CMMC Domains and Practices
An OSC seeking Level 2 certification wants to develop and launch a website for customers to purchase items online and submit contact forms. The OSC plans to host the web server in their own data center while also maintaining the security of their internal IT environment. Based on this information, what would be the BEST approach?
A. Relocate the server to a different office location to protect the OSC’s LAN
B. Configure a DMZ for an additional layer of security to the OSC’s LAN to host the publicly accessible server
C. Configure a firewall rule to only allow internal traffic to communicate with the server for an additional layer of security to the OSC’s LAN
D. Configure the server to protect against object reuse and residual information via shared system resources for an additional layer of security to the OSC’s LAN
Explanation:
Hosting a public-facing web server in the same network segment as internal systems processing CUI creates unacceptable risk. A DMZ (demilitarized zone) provides a separate, isolated network layer where the web server resides. This allows external users to access the website while preventing direct access to the internal LAN, following network segmentation best practices for CMMC.
Correct Option:
B — Configure a DMZ for an additional layer of security to the OSC’s LAN to host the publicly accessible server
A DMZ is the standard architectural pattern for publicly accessible servers. It uses firewalls to control traffic: external → DMZ (allowed), DMZ → internal (restricted), internal → DMZ (as needed). This protects CUI assets from a compromised web server and aligns with CMMC AC.L2-3.1.12 (monitor/control remote access) and SC.L2-3.13.13 (separate subnetworks).
Incorrect Options:
A — Relocate the server to a different office location to protect the OSC’s LAN
Incorrect. Physical relocation alone does not provide network segmentation. The server would still need network access and could be connected via VPN or WAN, creating similar risks. A different office without DMZ architecture still exposes the internal network if connected.
C — Configure a firewall rule to only allow internal traffic to communicate with the server
Incorrect. This does the opposite of what is needed. The web server must accept external (customer) traffic, not just internal traffic. Restricting to internal traffic only would make the website inaccessible to online customers. This rule misinterprets the requirement.
D — Configure the server to protect against object reuse and residual information via shared system resources
Incorrect. Object reuse protection (NIST 800-171 3.8.6) addresses memory/data remnants between processes/users. While a valid security control, it does nothing to protect the LAN from a publicly accessible server. This addresses an unrelated practice and ignores network architecture requirements.
Reference:
NIST SP 800-171 Rev 2, Requirement 3.13.13 (Separate subnetworks). CMMC Level 2 Practice SC.L2-3.13.13. See also CMMC Scoping Guidance – DMZ architecture for publicly accessible systems.
An OSC has a headquarters (HQ) site and satellite offices A and B. The two satellite offices are connected to the HQ through a VPN. CUI is stored within the HQ LAN room and used by staff at HQ and Site A. When categorizing assets for this assessment, assets at the HQ:
A. and Site A contain CUI assets and Site B is out of scope.
B. and Site A and Site B contain CUI assets since all have access to CUI.
C. contain CUI assets and Site A and Site B contain only Certification in Risk Management Assurance.
D. and Site A contain CUI assets and Site B contains only Certification in Risk Assurance.
Explanation:
CUI assets are defined as assets that process, store, or transmit CUI. In this scenario, CUI is stored at HQ and used by staff at HQ and Site A. Site B does not store, process, or transmit CUI—it only has VPN connectivity to HQ, which alone does not make it a CUI asset unless CUI actually flows to or through it.
Correct Option:
A — and Site A contain CUI assets and Site B is out of scope.
HQ contains the CUI storage (CUI asset). Site A staff actively use CUI, so Site A likely has CUI assets (workstations, perhaps local storage or transmission). Site B has no CUI activity described; VPN connectivity alone does not bring CUI assets into scope. Therefore, Site B can be scoped out if properly isolated.
Incorrect Options:
B — and Site A and Site B contain CUI assets since all have access to CUI.
Incorrect. VPN connectivity to HQ does not automatically mean Site B has or accesses CUI. The scenario states CUI is used at HQ and Site A only. Unless CUI is transmitted to or stored at Site B, Site B assets are not CUI assets. "Access" via VPN would need to be demonstrated.
C — contain CUI assets and Site A and Site B contain only Certification in Risk Management Assurance.
Incorrect. "Certification in Risk Management Assurance" is not a CMMC asset category. This appears to be a distractor term. The correct categories are CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Out-of-Scope Assets.
D — and Site A contain CUI assets and Site B contains only Certification in Risk Assurance.
Incorrect. Same issue as option C—"Certification in Risk Assurance" is not a valid CMMC asset classification. Site B, if it truly has no CUI flow, would be an Out-of-Scope Asset or possibly Contractor Risk Managed Asset, not a fictional certification category.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Asset Categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Out-of-Scope Assets). See also CMMC Assessment Guide, Determining Assessment Scope Based on CUI Flow.
During an assessment, the OSC IT security team provided documentation on how they use replay-resistant authentication to protect CUI. What can be used as a replay-resistant mechanism?
A. Encrypted messages
B. Biometric techniques
C. Requiring Transport Layer Security (TLS)
D. MFA devices to protect access for local users
Explanation:
A replay attack occurs when an adversary captures and retransmits valid authentication data (e.g., a password hash). Replay-resistant mechanisms ensure that captured authentication exchanges cannot be reused. Transport Layer Security (TLS) provides replay resistance through sequence numbers, timestamps, and unique session keys, preventing an attacker from replaying captured TLS handshake or application data.
Correct Option:
C — Requiring Transport Layer Security (TLS)
TLS includes anti-replay features: each TLS record contains a sequence number, and replay attempts are detected and rejected. TLS also uses unique session keys per connection. While TLS alone is not full authentication, it protects authentication exchanges in transit, making it a valid replay-resistant mechanism for network-based authentication.
Incorrect Options:
A — Encrypted messages
Incorrect. Encryption alone does not prevent replay. An attacker can capture an encrypted authentication message (e.g., an encrypted password) and replay it exactly as captured. Without timestamps, nonces, or sequence numbers, the receiving system cannot distinguish a replay from a legitimate message.
B — Biometric techniques
Incorrect. Biometrics (fingerprints, retina scans) authenticate identity but are not inherently replay-resistant. A captured biometric template or authentication response can be replayed if the system does not implement additional anti-replay measures (e.g., liveness detection, challenge-response). Biometrics alone do not guarantee replay resistance.
D — MFA devices to protect access for local users
Incorrect. Multi-factor authentication (MFA) devices improve authentication strength but are not automatically replay-resistant. A one-time password (OTP) from a hardware token is replay-resistant because it changes per use. However, "MFA devices" broadly (e.g., smart cards, biometric USB keys) may still be vulnerable to replay without proper protocol design (e.g., challenge-response).
Reference:
CMMC Level 2 Practice IA.L2-3.5.3 (Replay-resistant authentication mechanisms). NIST SP 800-171 Rev 2, Requirement 3.5.3. See also NIST SP 800-63B (Authentication and Lifecycle Management), TLS 1.3 RFC 8446 (Anti-replay features).
A CCA is asked to validate if an OSC has separated their systems containing CUI from other departments’ systems on their local network. Which of the following MUST the CCA assess?
A. Wide Area Network (WAN)
B. Virtual Private Network (VPN)
C. Virtual Local Area Network (VLAN)
D. Network Address Translation (NAT)
Explanation:
To validate whether systems containing CUI are separated from other departments' systems on the local network, the CCA must assess mechanisms that logically segment a single physical network. VLANs are the standard technology for creating isolated broadcast domains within a local network, allowing CUI systems to be separated from non-CUI systems without requiring separate physical switches.
Correct Option:
C — Virtual Local Area Network (VLAN)
VLANs partition a single physical LAN into multiple logical networks. The CCA would assess VLAN configurations (e.g., port assignments, trunking, access control lists between VLANs) to confirm that CUI systems are isolated from other departments' systems. VLANs directly address the "local network" separation requirement.
Incorrect Options:
A — Wide Area Network (WAN)
Incorrect. A Wide Area Network connects geographically dispersed locations (e.g., HQ to remote office). It is not a local network separation mechanism. Assessing WAN would evaluate cross-site connectivity, not separation of CUI systems from other departments within the same facility.
B — Virtual Private Network (VPN)
Incorrect. VPNs provide encrypted tunnels over untrusted networks (e.g., internet) for remote access or site-to-site connectivity. VPNs are not used to separate systems within the same local network. VPN assessment would address remote access security, not internal departmental separation.
D — Network Address Translation (NAT)
Incorrect. NAT translates IP addresses between private and public networks, primarily for internet routing and conservation of IPv4 addresses. NAT does not provide logical separation of systems within a local network. It does not prevent direct communication between departments on the same subnet.
Reference:
CMMC Level 2 Practice SC.L2-3.13.13 (Separate subnetworks for publicly accessible systems). NIST SP 800-171 Rev 2, Requirement 3.13.13. See also CMMC Assessment Guide, System and Communications Protection domain – VLANs for internal network segmentation.
A CCA is prohibited from doing which of the following?
A. Verifying key internal system boundaries
B. Determining if physically separated assets contain CUI
C. Ensuring the external system boundary is fully defined
D. Examining whether communications are monitored at the external system boundary
Explanation:
CMMC assessors are prohibited from accessing or verifying whether physically separated assets (e.g., assets in locked cages, separate buildings, or isolated networks) contain CUI if doing so would violate legal, privacy, or security boundaries or exceed assessment scope. Assessors rely on OSC declarations and scoping documentation rather than physically inspecting every separated asset.
Correct Option:
B — Determining if physically separated assets contain CUI
The CCA cannot independently determine or verify the presence of CUI on physically separated assets without proper authorization or if those assets are legitimately out-of-scope. CUI identification is the OSC’s responsibility via self-declaration and asset inventory. Assessors do not perform invasive searches of physically separated areas without explicit written consent and scope definition.
Incorrect Options:
A — Verifying key internal system boundaries
Incorrect. CCAs are required to verify internal system boundaries (e.g., between CUI and non-CUI networks) as part of scoping and practice assessment. This includes reviewing firewalls, VLANs, DMZs, and access control lists. Verification is permitted and necessary.
C — Ensuring the external system boundary is fully defined
Incorrect. Ensuring the external boundary (e.g., internet gateway, perimeter firewalls, remote access points) is fully defined is a standard and required assessment activity. The CCA reviews documentation, diagrams, and configurations to confirm boundary completeness.
D — Examining whether communications are monitored at the external system boundary
Incorrect. Examining monitoring at the external boundary (e.g., intrusion detection, log collection, traffic analysis) is a permitted and expected assessment method for practices like SI.L2-3.14.6 (Monitor security alerts) and AU.L2-3.3.1 (Audit log creation). This is a standard examine activity.
Reference:
CMMC CCA Code of Professional Conduct – Section on Scope Limitations and Prohibited Activities. CMMC Assessment Guide – Assessor Roles and Responsibilities. See also CMMC Scoping Guidance – OSC Declaration of CUI Locations.
During the Planning Phase of the Assessment Plan, the assessor determines that the Client will likely include sensitive and proprietary CUI. What should the assessor consider as part of their virtual data collection techniques for this information?
A. The Client is responsible for safeguarding the data during collection, not the assessor.
B. The assessor is responsible for safeguarding the data during collection, not the client.
C. The assessor should record the risks and mitigations to protect the CUI categories handled.
D. The client and assessor should record the risks and mitigations to protect the CUI categories handled.
Explanation:
When sensitive/proprietary CUI is involved during virtual data collection, both parties share responsibility. The assessor must document risks/mitigations as part of professional conduct and assessment planning, while the client must also document their expectations and protections. Collaboration ensures mutual understanding of handling, storage, transmission, and destruction requirements for collected CUI evidence.
Correct Option:
D — The client and assessor should record the risks and mitigations to protect the CUI categories handled.
Both parties must jointly agree on and document how CUI will be protected during virtual data collection (e.g., encrypted transmission, secure storage, access controls, data retention/deletion). This shared documentation becomes part of the assessment plan and protects both parties legally and operationally.
Incorrect Options:
A — The Client is responsible for safeguarding the data during collection, not the assessor.
Incorrect. Once CUI is transmitted to the assessor (e.g., via secure portal, email, or shared drive), the assessor assumes responsibility for safeguarding it per CMMC CCA Code of Conduct, federal contracts, and possibly NDAs. Responsibility is shared, not solely the client's.
B — The assessor is responsible for safeguarding the data during collection, not the client.
Incorrect. The client retains responsibility for CUI within their environment even during collection. The assessor cannot unilaterally assume all responsibility. Both parties have obligations—client for secure transmission and access provisioning, assessor for secure handling post-receipt.
C — The assessor should record the risks and mitigations to protect the CUI categories handled.
Incomplete. While the assessor documents risks/mitigations, excluding the client from this process is insufficient. The client must participate in identifying risks specific to their CUI and agree to mitigations. One-sided documentation lacks mutual accountability and may miss client-specific concerns.
Reference:
CMMC CCA Code of Professional Conduct – Section on Data Protection and Confidentiality. CMMC Assessment Guide – Planning Phase, Virtual Assessment Considerations. See also DFARS 252.204-7012 (Safeguarding CUI) and NIST SP 800-171.
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
A. That risks have been identified
B. That necessary logistics have been arranged
C. Whether the OSC can better meet the targeted CMMC Level
D. That evidence is available and accessible for the targeted CMMC Level
Explanation:
The Lead Assessor's role during readiness verification is to confirm that the OSC is prepared for the assessment—not to advise on whether the OSC can achieve a different CMMC Level. Determining if the OSC can "better meet" another level (e.g., Level 3 instead of Level 2) is outside assessment scope and constitutes consulting, which is prohibited for CCAs.
Correct Option:
C — Whether the OSC can better meet the targeted CMMC Level
Assessors must not provide consulting, gap analysis, or recommendations on changing target levels. The OSC self-selects the target level. The Lead Assessor verifies readiness for that selected level only. Advising on "better meeting" another level violates CMMC separation of duties and assessor ethics.
Incorrect Options:
A — That risks have been identified
Incorrect. Confirming that the OSC has identified risks (e.g., via risk assessment documentation) is required for readiness. Without risk identification, the OSC cannot demonstrate many CMMC practices. The Lead Assessor verifies existence, not quality, during readiness.
B — That necessary logistics have been arranged
Incorrect. Logistics (e.g., scheduling, facility access, interview availability, evidence sharing mechanisms) must be confirmed before the assessment begins. Failure to arrange logistics delays or invalidates the assessment. This is a standard pre-assessment confirmation task.
D — That evidence is available and accessible for the targeted CMMC Level
Incorrect. The Lead Assessor must confirm that the OSC has prepared and can provide the required evidence (policies, procedures, logs, configurations) for the targeted level. Without accessible evidence, the assessment cannot proceed. This is a core readiness verification step.
Reference:
CMMC CCA Code of Professional Conduct – Prohibition on Consulting. CMMC Assessment Guide – Pre-Assessment Readiness Verification. See also CMMC Ecosystem – Separation of Assessor and Consultant Roles.
An OSC has built an enclave for its production environment. The enclave sits behind a firewall, with all equipment connected through a switch. There is a shipping workstation and physically connected label printer (used for the sales system, which does not process CUI) that the OSC claims are Contractor Risk Managed Assets (CRMA). Other than showing that the shipping workstation and label printer are not intended to store or transmit CUI, and documenting them in the SSP, how BEST would the OSC show that the shipping workstation and label printer are Contractor Risk Managed Assets?
A. Document in the asset inventory and include them in the network diagram to facilitate scoping discussions during the pre-assessment.
B. Document the shipping workstation and label printer in the asset inventory; show that they are managed using vendor-recommended risk-based security practices; and include them in the network diagram.
C. Document the shipping workstation and label printer in the asset inventory; show that they are managed using the organization’s risk-based security policies and procedures; and include them in the network diagram.
D. Document the shipping workstation and label printer in the asset inventory; show that they are managed using industry risk-based security best practices; and include them in the network diagram to facilitate scoping discussions during the pre-assessment.
Explanation:
Contractor Risk Managed Assets (CRMA) are assets that do not process, store, or transmit CUI but can adversely affect CUI assets. The OSC must demonstrate they are managed using the organization’s own risk-based security policies and procedures, not vendor or generic industry practices. This ensures accountability and alignment with the OSC's documented security posture.
Correct Option:
C — Document in asset inventory; show management using the organization’s risk-based security policies and procedures; include in network diagram.
This is correct because CRMA status requires demonstration that the OSC applies its own risk management framework (e.g., configuration standards, patching, access controls) to these assets. Organizational policies provide auditable, repeatable control. Network diagrams and inventory documentation enable scoping and boundary verification.
Incorrect Options:
A — Document in asset inventory and include in network diagram only.
Incomplete. Simply documenting and diagramming CRMA is insufficient. The OSC must also demonstrate how these assets are managed using risk-based practices. Without showing management methods, the assessor cannot verify that risks from these assets are controlled.
B — Show management using vendor-recommended risk-based security practices.
Incorrect. Vendor recommendations are not authoritative for CMMC CRMA compliance. The OSC must apply its own organizational policies and procedures. Vendor guidance may inform but cannot replace OSC-defined, documented, and implemented risk management practices.
D — Show management using industry risk-based security best practices + include in network diagram.
Incorrect. Industry best practices (e.g., CIS benchmarks) are useful but do not substitute for the OSC’s organizational policies and procedures. CMMC requires the OSC to govern CRMA through its own documented risk management processes, not generic external standards alone.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Contractor Risk Managed Assets (CRMA). CMMC Assessment Guide – Asset Categorization and CRMA Requirements.
The OSC POC has supplied all of the procedures, policies, and plans at the start of the assessment. One of the assessors notes that some of the documents have very recent approval dates, while others have been in place for several years based on the document history.
In order to ensure the review of this evidence is sufficient, what is the BEST step to validate the sufficiency of these documents?
A. Examine the documents to determine if they are complete.
B. Examine if the procedure in question replaced another document.
C. Interview OSC team members who should be using the procedure.
D. Interview people who hold leadership roles named in the documents.
Explanation:
Documents with very recent approval dates raise a question of whether they are actually implemented or merely "paper compliance." To validate sufficiency, the assessor must determine if personnel are following the new procedures. Interviewing OSC team members who should be using the procedure provides direct evidence of implementation, not just document existence.
Correct Option:
C — Interview OSC team members who should be using the procedure.
Interviews with operational staff reveal whether they are aware of the new procedure, have been trained, and are following it in practice. This distinguishes between recently approved documentation and actual behavioral change. It also identifies gaps between documented policy and real-world execution.
Incorrect Options:
A — Examine the documents to determine if they are complete.
Insufficient. Document completeness (format, sections, approval signatures) does not prove implementation. A complete, recently approved document may still not be followed. Examination alone cannot validate sufficiency of evidence where recency suggests possible last-minute creation.
B — Examine if the procedure in question replaced another document.
Insufficient. Knowing that a document replaced a prior version provides historical context but does not validate whether the new procedure is actually being used. This is a document management check, not an implementation validation step.
D — Interview people who hold leadership roles named in the documents.
Incorrect. Leadership interviews confirm intent and approval but not day-to-day implementation. Non-leadership personnel (system administrators, incident responders, users) are the ones who must follow procedures. Leaders may be unaware of actual compliance gaps on the ground.
Reference:
CMMC Assessment Guide (CAG) – Evidence Sufficiency and Validation. CMMC CCA Handbook – Combining Examine and Interview Methods. See also NIST SP 800-171A (Assessment Procedures) – Objective 1 vs. Objective 2 evidence.
During an assessment, the Lead Assessor determines that certain assets are in-scope that the OSC had considered out-of-scope.
The CCA should reply that for assets to be considered out-of-scope they:
A. Provide security protections to CUI assets.
B. Do not provide security protections for CUI assets.
C. Can, but are not intended to, process, store, or transmit CUI.
D. Are not required to be physically or logically separated from CUI assets.
Explanation:
For an asset to be considered out-of-scope in a CMMC assessment, it must neither process, store, nor transmit CUI and must not provide security protections to CUI assets. If an asset provides security protections (e.g., firewall, IDS, authentication server), it becomes a Security Protection Asset (SPA) and is in-scope regardless of CUI handling.
Correct Option:
B — Do not provide security protections for CUI assets.
Out-of-scope assets must meet two conditions: (1) they do not process, store, or transmit CUI, and (2) they do not provide security protections to CUI assets. If an asset performs security functions (logging, access control, monitoring), it is a Security Protection Asset and remains in-scope even without direct CUI handling.
Incorrect Options:
A — Provide security protections to CUI assets.
Incorrect. Assets that provide security protections to CUI assets are Security Protection Assets (SPAs) and are explicitly in-scope for assessment. This describes the opposite of an out-of-scope asset. SPAs must be assessed against relevant practices.
C — Can, but are not intended to, process, store, or transmit CUI.
Incorrect. Assets that can process CUI but are not intended to (i.e., no CUI flows to them) may still be Contractor Risk Managed Assets (CRMA) or potentially out-of-scope if properly isolated. However, the key differentiator for out-of-scope is also not providing security protections. This option omits that critical condition.
D — Are not required to be physically or logically separated from CUI assets.
Incorrect. Out-of-scope assets must be physically or logically separated from CUI assets. If an asset can reach or be reached by CUI assets without controls, it cannot be out-of-scope. Lack of separation would make it a CRMA or SPA, not out-of-scope.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Out-of-Scope Assets definition. CMMC Assessment Guide – Asset Categorization Criteria (CUI Assets, SPAs, CRMAs, Out-of-Scope).
While onsite conducting a CMMC Level 2 assessment at a small architecture firm that handles DoD construction contracts, the client offers a list of personnel for interviews. To answer questions regarding visitor access controls, which personnel would be MOST appropriate for interviewing?
A. System Administrator
B. Front-desk Receptionist
C. Administrative Assistant
D. Senior Architecture Partner
Explanation:
Visitor access controls (PE.L2-3.10.3 and PE.L2-3.10.4) involve physical security processes such as visitor check-in, badge issuance, escorting, logging, and return of badges. The front-desk receptionist typically performs or directly oversees these daily visitor management functions and can best describe actual implementation, exceptions, and any deviations from policy.
Correct Option:
B — Front-desk Receptionist
The receptionist is usually the first point of contact for visitors and directly executes visitor access procedures (e.g., logging entry/exit, issuing badges, notifying escorts, collecting badges). This role provides firsthand operational knowledge of how visitor controls function in practice, making them the most appropriate interview subject.
Incorrect Options:
A — System Administrator
Incorrect. System administrators focus on logical access (accounts, passwords, permissions), not physical visitor controls. While they may manage physical access systems (e.g., badge databases), they rarely execute daily visitor processes. Their knowledge is technical/systemic rather than procedural/operational.
C — Administrative Assistant
Incorrect. Administrative assistants may handle some visitor coordination but typically not primary visitor access control execution unless specifically assigned. The front-desk receptionist is the dedicated role for this function. The assistant's knowledge may be inconsistent or secondary.
D — Senior Architecture Partner
Incorrect. Senior leadership (partners) typically do not perform visitor access control duties. They set policy direction but cannot speak to day-to-day implementation, exceptions, or staff adherence. Interviewing senior leadership for operational physical security questions is inefficient and unlikely to yield accurate evidence.
Reference:
CMMC Level 2 Practice PE.L2-3.10.3 (Escort visitors) and PE.L2-3.10.4 (Visitor access logs). CMMC Assessment Guide – Selecting Interview Subjects Based on Control Ownership.
An organization has contracted with a third party for system maintenance and support. The third-party personnel all work remotely. Which of the following should an assessor assure is in place?
A. Only third-party personnel can perform system maintenance functions.
B. Third-party personnel need to be identified and monitored while performing maintenance.
C. The number of third-party personnel who can access the organization’s systems concurrently is limited.
D. Remote access to systems used by the third party for maintenance functions is terminated automatically based on a defined set of criteria.
Explanation:
For remote third-party maintenance personnel, CMMC requires that remote access sessions be terminated automatically based on defined criteria (e.g., after task completion, after inactivity timeout, at scheduled times). This aligns with MA.L2-3.7.5, which requires non-local maintenance sessions to be terminated when no longer needed. Automated termination ensures no lingering access.
Correct Option:
D — Remote access to systems used by the third party for maintenance functions is terminated automatically based on a defined set of criteria.
This directly addresses the MA.L2-3.7.5 requirement. Defined criteria (e.g., session timeout, task completion, end of workday) must be documented and enforced automatically. Manual termination is insufficient. This prevents unauthorized extended access after maintenance is complete.
Incorrect Options:
A — Only third-party personnel can perform system maintenance functions.
Incorrect. The organization's own personnel can also perform maintenance. CMMC does not restrict maintenance exclusively to third parties. This option is overly restrictive and irrelevant to the requirement for remote third-party maintenance controls.
B — Third-party personnel need to be identified and monitored while performing maintenance.
Incorrect. While identification and monitoring are good practices, they are not the primary assurance required for remote third-party maintenance. The specific CMMC requirement (MA.L2-3.7.5) focuses on terminating remote sessions, not just monitoring or identifying personnel.
C — The number of third-party personnel who can access the organization’s systems concurrently is limited.
Incorrect. Concurrent access limits are not explicitly required by CMMC for third-party maintenance. While capacity planning may impose limits, this is not a control requirement. The core requirement remains termination of remote sessions after maintenance.
Reference:
CMMC Level 2 Practice MA.L2-3.7.5 (Non-local maintenance session termination). NIST SP 800-171 Rev 2, Requirement 3.7.5. See also CMMC Assessment Guide, Maintenance domain – Remote maintenance controls.
Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam question pool covering all topics, the real exam feels like just another practice session.