Complaint Process

 
Approved By:
M. Travis

SOP1001 Complaint Process

Revision 2.0
16 December 2024

1. Purpose

This document provides, for any interested party, the process by which The Cyber AB receives, validates, investigates, and adjudicates formal complaints lodged against: 1) The Cyber AB directly; 2) the Cybersecurity Assessor and Instructor Certification Organization (CAICO); 3) a conformity assessment body authorized or accredited by The Cyber AB; and 4) any member of the CMMC Ecosystem for alleged violations of the CMMC Code of Professional Conduct (CoPC). This process applies only to formally submitted complaints; Cyber AB authorization and accreditation decision appeals are handled in accordance with The Cyber AB Appeals Process, as are appeals by Organizations Seeking Certification (OSC) against CMMC Third-Party Assessment Organizations, while challenges to accreditation assessment nonconformances are handled by The Cyber AB Nonconformance Challenge Process.

2. Definitions

Appeal: request by a conformity assessment body (3.4) for reconsideration of any adverse accreditation decision (3.13) related to its desired accreditation (3.1) status. (ISO/IEC 17011, 3.21)

Complaint: expression of dissatisfaction, other than appeal (3.21), by any person or organization, to an accreditation body (3.2), relating to the activities of that accreditation body or of an accredited conformity assessment body (3.4), where a response is expected. (ISO/IEC 17011, 3.20)

Conformity Assessment Body (CAB): body that performs conformity assessment activities and that can be the object of accreditation (3.1) (ISO/IEC 17011, 3.4). For CMMC purposes, a Third-Party Assessment Organization is a CAB.

Formal Complaint: A complaint submitted using the submission process described in this document. Submission of the complaint in writing signifies to The Cyber AB that a response is expected. Verbal complaints are considered informal and do not require a response.

3. Submission Process

  1. If the complaint is being levied against a Cyber AB authorized or accredited CAB, the complainant must first make a reasonable attempt to resolve the issue directly with the CAB.
    1. Once the complainant has exhausted that channel without satisfactory resolution, then a complaint may be submitted to The Cyber AB.
    2. In some circumstances, such as when credible evidence indicates to The Cyber AB that an accredited CAB has engaged in fraudulent or illegal conduct within the scope of authorization or accreditation, The Cyber AB may, in its sole discretion, accept a complaint that has not been submitted first to The Cyber AB authorized or accredited CAB.
  2. Navigate to the "Contact Us" page of The Cyber AB website www.cyberab.org and click the "Submit a Complaint" button; or send an email to complaints@cyberab.org and make sure to include the word "Complaint" in the subject line.
  3. The complaint submission must include the following information:
    1. Name, email address, phone number, and organization (if applicable) of the complainant;
    2. Whether the complainant wishes to keep their name and contact information confidential from the relevant CAB (Note: requests for anonymity will be honored, but may impact the ability of The Cyber AB to conduct the investigation);
    3. Description of the party against which the complaint is being submitted;
    4. A statement of the complaint;
    5. Any evidence to support or validate the complaint;
    6. If submitted against a Cyber AB authorized or accredited CAB, documentation showing the complainant has made a reasonable attempt to resolve the issue directly with the CAB and rationale as to why that interaction is not sufficient to resolve the complaint.
  4. All complaints must be initiated through the Submission Process described in Section 3. This ensures that all complaints are formally logged within the Cyber AB ticketing system and can be tracked, monitored, and reported on as necessary.
    1. For any complaints conveyed to The Cyber AB through any other means, The Cyber AB staff will direct the complainant to resubmit the request in accordance with this section.
    2. Only complaints received through this method are treated as formal complaints.

4. Acknowledgment and Triage

  1. Upon receipt of a formal complaint, the system will notify The Cyber AB Compliance Officer.
  2. The assigned Cyber AB will acknowledge receipt of the complaint to the complainant.
  3. The assigned Cyber AB Compliance Officer will review the submitted information to determine if it meets the criteria of a valid complaint:
    1. The submission meets the definition of a "complaint" as defined in this document; and
    2. All required information has been received as described in section 3.3 above; and
    3. When concerning a Cyber AB authorized or accredited CAB, the complaint has first been submitted to the authorized or accredited CAB and they have had reasonable opportunity to resolve the complaint.
  4. If any of the information or conditions in 4.3 a-c are missing, The Cyber AB staff will request the outstanding information from the complainant.
  5. If the complainant does not submit the additional information within the prescribed timeframe, or if the initial triage does not provide enough information to establish the validity of the complaint, the complaint will be closed and the complainant notified.
    1. The complainant may resubmit the complaint if the additional information becomes available.
  6. If the complaint does appear to warrant further review, a formal investigation is conducted.
  7. The Cyber AB will conduct a conflict-of-interest (COI) review of its Compliance Officer with respect to all parties to the complaint. In the event a COI exists that cannot be mitigated, The Cyber AB will substitute another Cyber AB executive to conduct the investigation in lieu of the Compliance Officer.
  8. The Cyber AB will inform the Department of Defense in writing of any new investigations of alleged violations of the CMMC Code of Professional Conduct within 72 hours.

5. Investigation

  1. A formal complaint that has been validated will be fully investigated by The Cyber AB Compliance Officer.
  2. The Cyber AB Compliance Officer will review the information provided and contact the complainant for additional information or clarification.
    1. If a Cyber AB staff member is mentioned in the complaint, they shall be prohibited from accessing any information about the investigation.
    2. In the case of a complaint against a Cyber AB staff member, or in the case of an accusation of a Cyber AB authorized or accredited CAB involving unethical or fraudulent activities, the Cyber AB CEO is notified.
  3. In conducting the investigation, the Compliance Officer may seek assistance from other Cyber AB employees, assessors, experts, committee members, or other interested parties, as appropriate and necessary.
  4. The Cyber AB investigation may include one or more of the following:
    1. Request for additional information from the accused in the form of interviews and/or additional documentation, records or artifacts.
    2. If it is against a Cyber AB authorized or accredited CAB, a request for their own internal investigation and the resulting information.
    3. A "for cause" assessment to focus specifically on the complaint and the circumstances surrounding it.
  5. The Cyber AB will provide periodic updates on the status of the investigation to the complainant.
  6. Upon the conclusion of the investigation, the investigator shall document a recommendation on whether the complaint has merit, in part or in full, and where applicable, a recommended corrective action.
  7. For general complaints, the recommendation is forwarded to the CEO for review and final recommendations.
  8. Complaints involving accusations of unethical, fraudulent, or illegal activity are forwarded to the Cyber AB Ethics & Compliance Committee for review and disposition.

6. Adjudication

  1. The appropriate reviewing party reviews the complete complaint package containing all the information discovered during the investigation and makes their recommendation (e.g. concur with, modify or reject with qualification and alternate recommendation).
  2. The Compliance Officer is notified of the final decision.

7. Closeout and Notification

  1. The Compliance Officer provides the final determination to the complainant and the accused.
  2. The Compliance Officer will report the outcome of completed investigations involving alleged violations of the CoPC to DoD in writing within 15 business days.
  3. If the final determination requires corrective action from a Cyber AB CAB, they are notified at this time and provided:
    1. Specific corrective actions that must be implemented;
    2. The timeframe within which the corrective actions must be implemented;
    3. Details on how the CAB will show corrective actions have been completed; and
    4. Ramifications for not implementing corrective actions within the specified time frame.
  4. Any corrective actions required of Cyber AB staff are handled through company HR policies and procedures.

8. Follow-up and Monitoring

  1. The Compliance Officer shall follow up on the complaint to ensure that any corrective actions have been completed.
  2. Complaints are considered closed when all conditions for closure are met or when the prescribed ramification actions are taken by The Cyber AB to address the conditions that have not been met.
  3. All complaints are reviewed annually as a part of the Cyber AB’s management review process.

9. Appeals

  1. Individuals and organizations subject to decisions by the Ethics and Compliance Committee will have 21 days from the date of the decision to file an appeal. Appeals will be received, considered, and adjudicated in accordance with The Cyber AB’s Appeals Process.
  2. All appeals rendered by The Cyber AB’s Ethics and Compliance Committee are final.

10. Review/Revision History

Revision | Description of Change | Approved By | Publish Date
