Free CMMC-CCA Practice Test Questions 2026

343 Questions


Last Updated On: 27-Apr-2026


Topic 2: CMMC Assessment Process (CAP)

During a CMMC Level 2 assessment, an OSC receives a Conditional Certification with several practices placed on a Plan of Action and Milestones (POA&M). After implementing corrective actions, the OSC requests the Assessment Team to conduct a POA&M Close-Out Assessment. Which of the following is the correct action for the Team’s Lead Assessor during the POA&M Close-Out Assessment?


A. Recommend the organization for CMMC Level 2 Final Certification if all POA&M items are fully implemented and do not limit the effectiveness of other practices scored as 'MET' during the initial assessment.


B. Recommend the organization for CMMC Level 2 Final Certification if all POA&M items have been fully implemented and meet the required criteria.


C. Recommend the organization for CMMC Level 2 Final Certification regardless of the POA&M items’ impact on other practices.


D. Recommend the organization reapply for CMMC Level 2 Certification, even if all POA&M items are fully implemented.





A.
  Recommend the organization for CMMC Level 2 Final Certification if all POA&M items are fully implemented and do not limit the effectiveness of other practices scored as 'MET' during the initial assessment.

John, a CCA, has been assigned by his C3PAO to conduct a CMMC assessment for an OSC. During the assessment, John notices that the OSC’s security practices leave much to be desired. After speaking with the OSC’s IT staff, John offers to connect them with a vendor he knows who sells a vulnerability management tool that could address some of their weaknesses. According to the CMMC CoPC, which of the following best describes John’s actions?


A. John acted appropriately by trying to help the OSC improve its security posture.


B. John did not show respect for intellectual property.


C. John’s actions were deemed acceptable since he did not directly profit from connecting the OSC with the vendor.


D. John violated the principles of professionalism and objectivity by soliciting business for a third-party vendor while serving on the Assessment Team.





D.
  John violated the principles of professionalism and objectivity by soliciting business for a third-party vendor while serving on the Assessment Team.

You are the Lead Assessor for a CMMC Assessment engagement with an OSC for CMMC Level 2. The OSC has provided you with their proposed CMMC Assessment Scope, which includes a network schematic diagram, their SSP, relevant policies, and organizational charts. During your review of the documentation, you notice they have excluded a subsidiary company’s network and assets from the proposed CMMC Assessment Scope despite the subsidiary being involved in handling CUI related to federal contracts. During the review of the OSC’s proposed CMMC Assessment Scope, you notice that the OSC has included assets and networks that are not involved in handling CUI or related to federal contracts. What should be your course of action?


A. Accept the proposed scope as is, since the OSC has the initial responsibility to establish the CMMC Assessment Scope.


B. Terminate the Assessment engagement due to the OSC’s failure to establish an accurate CMMC Assessment Scope.


C. Request the OSC to remove the irrelevant assets and networks from the proposed scope.





C.
  Request the OSC to remove the irrelevant assets and networks from the proposed scope.

You are a Lead Assessor working with your C3PAO to conduct a CMMC Assessment for an OSC. During the preparation and planning phase, you meet with the OSC’s Assessment Official to identify the resources and schedule for the upcoming assessment. Together, you review the OSC’s pre-assessment information to estimate the level of effort required. You then collaborate to determine the specific resources needed, including the Assessment Team members, facilities, and any support personnel from the OSC. You also discuss scheduling factors like duration, key activities, and potential constraints. Based on these discussions, you develop a Rough Order of Magnitude (ROM) cost estimate and a proposed daily schedule for the assessment activities. Which of the following is not a requirement when identifying resources and schedules?


A. Documenting the names and roles of all assessment participants.


B. Recording the facilities to be used and their configurations.


C. Negotiating the pricing structure of the contract with the OSC.


D. Identifying potential triggers for replanning or updating the assessment plan.





C.
  Negotiating the pricing structure of the contract with the OSC.

You are part of the Assessment Team assessing a small defense contractor. You learn that the contractor (ABC Manufacturing) outsources parts of its IT infrastructure and cybersecurity services to a reputable Managed Services Provider (MSP). During a CMMC assessment, the contractor’s Assessment Official claims that several CMMC practices related to system security and monitoring are inherited from the MSP. Which of the following actions should the Lead Assessor take?


A. Automatically accept the contractor’s claim and score the inherited practices as ‘MET’ without further evaluation.


B. Recommend that the OSC implement the inherited practices internally, as inheriting from external providers is not allowed.


C. Score the inherited practices as ‘NOT MET’ and require ABC Manufacturing to implement them internally.


D. Request evidence from the MSP to verify that their services meet the assessment objectives for the inherited practices and are applicable to ABC Manufacturing’s in-scope assets.





D.
  Request evidence from the MSP to verify that their services meet the assessment objectives for the inherited practices and are applicable to ABC Manufacturing’s in-scope assets.

You are the Lead Assessor of the Assessment Team conducting a CMMC Level 2 assessment for an OSC. You have completed the first phase of the assessment process, which included the assessment kickoff meeting. Now, you are moving into the second phase, which involves collecting and examining evidence to determine the OSC’s compliance with the CMMC practices. During the evidence collection phase, you need to examine the OSC’s policies and procedures related to the CMMC practice AC.L2-3.1.5 – Least Privilege. Which of the following would be an appropriate source of evidence for this practice?


A. Testing the OSC’s Role-Based Access Control (RBAC) and Privilege Access Management (PAM) tools.


B. Observing the system administrators as they configure the systems.


C. Examining the organization’s system configuration documentation.


D. Interviewing the system administrators about their daily activities.





C.
  Examining the organization’s system configuration documentation.

A CCA is conducting a CMMC assessment and notices that the OSC’s evidence includes a policy document that is outdated by two years. The OSC insists that the policy is still in effect, but staff interviews indicate that newer, undocumented procedures are being followed. How should the CCA handle this situation?


A. Accept the outdated policy as evidence since the OSC claims it is still in effect.


B. Document the discrepancy between the policy and actual procedures and assess based on all available evidence.


C. Reject the policy document outright and score the practice as "NOT MET."


D. Request the OSC to update the policy document before proceeding with the assessment.





B.
  Document the discrepancy between the policy and actual procedures and assess based on all available evidence.

During an assessment, you learn that a cybersecurity firm helped the OSC prepare for the assessment. In an attempt to learn more about this firm, the OSC POC gives you their name. Performing a quick search, you learn they aren’t listed in the Cyber AB marketplace. What should you do as the Lead Assessor?


A. Ignore it and continue with the assessment.


B. Confront the RPO about this unethical behavior.


C. Discontinue the assessment.


D. Inform the OSC that the RPO isn’t registered and report this to Cyber AB through your C3PAO.





A.
  Ignore it and continue with the assessment.

You are a CCA working for a C3PAO that has entered into a contractual agreement to provide CMMC assessment services for an OSC. After validating the evidence, the C3PAO feels that the task is beyond its capabilities and informs the OSC that it cannot continue with the assessment. The C3PAO cites “insufficient workforce” as the reason. What principle of the CMMC CoPC has the C3PAO broken?


A. Adherence to Materials and Methods


B. Information Integrity


C. Professionalism


D. Respect for Intellectual Property





C.
  Professionalism

The Daily Checkpoint meeting is a required component of the CMMC assessment process. It is conducted at the end of every day and includes the Assessment Team, Lead Assessor, OSC PoC, OSC Assessment Official, and other key personnel. This meeting helps ensure all of the following EXCEPT:


A. Data collection needs are being met.


B. Issues impacting the completion of the assessment are identified, mitigated, and resolved.


C. The C3PAO Assessment Team is comfortable.


D. The assessment is proceeding as planned.





C.
  The C3PAO Assessment Team is comfortable.

You are the Lead Assessor for a CMMC Level 2 Assessment of an OSC. During Phase 1 planning, the OSC’s Assessment Official informs you that several key personnel who manage the in-scope IT systems will be unavailable during the scheduled assessment dates due to a company-wide training event. The Assessment Official asks if the assessment can proceed with substitute personnel who are less familiar with the systems. What should you do?


A. Proceed with the assessment using the substitute personnel, as long as they can provide some information about the systems.


B. Agree to proceed but request that the OSC provide written documentation to compensate for the unavailable personnel.


C. Reschedule the assessment to a time when the key personnel are available, as their participation is critical for an accurate assessment.


D. Conduct the assessment virtually to accommodate the unavailable personnel.





C.
  Reschedule the assessment to a time when the key personnel are available, as their participation is critical for an accurate assessment.

Sarah, a Certified CMMC Assessor, is conducting an assessment for DataSecure, a cloud service provider that hosts various applications for the Defense Industrial Base (DIB). During the assessment, Sarah encounters a complex and highly specialized cloud architecture that leverages cutting-edge technologies such as containerization, serverless computing, and advanced security controls. As Sarah reviews the evidence provided by DataSecure for the relevant CMMC practices, she realizes that some of the evidence and implementations are unlike anything she has encountered in previous assessments. What is the most appropriate action for Sarah to take as a CCA in this scenario?


A. Request DataSecure to simplify their architecture and align with more traditional IT practices for easier evaluation.


B. Strictly adhere to a standardized assessment checklist, regardless of DataSecure’s unique architecture.


C. Defer the assessment until she can receive additional training on the specific technologies used by DataSecure.


D. Thoroughly research and understand DataSecure’s cloud architecture, seek clarification from subject matter experts, and evaluate the evidence within the context of their specialized environment.





D.
  Thoroughly research and understand DataSecure’s cloud architecture, seek clarification from subject matter experts, and evaluate the evidence within the context of their specialized environment.


What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive pool of CMMC-CCA practice exam questions covering all topics, the real exam feels like just another practice session.