Free CMMC-CCA Practice Test Questions 2026

343 Questions


Last Updated On : 27-Apr-2026


Facing the Certified CMMC Assessor (CCA) Exam in 2026 is challenging, but preparing with the right tools makes all the difference. Our CMMC-CCA practice test isn't just another set of questions. It's your strategic advantage for conquering the certification. Candidates who complete our CMMC-CCA practice questions are approximately 35% more likely to pass the exam on their first attempt compared to those who study without realistic Certified CMMC Assessor (CCA) Exam practice exams. This isn't coincidence. It's the power of effective preparation.

Topic 1: Assessing CMMC Level 2 Practices

In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Where can you find information about a cryptographic module's current FIPS 140 validation status?


A. NIST CMVP


B. FedRAMP Marketplace


C. NIST CSRC


D. FIPS 140-2 documentation





A.
  NIST CMVP

During your assessment of CA.L2-3.12.3 – Security Control Monitoring, the contractor’s CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. Can the contractor place practice CA.L2-3.12.3 – Security Control Monitoring under a POA&M if unimplemented or not fully met?


A. No, the practice cannot be placed on a POA&M


B. Yes, for some aspects


C. More information is required to make determination


D. Yes, for all aspects





A.
  No, the practice cannot be placed on a POA&M

A defense contractor retains your services to assess their information systems for CMMC compliance, particularly configuration management. The contractor uses CFEngine 3 for automated configuration and maintenance of its computer systems and networks. While chatting with the network’s system admins, you realize they have deployed a modern compliance checking and monitoring tool. However, when examining their configuration management policy, you notice the contractor uses different security configurations than those recommended by product vendors. The system administrator informs you they do this to meet the minimum configuration baselines required to achieve compliance and align with organizational policy. Based on your understanding of the CMMC Assessment Process, how would you score CM.L2-3.4.2 – Security Configuration Enforcement if the contractor is tracking it in a POA&M?


A. Not Met


B. Need more information to score this practice


C. Met


D. Not Applicable





A.
  Not Met

An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper and microfilm, and digital media including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access, governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. Based on the scenario, how would you score the contractor's implementation of CMMC practice MP.L2-3.8.1 – Media Protection?


A. Partially Met


B. Not Applicable


C. Not Met


D. Met





D.
  Met

During your assessment of CA.L2-3.12.3 – Security Control Monitoring, the contractor’s CISO informs you that they have established a continuous monitoring program to assess the effectiveness of their implemented security controls. When examining their security planning policy, you determine they have a list of automated tools they use to track and report weekly changes in the security controls. The contractor has also established a feedback mechanism that helps them identify areas of improvement in their security controls. Chatting with employees, you understand the contractor regularly invites resource persons to train them on the secure handling of information and identifying gaps in security controls implemented. You would rely on all of the below evidence to assess the contractor’s implementation of CA.L2-3.12.3 – Security Control Monitoring, EXCEPT?


A. Records/logs of monitoring activities over time


B. Customer feedback on the contractor's security measures


C. Reports or dashboards from the monitoring activities


D. The contractor’s security monitoring policies and procedures





B.
  Customer feedback on the contractor's security measures

You have been sent to assess an OSC’s implementation of CMMC practices, one of which is AC.L2-3.1.11 – Session Termination. You expect to find the following items when examining the contractor’s list of conditions or trigger events requiring session termination, EXCEPT?


A. Time-of-day restrictions on system use


B. Organization-defined periods of user inactivity


C. Pre-approved user activity for specific functionalities


D. Targeted responses to certain types of incidents





C.
  Pre-approved user activity for specific functionalities

Any user that accesses CUI on system media should be authorized and have a lawful business purpose. While assessing a contractor's implementation of MP.L2-3.8.2 – Media Access, you examine the CUI access logs and the roles of employees. Something catches your eye: the ID of an employee listed as terminated regularly accesses CUI remotely. Walking into the contractor's facilities, you observe the janitor cleaning an office where documents marked CUI are visible on the table. Interviewing the organization's data custodian, they inform you that the media storage procedure is augmented by a physical protection and access control policy. Based on the scenario and the requirements of CMMC practice MP.L2-3.8.2 – Media Access, which of the following actions would be the highest priority recommendation for the contractor?


A. Conduct additional training for employees on handling CUI materials


B. Develop and implement a process for timely disabling or revoking access to CUI upon employee termination


C. Implement a system for logging and monitoring all access attempts to CUI resources


D. Invest in more sophisticated access control technology for their systems





B.
  Develop and implement a process for timely disabling or revoking access to CUI upon employee termination
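The finding in this scenario came from comparing access logs against the list of terminated employees. The script below is an added example, not code from the original page or from any assessment tool: it cross-checks constructed CUI access log lines against a constructed HR termination feed and flags every access that happened after the account should have been disabled. The log line format (timestamp, user, action, resource, source IP) and the 10.0.0.0/8 "internal" range are assumptions for the example.

```python
"""Added example (not part of the original practice-test page): cross-check CUI
access records against an HR termination feed to find the kind of
post-termination access the scenario describes.

Both inputs are constructed for this example. The access-log line format
(timestamp user action resource source_ip) is hypothetical; real systems
need their own parser. The "internal" address range is an assumption."""
import ipaddress
from datetime import datetime, timezone

# Constructed HR feed: user_id -> termination timestamp (UTC). Access after this
# moment should have been impossible if de-provisioning was timely.
TERMINATED = {
    "jdoe": datetime(2025, 11, 30, 17, 0, tzinfo=timezone.utc),
    "mlee": datetime(2026, 1, 15, 17, 0, tzinfo=timezone.utc),
}

# Assumed corporate address space; anything else is treated as remote access.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed CUI access log lines in the hypothetical format described above.
ACCESS_LOG = """\
2026-02-03T08:15:22Z jdoe READ cui/drawings/part-117.pdf 203.0.113.45
2026-02-03T09:02:10Z asmith READ cui/drawings/part-117.pdf 10.0.0.12
2026-02-04T22:41:05Z jdoe WRITE cui/specs/rfp-221.docx 203.0.113.45
2025-11-20T10:00:00Z mlee READ cui/specs/rfp-221.docx 10.0.0.31
2026-02-05T07:30:00Z mlee READ cui/specs/rfp-221.docx 198.51.100.7
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a UTC datetime."""
    ts, user, action, resource, src = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"time": when, "user": user, "action": action,
            "resource": resource, "src": src}


def is_remote(src):
    """True when the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def find_post_termination_access(log_text, terminated):
    """Return every access event by a terminated user that occurred after
    their termination time, tagged with whether it came from outside."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        term_time = terminated.get(ev["user"])
        if term_time is not None and ev["time"] > term_time:
            ev["remote"] = is_remote(ev["src"])
            ev["days_after_termination"] = (ev["time"] - term_time).days
            findings.append(ev)
    return findings


def summarize(findings):
    """Count findings per user, for the assessor's notes or a SIEM alert."""
    counts = {}
    for ev in findings:
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_post_termination_access(ACCESS_LOG, TERMINATED)
    for ev in hits:
        print(f"{ev['time'].isoformat()} {ev['user']} {ev['action']} "
              f"{ev['resource']} from {ev['src']} "
              f"({'remote' if ev['remote'] else 'internal'}, "
              f"{ev['days_after_termination']} days after termination)")
    print("per-user totals:", summarize(hits))
```

Note that mlee's access on 2025-11-20 is not flagged because it predates the termination date; only the three post-termination events are reported, all from addresses outside the assumed internal range. The same comparison, run on a schedule against the real identity store, is the kind of control the recommended de-provisioning process should be verified with.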

In ensuring it meets its mandates to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. How is Session Lock typically initiated?


A. Automatically, after a predefined period of inactivity


B. By the system administrator manually


C. Through user authentication processes


D. Only when manually triggered by the user before leaving their workstation





A.
  Automatically, after a predefined period of inactivity

You are performing an on-site assessment for a defense contractor that develops and manufactures embedded control systems for military drones. During your documentation review, you discover they have a System Security Plan (SSP) outlining a configuration management process. The SSP mentions the creation of baseline configurations for their drone control systems, but details are limited. You interview the IT manager responsible for configuration management. They explain they use a commercial configuration management tool to capture hardware and software configurations for the drone systems. They confirm that the baseline configurations include initial software versions but do not track firmware or network configurations. Additionally, while they update software versions through the tool, they do not have a documented process for reviewing and updating baseline configurations in response to security vulnerabilities or system modifications. Which of the following actions would be the MOST appropriate recommendation for the contractor to improve their compliance with CM.L2-3.4.1 – System Baselining?


A. Developing and documenting a process for reviewing baseline configurations periodically and updating them to reflect changes in firmware versions, network topology, and security risks


B. Instruct IT personnel to update baseline configurations whenever a new software version is deployed


C. Replace their commercial configuration management tool with a different solution


D. Increase the frequency of software updates for the drone control systems





A.
  Developing and documenting a process for reviewing baseline configurations periodically and updating them to reflect changes in firmware versions, network topology, and security risks

You are on-site with an Assessment Team at a medium-sized organization. When discussing how they protect their company's information from malware, spyware, etc., the administrator you are interviewing offers to show you the entire process from start to finish since she had that on her to-do list for the day. She opens the machine, turns it on, and installs what she says is anti-malware software. She also demonstrates how their deployed Next Generation Firewall (NGFW) works. You have never heard of this software, so you ask her where it was purchased. You later learn it is an open-source solution. Based on the scenario and the requirements of CMMC practice SI.L2-3.14.6 – Monitor Communications for Attacks, what is your likely determination?


A. Find the OSC's implementation as partially Met as they are achieving several objectives required of this practice


B. Fail the OSC's implementation of the practice


C. Find the OSC's implementation of the practice as Met


D. Request for more information





D.
  Request for more information

A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following is NOT an assessment method for MP.L2-3.8.5 – Media Accountability?


A. Testing mechanisms supporting or implementing media storage and media protection


B. Examining designated controlled areas


C. Interviewing organizational processes for storing media


D. Examining procedures addressing media storage and access control policy





C.
  Interviewing organizational processes for storing media

You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory – a privileged function. How should execution of the debugging permission be handled to align with AC.L2-3.1.7 – Privileged Functions?


A. Require it to generate an email alert


B. Perform automatic termination of the action


C. Implement geo-IP blocking on the workstation


D. Ensure it is logged to the central SIEM system





D.
  Ensure it is logged to the central SIEM system
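AC.L2-3.1.7 requires that the execution of privileged functions be logged, and the scenario's evidence was a workstation event log showing a developer enabling a debug privilege. The script below is an added example, not code from the original page or from any vendor product: it reviews constructed Windows Security audit records shaped after Event ID 4703 ("A user right was adjusted") and 4673 ("A privileged service was called"), keeps the records that enable or exercise a sensitive privilege such as SeDebugPrivilege, and turns the ones performed outside the admin role into a JSON alert of the kind a central SIEM should hold. The event values, hostnames, accounts and the "Admin_Roles" membership are all assumptions.

```python
"""Added example (not part of the original practice-test page): review Windows
Security audit records for privileged-function use of the kind in the
scenario (a developer enabling SeDebugPrivilege) and produce the alert an
assessor would expect to find in the central SIEM.

The records below are constructed. Their field names follow the data names
used by Windows Event ID 4703 ("A user right was adjusted") and 4673
("A privileged service was called"), but the values, hosts and accounts are
invented. The "Admin_Roles" membership list is likewise an assumption."""
import json

# Rights Windows treats as sensitive; SeDebugPrivilege is the one that lets a
# process read protected kernel and process memory.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
}

# Assumed membership of the "Admin_Roles" group from the scenario.
ADMIN_ROLES = {"itadmin1", "svc_backup"}

# Constructed audit records. Windows lists several privileges in one field
# separated by newlines and tabs, which is why privileges_in() splits on
# whitespace.
EVENTS = [
    {"EventID": 4703, "Computer": "DEVWS-07", "SubjectUserName": "dev01",
     "ProcessName": r"C:\Tools\windbg.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4673, "Computer": "DEVWS-07", "SubjectUserName": "dev01",
     "ProcessName": r"C:\Tools\windbg.exe", "PrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4703, "Computer": "BKP-01", "SubjectUserName": "svc_backup",
     "ProcessName": r"C:\Windows\System32\wbengine.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "Computer": "DEVWS-09", "SubjectUserName": "dev02",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeChangeNotifyPrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4624, "Computer": "DEVWS-09", "SubjectUserName": "dev02"},
]


def privileges_in(event):
    """Return the set of privileges an event enabled (4703) or exercised (4673)."""
    raw = event.get("EnabledPrivilegeList") or event.get("PrivilegeList") or ""
    return {p for p in raw.split() if p != "-"}


def privileged_function_events(events):
    """Every record that enabled or used a sensitive privilege, whoever did it.
    This is the audit trail AC.L2-3.1.7 expects to exist for all users."""
    return [e for e in events
            if e.get("EventID") in (4703, 4673)
            and privileges_in(e) & SENSITIVE_PRIVILEGES]


def non_admin_privilege_use(events, admins):
    """Subset of the trail where the actor is outside the admin role: the
    records that should raise an alert in the SIEM."""
    return [e for e in privileged_function_events(events)
            if e["SubjectUserName"] not in admins]


def to_siem_alert(event):
    """Shape one record as a JSON alert (constructed schema) for forwarding."""
    return json.dumps({
        "rule": "privileged-function-outside-admin-role",
        "host": event["Computer"],
        "user": event["SubjectUserName"],
        "event_id": event["EventID"],
        "process": event["ProcessName"],
        "privileges": sorted(privileges_in(event) & SENSITIVE_PRIVILEGES),
    }, sort_keys=True)


if __name__ == "__main__":
    for e in non_admin_privilege_use(EVENTS, ADMIN_ROLES):
        print(to_siem_alert(e))
```

Two caveats an assessor would check before accepting the workstation log as evidence: these events only exist if the relevant audit subcategories are enabled (Audit Sensitive Privilege Use for 4673, Audit Authorization Policy Change for 4703), and 4703 is noisy because system processes adjust privileges constantly, so the filter to a sensitive-privilege list is what makes the trail reviewable. The trail must also actually be forwarded; a log that lives only on the developer's workstation does not satisfy the central logging the answer calls for.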


Page 1 out of 29 Pages

What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before Certified CMMC Assessor (CCA) Exam exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam question pool covering all topics, the real exam feels like just another practice session.