Honest question about mock assessments
Is anyone else at least a little bothered that the same C3PAO can do a “mock” CMMC L2 assessment and then turn around and do the official assessment?
The Cyber AB’s Code of Professional Conduct says it’s fine as long as the mock is “non-certification,” strictly follows the assessment procedures, and the C3PAO gives zero remediation advice. The moment they help you fix anything, it becomes “consulting,” and they’re supposed to be banned from certifying you for 3 years.
And wouldn’t it be awkward to pass the mock and then be failed by the same C3PAO (awkward for the C3PAO and for the OSC)?
u/ResilientTechAdvisor — 4 days ago