Free CMMC-CCA Practice Test Questions 2026

343 Questions


Last Updated On: 27-Apr-2026


Topic 1: Assessing CMMC Level 2 Practices

An OSC has documented HR and personnel security policies that are well integrated. A key requirement is that credentials and system access are revoked upon transfer or termination. Their personnel security policy includes procedures for transfer and termination, a list of the system accounts tied to each employee, and management of revoked or terminated credentials and authenticators. Examining the procedures addressing personnel transfer and termination, you learn that besides revoking or terminating system access, authenticators, and credentials, the OSC recovers all company IT equipment, access/identification cards, and keys from the transferred or terminated employee. They also interview the employee to remind them that their CUI handling obligations continue after transfer or termination and require them to sign an NDA. After every termination, they also change passwords and other access control mechanisms the employee had access to and notify all stakeholders that the employee has been terminated or transferred. Based on the scenario, the OSC can cite all of the following as evidence corroborating its implementation of CMMC practice PS.L2-3.9.2 – Personnel Actions, EXCEPT:


A. List of usernames and passwords of all the employees


B. Records of personnel transfer and termination actions


C. Records of exit interviews accompanied by a list of terminated employees' identifiers


D. Records of terminated or revoked authenticators and credentials





A.
  List of usernames and passwords of all the employees

You are assessing Conedge Ltd, a contractor that develops cryptographic algorithms for classified government networks. In reviewing their network architecture documents, you see they have implemented role-based access controls on their workstations using Active Directory group policies. Software developers are assigned to the "Dev_Roles" group which grants access to compile and test code modules. The "Admin_Roles" group with elevated privileges for system administration activities is restricted to the IT staff. However, when you examine the event logs on a developer workstation, you find evidence that a developer was able to enable debugging permissions to access protected kernel memory – a privileged function. Which of the following controls could have prevented the developer from executing this privileged function?


A. Removing internet access


B. Prohibiting inheritance of privileged permissions


C. Enforcing dual authorization


D. Implementing time of day restrictions





B.
  Prohibiting inheritance of privileged permissions

A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discover that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 – Authoritative Time Source, you trigger some of the events documented to meet AU.L2-3.3.1 – System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to adjust and synchronize their clocks only when the difference from the NTP server exceeds 30 seconds. Based on this scenario, how many points would you score the OSC's implementation of CMMC practice AU.L2-3.3.7 – Authoritative Time Source?


A. 5


B. -1


C. 1


D. -5





B.
  -1
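
The assessor's test in this scenario, written as a script. This is an added example, not part of the practice test and not code from any tool the scenario mentions: it compares the timestamps several nodes recorded for one triggered event against the node holding the authoritative NTP clock and flags any host whose clock is outside a tolerance. The records, hostnames, event identifier and the 1-second tolerance are constructed assumptions.

```python
"""Cross-host timestamp consistency check, the manual test behind AU.L2-3.3.7.

Added example. The audit records below are constructed for this example; the
hostnames, the event identifier "CCA-TEST-1" and the default tolerance are
assumptions, not values from the scenario.
"""
from datetime import datetime, timezone

# Constructed audit records: one assessor-triggered event as recorded by the
# NTP server itself and by three other nodes, all with ISO-8601 UTC timestamps.
CONSTRUCTED_RECORDS = [
    {"host": "ntp01",      "event": "CCA-TEST-1", "ts": "2026-04-27T14:00:00.120Z"},
    {"host": "srv-old-01", "event": "CCA-TEST-1", "ts": "2026-04-27T14:00:00.310Z"},
    {"host": "srv-new-01", "event": "CCA-TEST-1", "ts": "2026-04-27T13:59:42.900Z"},
    {"host": "srv-new-02", "event": "CCA-TEST-1", "ts": "2026-04-27T14:00:27.004Z"},
]


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SS.fffZ' format into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def clock_offsets(records, event_id, reference_host):
    """Offset in seconds of every host's recorded time for event_id relative to
    reference_host (positive = the host's clock is ahead of the reference)."""
    by_host = {r["host"]: parse_ts(r["ts"]) for r in records if r["event"] == event_id}
    reference = by_host[reference_host]
    return {host: (stamp - reference).total_seconds()
            for host, stamp in by_host.items() if host != reference_host}


def skewed_hosts(records, event_id, reference_host, tolerance_s=1.0):
    """Hosts whose offset from the reference exceeds tolerance_s in either direction."""
    return {host: offset
            for host, offset in clock_offsets(records, event_id, reference_host).items()
            if abs(offset) > tolerance_s}


if __name__ == "__main__":
    for host, offset in sorted(skewed_hosts(CONSTRUCTED_RECORDS, "CCA-TEST-1", "ntp01").items()):
        print(f"{host}: {offset:+.3f}s from ntp01")
```

With the 1-second tolerance the two new nodes are flagged at roughly 17 seconds behind and 27 seconds ahead of the reference while the existing node is within 0.2 seconds. Raising the tolerance to 30 seconds, which is the OSC's own sync threshold, flags nothing: that is the failure mode, since a clock allowed to drift up to 30 seconds before correction produces records that cannot be reliably ordered against records from other systems, which is the reason for synchronizing to an authoritative source in the first place.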

When examining a contractor's access control policy and SSP, you observe that system administrators routinely use accounts with elevated privileges for checking email and browsing internal websites. What CMMC practice does this violate?


A. AC.L2-3.1.7


B. AC.L2-3.1.6


C. AC.L2-3.1.4


D. AC.L2-3.1.2





B.
  AC.L2-3.1.6

A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices such as tablets and smartphones. After assessing AC.L2-3.1.18 – Mobile Device Connection, you find that the contractor maintains a meticulous record of mobile devices that connect to its information systems. AC.L2-3.1.19 – Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all data on a mobile device is encrypted. Which of the following is a reason why you would recommend container-based over full-device encryption?


A. Container-based encryption offers granular control over sensitive data, improves device performance by encrypting selectively, and enhances security in Bring-Your-Own-Device (BYOD) environments


B. Container-based encryption is more cost-effective


C. It is more user-friendly and easier to deploy on a large scale


D. Full-device encryption is not compatible with modern mobile operating systems





A.
  Container-based encryption offers granular control over sensitive data, improves device performance by encrypting selectively, and enhances security in Bring-Your-Own-Device (BYOD) environments

While examining a contractor's audit and accountability policy, you find they have documented the types of events to be logged and defined the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records, which the policy says are stored for 30 days. However, several tests show that the mechanisms implementing system audit logging fall short: the audit logs they produce are too limited, so a generated record cannot, on its own, identify the event it resulted from, because the content actually captured is narrower than what the policy defines. You also find that the logs are retained for only 24 hours before they are automatically deleted. Which of the following is a potential assessment method for AU.L2-3.3.1 – System Auditing?


A. Examine procedures addressing audit record generation


B. Testing procedures addressing control of audit records


C. Testing the system configuration settings and associated documentation


D. Examining the mechanisms for implementing system audit logging





A.
  Examine procedures addressing audit record generation
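
The defect in this scenario, records that cannot stand alone, is something an assessor can check mechanically on an exported log sample. The following is an added example, not code from the page or from any logging product: it tests each record for the elements NIST SP 800-171 discusses for 3.3.1 (what happened, when, where, the source, the outcome, and the subject). The accepted field names for each element and the sample export are constructed assumptions, not a real log format.

```python
"""Audit record content check for AU.L2-3.3.1.

Added example. REQUIRED_ELEMENTS maps each content element to the field names
assumed to satisfy it (different log sources name these differently); the
SAMPLE_EXPORT is constructed for this example.
"""
import json

REQUIRED_ELEMENTS = {
    "what":    ("event_type", "action"),
    "when":    ("timestamp", "ts", "@timestamp"),
    "where":   ("host", "hostname", "device"),
    "source":  ("src_ip", "source", "process"),
    "outcome": ("outcome", "result", "status"),
    "who":     ("subject", "user", "account"),
}

# Constructed JSON-lines export: two complete records, one that captures only
# the event type and time, and one from a source using different field names
# that is complete except for the acting subject.
SAMPLE_EXPORT = """\
{"event_type": "logon", "ts": "2026-04-27T14:02:11Z", "host": "fs01", "src_ip": "10.1.5.20", "outcome": "success", "user": "jdoe"}
{"event_type": "file_read", "ts": "2026-04-27T14:03:40Z", "host": "fs01", "src_ip": "10.1.5.20", "outcome": "success", "user": "jdoe"}
{"event_type": "file_read", "ts": "2026-04-27T14:05:02Z"}
{"action": "priv_escalation", "@timestamp": "2026-04-27T14:06:00Z", "device": "ws17", "process": "sudo", "status": "failure"}
"""


def missing_elements(record):
    """Elements for which no accepted field is present with a non-empty value."""
    return [element for element, names in REQUIRED_ELEMENTS.items()
            if not any(record.get(name) not in (None, "") for name in names)]


def check_export(text):
    """Parse a JSON-lines export.

    Returns (records_seen, findings) where findings is a list of
    (line_number, missing_elements) for every record that cannot identify its
    event on its own. A line that does not parse is reported as unparseable,
    since it cannot satisfy any element.
    """
    findings, seen = [], 0
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        seen += 1
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings.append((line_no, ["unparseable"]))
            continue
        gaps = missing_elements(record)
        if gaps:
            findings.append((line_no, gaps))
    return seen, findings


if __name__ == "__main__":
    seen, findings = check_export(SAMPLE_EXPORT)
    print(f"{seen} records, {len(findings)} cannot stand alone")
    for line_no, gaps in findings:
        print(f"  line {line_no}: missing {', '.join(gaps)}")
```

A record flagged here is evidence for the "too limited" finding in the scenario; the policy's defined content is the yardstick, so in a real assessment REQUIRED_ELEMENTS would be populated from the OSC's own definition rather than the assumed names above.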

reporting. They have a dedicated section in their SSP addressing the Audit and Accountability requirements. You proceed to interview their information security personnel, who informed you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What key features regarding the deployment of Splunk for AU.L2-3.3.6 – Reduction & Reporting would you be interested in assessing?


A. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs


B. Ensure Splunk can retain audit records for a protracted amount of time


C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports


D. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status





C.
  Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports
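
What the filter rules and summarization in option C actually do, shown in plain Python so an assessor knows what to look for in the tool's configuration and reports. This is an added example, not code from the page and not Splunk configuration: it drops event types the organization has marked nonessential, collapses repeated events into one summary row each, and flags a row that crosses a threshold. The events, event-type names, and the threshold are constructed assumptions.

```python
"""Audit log reduction and reporting, the mechanism behind AU.L2-3.3.6.

Added example. RAW_EVENTS is a constructed sample: a burst of failed logons for
one account from two hosts, one success, an unrelated failure, and keepalive
noise. The nonessential event types and the alert threshold are assumptions.
"""

RAW_EVENTS = [
    {"ts": "2026-04-27T08:00:01Z", "host": "vpn01", "event_type": "heartbeat", "user": "-",      "outcome": "-"},
    {"ts": "2026-04-27T08:00:05Z", "host": "dc01",  "event_type": "logon",     "user": "jdoe",   "outcome": "failure"},
    {"ts": "2026-04-27T08:00:07Z", "host": "dc01",  "event_type": "logon",     "user": "jdoe",   "outcome": "failure"},
    {"ts": "2026-04-27T08:00:09Z", "host": "dc02",  "event_type": "logon",     "user": "jdoe",   "outcome": "failure"},
    {"ts": "2026-04-27T08:00:11Z", "host": "dc02",  "event_type": "logon",     "user": "jdoe",   "outcome": "failure"},
    {"ts": "2026-04-27T08:00:31Z", "host": "vpn01", "event_type": "heartbeat", "user": "-",      "outcome": "-"},
    {"ts": "2026-04-27T08:00:40Z", "host": "dc01",  "event_type": "logon",     "user": "jdoe",   "outcome": "failure"},
    {"ts": "2026-04-27T08:00:44Z", "host": "dc01",  "event_type": "logon",     "user": "jdoe",   "outcome": "failure"},
    {"ts": "2026-04-27T08:01:02Z", "host": "dc01",  "event_type": "logon",     "user": "jdoe",   "outcome": "success"},
    {"ts": "2026-04-27T08:01:01Z", "host": "vpn01", "event_type": "heartbeat", "user": "-",      "outcome": "-"},
    {"ts": "2026-04-27T08:01:30Z", "host": "dc02",  "event_type": "logon",     "user": "asmith", "outcome": "failure"},
]

# Event types the organization has decided carry no investigative value (assumed).
NONESSENTIAL_EVENT_TYPES = {"heartbeat", "session_keepalive"}


def reduce_events(events, drop=NONESSENTIAL_EVENT_TYPES):
    """Filter out nonessential event types, then collapse the rest into one
    summary row per (event_type, user, outcome) with count, first/last seen and
    the set of hosts involved. Rows are ordered most frequent first."""
    groups = {}
    for e in events:
        if e["event_type"] in drop:
            continue
        key = (e["event_type"], e["user"], e["outcome"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {"event_type": e["event_type"], "user": e["user"],
                               "outcome": e["outcome"], "count": 0,
                               "first_seen": e["ts"], "last_seen": e["ts"], "hosts": set()}
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], e["ts"])  # ISO-8601 UTC strings sort chronologically
        g["last_seen"] = max(g["last_seen"], e["ts"])
        g["hosts"].add(e["host"])
    return sorted(groups.values(), key=lambda g: (-g["count"], g["user"]))


def flag_logon_failures(summary, threshold=5):
    """Accounts with at least `threshold` failed logons in the reduced data."""
    return [(g["user"], g["count"], sorted(g["hosts"])) for g in summary
            if g["event_type"] == "logon" and g["outcome"] == "failure" and g["count"] >= threshold]


def report(events):
    """Render the analyst-facing report as text."""
    summary = reduce_events(events)
    lines = [f"{len(events)} raw events reduced to {len(summary)} summary rows"]
    for g in summary:
        lines.append(f'{g["event_type"]}/{g["outcome"]} user={g["user"]} count={g["count"]} '
                     f'hosts={",".join(sorted(g["hosts"]))} {g["first_seen"]}..{g["last_seen"]}')
    for user, n, hosts in flag_logon_failures(summary):
        lines.append(f"ALERT: {n} failed logons for {user} across {','.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RAW_EVENTS))
```

The reduction step must not discard anything the organization's own event list says is reportable: the drop list above is a deliberate decision, and the assessor's interest in option C is whether the OSC's filter rules were derived from that list rather than from convenience. Note that the original records are still needed for investigation; reduction produces a view, not a replacement for retained logs.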

During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. The scenario mentions that the server utilizes default settings for connection timeouts. What additional approach, besides relying solely on user awareness, could be implemented to achieve connection termination based on inactivity and comply with CMMC practice SC.L2-3.13.9 – Connections Termination?


A. Modify the server-side application settings to automatically terminate inactive user sessions after a defined period


B. Implement a centralized inactivity monitoring tool to identify inactive connections across the network and notify administrators for manual termination


C. Upgrade the server operating system to the latest version, as newer versions may have stricter default timeouts for idle connections


D. Educate users about the importance of logging out and the risks associated with leaving sessions open





A.
  Modify the server-side application settings to automatically terminate inactive user sessions after a defined period
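
The server-side mechanism option A refers to, as an added example that is not the OSC's application and not code from the page: a session table that records the time of each request and refuses, and discards, any session that has been idle longer than a defined period, whether or not the user logged out. An absolute lifetime is included as well so that steady activity cannot keep a session alive indefinitely. The limits, the injectable clock, and the names are assumptions. Note that the operating system's default connection timeouts govern the TCP connection, not the application session; a session cookie stays valid across many connections, which is why the check has to live in the application.

```python
"""Idle-timeout session store, an application-level control for SC.L2-3.13.9.

Added example. The 15-minute idle limit and 8-hour absolute limit are
assumptions chosen for illustration; an OSC would take them from its own
documented policy. The clock is injectable so expiry can be exercised without
sleeping, which is what FakeClock is for.
"""
import secrets
import time


class IdleTimeoutSessions:
    def __init__(self, idle_limit=15 * 60, absolute_limit=8 * 3600, clock=time.monotonic):
        self.idle_limit = idle_limit
        self.absolute_limit = absolute_limit
        self.clock = clock
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def _expired(self, session, now):
        return (now - session["last_seen"] > self.idle_limit
                or now - session["created"] > self.absolute_limit)

    def create(self, user):
        """Start a session after successful authentication; returns the opaque token."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """Return the user for a live session and refresh its idle timer.

        Unknown and expired sessions return None; expired ones are deleted on
        the spot so that a stale token can never be revived (fail closed)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if self._expired(session, now):
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        self._sessions.pop(token, None)

    def sweep(self):
        """Remove expired sessions that were never presented again; returns how many."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Deterministic stand-in for time.monotonic used to demonstrate expiry."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = IdleTimeoutSessions(idle_limit=900, clock=clock)
    token = store.create("jdoe")
    clock.advance(800)
    print(store.resolve(token))   # jdoe: activity within the limit refreshes the timer
    clock.advance(901)
    print(store.resolve(token))   # None: idle limit exceeded, session discarded
```

In a real deployment the table would live in a shared store if the application runs on more than one node, and `sweep` would run on a timer so that abandoned sessions are removed even if their token is never presented again; both are implementation details, not changes to the control.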

A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following best describes a control that maintains accountability for media containing CUI during transport outside of controlled areas?


A. Using tamper-proof packaging and a reputable shipping service with tracking


B. Implementing strong passwords for all user accounts


C. Training employees on information security best practices


D. Restricting access to the system where the CUI data resides





A.
  Using tamper-proof packaging and a reputable shipping service with tracking

CMMC practice PS.L2-3.9.1 – Screen Individuals requires individuals to be screened before authorizing access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screens, such as background checks, only affirmations derived from an interview session. In an interview with the HR Manager, they informed you that before an individual is hired, they submit their information through a service that performs criminal and financial checks. How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1 – Screen Individuals, objective [a]?


A. More information is needed


B. Not Met


C. Not Applicable


D. Met





A.
  More information is needed

You are assessing a contractor that develops software for air traffic control systems. In reviewing their documentation, you find that a single engineer is responsible for designing new ATC system features, coding the software updates, testing the changes on the development network, and deploying the updates to the production ATC system for customer delivery. How will proper separation of duties help the contractor meet the intent of AC.L2-3.1.4 – Separation of Duties?


A. It allows the engineers to specialize in specific areas


B. It reduces concentrated privileges and power and improves checks & balances. Errors and malicious actions are more likely to be caught. Risk is reduced without relying solely on one individual


C. It reduces the overall cost of software development


D. It simplifies the development process





B.
  It reduces concentrated privileges and power and improves checks & balances. Errors and malicious actions are more likely to be caught. Risk is reduced without relying solely on one individual


Page 2 out of 29 Pages

What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam question pool covering all topics, the real exam feels like just another practice session.