CMMC Level 2 Certification Appeals Policy
Version 1.3.1 | As of 23 February 2025
1. Purpose
1.1. The purpose of this policy is to implement the Cybersecurity Maturity Model Certification (CMMC) Level 2 Certification Appeals requirements and related process for Peak InfoSec.
2. Scope
2.1. This policy applies to all Peak InfoSec staff who are involved in formal CMMC Level 2 Certification Assessments.
3. References
- 32 CFR PART 170—Cybersecurity Maturity Model Certification (CMMC) Program
- 32 CFR Part 2002 – Controlled Unclassified Information (CUI)
- International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 17020:2012(E), Conformity assessment — Requirements for the operation of various types of bodies performing inspection
- 48 CFR §52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information
- NIST SP 800-171A Revision 3, Assessing Security Requirements for Controlled Unclassified Information
- Cybersecurity Maturity Model Certification (CMMC) Model
- CyberAB CMMC Assessment Process (CAP)[1]
- Cyber AB Code of Professional Conduct (CoPC)[2]
[1] Cf. https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf?ver=fEk1pUK1Fg26fVtopxv_DA%3d%3d
[2] Cf. https://cyberab.org/Portals/0/CMMC%20Code%20of%20Professional%20Conduct%20v2.0.pdf?ver=krReGtXNbAyo2Q0LySqazg%3d%3d
4. Roles & Responsibilities
Role | Responsibilities |
Chief Executive Officer | |
Executive Certification Panel (ECP) | |
General Counsel | |
Lead CMMC Certified Assessor (LCCA) and assessment team members | |
Quality Assurance Representative (QAR) | |
CyberAB | |
5. POLICY
5.1. Key Definitions:
5.1.1. APPEAL: A request by the provider of the item of inspection to the inspection body for reconsideration by that body of a decision it has made relating to that item.
5.1.2. ASSESSMENT PERIOD: The time from when the OSC provides their final set of artifacts at the start of Phase II or Phase IV of an assessment for the C3PAO’s examination until the C3PAO completes all necessary Headquarters and secondary site surveys. The assessment period does not include the Security Requirement re-evaluation window specified in §170.17(c)(2).
5.1.3. CERTIFICATION ASSESSMENT: Formal terminology for the inspection of an OSC’s compliance with applicable guidance.
5.1.4. COMPLAINT: An expression of dissatisfaction, other than an appeal, by any person or organization to an inspection body, relating to the activities of that body, where a response is expected.
5.1.5. ERROR: A mistake committed by an Assessor or Lead Assessor such as improperly interpreting the assessment guides or incorrectly recording or interpreting evidence provided by the OSC.
5.1.6. UNPROFESSIONAL CONDUCT: Actions and behavior that violate the standards of the Cyber AB’s Code of Professional Conduct Guiding Principles.[3]
5.2. Complaints
5.2.1. Complaints for errors and unprofessional conduct are handled via Peak InfoSec’s Complaint Policy.
5.2.2. All appeals must be submitted as a complaint first, and where they cannot be resolved, the complaint will be addressed per this policy as an appeal.
5.3. Appeals Resolution Administrative Requirements
5.3.1. A copy of this policy shall be made available to all OSCs at the kickoff meeting and to any interested party upon request.
5.3.2. Peak InfoSec’s CMMC Conformity Assessments Team site and related CMMC Conformity Assessment Appeals SharePoint list are the only authorized repositories for tracking and recording appeals, including actions undertaken to resolve appeals until applicable appeal data is entered into CMMC Enterprise Mission Assurance Support Service (eMASS).
5.3.3. All appeals submitted by an OSC to Peak InfoSec shall be reviewed and approved by the ECP.
5.3.4. Reassessments and decisions on submitted appeals shall not result in any discriminatory actions against any individual or OSC filing the appeal.
5.3.5. Determination of whether the OSC submits within a 21-calendar day window shall be calculated from the date/time the out brief concluded to the date/time Peak InfoSec received the email per the SMTP header information.
5.4. CEO Organizational Conflict of Interest (OCI)
5.4.1. When the CEO of Peak InfoSec serves as the Lead Assessor on an assessment, it is an OCI for the CEO to also adjudicate appeals from that assessment.
5.4.2. Should an appeal occur where the CEO of Peak InfoSec was the Lead Assessor of that assessment, a Certified Assessor from an external C3PAO that is not subject to a Conflict of Interest shall serve as the QAR and adjudicator for the appeal. The cost of hiring the Certified Assessor to act as the QAR shall be paid by the party losing the appeal.
5.5. Applicability of Other Policies
5.5.1. This document is part of Peak InfoSec’s security policies. Other policies may apply to the topics covered in this document and, as such, the applicable policies should be reviewed as needed.
6. APPEAL PROCEDURE
The following procedure shall be followed by the Conformity Assessment Team.
6.1. At the Kick-off Meeting
6.1.1. The QAR shall use the PowerPoint slides in the CMMC Conformity Assessments Team site to inform the OSC about their rights, reasons for submission, and timelines associated with an appeal.
6.1.2. The QAR shall ensure the OSC knows to submit to the CMMC Appeals shared mailbox ([email protected]) the following information:
6.1.2.1. CMMC Conformity Assessment Identification #
6.1.2.2. Reason for Appeal (Malfeasance, Unethical Behavior, or Error on behalf of the Authorized C3PAO or the assessors)
6.1.2.3. Summary of why the appeal is being submitted
6.1.2.4. Point of contact name, phone number and e-mail
6.1.3. The QAR shall validate the OSC has a copy of this policy.
6.2. Appeal Handling Procedure
6.2.1. Upon receipt of an appeal:
6.2.1.1. Peak InfoSec shall respond to the OSC within 1 business day, where the response:
6.2.1.1.1. Acknowledges receipt of the appeal submission;
6.2.1.1.2. Validates that the submission occurred within the 21-calendar day window; and,
6.2.1.1.3. Where the submission has occurred within the twenty-one-calendar day window, identifies the QAR and their contact information.
6.2.1.2. The appeal and a copy of the original message shall be entered into the CMMC Conformity Assessments Team > CMMC Conformity Assessment Appeals SharePoint list for tracking.
6.2.1.3. A private channel for the appeal shall be created and restricted to the QAR and executive staff.
6.2.2. Handling of Appeals during the Assessment Period or Security Requirement Re-evaluation Window [1]
6.2.2.1. The LCCA and QAR shall present the Appeal to the ECP.
6.2.2.2. The ECP shall determine if the appeal warrants halting an active assessment.
6.2.2.3. If the ECP determines that an active assessment is to be halted, the CEO shall notify the OSC’s point of contact within one (1) business day via email and virtual meeting if possible.
6.2.3. Appeal Project Change Request
6.2.3.1. The QAR shall estimate the amount of time involved and other related costs (e.g., travel, legal fees, etc.) to investigate and adjudicate the submission.
6.2.3.2. The QAR shall submit the estimate to the Chief Business Officer to initiate a Project Change Request (“PCR”) to the OSC’s Certification Assessment contract.
6.2.3.3. The OSC must provide payment for all fees associated with the PCR before an appeal will be initiated by Peak InfoSec. The fees paid by the OSC shall be held in retainer by the C3PAO and applied as set forth in Section 6.5 of this Policy.
6.2.3.4. The Chief Business Officer will notify the QAR when the PCR is approved and the C3PAO has received the OSC’s retainer.
6.2.4. Appeal Investigation
6.2.4.1. The appeals investigation shall ONLY proceed upon the completion of 6.2.3.3.
6.2.4.2. Update CMMC eMASS to reflect an appeal has been submitted.
6.2.4.3. The lead investigator shall conduct a re-evaluation in coordination with the OSC.
6.2.4.3.1. The investigation may include a review of the OSC’s previously provided evidence which has been hashed by the OSC, and consultations with the original assessment team and OSC personnel as required.
6.2.4.3.2. All hashed artifacts, interview notes, and other collateral shall be maintained in the private Team channel.
6.2.4.3.3. The lead investigator shall provide updates to the OSC and the executive team NLT close of business on Wednesdays and Fridays until the investigation completes.
6.2.4.4. Within 21 calendar days, the investigator shall complete their re-evaluation and provide the adjudication decision to the OSC.
6.2.4.5. Simultaneously, the following information shall be uploaded to CMMC eMASS:
6.2.4.5.1. Any amendments to its original assessment report based upon the findings of its re-evaluation
6.2.4.5.2. Name of team lead conducting the re-evaluation in support of the appeal
6.2.4.5.3. The outcome of the appeal
6.2.4.5.4. The C3PAO approving authority for reevaluation and the outcome of the appeal
6.3. At the Final Out Brief
6.3.1. The QAR shall reiterate paragraphs 6.1.1 and 6.2.2 in the out brief.
6.3.2. Inform the OSC of their right to appeal the determination to The Cyber AB per The Cyber AB appeal procedure.
6.4. Appeals to The Cyber AB
6.4.1. An OSC may submit appeals to The Cyber AB by using The Cyber AB process at https://cyberab.org/Resources/Policies/Appeals-Process.
6.4.2. Appeals submitted to The Cyber AB prior to completing Peak InfoSec’s Appeal Procedure shall initiate the Appeal Procedure upon notification by The Cyber AB.
6.5. Upon final determination of the Appeal:
6.5.1. The ECP shall notify the Chief Business Officer of the results. If the results are:
6.5.1.1. Substantiated: The Chief Business Officer shall return the fees held in retainer to the OSC.
6.5.1.2. Mutually Caused: The Chief Business Officer shall return the fees held in retainer to the OSC.
6.5.1.3. Unsubstantiated: The Chief Business Officer shall not return the retainer provided by the OSC.
6.6. Post-Appeal Reviews
6.6.1. Where the appeal results in a substantiated or mutually caused finding, the investigator shall:
6.6.1.1. Conduct an internal review of policies, procedures, and practices;
6.6.1.2. Identify potential corrective actions; and
6.6.1.3. Brief recommended finding and corrective actions to the ECP.
6.6.2. The ECP shall evaluate recommended corrective actions and implement as they deem appropriate.
[1] Cf. 32 CFR 170.17(c)(2) (https://www.ecfr.gov/current/title-32/part-170#p-170.17(c)(2))
7. ENFORCEMENT
7.1. The ECP will verify Peak InfoSec’s compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
8. EXCEPTION TO POLICY
8.1. Only the CEO is authorized to approve or deny Exception to Policy requests for this policy.
9. NON-COMPLIANCE
9.1. An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
9.2. Contractors are subject to having access to all Peak InfoSec Information systems removed, and the contractor’s firm contacted for replacement.
10. REVISION HISTORY
Date | Document Version | Document Revision Description and Rationale | Revision Author / Approver |
18 May 2022 | 1.0 | | M. Titcombe |
13 April 2023 | 1.1 | | M. Titcombe |
20 October 2024 | 1.2 | | M. Titcombe |
20 December 2024 | 1.2.1 | | M. Titcombe |
27 December 2024 | 1.2.2 | | M. Titcombe |
16 February 2025 | 1.3 | | M. Titcombe, J. Goepel |
23 February 2025 | 1.3.1 | | M. Titcombe, J. Goepel |
11. POLICY TO COMPLIANCE FRAMEWORK MAPPING
Para # | NIST SP 800-171 | Non-Federal Organization Controls | NIST SP 800-53 | ISO 27000:2022 | ISO 27000:2013 |