An organization seeking help to address security gaps, such as physical access control deficiencies, needs a certified professional who can provide implementation support without being involved in the actual CMMC assessment.
A Registered Practitioner (RP) is a CMMC-certified individual who provides consulting and implementation support to organizations but does not perform assessments.
RPs work independently from C3PAOs and can assist in fixing gaps in security controls before or after an assessment.
Since RPs are not assessors, they can provide direct remediation support without any conflict of interest.
The OSC needs assistance in implementing security controls (not assessment).
An RP is trained and authorized to provide remediation and advisory services.
Conflict of interest rules prevent the assessing C3PAO from providing implementation support.
A. CCA of the C3PAO performing the assessment (Incorrect)
A Certified CMMC Assessor (CCA) is responsible for conducting the assessment only.
The C3PAO performing the assessment cannot also provide remediation due to a conflict of interest.
C. Practitioner of the Organization Performing the Assessment LTP (Incorrect)
The assessment Lead Technical Practitioner (LTP) cannot provide remediation support for an OSC they are assessing.
D. DoD Contract Official of the Organization Performing the Assessment (Incorrect)
DoD Contract Officials oversee contract compliance but do not provide cybersecurity implementation support.
The correct answer is B. RP of an organization not part of the assessment, as only independent RPs can assist with remediation and implementation support.
References: CMMC 2.0 Registered Practitioner (RP) Program; CMMC Code of Professional Conduct (CoPC) Conflict of Interest Policy; CMMC 2.0 Assessment Process (CAP) Guide