Free CMMC-CCA Practice Test Questions 2026

150 Questions


Last Updated On : 12-Jun-2026


CMMC Domains and Practices

An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?


A. Media protection


B. Physical protection


C. Configuration management


D. Identification and authentication policy

Answer: C. Configuration management

Explanation:
Managing a system baseline is Configuration Management (CM). A hardware and software list is an asset inventory; managing the baseline (tracking changes, maintaining approved configurations, documenting and approving deviations) falls under CM.L2-3.4.1 (establish and maintain baseline configurations and inventories), CM.L2-3.4.2 (establish and enforce security configuration settings) and CM.L2-3.4.3 (track, review, approve and log changes). Configuration management processes keep the baseline controlled and current; the inventory alone shows what exists, not that it is managed.

Correct Option:

C — Configuration management
Configuration management is the practice of establishing, maintaining, and controlling system baselines (hardware, software, firmware configurations). Having a hardware/software list is the starting point; configuration management processes (change control, version tracking, approval workflows) provide evidence that the baseline is actively managed, not just documented.

Incorrect Options:

A — Media protection
Incorrect. Media protection (MP domain) addresses sanitization, marking, storage, and transport of media containing CUI. It does not relate to managing system baselines. A hardware/software list is not evidence of media protection.

B — Physical protection
Incorrect. Physical protection (PE domain) covers physical access controls, visitor escorting, and facility security. Managing hardware/software baselines has no direct relationship to physical protection, except perhaps for physical security of asset storage—but that is not the "best" evidence for baseline management.

D — Identification and authentication policy
Incorrect. Identification and authentication (IA domain) deals with user and device identity verification, passwords, MFA, and replay resistance. While related to system access, it is not the primary evidence for managing system baselines. The question explicitly asks about managing the hardware/software baseline.

Reference:
CMMC Level 2 Practices CM.L2-3.4.1 (System baselining), CM.L2-3.4.2 (Security configuration enforcement) and CM.L2-3.4.3 (System change management). NIST SP 800-171 Requirements 3.4.1, 3.4.2 and 3.4.3. CMMC Assessment Guide – CM domain evidence examples.
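The distinction the explanation draws, an inventory versus a managed baseline, is what an assessor tests when asking the OSC to show how deviations from the approved baseline are detected. The following is an added example, not from the practice test or any CMMC publication: it compares each laptop's exported software inventory against an approved baseline and an exception register, and reports missing, wrong-version and unapproved packages. Host names, package names, versions and the exception entry are all constructed sample data.

```python
"""Baseline drift check: compare each laptop's installed-software inventory
against the approved configuration baseline and report deviations.

Added example, not from the practice test or any CMMC publication. Host
names, package names and versions below are constructed sample data.
"""
from dataclasses import dataclass, field

# Approved baseline: package -> exact approved version (constructed).
APPROVED_BASELINE = {
    "os-build": "22631.3737",
    "edr-agent": "4.2.1",
    "vpn-client": "7.0.3",
    "office-suite": "16.0.17628",
}

# Packages allowed on a host only under an approved, documented exception
# (constructed; in practice this is backed by an approved change ticket).
EXCEPTION_REGISTER = {
    "LT-ENG-07": {"cad-viewer"},
}


@dataclass
class Deviation:
    host: str
    package: str
    kind: str            # "missing", "version" or "unapproved"
    expected: str = ""
    observed: str = ""


@dataclass
class DriftReport:
    deviations: list = field(default_factory=list)

    def hosts_out_of_baseline(self):
        """Hosts with at least one deviation, sorted for stable reporting."""
        return sorted({d.host for d in self.deviations})


def check_host(host, inventory, baseline=APPROVED_BASELINE, exceptions=EXCEPTION_REGISTER):
    """Return the Deviation records for one host.

    inventory: dict package -> installed version, as exported from the
    asset inventory tool (constructed here).
    """
    deviations = []
    allowed_extra = exceptions.get(host, set())
    # Everything in the baseline must be present at the approved version.
    for pkg, approved in baseline.items():
        if pkg not in inventory:
            deviations.append(Deviation(host, pkg, "missing", expected=approved))
        elif inventory[pkg] != approved:
            deviations.append(Deviation(host, pkg, "version", expected=approved, observed=inventory[pkg]))
    # Anything not in the baseline needs a documented exception.
    for pkg, ver in inventory.items():
        if pkg not in baseline and pkg not in allowed_extra:
            deviations.append(Deviation(host, pkg, "unapproved", observed=ver))
    return deviations


def check_fleet(fleet):
    """Run check_host over every host in an inventory export."""
    report = DriftReport()
    for host, inventory in fleet.items():
        report.deviations.extend(check_host(host, inventory))
    return report


# Constructed inventory export for three hosts.
SAMPLE_FLEET = {
    "LT-FIN-01": {"os-build": "22631.3737", "edr-agent": "4.2.1",
                  "vpn-client": "7.0.3", "office-suite": "16.0.17628"},
    "LT-ENG-07": {"os-build": "22631.3737", "edr-agent": "4.2.1",
                  "vpn-client": "7.0.3", "office-suite": "16.0.17628",
                  "cad-viewer": "2.1"},
    "LT-OPS-12": {"os-build": "22621.1000", "vpn-client": "7.0.3",
                  "office-suite": "16.0.17628", "remote-tool": "9.9"},
}

if __name__ == "__main__":
    for d in check_fleet(SAMPLE_FLEET).deviations:
        print(f"{d.host}: {d.package} {d.kind} expected={d.expected!r} observed={d.observed!r}")
```

The exception register is what separates a documented deviation from drift: LT-ENG-07 carries an extra package but passes because the exception is recorded, while LT-OPS-12 fails on an old OS build, a missing EDR agent and an unapproved tool. Evidence of this kind of check running on a schedule, with the resulting deviations worked through change control, is what supports CM.L2-3.4.1 and 3.4.3 beyond the inventory list itself.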

In order to perform an interview, the Lead Assessor MUST ensure interview questions are:


A. Yes/no questions


B. Asked by any member of the OSC’s team


C. Asked to those who implement, perform, or support the practices


D. Asked with multiple people simultaneously to limit the number of interviews needed

Answer: C. Asked to those who implement, perform, or support the practices

Explanation:
For an interview to produce usable evidence, the assessor must question the personnel who actually implement, perform, or support the practices being assessed, because they have firsthand operational knowledge. Interviewing only staff with no direct involvement in the practice yields secondhand accounts that cannot corroborate implementation. The interview method in the CMMC Assessment Guide, following NIST SP 800-171A, directs assessors to interview individuals or groups with responsibility for the practice.

Correct Option:

C — Asked to those who implement, perform, or support the practices
This is the core requirement for interview validity. The assessor must identify and question the personnel who execute or support the security practice daily (e.g., system administrators, incident responders, access control managers). Their responses provide accurate evidence of implementation, unlike secondhand or managerial accounts.

Incorrect Options:

A — Yes/no questions
Incorrect. Interview questions are not restricted to a yes/no format. Open-ended questions (e.g., "Walk me through how you handle incident reporting") often yield richer evidence. The assessor uses professional judgment to structure questions appropriately; a yes/no-only rule is an artificial restriction.

B — Asked by any member of the OSC’s team
Incorrect. The OSC team does not ask interview questions. The assessor asks questions; OSC personnel provide answers. This option appears to confuse roles. The assessor controls the interview process, not the OSC.

D — Asked with multiple people simultaneously to limit the number of interviews needed
Incorrect. Group interviews may be convenient but are not a requirement, and they can be problematic (witness contamination, reluctance to speak candidly). The CMMC Assessment Guide does not mandate simultaneous interviews. Individual interviews are often preferred for accuracy and candor.

Reference:
CMMC Assessment Guide (CAG) – Interview Method: Subject Selection Criteria. CMMC CCA Handbook – Conducting Effective Interviews. NIST SP 800-171A (Assessment Procedures) – Interview objectives.

A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor’s documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in scope in the documentation?


A. If the assessor sees personnel carrying locked cases into the other building or area


B. If the OSC has an underground passageway connecting the CUI building to a non-CUI building


C. If network diagrams indicate the commercial and federal sectors share a single Internet connection


D. If Human Resources that supports both commercial and federal sectors sits in the other building or area

Answer: C. If network diagrams indicate the commercial and federal sectors share a single Internet connection

Explanation:
If the CUI and non-CUI networks share a single Internet connection, the network boundary and associated security controls (firewalls, routers, intrusion detection) exist in a shared infrastructure component. That component resides in or affects the non-CUI building/area, making it potentially in-scope. The assessor must verify that isolation is truly maintained at the shared gateway.

Correct Option:

C — If network diagrams indicate the commercial and federal sectors share a single Internet connection
A shared Internet connection means CUI traffic and non-CUI traffic pass through common perimeter devices (e.g., same firewall, router, ISP link). Those devices and their configurations are security protection assets (SPAs) and must be assessed. The assessor may need access to the building housing those devices, even if not originally scoped.

Incorrect Options:

A — If the assessor sees personnel carrying locked cases into the other building
Incorrect. Locked cases alone do not indicate CUI flow or security control presence. Personnel could be transporting non-CUI materials or personal items. Without evidence that CUI is involved or that security controls reside in that building, this does not justify expanding assessment scope.

B — If the OSC has an underground passageway connecting the CUI building to a non-CUI building
Incorrect. A physical passageway does not automatically create a logical network connection or CUI flow. If the passageway is physically secured (locked doors, guards, access control), CUI may still be isolated. The assessor should ask about security of the passageway but not automatically request access to the other building.

D — If Human Resources that supports both commercial and federal sectors sits in the other building
Incorrect. HR supporting both sectors does not imply CUI access or processing. HR personnel may handle personnel data but not necessarily CUI. Unless HR systems actually process, store, or transmit CUI, or provide security protections for CUI, this alone does not justify expanding scope.

Reference:
CMMC Level 2 Scoping Guide – Security Protection Assets and shared infrastructure. CMMC Assessment Guide – Determining scope from data flow and shared services. NIST SP 800-171 Requirement 3.13.1 (Monitor, control, and protect communications at external and key internal boundaries) and 3.13.5 (Implement subnetworks for publicly accessible components, separated from internal networks).

ESPs are exceptionally common today, given that many organizations are turning to secure cloud offerings to establish and maintain compliance. Integral to these relationships is a responsibility matrix, which defines who is responsible for specific items such as security. This can be a very complex assortment of taskings associated with federal compliance, but what is the MOST important thing to remember?


A. The ESP is technically not part of the DIB and has no responsibility to be CMMC compliant in its own right.


B. The CMMC Assessment Team will factor in any documentation provided by the ESP when evaluating the OSC for compliance.


C. The relationship of an OSC with an ESP is a partnership and the CMMC Assessment will evaluate the ESP at the same time as the OSC.


D. Only the OSC is being assessed for compliance, and while the ESP may have a lot of responsibilities in the matrix, the OSC is ultimately responsible for meeting the requirements as specified by government mandates.

Answer: D. Only the OSC is being assessed for compliance, and while the ESP may have a lot of responsibilities in the matrix, the OSC is ultimately responsible for meeting the requirements as specified by government mandates.

Explanation:
While responsibility matrices allocate security tasks between OSC and ESP, the OSC retains ultimate responsibility for meeting CMMC requirements. If the ESP fails to implement a control, the OSC is still accountable to the government. This is the most important principle in ESP relationships—outsourcing does not transfer compliance liability away from the OSC.

Correct Option:

D — Only the OSC is being assessed for compliance, and while the ESP may have a lot of responsibilities in the matrix, the OSC is ultimately responsible for meeting the requirements as specified by government mandates.
This is correct. The CMMC assessment evaluates the OSC's compliance posture. The OSC cannot delegate away its legal and contractual obligations. If an ESP fails to perform, the OSC is non-compliant. The OSC must ensure ESPs meet required controls through contracts, monitoring, and evidence collection.

Incorrect Options:

A — The ESP is technically not part of the DIB and has no responsibility to be CMMC compliant in its own right.
Incorrect. Some ESPs are part of the Defense Industrial Base (DIB) and may require their own CMMC certification depending on their handling of CUI. Stating they have "no responsibility" is false. Even if not certified, they still have security obligations under the OSC's contract.

B — The CMMC Assessment Team will factor in any documentation provided by the ESP when evaluating the OSC for compliance.
Incorrect. While documentation is considered, this is not the "most important" thing to remember. The team also requires evidence that controls are actually implemented, not just documentation. Importance lies with OSC accountability, not documentation consideration.

C — The relationship of an OSC with an ESP is a partnership and the CMMC Assessment will evaluate the ESP at the same time as the OSC.
Incorrect. The assessment certifies the OSC, not the ESP. ESP services that fall inside the OSC's assessment boundary are evaluated as part of the OSC's assessment, through the responsibility matrix and evidence the OSC supplies (e.g., a FedRAMP authorization for a cloud service provider, SOC reports, the ESP's own CMMC certificate where it has one), but the ESP does not receive a certification from the OSC's assessment and the two are not assessed as a joint partnership.

Reference:
CMMC Level 2 Scoping Guide – External Service Provider (ESP) considerations. CMMC Assessment Guide – OSC responsibility for ESPs and shared responsibility matrices. DFARS 252.204-7012 (contractor responsibility and flow-down to subcontractors). NIST SP 800-171 Rev 2, Section 1.1 (Applicability to systems operated on behalf of the contractor).

A company receives data that they suspect is CUI, but it is not marked as such. What is an acceptable way for the company to handle unmarked potential CUI?


A. Treat all data as CUI even if not marked.


B. If data are not marked, then they are not CUI.


C. Have a procedure for deleting unlabeled data.


D. Have a procedure for proper handling of unlabeled data.

Answer: D. Have a procedure for proper handling of unlabeled data.

Explanation:
When data is suspected to be CUI but unmarked, the company must have a documented procedure to determine its proper handling. This aligns with MP.L2-3.8.4 (mark media with necessary CUI markings and distribution limitations) and the handling rules in 32 CFR Part 2002, which place the duty to protect CUI on the holder regardless of whether an upstream party marked it correctly. The procedure ensures unmarked suspected CUI is neither mishandled nor improperly discarded.

Correct Option:

D — Have a procedure for proper handling of unlabeled data.
A documented procedure addresses how to identify, verify, protect, and either mark or escalate unlabeled suspected CUI. This prevents unauthorized disclosure or destruction. The procedure should include contacting the data originator, checking contract requirements, and applying CUI protections until resolved.

Incorrect Options:

A — Treat all data as CUI even if not marked.
Incorrect. Treating all data as CUI is operationally impractical and unnecessary. It applies CUI controls to data that does not need them, expands the CUI boundary to the whole enterprise, and adds cost without reducing risk to actual CUI. The OSC must determine what is CUI based on contracts, markings, the CUI Registry categories, and reasonable suspicion, not a blanket assumption.

B — If data are not marked, then they are not CUI.
Incorrect. This is dangerous and non-compliant. CUI may be unmarked due to error, oversight, or transmission chain failures. The OSC is still responsible for protecting known or reasonably suspected CUI regardless of marking. Ignoring unmarked CUI risks data breach and compliance failure.

C — Have a procedure for deleting unlabeled data.
Incorrect. Deleting suspected CUI without proper verification could destroy evidence, violate records retention requirements, or cause loss of mission-critical information. The appropriate response is to protect and verify, not automatically delete. Deletion is an extreme measure, not a default procedure.

Reference:
CMMC Level 2 Practice MP.L2-3.8.4 (Media markings). NIST SP 800-171 Requirement 3.8.4. 32 CFR Part 2002 (CUI Program: marking, handling and safeguarding). CUI Registry (archives.gov/cui).

During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?


A. No, the escort is not allowed to sit down


B. No, the escort must always be in the same room


C. Yes, since the visitor can only use a single entry


D. Yes, so long as the visitor’s actions can still be viewed by the escort

Answer: D. Yes, so long as the visitor’s actions can still be viewed by the escort

Explanation:
PE.L2-3.10.3 requires escorting visitors and maintaining observation of their activities. The escort sitting outside a small room with only one entry is acceptable provided the escort maintains continuous, unobstructed visual observation of the visitor's actions. The policy does not mandate physical presence in the same room if observation remains effective.

Correct Option:

D — Yes, so long as the visitor’s actions can still be viewed by the escort
The core requirement is observation and control, not literal physical co-location. If the escort can clearly see the visitor's activities (e.g., through an open doorway, window, or continuous line of sight) and can intervene if necessary, the practice aligns with the escort policy. The single entry ensures no undetected exit.

Incorrect Options:

A — No, the escort is not allowed to sit down
Incorrect. The escort policy does not address whether the escort sits or stands. Sitting does not impair observation. This is an irrelevant detail and has no bearing on compliance with PE.L2-3.10.3. The position (sitting vs. standing) does not determine effectiveness.

B — No, the escort must always be in the same room
Incorrect. The policy does not explicitly require the escort to be in the same physical room. It requires escorting and observation. The scenario describes effective observation from outside a small room with one entry. Being in the same room is not mandatory if observation is maintained.

C — Yes, since the visitor can only use a single entry
Incomplete. While a single entry aids control, the determinative factor is whether the escort can observe the visitor's actions. The answer "yes" is correct only if observation is maintained. This option's reasoning is incomplete and could be misleading if observation is blocked.

Reference:
CMMC Level 2 Practice PE.L2-3.10.3 (Escort visitors). NIST SP 800-171 Requirement 3.10.3. CMMC Assessment Guide – Physical Protection domain – Escort interpretation for small or confined spaces.

An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC’s cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.

In order to assess physical controls, the CCA should:


A. Physically visit the colocation facility to determine the effectiveness of controls.


B. Evaluate the colocation facility security process as listed in the service agreement.


C. Physically visit the colocation facility to determine the effectiveness of controls and review the OSC’s process for maintaining access to the keys.


D. Evaluate the colocation facility security process as listed in the service agreement and review the OSC’s process for maintaining access to the keys.

Answer: C. Physically visit the colocation facility to determine the effectiveness of controls and review the OSC’s process for maintaining access to the keys.

Explanation:
To assess physical controls at a colocation facility housing CUI assets, the CCA must perform both activities: (1) physically visit the facility to observe and test keycard logging, sign-in/out, cage security, and (2) review the OSC's internal process for managing access to cage keys (issuance, tracking, revocation). A service agreement review alone is insufficient.

Correct Option:

C — Physically visit the colocation facility to determine the effectiveness of controls and review the OSC’s process for maintaining access to the keys.
This combines both required actions. The physical visit validates that controls are implemented, not just documented. Reviewing the OSC's key management process confirms that only authorized personnel have cage and cabinet access. Both are necessary for PE.L2-3.10.1 (limit physical access to authorized individuals) and PE.L2-3.10.5 (control and manage physical access devices such as keys and keycards).

Incorrect Options:

A — Physically visit the colocation facility to determine the effectiveness of controls.
Incomplete. Physical visit addresses colocation facility controls but ignores the OSC's own key management process. Keys accessible to OSC-authorized personnel require documented control (who has keys, how issued, how revoked). This must be reviewed separately.

B — Evaluate the colocation facility security process as listed in the service agreement.
Insufficient. Service agreements document intended controls but do not prove actual implementation. The CCA must verify controls in operation. Additionally, key management is the OSC's responsibility, not the colocation facility's, and is not found in the service agreement.

D — Evaluate the colocation facility security process as listed in the service agreement and review the OSC’s process for maintaining access to the keys.
Insufficient. Reviewing the service agreement (documentation) is not equivalent to a physical visit. The CCA must observe keycard systems, sign-in logs, cage locks, and physical conditions. Remote review of agreements cannot verify operational effectiveness.

Reference:
CMMC Level 2 Practices PE.L2-3.10.1 (Limit physical access) and PE.L2-3.10.5 (Manage physical access devices). NIST SP 800-171 Requirements 3.10.1, 3.10.5. CMMC Assessment Guide – Physical Protection domain – Assessing facilities operated by a third party.

The OSC has not implemented cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, citing the use of alternative physical safeguards.

Which of the following is NOT an alternative physical safeguard in this scenario?


A. Trusted couriers


B. Lockable casings


C. Physical access site monitoring


D. Tamper protection technologies

Answer: D. Tamper protection technologies

Explanation:
NIST SP 800-171 Requirement 3.13.8 and CMMC SC.L2-3.13.8 require cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless the CUI is otherwise protected by alternative physical safeguards, such as a protected distribution system. In this question, trusted couriers, locked transport cases, and physical access monitoring of the path are treated as the physical alternatives. Tamper protection technologies (e.g., tamper-evident seals) only detect that access occurred after the fact; they do not prevent disclosure while the CUI is in transit, so they are not a substitute for transmission encryption.

Correct Option:

D — Tamper protection technologies
Tamper protection (tamper-evident tape, anti-tamper switches) detects unauthorized physical access but does not prevent disclosure during transmission. The data is still exposed when transmitted without encryption. This is not an accepted alternative to cryptographic mechanisms for transmission according to NIST or CMMC guidance.

Incorrect Options:

A — Trusted couriers
Correct as an alternative physical safeguard. If a trusted courier physically transports media containing CUI under chain-of-custody controls, encryption may not be required for that transmission path. This mirrors the protection of media in transport required by MP.L2-3.8.5 (control access to media during transport) and is the kind of physical safeguard the requirement contemplates.

B — Lockable casings
Correct as an alternative physical safeguard. Locked hard cases, tamper-resistant containers, or lockable briefcases used during physical transport of media provide physical protection that can substitute for encryption, provided access is controlled.

C — Physical access site monitoring
Correct as an alternative physical safeguard. If transmission occurs within a physically monitored and controlled site (e.g., internal wired network with restricted building access), encryption may not be mandatory. Monitoring includes guards, cameras, and access logs.

Reference:
CMMC Level 2 Practice SC.L2-3.13.8 (Cryptographic protection for transmission). NIST SP 800-171 Rev 2, Requirement 3.13.8. NIST SP 800-171A (Assessment Procedures) – Alternative physical safeguards.

A Lead Assessor is preparing to conduct a Level 2 Assessment for an OSC. The assessor already determined the assessment scope and systems included. In addition, the assessor requests:

Results of the most recent OSC self-assessment or any pre-assessments by an RPO,

The System Security Plan (SSP), and

A list of all OSC staff who play a role in in-scope procedures.

Based on this information, which item would the assessor MOST LIKELY request when preparing to conduct a Level 2 Assessment?


A. A list of objectives


B. A manual for each system


C. A preliminary list of the anticipated evidence


D. A list of assets that are determined to be out-of-scope

Answer: C. A preliminary list of the anticipated evidence

Explanation:
After determining scope and reviewing key documents (SSP, self-assessment results, staff roles), the logical next preparation step is to identify the specific evidence needed to assess each practice. A preliminary list of anticipated evidence helps plan interviews, examinations, and tests, ensuring efficient use of assessment time and resources.

Correct Option:

C — A preliminary list of the anticipated evidence
The assessor uses the SSP and scope to map each CMMC practice to expected evidence (policies, procedures, logs, configurations, interview subjects). This list guides data collection, confirms OSC readiness, and prevents missing evidence. It is a standard deliverable in assessment planning.

Incorrect Options:

A — A list of objectives
Incorrect. Assessment objectives are defined by NIST SP 800-171A and reproduced in the CMMC Assessment Guide for each practice; they are not produced by the OSC. The assessor does not request a "list of objectives" from the OSC because the objectives are inherent to the assessment model and already known to the assessor.

B — A manual for each system
Incorrect. While system manuals may be useful for understanding specialized assets, they are not a standard or most likely request at this stage. Manuals are rarely required evidence for CMMC practices and are not listed in typical evidence request templates.

D — A list of assets that are determined to be out-of-scope
Incorrect. The assessor has already determined the assessment scope (including what is in-scope). Out-of-scope assets are not assessed. Requesting a list of out-of-scope assets is unnecessary at this preparation stage and may confuse scope boundaries.

Reference:
CMMC Assessment Guide – Planning Phase (Evidence Identification). CMMC CCA Handbook – Pre-Assessment Evidence Requests. CMMC Level 2 Assessment Preparation Guide.

An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:


A. Maintain a list of authorized personnel and assign them a building key.


B. Maintain security cameras to continuously monitor access to the building.


C. Install a badge system and require each individual to use their badge to gain entry to the building.


D. Install a keypad system and require the entry code to be changed when an individual leaves the company.

Answer: C. Install a badge system and require each individual to use their badge to gain entry to the building.

Explanation:
The OSC needs automatic unlocking, individual tracking, and access history. A badge system (proximity card, smart card) meets all three requirements: badges automatically unlock doors for authorized personnel, each badge uniquely identifies the individual, and logs provide access history. This satisfies PE.L2-3.10.5 (physical access control) and PE.L2-3.10.4 (access logs).

Correct Option:

C — Install a badge system and require each individual to use their badge to gain entry to the building.
Badge systems provide unique identifiers per user, automatic door unlocking, electronic logging of entry/exit times and identities, and easy revocation (deactivating lost/stolen badges). This fully addresses the OSC's requirements for automation, individual tracking, and historical access records.

Incorrect Options:

A — Maintain a list of authorized personnel and assign them a building key.
Incorrect. Keys provide no individual tracking (they can be copied or shared) and produce no access history. A key also cannot be revoked remotely or restricted by time or authorization status; whoever holds it can open the door. This fails all three stated requirements.

B — Maintain security cameras to continuously monitor access to the building.
Incorrect. Cameras record video but do not automatically unlock doors, do not individually identify personnel without manual review (and often cannot read badges/faces reliably), and do not produce structured access history easily queried. This does not meet the stated requirements.

D — Install a keypad system and require the entry code to be changed when an individual leaves the company.
Incorrect. Keypad codes are shared or known by multiple individuals, preventing individual tracking. Access history cannot distinguish who entered using the code. Changing codes upon departure is administratively burdensome and fails individual accountability.

Reference:
CMMC Level 2 Practice PE.L2-3.10.5 (Physical access control) and PE.L2-3.10.4 (Access logs). NIST SP 800-171 Requirements 3.10.4, 3.10.5. CMMC Assessment Guide – Physical Protection domain – Badge system requirements.

An assessor reviews the OSC’s data protection policy, which requires full disk encryption on company laptops. While interviewing employees, the assessor learns that employees sometimes access data while teleworking on laptops that do not have full disk encryption.

How should the assessor view the implementation of the OSC’s policy?


A. Acceptable because it requires full disk encryption of company laptops.


B. Insufficient because there are teleworking instances where the policy is not followed.


C. Acceptable as long as an equivalent technical safeguard is implemented for all teleworking scenarios.


D. Insufficient because full disk encryption is not required for laptops to comply with CMMC requirements.


Answer: B. Insufficient because there are teleworking instances where the policy is not followed.

Explanation:
A policy is not effectively implemented if personnel routinely deviate from it without detection or correction. The assessor learns that employees access data on teleworking laptops lacking full disk encryption, directly contradicting the policy. This indicates insufficient implementation: the control is not consistently applied. If those laptops hold CUI, AC.L2-3.1.19 (encrypt CUI on mobile devices and mobile computing platforms) and SC.L2-3.13.16 (protect the confidentiality of CUI at rest) are likely NOT MET.

Correct Option:

B — Insufficient because there are teleworking instances where the policy is not followed.
Implementation requires consistent application of controls across all covered scenarios. Documented exceptions are acceptable if risk-assessed and authorized, but the scenario indicates unauthorized non-compliance. The assessor must cite this as a gap—policy exists but enforcement/monitoring is insufficient.

Incorrect Options:

A — Acceptable because it requires full disk encryption of company laptops.
Incorrect. A policy document alone does not constitute acceptable implementation. Evidence of actual enforcement and compliance is required. Since employees violate the policy in practice, the implementation is insufficient regardless of the policy's wording.

C — Acceptable as long as an equivalent technical safeguard is implemented for all teleworking scenarios.
Incorrect. The scenario does not state that any equivalent safeguard exists. Even if it did, equivalent safeguards must be documented, authorized, and validated. The policy specifically requires full disk encryption; deviations would need formal exception handling, which is not described.

D — Insufficient because full disk encryption is not required for laptops to comply with CMMC requirements.
Incorrect. Full disk encryption is the usual way to meet AC.L2-3.1.19 (encryption of CUI on mobile devices and mobile computing platforms) and SC.L2-3.13.16 (CUI at rest), so the premise of this option is wrong. The insufficiency here is not that encryption is unnecessary; it is that the OSC's own policy is not being followed.

Reference:
CMMC Level 2 Practices AC.L2-3.1.19 (Encrypt CUI on mobile devices) and SC.L2-3.13.16 (Protect CUI at rest). NIST SP 800-171 Requirements 3.1.19 and 3.13.16. CMMC Assessment Guide – Assessing implementation versus documented policy. NIST SP 800-171A – Assessment objectives are met only when the practice is implemented, not merely documented.

When a new employee is issued a laptop, only the user’s credentials need to be set up. According to the IT department, the IT manager is the only person who can change laptop setup and user privileges. What documentation should be examined to determine if this is the case?


A. System audit logs


B. Inventory records


C. Acceptable use policy


D. Remote access procedures

Answer: A. System audit logs

Explanation:
To verify that only the IT manager can change laptop setup and user privileges, the assessor must examine system audit logs. Audit logs record who performed privileged actions (e.g., changes to configurations, user privilege escalations) and when. Logs provide objective evidence of whether unauthorized individuals have made changes, confirming or contradicting the IT department's claim.

Correct Option:

A — System audit logs
Audit logs (e.g., Windows Security event logs, syslog, change management logs) capture the identity of the account executing privileged actions. By reviewing events for account creation, privilege or group-membership changes and configuration changes on the laptops, the assessor can verify that only the IT manager performed these actions or detect exceptions. This is objective evidence under AU.L2-3.3.1 (create and retain audit logs) and AU.L2-3.3.2 (trace actions to individual users).

Incorrect Options:

B — Inventory records
Incorrect. Inventory records track asset existence, location, and assigned user but do not record who changed configurations or privileges. Inventory does not provide evidence of privileged action accountability.

C — Acceptable use policy
Incorrect. An acceptable use policy (AUP) documents rules for system usage but does not prove who actually performed configuration changes. Policy defines what should happen; audit logs show what did happen.

D — Remote access procedures
Incorrect. Remote access procedures document how remote connections are established and secured. They do not contain records of who changed laptop setups or user privileges. Procedures are prospective, not retrospective evidence.

Reference:
CMMC Level 2 Practices AU.L2-3.3.1 (System auditing) and AU.L2-3.3.2 (User accountability). NIST SP 800-171 Requirements 3.3.1, 3.3.2. CMMC Assessment Guide – Audit and Accountability domain – Using logs to verify privilege separation.
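The review the explanation describes can be done mechanically once the log export is in hand. The following is an added example, not from the practice test or any CMMC publication: it reads a JSON-lines export of Windows Security events, keeps the account-management event IDs that correspond to changing user setup and privileges, and reports every such change performed by an account other than the IT manager. The event IDs are the standard Windows Security log IDs; the account names, host names and log records are constructed.

```python
"""Verify the claim "only the IT manager changes laptop setup and user
privileges" against a Windows Security audit log export.

Added example, not from the practice test. The event IDs are standard
Windows Security log IDs; the accounts and records are constructed.
"""
import json

# Windows Security event IDs for account and group-membership changes.
PRIVILEGE_EVENTS = {
    4720: "user account created",
    4738: "user account changed",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
}

# The only account the IT department says may perform these actions (constructed).
AUTHORIZED_ADMINS = {"CORP\\it.manager"}


def parse_events(lines):
    """Parse a JSON-lines export of Security log events.

    Malformed lines are skipped rather than aborting the review, so one
    broken record cannot hide the rest of the evidence.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_unauthorized_changes(events, authorized=AUTHORIZED_ADMINS):
    """Return privilege-change events whose acting account is not authorized.

    SubjectDomainName/SubjectUserName identify the account that performed
    the action. TargetUserName is the account that was created or changed
    (4720/4738) or the group that gained a member (4728/4732); MemberName
    is the account added to the group.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") not in PRIVILEGE_EVENTS:
            continue
        actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if actor not in authorized:
            findings.append({
                "time": ev.get("TimeCreated"),
                "host": ev.get("Computer"),
                "actor": actor,
                "event": PRIVILEGE_EVENTS[ev["EventID"]],
                "target": ev.get("TargetUserName"),
                "member": ev.get("MemberName"),
            })
    return findings


# Constructed log export: two changes by the IT manager, one local-group
# change by a helpdesk account, an unrelated logon event (4624) and a
# malformed line.
SAMPLE_LOG = """
{"TimeCreated": "2026-05-02T09:14:03Z", "Computer": "LT-FIN-01", "EventID": 4720, "SubjectDomainName": "CORP", "SubjectUserName": "it.manager", "TargetUserName": "j.doe"}
{"TimeCreated": "2026-05-02T09:14:05Z", "Computer": "LT-FIN-01", "EventID": 4732, "SubjectDomainName": "CORP", "SubjectUserName": "it.manager", "TargetUserName": "Users", "MemberName": "j.doe"}
{"TimeCreated": "2026-05-03T17:41:22Z", "Computer": "LT-OPS-12", "EventID": 4732, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk2", "TargetUserName": "Administrators", "MemberName": "r.smith"}
{"TimeCreated": "2026-05-03T17:42:10Z", "Computer": "LT-OPS-12", "EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk2", "TargetUserName": "r.smith"}
not a json line
"""

if __name__ == "__main__":
    for f in find_unauthorized_changes(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{f['time']} {f['host']}: {f['actor']} performed '{f['event']}' "
              f"on {f['target']} (member {f['member']})")
```

The key detail for an assessor is the field that identifies the actor: the Subject fields, not the Target fields, say who made the change. A helpdesk account adding a user to the local Administrators group, as in the constructed LT-OPS-12 record, contradicts the IT department's statement and would be raised in the assessment; the logon event and the malformed line are ignored, which is why the check must be limited to account-management event IDs rather than everything a given account did.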


What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before Certified CMMC Assessor (CCA) Exam exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam questions pool covering all topics, the real exam feels like just another practice session.