Free CMMC-CCA Practice Test Questions 2026

343 Questions


Last Updated On : 27-Apr-2026


Topic 1: Assessing CMMC Level 2 Practices

In your assessment of an OSC’s information systems, you realize that the OSC has been having issues determining what is and isn’t CUI. One of the employees asks for your help identifying CUI so that they can take measures to protect it. They also request that you recommend a resource where they can understand the national CUI policy. Which of the following is the BEST resource they should visit to understand what CUI is and the national CUI policy?


A. 48 CFR 52.204-21 and NIST SP 800-171


B. DFARS 252.204-7012 and ISOO CUI Registry


C. 32 CFR Part 2002 and ISOO CUI Registry


D. 22 CFR Part 120-130





C.
  32 CFR Part 2002 and ISOO CUI Registry

You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. The documentation shows that the contractor has implemented a Role-Based Access Control (RBAC) model in which privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the privileges needed to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale for granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 – Audit Management?


A. Partially Met – The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined


B. Met – The contractor has defined privileged user roles for audit management


C. Not Applicable – The practice is not relevant to the contractor's environment


D. Not Met – The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users





D.
  Not Met – The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users

Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. Software changes can only be implemented by defined individuals. These changes must have gone through a rigorous change approval process and must be implemented from a secure server located at the company's headquarters. The personnel effecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO receive a notification to approve the changes before they take effect. To determine whether the contractor has implemented sufficient measures to meet CM.L2-3.4.5 – Access Restrictions for Change, you need to examine all of the following EXCEPT?


A. Procedures addressing access restrictions for changes to the system


B. Plan of Action and Milestones


C. Contractor's configuration management policy


D. System architecture and configuration documentation





B.
  Plan of Action and Milestones

When assessing a contractor's implementation of CMMC requirements, you realize they have multiple data centers and regional offices, each with its own access control mechanisms and security perimeter. The contractor uses a remote access solution to allow external partners and employees to collaborate on projects that involve CUI. The solution requires routing configuration to ensure that remote access to CUI is not compromised. Why should all remote access traffic be routed through a managed access control point?


A. It simplifies network architecture and reduces complexity


B. Reduces the susceptibility to unauthorized access to organizational systems


C. It enables easier troubleshooting and monitoring of network traffic


D. It provides better performance and lower latency for remote users





B.
  Reduces the susceptibility to unauthorized access to organizational systems

CMMC practice MA.L2-3.7.3 – Equipment Sanitization requires organizations to sanitize equipment of any CUI before it leaves their facilities for off-site maintenance. What standard would the OSC use to sanitize various types of media?


A. NIST SP 800-53


B. NIST SP 800-88


C. NIST SP 800-171


D. NIST SP 800-171A





B.
  NIST SP 800-88

Assessing a DoD contractor, you observe they have implemented physical security measures to protect the facility housing organizational systems that process or store CUI. The facility has secure locks on all entrances, exits, and windows. Additionally, video surveillance cameras are installed at entry/exit points, and their feeds are monitored by security personnel. Feeds from areas where CUI is processed or stored, and from meeting rooms where executives discuss CUI and other sensitive matters, are segregated and stored on a designated server after monitoring. Walking around the facility, you notice network cables hanging from the walls. To pass through a door, personnel must swipe their access cards; however, you observe an employee holding the door open for others to enter. Although power cables are placed in wiring closets, the closets aren't locked, and the cabling conduits are damaged. Which of the following is NOT a concern regarding the contractor's implementation of CMMC practice PE.L2-3.10.2 – Monitor Facility?


A. Video surveillance monitoring at entry/exit points


B. Unlocked wiring closets


C. Network cables hanging from the walls


D. Damaged cable conduits





A.
  Video surveillance monitoring at entry/exit points

During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. Based on the scenario, what is the MOST concerning aspect from a CMMC compliance perspective regarding CMMC practice SC.L2-3.13.9 – Connections Termination?


A. The application is hosted on a dedicated server within the company’s internal network


B. Users log in with usernames and passwords, potentially lacking multi-factor authentication


C. The lack of a documented policy or a defined period of inactivity for terminating remote access connections creates uncertainty and inconsistency


D. The server operating system utilizes default settings for connection timeouts, which may be insufficient





C.
  The lack of a documented policy or a defined period of inactivity for terminating remote access connections creates uncertainty and inconsistency
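The scenario above hinges on a defined period of inactivity being enforced by the system rather than by users remembering to log out. The following is an added example, not code from the original page or from any OSC described on it: a server-side session store for a web application that terminates a session after a defined idle period and, independently, after an absolute lifetime. The 15-minute and 8-hour values are illustrative assumptions standing in for whatever period the organization documents; CMMC does not prescribe the number.

```python
"""Idle-timeout session termination (added example for SC.L2-3.13.9).

Every request refreshes the session's last-activity time; a session whose
inactivity exceeds the defined period, or whose age exceeds the absolute
cap, is terminated on the next request and by a periodic sweep. The timeout
values are assumed organizational policy, not values mandated by CMMC.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets
import time

IDLE_TIMEOUT_S = 15 * 60        # assumed policy: 15 minutes of inactivity
ABSOLUTE_TIMEOUT_S = 8 * 3600   # assumed policy: cap lifetime regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_activity: float


class SessionStore:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT_S,
                 clock: Callable[[], float] = time.monotonic):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock              # injectable so the behaviour can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_activity > self.idle_timeout
                or now - s.created > self.absolute_timeout)

    def touch(self, token: str) -> Optional[str]:
        """Validate the token presented with a request. Returns the user, or
        None (after destroying the server-side state) if the session is
        unknown or has passed the idle or absolute limit."""
        now = self.clock()
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[token]       # terminate: the token is now useless
            return None
        s.last_activity = now
        return s.user

    def terminate(self, token: str) -> None:
        """Explicit logout."""
        self._sessions.pop(token, None)

    def sweep(self) -> int:
        """Terminate every expired session; run this on a timer so idle
        sessions do not linger until someone happens to present the token."""
        now = self.clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)


def demo():
    """Walk one session through the idle limit with a fake clock."""
    t = [1000.0]
    store = SessionStore(idle_timeout=900, absolute_timeout=8 * 3600, clock=lambda: t[0])
    tok = store.create("alice")
    t[0] += 600                              # 10 minutes idle: still valid, timer refreshed
    still_valid = store.touch(tok) == "alice"
    t[0] += 901                              # 15 minutes + 1 s since last activity: terminated
    terminated = store.touch(tok) is None
    return still_valid, terminated, store.active_count()


if __name__ == "__main__":
    print(demo())
```

The point an assessor would look for is visible in `touch` and `sweep`: the defined period lives in configuration the organization controls, the termination is enforced server-side, and a forgotten logout is bounded by the idle limit rather than left open indefinitely.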

You are assessing a contractor's implementation of CMMC practice MA.L2-3.7.4 – Media Inspection by examining their maintenance records. You realize the maintenance logs identify a recurring problem: a recently installed central server has been experiencing issues affecting the performance of the contractor's information systems. This is confirmed by your interview with the contractor's IT team. You request to investigate the server, and the IT team agrees. On the server, a file named conf.zip gets your attention. You decide to open the file on an isolated computer for further review. To your surprise, the file is actually a .exe, a tool used for testing data exfiltration from the server. How should this incident be handled?


A. By immediately reporting it to the FBI's Cyber Division


B. Decommissioning the server and installing a new one


C. In accordance with the incident response plan


D. By sandboxing the malicious code and continuing with business as usual





C.
  In accordance with the incident response plan

A mid-sized company specializing in machining is preparing to bid on an upcoming DoD contract to provide machined components crucial for defense systems. As CMMC compliance will be required, the company's top executives have invited you to assess their implementation of CMMC Level 2 requirements. During your visit to their operating environment, you discover that the production floor has several Computer Numerical Control (CNC) machines for precision machining, all connected to a local network for data transfer and control. The CNC machines receive design files from a central server in the company's data center and communicate with a SCADA quality control system that monitors production metrics and performance. The central server hosts the design files, which are accessible only to authorized engineers and operators and are backed up to Amazon EBS volumes to ensure availability across the company's multiple machining shops in different states. Furthermore, the company allows employees to upload designs to the server remotely using VPNs and virtual desktop instances. What is the BEST physical control the company can use for preventive purposes?


A. Using proximity card readers


B. Installing CCTVs


C. Displaying a large banner written "Authorized Personnel Only"


D. Locking all entrances





A.
  Using proximity card readers

During your assessment of Defcon, a contractor, and its implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and the associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Once the inconsistencies are addressed, when should the contractor's privacy and security notice be displayed?


A. Only during the initial system logon


B. During the initial system logon and when accessing specific CUI-related applications and data


C. Only when handling or processing export-controlled technical data


D. Continuously on all systems and workstations, regardless of user activity





B.
  During the initial system logon and when accessing specific CUI-related applications and data

You decide to interview the IT security team to understand if and how a contractor has implemented audit failure alerting. You learn they have deployed AlienVault OSSIM, a feature-rich security information and event management (SIEM) tool. The SIEM tool has been configured to send automatic alerts to system and network administrators if an event affects the audit logging process. Alerts are generated for the defined events that lead to failure in audit logging and can be found in the notification section of the SIEM portal. However, the alerts are sent to the specified personnel 24 hours after the occurrence of an event. As an assessor evaluating the implementation of AU.L2-3.3.4 – Audit Failure Alerting, which of the following would be a key consideration regarding the evidence provided by the contractor?


A. Ensuring the defined alert notification methods (e.g., email, SMS) are secure and encrypted


B. Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios


C. Determining if the documented personnel roles for alert notification align with the organization's hierarchy


D. Checking if the alert notification process integrates with third-party monitoring services





B.
  Verifying that the types of audit logging failures defined cover a comprehensive range of potential scenarios

A contractor has retained you to assess compliance with CMMC practices as part of their triennial review. During your assessment of the AU domain, you discovered that the contractor has recently installed new nodes and servers on their network infrastructure. To assess their implementation of AU.L2-3.3.7 – Authoritative Time Source, you trigger some events documented to meet AU.L2-3.3.1 – System Auditing across both the new and existing systems, generating audit logs. Upon examining these logs, you notice inconsistencies in the timestamps between newly installed and previously existing nodes. Further investigation reveals that while the contractor has implemented a central Network Time Protocol (NTP) server as the authoritative time source, the new systems are configured to automatically adjust and synchronize their clocks only when the time difference with the NTP server exceeds 30 seconds. Based on this scenario, why is time synchronization with the NTP server necessary, and what is the recommended synchronization time?


A. To ensure that all systems record the audit logs using the same time source, with a recommended synchronization time of 1 second


B. To allow users to set their preferred time zones on individual systems, with a recommended synchronization time of 24 hours


C. To reduce the network bandwidth used by system clocks, with a recommended synchronization time of once a month


D. To increase the accuracy of digital clocks on devices, with a recommended synchronization time of 1 week





A.
  To ensure that all systems record the audit logs using the same time source, with a recommended synchronization time of 1 second
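The scenario above describes exactly the check an assessor can make: trigger a known event on several hosts and compare the timestamps each host records. The following is an added example, not code from the original page or from any OSC it describes. It parses constructed syslog-style audit lines (the hostnames, timestamps and the `ASSESSOR-TEST` marker are assumptions for illustration), measures each host's clock offset against the reference time at which the event was triggered, flags hosts outside a tolerance, and shows how the offsets are used to put events from different hosts back into their true order. A 30-second correction threshold like the one in the scenario lets offsets of up to 30 seconds persist, which is why the flagged hosts below would never have been corrected by the contractor's configuration.

```python
"""Audit-log clock-skew check (added example for AU.L2-3.3.7; not from the page).

The assessor triggers the same event on every host at a known reference time
and reads back each host's recorded timestamp. The difference is that host's
clock offset. Log lines, hostnames, marker text and tolerance are constructed
assumptions, not real data or CMMC-prescribed values.
"""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines (syslog-like, RFC 3339 timestamps). Not real data.
SAMPLE_LOGS = """\
2026-04-27T14:00:00.120Z host=fs01 audit: ASSESSOR-TEST event_id=7 user=assessor
2026-04-27T14:00:00.310Z host=db01 audit: ASSESSOR-TEST event_id=7 user=assessor
2026-04-27T13:59:42.050Z host=app07 audit: ASSESSOR-TEST event_id=7 user=assessor
2026-04-27T14:00:25.900Z host=web09 audit: ASSESSOR-TEST event_id=7 user=assessor
2026-04-27T14:00:00.400Z host=fs01 audit: file_read path=/cui/spec.pdf user=jdoe
"""

# Reference time at which the assessor triggered event 7 (constructed; in practice
# taken from the authoritative NTP source, not from any of the hosts under test).
REFERENCE = datetime(2026, 4, 27, 14, 0, 0, tzinfo=timezone.utc)
TOLERANCE_S = 1.0   # assumed tolerance tight enough to order events across hosts

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+audit:\s+(?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, host, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["host"], m["msg"]


def host_offsets(logs, event_id, reference=REFERENCE):
    """Seconds each host's clock is ahead (+) or behind (-) the reference,
    measured from the host's own timestamp on the known test event."""
    marker = f"ASSESSOR-TEST event_id={event_id}"
    offsets = {}
    for line in logs.splitlines():
        parsed = parse_line(line)
        if parsed and marker in parsed[2]:
            ts, host, _ = parsed
            offsets[host] = (ts - reference).total_seconds()
    return offsets


def skewed_hosts(offsets, tolerance=TOLERANCE_S):
    """Hosts whose measured offset exceeds the tolerance."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance)


def corrected_timeline(logs, offsets):
    """Re-order every event by reference time by subtracting each host's
    measured offset. Hosts with no measured offset are left uncorrected."""
    events = []
    for line in logs.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, host, msg = parsed
            corrected = ts - timedelta(seconds=offsets.get(host, 0.0))
            events.append((corrected, host, msg))
    return sorted(events)


if __name__ == "__main__":
    offs = host_offsets(SAMPLE_LOGS, 7)
    for host, off in sorted(offs.items()):
        print(f"{host:6} offset {off:+.3f}s")
    print("outside tolerance:", skewed_hosts(offs))
    print("never corrected under a 30 s threshold:", skewed_hosts(offs, tolerance=30.0))
```

Without correction, the raw timestamps say app07 logged the test event 18 seconds before the assessor triggered it and web09 logged it 26 seconds after, so an incident reconstruction that spans those hosts would order events wrongly. Both offsets sit inside the contractor's 30-second threshold, so its configuration would leave them in place; `corrected_timeline` shows what a consistently synchronized set of clocks would have produced.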



What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive pool of CMMC-CCA practice exam questions covering all topics, the real exam feels like just another practice session.