Free CMMC-CCA Practice Test Questions 2026

150 Questions


Last Updated On: 12-Jun-2026


Scoping and System Boundaries

An OSC is preparing for an assessment and wants to gather evidence that will be used by the Lead Assessor to determine the scope of the assessment. The OSC currently operates a hybrid network, with part of their infrastructure at their physical location and part of their infrastructure in a cloud environment.

What evidence should the OSC collect that would assist the Lead Assessor in determining cloud and hybrid environment constraints?


A. Subnetworks list


B. System inventory


C. Company-owned hardware list


D. Cloud Service Provider’s Customer Responsibility Matrix





D. Cloud Service Provider’s Customer Responsibility Matrix

Explanation:
For cloud and hybrid environments, the Cloud Service Provider's (CSP) Customer Responsibility Matrix clearly delineates which security controls are managed by the CSP versus the OSC. This directly informs the Lead Assessor about constraints—what the OSC is responsible for assessing versus what is inherited or must be verified via third-party assessments (e.g., FedRAMP).

Correct Option:

D — Cloud Service Provider’s Customer Responsibility Matrix
The responsibility matrix is essential for scoping a hybrid assessment. It shows which CMMC practices the OSC must fully implement, which are shared, and which are solely the CSP's responsibility. Without this, the assessor cannot determine the OSC's compliance boundaries or constraints in the cloud environment.

Incorrect Options:

A — Subnetworks list
Incorrect. A subnetworks list helps understand network segmentation but does not address cloud-specific constraints or division of responsibilities between OSC and CSP. Subnets alone reveal nothing about CSP security controls or OSC obligations.

B — System inventory
Incorrect. System inventory identifies assets but does not clarify CSP/OSC responsibility boundaries. An asset listed as "cloud VM" without a responsibility matrix leaves unknown who secures the hypervisor, physical host, or network. Inventory is necessary but insufficient for hybrid constraints.

C — Company-owned hardware list
Incorrect. This only applies to on-premises assets. In a hybrid environment, many critical assets reside in the cloud and are not company-owned. This list ignores cloud constraints entirely and provides no information about CSP-managed controls.

Reference:
CMMC Scoping Guidance – Cloud and Hybrid Environment Considerations. FedRAMP Shared Responsibility Model. CMMC Assessment Guide – External Service Provider (ESP) requirements. NIST SP 800-171 Appendix G (External Service Providers).

The OSC’s network consists of a single unmanaged switch that connects all devices, including OT equipment which cannot run a vendor-supported operating system. The OSC correctly scoped the OT equipment as a Specialized Asset, listed it in their inventory and SSP, and provided a network diagram showing plans to isolate the OT and apply additional security measures. What information does the Lead Assessor still require to ensure compliance?


A. Installation and configuration documentation for the OT to ensure it was correctly built


B. Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices


C. Wording in the SSP detailing how the OT is managed using the OSC’s risk-based security policies, procedures, and practices


D. Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices





D. Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices

Explanation:
For a Specialized Asset (OT equipment with unsupported OS), the OSC must provide evidence that planned mitigations (network isolation, additional security measures) are actually implemented, not just documented as plans. The Lead Assessor needs proof that isolation is completed before or during the assessment, plus evidence for all applicable CMMC practices that the OSC claims are met.

Correct Option:

D — Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices.
Plans and diagrams are insufficient. The OSC must demonstrate implementation. Network isolation must be completed (not just planned) by assessment end. Additionally, all other CMMC practices applicable to this Specialized Asset (e.g., access controls, audit, configuration management) require supporting evidence.

Incorrect Options:

A — Installation and configuration documentation for the OT to ensure it was correctly built.
Insufficient. While configuration documentation may be part of evidence, the critical missing element is proof that isolation and additional security measures are implemented. Installation docs alone do not verify network isolation or risk management execution.

B — Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices.
Incorrect. Wording (text in a document) is not evidence of implementation. The OSC already provided a plan. More descriptive wording does not prove execution. Assessors need objective evidence (configurations, logs, interviews), not additional narrative.

C — Wording in the SSP detailing how the OT is managed using the OSC’s risk-based security policies.
Incorrect. The SSP already documents plans. Additional wording does not close the gap between planning and implementation. Evidence of actual management (e.g., patching logs, access reviews, monitoring) is required, not more policy language.

Reference:
CMMC Scoping Guidance – Specialized Assets (OT, legacy systems). CMMC Assessment Guide – Evidence Requirements for Specialized Assets. NIST SP 800-171 Requirement 3.11.3 (Plan of action).

An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:

System inventory records showing additions/removals of machines,

Software inventory showing installations/removals, and

A system component installation plan with software needs and user specifications.

What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?


A. Documentation of the physical safeguards protecting the “gold” baseline images


B. Documentation of a formal baseline review integrated with a system development lifecycle


C. Documentation of any authorized deviations from the system baselines for end-user computers


D. Documentation of a formal chain of custody for new hardware on which baselines will be installed





C. Documentation of any authorized deviations from the system baselines for end-user computers

Explanation:
CM.L2-3.4.1 requires establishing and documenting system baselines (configurations, software, hardware). A complete baseline includes not only what is standard but also any authorized deviations from that standard for specific end-user computers (e.g., exceptions for engineering software, legacy app compatibility). Without documenting deviations, the OSC cannot demonstrate controlled baseline management.

Correct Option:

C — Documentation of any authorized deviations from the system baselines for end-user computers.
Deviations from the baseline must be documented, authorized, and reviewed. This ensures that non-standard configurations are not security gaps or compliance violations. The evidence provided (inventories, installation plan) shows baseline intent but lacks proof that exceptions are formally managed.

Incorrect Options:

A — Documentation of the physical safeguards protecting the “gold” baseline images.
Incorrect. Physical protection of baseline images relates to media protection (MP.L2-3.8.3) or physical security (PE), not to CM.L2-3.4.1 itself. While good practice, it is not required for establishing system baselines. This option addresses a different practice.

B — Documentation of a formal baseline review integrated with a system development lifecycle.
Incorrect. Baseline review frequency and SDLC integration are not explicit requirements of CM.L2-3.4.1. The practice focuses on establishing and maintaining baselines, not necessarily tying them to a formal SDLC. This is an enhancement, not a mandatory documentation element.

D — Documentation of a formal chain of custody for new hardware on which baselines will be installed.
Incorrect. Chain of custody for hardware relates to asset management or physical security, not to baseline establishment. The baseline practice does not require tracking hardware provenance. This option describes a control not mandated by CM.L2-3.4.1.

Reference:
CMMC Level 2 Practice CM.L2-3.4.1 (Establish and document system baselines). NIST SP 800-171 Rev 2, Requirement 3.4.1. NIST SP 800-128 (Configuration Management – baseline deviations). CMMC Assessment Guide, CM domain.

An OSC has contracted a C3PAO to perform a Level 2 Assessment. As the Lead Assessor is analyzing the assessment requirements, it is found that the OSC does not have a document detailing the assessment scope. How can this problem BEST be fixed?


A. The Assessment Team is supposed to generate the document before moving forward.


B. The CCA tells the OSC they must provide the document before the assessment can begin.


C. The OSC and the Lead Assessor jointly create the document at the beginning of the assessment.


D. The Lead Assessor can regulate the assessment and create/adjust the document moving forward.






B. The CCA tells the OSC they must provide the document before the assessment can begin.

Explanation:
The OSC is responsible for defining and documenting the assessment scope based on CMMC scoping guidance (CUI flow, asset categorization, network boundaries). The assessor cannot generate this document for the OSC, as that would constitute consulting and create a conflict of interest. The OSC must provide it before the assessment can proceed.

Correct Option:

B — The CCA tells the OSC they must provide the document before the assessment can begin.
The OSC owns the scope definition. The CCA's role is to verify the accuracy of the OSC's scoping, not to create it. Without a documented scope from the OSC, the assessment cannot proceed because boundaries, assets, and applicable practices are undefined. The assessor instructs the OSC to produce this prerequisite document.

Incorrect Options:

A — The Assessment Team is supposed to generate the document before moving forward.
Incorrect. Assessors cannot generate scoping documents for the OSC. Doing so violates separation of duties and the prohibition against consulting. The OSC must define its own scope based on its systems, CUI flows, and asset inventory.

C — The OSC and the Lead Assessor jointly create the document at the beginning of the assessment.
Incorrect. Joint creation blurs responsibility and may bias the assessment. The OSC creates the scope document independently; the assessor reviews and validates it. Collaboration on creation is not permitted as it places the assessor in a consulting role.

D — The Lead Assessor can regulate the assessment and create/adjust the document moving forward.
Incorrect. The Lead Assessor does not regulate by creating OSC documentation. While the assessor may identify discrepancies in the OSC's scope, adjusting or creating the scope document for the OSC is prohibited. The OSC must correct and resubmit its own document.

Reference:
CMMC Assessment Guide – Scoping Document Ownership and OSC Responsibilities. CMMC CCA Code of Professional Conduct – Prohibition on Preparing OSC Documentation. CMMC Scoping Guidance v2.0.

A CCA is assessing the implementation of the Incident Reporting practice. To validate the control, what MUST the CCA ensure about the OSC?


A. Incidents are tracked and documented


B. Incident sources are configured and tuned


C. Law enforcement officials are automatically notified during an incident


D. Forensic investigations are performed to determine the impact of the incident





A. Incidents are tracked and documented

Explanation:
The Incident Reporting practice (IR.L2-3.6.2) requires organizations to track, document, and report incidents to designated officials (e.g., management, CISO, or appropriate external entities). The core validation is ensuring incidents are actually tracked and documented—not just reported verbally. Documentation provides auditable evidence of incident handling and reporting compliance.

Correct Option:

A — Incidents are tracked and documented
Tracking and documentation are fundamental to IR.L2-3.6.2. The CCA must verify that the OSC has a process to record incident details (date, time, description, impact, response actions, reporting status). Without documentation, there is no objective evidence that incidents are being properly reported or managed.

Incorrect Options:

B — Incident sources are configured and tuned
Incorrect. Configuring and tuning incident sources (e.g., SIEM, IDS alerts) relates to IR.L2-3.6.1 (incident detection capabilities) or SI.L2-3.14.6 (monitoring). This is not a requirement for the Incident Reporting practice (IR.L2-3.6.2). The question specifically asks about reporting, not detection.

C — Law enforcement officials are automatically notified during an incident
Incorrect. Automatic notification to law enforcement is not a CMMC requirement. Reporting to law enforcement may be required under specific legal obligations (e.g., data breach laws) but is not mandated by IR.L2-3.6.2. Reporting is typically to internal management or designated external points of contact (e.g., CISA for certain incidents).

D — Forensic investigations are performed to determine the impact of the incident
Incorrect. Forensic investigations are not always required for every incident and are not part of the Incident Reporting practice. Forensic analysis falls under IR.L2-3.6.4 (incident response testing) or advanced incident handling. The basic reporting practice does not mandate forensics.

Reference:
CMMC Level 2 Practice IR.L2-3.6.2 (Incident reporting). NIST SP 800-171 Rev 2, Requirement 3.6.2. NIST SP 800-61 (Incident Handling Guide – tracking and documentation). CMMC Assessment Guide, IR domain.

While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on-premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.

Are the data provided sufficient to determine that the OSC limits connection to external information systems?


A. No, the OSC stated most of its business is on-premises.


B. No, the OSC did not fully define the extent external connections are used.


C. Yes, the OSC confirmed that external connections occur.


D. Yes, the OSC confirmed that external connections occur for system backups.





B. No, the OSC did not fully define the extent external connections are used.

Explanation:
To determine if the OSC limits connections to external information systems (SC.L2-3.13.1), the assessor needs a complete and precise definition of all external connections—their purpose, frequency, data types, and security controls. The OSC provided vague statements ("sporadically," "isolated exceptions," "small amount of business") without fully defining the extent, which is insufficient.

Correct Option:

B — No, the OSC did not fully define the extent external connections are used.
The OSC's response lacks specificity. "Sporadic," "isolated exceptions," and "small amount" are not measurable or verifiable. The assessor cannot determine if external connections are properly limited without a complete inventory of cloud services, their business purposes, data flows (including CUI), and applicable security controls.

Incorrect Options:

A — No, the OSC stated most of its business is on-premises.
Incorrect. The fact that most business is on-premises does not address the insufficiency. The problem is undefined extent of external connections, not the proportion of on-premises versus cloud. An undefined small number of external connections still cannot be assessed for limitation controls.

C — Yes, the OSC confirmed that external connections occur.
Incorrect. Confirming that external connections exist does not satisfy the requirement to determine if they are limited. The practice requires assessment of controls that restrict and manage external connections. Simply knowing they occur provides no basis to evaluate limitation.

D — Yes, the OSC confirmed that external connections occur for system backups.
Incorrect. Even if backups are one purpose, the OSC admits "isolated exceptions" for other cloud use. These exceptions are undefined. The assessor cannot determine limitation without knowing all external connection types, including exceptions. Partial information is insufficient.

Reference:
CMMC Level 2 Practice SC.L2-3.13.1 (Limit connections to external information systems). NIST SP 800-171 Rev 2, Requirement 3.13.1. CMMC Assessment Guide – External Connection Scoping and Documentation Requirements.

The Lead Assessor is planning to conduct an assessment for an OSC. The Assessor has been given a preliminary asset inventory list by the OSC. How would the Lead Assessor determine if any assets are out-of-scope for the assessment?


A. All assets in an OSC’s inventory fall within the scope of the assessment and, as such, should be assessed against the CMMC practices.


B. None of the assets in an OSC’s inventory fall within the scope of the assessment and, as such, should not be assessed against the CMMC practices.


C. Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.


D. Out-of-Scope Assets can process, store, or transmit CUI because they do not need to be physically or logically separated.





C. Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.

Explanation:
For an asset to be considered out-of-scope, it must be unable to process, store, or transmit CUI—either because it is physically/logically separated from CUI assets (e.g., air-gapped network, separate VLAN with no routing) or inherently incapable (e.g., label printer with no persistent storage). The Lead Assessor verifies these conditions against the asset inventory.

Correct Option:

C — Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.
This correctly states the out-of-scope criteria. Physical/logical separation ensures no CUI flow. Inherent inability (e.g., device lacks storage or network connectivity) also qualifies. The assessor reviews network diagrams, configurations, and device capabilities to confirm these conditions for each claimed out-of-scope asset.

Incorrect Options:

A — All assets in an OSC’s inventory fall within the scope.
Incorrect. Not all assets are automatically in-scope. CMMC allows out-of-scope assets if they meet separation or inherent inability criteria. Claiming all assets are in-scope ignores legitimate scoping exclusions and would unnecessarily expand assessment scope.

B — None of the assets in an OSC’s inventory fall within the scope.
Incorrect. This is false. Assets that process, store, or transmit CUI (CUI Assets) are always in-scope. Security Protection Assets are also in-scope. Many or most assets in an inventory typically fall within scope for a CMMC assessment.

D — Out-of-Scope Assets can process, store, or transmit CUI because they do not need to be physically or logically separated.
Incorrect. This is the opposite of the correct definition. If an asset can process, store, or transmit CUI, it cannot be out-of-scope. Out-of-scope assets must be incapable of doing so. No exception exists for lack of separation.

Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Out-of-Scope Assets definition and criteria. CMMC Assessment Guide – Asset Categorization and Scope Determination.

A Lead Assessor is conducting an assessment for an OSC. The Lead Assessor is collecting evidence regarding the OSC’s network separation techniques. Which technique would be considered a logical separation technique and would fall within the scope of the assessment?


A. Data loss alerting configured at the edge of the network containing CUI assets


B. Access limitation based on badge access assigned to employees based on role


C. Role-based access control within a properly implemented identity and access management tool


D. A proxy-configured firewall that prevents data from flowing along the physical connection path





C. Role-based access control within a properly implemented identity and access management tool

Explanation:
Logical separation uses software or configuration controls to isolate network traffic or resources, not physical hardware separation. Role-Based Access Control (RBAC) within an Identity and Access Management (IAM) tool logically separates users and systems by enforcing permissions based on roles, ensuring CUI assets are accessed only by authorized subjects—a key logical separation technique.

Correct Option:

C — Role-based access control within a properly implemented identity and access management tool
RBAC logically separates access by assigning permissions to roles rather than individuals. Within an IAM tool, this enforces separation between CUI and non-CUI systems/users without physical network changes. This is a logical separation technique and falls within scope for practices like AC.L2-3.1.1 and SC.L2-3.13.13.

Incorrect Options:

A — Data loss alerting configured at the edge of the network containing CUI assets
Incorrect. Data loss alerting (DLP alerts) is a monitoring and detection technique, not a separation technique. It identifies potential data exfiltration but does not logically or physically separate networks or assets. This addresses SI.L2-3.14.6, not network separation.

B — Access limitation based on badge access assigned to employees based on role
Incorrect. Badge access is a physical access control (PE.L2-3.10.3, PE.L2-3.10.4), not a logical separation technique. It controls physical entry to rooms/buildings, not network-level or system-level separation. Physical controls are assessed separately and do not constitute logical network separation.

D — A proxy-configured firewall that prevents data from flowing along the physical connection path
Incorrect. While a proxy firewall can provide separation, the description focuses on preventing data flow along a physical path. This mixes physical and logical concepts. A correctly configured firewall for logical separation would enforce rules based on IP, port, or protocol—not primarily "physical connection path." This option is poorly defined and misrepresents logical separation.

Reference:
CMMC Level 2 Practice SC.L2-3.13.13 (Separate subnetworks). NIST SP 800-171 Requirement 3.13.13. CMMC Assessment Guide – Logical vs. Physical Separation. NIST SP 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

During an assessment, the Assessment Team has identified, according to the SSP and network diagram, that there is a mission system that cannot be altered but that has privileged accounts which should have MFA applied. As it is not possible to deploy a typical type of MFA on the mission system, which of the following constitutes a sufficient second factor?


A. VPN access to the mission system


B. User access logs on the mission system


C. Badge access to the mission system room


D. Remote access logs on the mission system





C. Badge access to the mission system room

Explanation:
When a legacy or mission-critical system cannot support software-based MFA (e.g., OTP tokens, smart cards), a physical second factor may suffice. Badge access to the room housing the mission system serves as "something you have" (the badge) combined with "something you know" (password), meeting MFA intent even if the system itself cannot enforce logical MFA.

Correct Option:

C — Badge access to the mission system room
Physical badge access (proximity card, smart badge) provides a second authentication factor (something you have) when the system cannot support logical MFA. The OSC must demonstrate that physical access to the system console or server room is required before privileged access is granted, compensating for the technical limitation.

Incorrect Options:

A — VPN access to the mission system
Incorrect. VPN access typically uses a password (something you know) plus potentially another factor. However, VPN alone is not a second factor applied to the mission system itself. VPN authenticates network access, not privileged access to the system. The system's own privileged accounts remain without MFA.

B — User access logs on the mission system
Incorrect. Access logs are audit records (AU domain), not an authentication factor. Logs record activity after the fact; they do not prevent unauthorized access at login. Logs cannot serve as "something you have," "something you are," or "somewhere you are."

D — Remote access logs on the mission system
Incorrect. Same issue as option B. Remote access logs document who accessed and when, but they are not an authentication mechanism. They provide no real-time second factor at login. Logs are evidence for review, not a compensating control for missing MFA.

Reference:
CMMC Level 2 Practice IA.L2-3.5.3 (Multifactor authentication) – allowable exceptions. NIST SP 800-171 Requirement 3.5.3. NIST SP 800-171B (Privileged user MFA). CMMC Assessment Guide – Compensating Controls for MFA on Legacy Systems.

A cloud-native OSC uses a vendor’s FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor’s locally installable applications. The OSC properly configured the vendor’s cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC’s SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use. How should the Certified Assessor score this practice?


A. NOT MET because logs from physical infrastructure are not captured by the SIEM.


B. NOT MET because locally installable applications from a cloud-native environment are not allowed.


C. MET because being cloud-native is a great way to contain risk to a vendor’s environment.


D. MET because the cloud SIEM is configured to monitor all of the vendor’s cloud environment.





D. MET because the cloud SIEM is configured to monitor all of the vendor’s cloud environment.

Explanation:
SI.L2-3.14.7 requires the OSC to identify unauthorized use of the system. The OSC has configured a cloud-based SIEM to monitor all aspects of the vendor's cloud environment where CUI resides. With the SSP defining authorized use and referencing identification procedures, the practice is MET—provided the SIEM covers the in-scope cloud assets and the vendor's FedRAMP MODERATE authorization is accepted.

Correct Option:

D — MET because the cloud SIEM is configured to monitor all of the vendor’s cloud environment.
The SIEM monitors the entire cloud environment used for CUI (identity, email, storage, office suite). This enables identification of unauthorized use. FedRAMP MODERATE provides an acceptable baseline for the underlying cloud infrastructure. The OSC's SSP documents the practice. Therefore, the practice is MET.

Incorrect Options:

A — NOT MET because logs from physical infrastructure are not captured by the SIEM.
Incorrect. Under FedRAMP MODERATE, physical infrastructure logs are the CSP's responsibility. The OSC inherits those controls. The OSC is not required to capture physical infrastructure logs directly. CMMC allows inheritance of CSP-managed controls for cloud environments.

B — NOT MET because locally installable applications from a cloud-native environment are not allowed.
Incorrect. There is no CMMC prohibition against locally installable applications from a cloud vendor. The assessment focuses on SIEM monitoring and identification of unauthorized use. Local applications are permitted if properly secured and scoped.

C — MET because being cloud-native is a great way to contain risk to a vendor’s environment.
Incorrect. This reasoning is flawed. Being cloud-native does not automatically make any practice MET. The scoring must be based on evidence (SIEM configuration, SSP documentation, authorized use definition), not generic advantages of cloud-native architecture.

Reference:
CMMC Level 2 Practice SI.L2-3.14.7 (Identify unauthorized use). FedRAMP MODERATE authorization recognition in CMMC. CMMC Assessment Guide – Inherited Controls from CSPs. NIST SP 800-171 Requirement 3.14.7.

An Assessor is evaluating controls put in place by an OSC to restrict the use of privileged accounts. The Assessor interviews privileged users and confirms that the OSC has both a policy and specific procedures governing the use of privileged accounts for security functions. What else could the Assessor evaluate to validate the assertions made by the interviewed OSC staff?


A. Examine the system architecture of the OSC to identify privileged accounts


B. Test the processes for non-privileged accounts to perform privileged functions


C. Examine the procedure assigning privileged roles to non-privileged functions


D. Test the processes for privileged accounts with privileged users





A. Examine the system architecture of the OSC to identify privileged accounts

Explanation:
To validate restrictions on privileged account use (AC.L2-3.1.6), the assessor has already interviewed users and reviewed policy/procedures. Next, the assessor should examine system architecture documentation (e.g., user role definitions, group memberships, permission assignments) to objectively verify which accounts exist, their privileges, and whether privileged accounts are appropriately limited.

Correct Option:

A — Examine the system architecture of the OSC to identify privileged accounts
Examining system architecture (AD/LDAP groups, sudoers, role definitions) provides objective evidence of privileged account existence and configuration. This complements interviews by confirming that only authorized privileged accounts exist and that non-privileged accounts cannot perform privileged functions. Architecture review is a standard Examine method.

Incorrect Options:

B — Test the processes for non-privileged accounts to perform privileged functions
Incorrect. Testing whether non-privileged accounts can perform privileged functions is a Test method that could disrupt operations or violate policy. More importantly, the assessor should first validate that privileged accounts are properly restricted before attempting negative testing. This option is logically premature.

C — Examine the procedure assigning privileged roles to non-privileged functions
Incorrect. Privileged roles should not be assigned to non-privileged functions. Examining such a procedure would be irrelevant because it contradicts least privilege. This option misstates the control objective. The assessor needs to examine privileged account assignments, not "non-privileged functions."

D — Test the processes for privileged accounts with privileged users
Incorrect. This is vague and likely redundant. The assessor already interviewed privileged users. Testing "processes for privileged accounts with privileged users" is unclear—does this mean re-authentication testing? Privileged command auditing? Without specificity, this is not a standard validation step and may duplicate interview findings.

Reference:
CMMC Level 2 Practice AC.L2-3.1.6 (Non-privileged account use). NIST SP 800-171 Requirement 3.1.6. CMMC Assessment Guide – Combining Interview and Examine methods. NIST SP 800-53 AC-6 (Least Privilege).

The Lead Assessor is conducting an assessment for an OSC. The Lead Assessor has finished collecting and examining evidence from the assessment.

Based on this information, what is the NEXT logical step?


A. Develop an assessment plan.


B. Deliver recommended assessment results.


C. Generate final recommended assessment results.


D. Determine and record initial practice scores.





D. Determine and record initial practice scores.

Explanation:
After collecting and examining evidence, the assessor's next logical step is to determine and record initial practice scores based on that evidence. Final scores come later after analysis, validation, and potential additional evidence collection. The assessment plan is developed before evidence collection. Final/delivered results occur at the end of the assessment.

Correct Option:

D — Determine and record initial practice scores.
Once evidence is collected and examined, the assessor must evaluate each practice against CMMC Level 2 requirements and assign an initial MET/NOT MET score. These initial scores are documented, subject to review, and may be adjusted as the assessment continues. This is the direct next step after evidence examination.

Incorrect Options:

A — Develop an assessment plan.
Incorrect. The assessment plan is created during the Planning Phase before any evidence collection begins. Developing a plan after collecting evidence is out of sequence. The plan guides what evidence to collect; it does not follow collection.

B — Deliver recommended assessment results.
Incorrect. Delivery of results occurs at the conclusion of the assessment, after scoring, quality review, and finalization. Doing this immediately after evidence collection skips critical steps (scoring, validation, reconciliation). This is premature.

C — Generate final recommended assessment results.
Incorrect. Final results are generated at the end of the assessment lifecycle, after initial scoring, potential re-examination, and quality assurance processes. The assessor cannot produce final results immediately after evidence collection without completing scoring and validation.

Reference:
CMMC Assessment Guide – Assessment Phases (Planning → Evidence Collection → Scoring → Final Reporting). CMMC CCA Handbook – Scoring Methodology and Workflow.



What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam question pool covering all topics, the real exam feels like just another practice session.