals Board or cooperating with the Appeals Board in any manner.

All appeals shall include a scheduled hearing unless the appellant waives the right to the hearing. Appeal hearings will be held virtually via the Zoom for Government (Zoom Gov) online conference platform with cameras enabled for all participants.

Appeal hearings shall be conducted in English and will be recorded.

The appellant shall notify the Appeals Board at least ten (10) days in advance of the scheduled hearing if the appellant intends to have legal counsel present at the hearing.

10. Deliberation and Decision

The Appeals Board will deliberate in private following completion of the investigation and the hearing. The Appeals Board shall conduct a vote on the appeal and a simple majority of its members will determine the Appeals Board decision.

  1. If the Appeals Board upholds the appeal on decisions of authorization, finding in favor of the appellant, The Cyber AB will be bound by the Board’s decision provided the decision does not violate any provisions of 32 CFR part 170.
  2. If the Appeals Board upholds the appeal on decisions of accreditation, finding in favor of the appellant, the accreditation decision will be remanded to The Cyber AB for further consideration.
  3. If the Appeals Board upholds the elevated appeal by an OSC or C3PAO on decisions pertaining to a CMMC Level 2 certification assessment, the appeal decision will be rendered to both parties by The Cyber AB and considered final pursuant to 32 CFR §170.8(b)(16) and 32 CFR §170.9(b)(19).
  4. If the Appeals Board upholds the appeal on decisions pertaining to the professional certification of individuals found responsible for violating the CoPC, finding in favor of the appellant, The Cyber AB and/or the CAICO will be bound by the Board’s decision provided the decision does not violate any provisions of 32 CFR part 170.
  5. If the Appeals Board upholds the appeal on decisions pertaining to registered individuals and organizations found responsible for violations of the CoPC within the Registered Practitioner program, finding in favor of the appellant, The Cyber AB will be bound by the Board’s decision.

If the Board does not uphold the appeal, finding the appeal without merit, the original accreditation, authorization, certification, or registration decision stands. When an appeal is not upheld, The Cyber AB will not accept a future appeal on the same authorization, accreditation, certification, or registration decision.

All decisions of the Appeals Board will be communicated in writing to the interested parties in a timely manner.

11. Withdrawal

An appeal can be withdrawn by the appellant at any time until the Appeals Board renders a decision. A request for an appeal withdrawal must be made in writing to the Appeals Board. When an appeal is withdrawn, The Cyber AB will not accept a future appeal on the same authorization, accreditation, certification, or registration decision.

12. Document Review and Revision History

Revision | Description of Change | Approved By | Publish Date
2.0 | Initial release for commencement of CMMC Program | Executive Comm. | 5 Jan 2025