Free CMMC-CCA Practice Test Questions 2026

150 Questions


Last Updated On : 12-Jun-2026


CMMC Domains and Practices

An OSC has two business locations. At each location, the OSC has a wireless guest network to which non- OSC employees are allowed access. The guest network is not password protected and it connects devices within the local OSC’s LAN. Based on this information, does the OSC meet the requirements of Level 2 for network access restriction?


A. No, the OSC needs to go through an additional assessment.


B. No, the OSC has not met the network access restriction requirements.


C. Yes, there are no network access restriction requirements.


D. Yes, the OSC has met the network access restriction requirements.





B.
  No, the OSC has not met the network access restriction requirements.

Explanation:
The OSC has an open (no password), unauthenticated guest network that terminates on the same LAN as the CUI assets. That fails several CMMC Level 2 practices: AC.L2-3.1.16 (authorize wireless access before allowing connections), AC.L2-3.1.17 (protect wireless access using authentication and encryption), SC.L2-3.13.1 (monitor, control, and protect communications at external and key internal boundaries), and SC.L2-3.13.5 (implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks). An open guest SSID is not itself prohibited; the failure is that it provides an unauthenticated path into the network that carries CUI. Therefore, the OSC has NOT met the network access restriction requirements.

Correct Option:

B — No, the OSC has not met the network access restriction requirements.
An open guest network connected to the CUI LAN allows unauthorized, unauthenticated, unmonitored access to the internal network. This fails fundamental access restrictions. The OSC must isolate guest networks from CUI assets (e.g., a separate VLAN with a firewall rule that denies guest-to-CUI traffic, or separate physical infrastructure) and, if the guest network can reach organizational systems at all, require authentication and encryption on it. An assessor confirms this by examining the switch and firewall configuration and, where possible, testing that a guest client cannot reach a CUI subnet.

Incorrect Options:

A — No, the OSC needs to go through an additional assessment.
Incorrect. The issue is not a need for "additional assessment." The OSC has a clear compliance failure. Additional assessment does not fix the technical control gap. The statement misdirects from the actual finding.

C — Yes, there are no network access restriction requirements.
Incorrect. CMMC Level 2 includes numerous network access restriction requirements (AC and SC domains). This claim is factually false. The OSC cannot claim exemption from these requirements.

D — Yes, the OSC has met the network access restriction requirements.
Incorrect. The described configuration is a textbook violation. Open guest networks with LAN connectivity expose CUI assets to unauthorized access, man-in-the-middle attacks, and network reconnaissance. This does not meet requirements.

Reference:
CMMC Level 2 Practices AC.L2-3.1.16, AC.L2-3.1.17, SC.L2-3.13.1, SC.L2-3.13.5. NIST SP 800-171 Requirements 3.1.16, 3.1.17, 3.13.1, 3.13.5. CMMC Level 2 Assessment Guide – AC and SC domain practices.
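The isolation check an assessor would want to see, written as an added example for this question rather than anything from the practice test or the CMMC guides. It treats the site's firewall as a simplified first-match access list and reports AC.L2-3.1.17 and SC.L2-3.13.5 findings only for SSIDs that can actually reach the CUI VLAN; the SSIDs, VLAN numbers, subnets and rules are constructed, and the rule format is not any vendor's syntax.

```python
"""Added example (not from the practice test): evaluate guest wireless
isolation against AC.L2-3.1.17 and SC.L2-3.13.5. All SSIDs, VLANs,
subnets and firewall rules below are constructed for illustration."""

import ipaddress
from dataclasses import dataclass

CUI_VLAN = 10                                              # constructed: VLAN carrying CUI assets
VLAN_SUBNETS = {10: "10.10.0.0/24", 40: "10.40.0.0/24"}    # constructed


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR


def first_match(rules, src_ip, dst_ip, default="deny"):
    """Return the action of the first rule matching the flow, else the default.
    Order matters: a broad permit placed above a specific deny makes that deny dead."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return default


def reaches_cui(ssid, vlan_subnets, rules, cui_vlan, default="deny"):
    """An SSID on the CUI VLAN shares its broadcast domain, so no firewall is in
    the path; otherwise probe one host in each subnet through the rules."""
    if ssid["vlan"] == cui_vlan:
        return True
    src = str(next(ipaddress.ip_network(vlan_subnets[ssid["vlan"]]).hosts()))
    dst = str(next(ipaddress.ip_network(vlan_subnets[cui_vlan]).hosts()))
    return first_match(rules, src, dst, default) == "permit"


def assess_wireless(ssids, vlan_subnets, rules, cui_vlan=CUI_VLAN, default="deny"):
    """Return findings as strings. An SSID that cannot reach the CUI VLAN is
    outside the CUI environment and gets no finding, even if it is open."""
    findings = []
    for s in ssids:
        if not reaches_cui(s, vlan_subnets, rules, cui_vlan, default):
            continue
        if s["auth"] == "open":
            findings.append(f"AC.L2-3.1.17: SSID {s['ssid']} reaches CUI VLAN "
                            f"{cui_vlan} without authentication or encryption")
        if s["guest"]:
            findings.append(f"SC.L2-3.13.5: guest SSID {s['ssid']} is not separated "
                            f"from CUI VLAN {cui_vlan}")
    return findings


# Scenario 1 (constructed): the question as written, guest SSID on the CUI LAN.
AS_DESCRIBED = [
    {"ssid": "OSC-Corp",  "auth": "wpa2-enterprise", "vlan": 10, "guest": False},
    {"ssid": "OSC-Guest", "auth": "open",            "vlan": 10, "guest": True},
]

# Scenario 2 (constructed): guest SSID moved to VLAN 40 with a deny rule
# placed ahead of the internet permit.
CORRECTED = [
    {"ssid": "OSC-Corp",  "auth": "wpa2-enterprise", "vlan": 10, "guest": False},
    {"ssid": "OSC-Guest", "auth": "open",            "vlan": 40, "guest": True},
]
ISOLATION_RULES = [
    Rule("deny",   "10.40.0.0/24", "10.10.0.0/24"),   # guest -> CUI blocked
    Rule("permit", "10.40.0.0/24", "0.0.0.0/0"),      # guest -> internet
]

if __name__ == "__main__":
    print("as described:", assess_wireless(AS_DESCRIBED, VLAN_SUBNETS, []))
    print("corrected:   ", assess_wireless(CORRECTED, VLAN_SUBNETS, ISOLATION_RULES))
    # Same two rules in the wrong order: the permit shadows the deny.
    print("misordered:  ", assess_wireless(CORRECTED, VLAN_SUBNETS, ISOLATION_RULES[::-1]))
```

The corrected scenario passes only because the deny precedes the permit; reversing the two rules reproduces the original finding, which is why an assessor examines rule order and tests from a guest client rather than accepting a VLAN diagram as proof of separation.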

A CCA is assessing the concept of least functionality in accordance with CM.L2-3.4.6: Least Functionality.

Which method is the LEAST LIKELY to be useful as an assessment technique?


A. Interview personnel with information security responsibilities.


B. Interview personnel with application development responsibilities.


C. Interview personnel who wrote the configuration management policy.


D. Interview personnel with security configuration management responsibilities.





C.
  Interview personnel who wrote the configuration management policy.

Explanation:
CM.L2-3.4.6 (least functionality) requires configuring systems to provide only essential capabilities and disabling non-essential functions. Personnel who wrote the configuration management policy typically have theoretical/documentation knowledge but rarely know actual system configurations or which functions are enabled/disabled. They are the least likely to provide useful operational evidence for least functionality.

Correct Option:

C — Interview personnel who wrote the configuration management policy.
Policy authors know intent and requirements but usually lack hands-on knowledge of system configurations, registry settings, enabled protocols, or disabled services. Their testimony provides policy-level information, not implementation evidence. For least functionality, assessors need operational staff (system administrators, security engineers).

Incorrect Options:

A — Interview personnel with information security responsibilities.
Likely useful. Information security personnel (e.g., security analysts, ISSOs) typically implement or oversee least functionality configuration, including whitelisting, disabling unnecessary ports/protocols, and maintaining secure baselines. Their interviews yield relevant operational evidence.

B — Interview personnel with application development responsibilities.
Likely useful. Developers can confirm which application features are essential versus non-essential, provide input on disabled functionality, and demonstrate that development environments follow least functionality principles. Their perspective is valuable.

D — Interview personnel with security configuration management responsibilities.
Highly useful. Security configuration managers directly implement, monitor, and maintain least functionality controls—e.g., removing unnecessary software, disabling services, applying secure configuration guides (CIS, STIGs). They are primary sources for this practice.

Reference:
CMMC Level 2 Practice CM.L2-3.4.6 (Least Functionality). NIST SP 800-171 Requirement 3.4.6. CMMC Assessment Guide – Selecting interview subjects based on control ownership. NIST SP 800-171A – Assessment objectives for 3.4.6 and the examine, interview, and test methods.
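What "implementation evidence" for CM.L2-3.4.6 looks like in practice, as an added example that is not part of the practice test: the enabled-service and listening-socket captures an administrator produces under the test method, compared against the OSC's approved baseline. The baseline and both captures are constructed; the socket lines copy the column layout of `ss -tlnp` but are not real output.

```python
"""Added example (not from the practice test): compare captured system state
against an approved least-functionality baseline (CM.L2-3.4.6). The baseline,
service list and socket capture are all constructed."""

# Constructed: the OSC's documented baseline for a CUI file server.
BASELINE_SERVICES = {"sshd", "smbd", "auditd", "chronyd", "rsyslog"}
BASELINE_PORTS = {22, 445}

# Constructed: an admin's capture in the shape of
# `systemctl list-unit-files --state=enabled` (header line first).
CAPTURED_SERVICES = """\
UNIT FILE        STATE   PRESET
auditd.service   enabled enabled
chronyd.service  enabled enabled
cups.service     enabled enabled
rsyslog.service  enabled enabled
smbd.service     enabled enabled
sshd.service     enabled enabled
telnet.socket    enabled enabled
"""

# Constructed: an admin's capture in the shape of `ss -tlnp` (header line first).
CAPTURED_SOCKETS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     0.0.0.0:445       0.0.0.0:*         users:(("smbd",pid=901,fd=38))
LISTEN 0      128    0.0.0.0:631       0.0.0.0:*         users:(("cupsd",pid=950,fd=7))
LISTEN 0      128    [::]:23           [::]:*            users:(("systemd",pid=1,fd=40))
"""


def parse_enabled_units(text):
    """Set of enabled unit names with the .service/.socket suffix removed."""
    units = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            units.add(parts[0].rsplit(".", 1)[0])
    return units


def parse_listening_ports(text):
    """Set of TCP ports in LISTEN state; handles both 0.0.0.0:22 and [::]:23."""
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.startswith("LISTEN"):
            continue
        local = line.split()[3]
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def least_functionality_gaps(enabled, listening, baseline_services, baseline_ports):
    """Deviations between captured state and the approved baseline.
    Extra services/ports are 3.4.6 findings; a missing baseline service is
    configuration drift that the assessor follows up under the relevant domain."""
    return {
        "unapproved_services": sorted(enabled - baseline_services),
        "unapproved_ports": sorted(listening - baseline_ports),
        "baseline_not_enabled": sorted(baseline_services - enabled),
    }


if __name__ == "__main__":
    gaps = least_functionality_gaps(parse_enabled_units(CAPTURED_SERVICES),
                                    parse_listening_ports(CAPTURED_SOCKETS),
                                    BASELINE_SERVICES, BASELINE_PORTS)
    for key, items in gaps.items():
        print(f"{key}: {items}")
```

The interesting part for an interview is who can explain the result: the security configuration manager can say why cups and telnet are enabled on a CUI server (or confirm they should not be), the policy author usually cannot, which is the point of the question.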

During an assessment interview, the interviewee states that anyone can connect to the company Wi-Fi without prior approval. Within which domains is the Wi-Fi configuration covered?


A. Media Protection (MP), Access Control (AC), and Physical Protection (PE)


B. Identification and Authentication (IA), Media Protection (MP), and System and Information Integrity (SI)


C. Access Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC)


D. System and Communications Protection (SC), System and Information Integrity (SI), and Physical Protection (PE)





C.
  Access Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC)

Explanation:
Wi-Fi configuration without prior approval impacts three domains: AC (access control – who can connect), IA (identification and authentication – no credential check), and SC (system and communications protection – wireless security, encryption, and boundary protection). The other domains (MP, SI, PE) are not the primary domains for Wi-Fi approval controls.

Correct Option:

C — Access Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC)
AC.L2-3.1.16 requires wireless access to be authorized before connections are allowed, and AC.L2-3.1.17 requires wireless access to be protected with authentication and encryption. IA.L2-3.5.1 and IA.L2-3.5.2 require users and devices to be identified and authenticated before access is granted. SC.L2-3.13.1 protects the network boundary and SC.L2-3.13.5 separates publicly accessible components from internal networks. All three domains are directly relevant to an unapproved Wi-Fi connection. MP, SI, and PE address media, system integrity, and physical security, not wireless access.

Incorrect Options:

A — Media Protection (MP), Access Control (AC), and Physical Protection (PE)
Incorrect. MP addresses removable media, not Wi-Fi. PE addresses physical barriers (locks, guards), not wireless. Only AC is relevant. IA and SC are missing but critical for Wi-Fi.

B — Identification and Authentication (IA), Media Protection (MP), and System and Information Integrity (SI)
Incorrect. IA is relevant, but MP and SI are not primary for Wi-Fi approval. SI deals with flaw remediation and malicious code. MP deals with media sanitization. AC and SC are missing.

D — System and Communications Protection (SC), System and Information Integrity (SI), and Physical Protection (PE)
Incorrect. SC is relevant, but SI and PE are not primary. SI does not govern Wi-Fi approval. PE does not address wireless connectivity. AC and IA are missing but essential.

Reference:
CMMC Level 2 Domains: AC (Access Control), IA (Identification and Authentication), SC (System and Communications Protection). NIST SP 800-171 Requirements 3.1.16, 3.1.17, 3.5.1, 3.5.2, 3.13.1, 3.13.5. CMMC Assessment Guide – AC, IA, and SC domain practices.

The Lead Assessor is ready to complete planning by developing the assessment schedule. The Lead Assessor and the OSC Assessment Official discuss the Assessment Team members.

What MUST be submitted to the Cyber-AB before the assessment?


A. Individual travel plans


B. Non-disclosure agreements


C. Verified NIST SP 800-171 assessor qualifications


D. Absence of Conflict of Interest and Confirmation Statement





D.
  Absence of Conflict of Interest and Confirmation Statement

Explanation:
Before a CMMC assessment begins, the Lead Assessor must submit Absence of Conflict of Interest (ACI) and Confirmation Statement to the Cyber-AB for each assessment team member. This ensures impartiality and compliance with CMMC ethics rules. NDAs, travel plans, and general qualifications are handled separately and not required to be submitted to the Cyber-AB pre-assessment.

Correct Option:

D — Absence of Conflict of Interest and Confirmation Statement
The Cyber-AB requires formal ACI documentation for each assessor on every assessment. This statement confirms no financial, personal, or organizational conflicts exist. It must be submitted before assessment start as part of assessment registration and compliance with CMMC Code of Professional Conduct.

Incorrect Options:

A — Individual travel plans
Incorrect. Travel plans are logistical arrangements between the OSC and the C3PAO. The Cyber-AB does not require submission of travel plans. This is operational, not compliance-related.

B — Non-disclosure agreements
Incorrect. NDAs are signed between the OSC and the C3PAO/assessors. They protect OSC proprietary information. The Cyber-AB does not collect or require submission of NDAs. This is a private contractual matter.

C — Verified NIST SP 800-171 assessor qualifications
Incorrect. Assessor qualifications (certifications, training) are verified when the assessor becomes CCA-certified and maintained in the Cyber-AB system. They are not re-submitted for each assessment. The pre-assessment submission requirement is ACI, not qualification re-verification.

Reference:
CMMC Cyber-AB Assessment Process – Pre-Assessment Submission Requirements. CMMC CCA Code of Professional Conduct – Conflict of Interest. CMMC Assessment Guide – Assessor Ethics and Independence.

The Lead Assessor is compiling the assessment results, which must contain the status for each of the applicable practices. Some practices have been placed in the limited practice deficiency correction program. Multiple areas have been reviewed, including HQ, host units, and a specific enclave.

In order to properly report the findings, the Lead Assessor MUST:


A. Identify items that were moved to the POA&M.


B. Confirm the final findings are aggregated to the OSC level.


C. Record the agreements made with the OSC Assessment Official.


D. Ensure the report includes all of the evidence that has been collected.





B.
  Confirm the final findings are aggregated to the OSC level.

Explanation:
CMMC certification is granted at the OSC (organization) level, not per location or enclave. Even if multiple areas (HQ, host units, enclaves) were reviewed, the final assessment findings must be aggregated to the overall OSC level. This produces a single certification decision. Reporting deficiencies per area without aggregation does not meet CMMC reporting requirements.

Correct Option:

B — Confirm the final findings are aggregated to the OSC level.
The Lead Assessor must combine findings from all assessed assets, locations, and enclaves into a single OSC-level determination for each practice. If any instance of a practice fails across any assessed asset, the practice is NOT MET at the OSC level, unless the limited deficiency correction program applies per CMMC guidance.

Incorrect Options:

A — Identify items that were moved to the POA&M.
Incorrect. The limited practice deficiency correction program allows certain deficiencies to be corrected post-assessment, but the question asks what the Lead Assessor MUST do when compiling results. Aggregation (option B) is the mandatory step. POA&M identification is part of reporting but not the primary requirement described.



C — Record the agreements made with the OSC Assessment Official.
Incorrect. Agreements (e.g., schedules, evidence access) are documented during planning and conduct, not as part of compiling final assessment results. This is not a required element of the final results report.

D — Ensure the report includes all of the evidence that has been collected.
Incorrect. The assessment report includes findings and scores, not every raw artifact collected. Appending all evidence would be impractical and could expose OSC-confidential material. Evidence is retained by the C3PAO under its retention requirements but is not appended to the final report.

Reference:
CMMC Assessment Guide – Reporting Phase – Aggregation of Findings. CMMC Level 2 Assessment Scoping Guidance – OSC-Level Determination. CMMC Cyber-AB Scoring Guidelines – Practice Deficiency Correction Program.

Testing is one assessment method the Lead Assessor may choose depending on the assessment scope and evidence provided by the OSC. During the Plan Phase, the Lead Assessor and OSC POC agree on who the people are that are involved in a particular practice so that it could be tested if determined appropriate. During the discussion, the OSC POC tells the Lead Assessor that the production system is in use and cannot be stopped for the testing to take place but offers a mirrored system for testing. The Lead Assessor decides:


A. Only to test the processes conducted by the supporting groups


B. Only to test the Customer Matrices that are available


C. Not to perform testing as a mirrored system is not an acceptable substitute for the production system


D. To ask the OSC for evidence that a mirrored system is exactly the same as the production system to conduct testing





D.
  To ask the OSC for evidence that a mirrored system is exactly the same as the production system to conduct testing

Explanation:
Testing on a mirrored system is acceptable only if the assessor can verify that the mirrored system is identical to the production system in configuration, controls, and data flow. Without this evidence, testing on a mirrored system may produce invalid results. The Lead Assessor should request proof of equivalence before deciding whether to proceed with testing.

Correct Option:

D — To ask the OSC for evidence that a mirrored system is exactly the same as the production system to conduct testing
This is the correct professional approach. The assessor must validate that the mirrored system is an accurate representation of production for the controls being tested. Evidence may include configuration comparisons, synchronization logs, change management records, or architecture documentation. Only then can testing results be considered valid.

Incorrect Options:

A — Only to test the processes conducted by the supporting groups
Incorrect. Testing supporting group processes does not validate system-level controls (e.g., access control enforcement, audit logging). The assessor should not default to a limited approach without first exploring the mirrored system option properly.

B — Only to test the Customer Matrices that are available
Incorrect. "Customer Matrices" (likely responsibility matrices) are documents to be examined, not tested. Testing applies to systems, configurations, and live processes. This option confuses Examine with Test methods and is not responsive to the mirrored system question.

C — Not to perform testing as a mirrored system is not an acceptable substitute for the production system
Incorrect. A mirrored system can be an acceptable substitute if the OSC demonstrates it is equivalent to production for the controls being tested. Rejecting testing outright without asking for that evidence is premature and may forfeit the strongest form of implementation evidence available.

Reference:
CMMC Assessment Guide – Assessment Methods: Test. CMMC CCA Handbook – Testing on non-production environments. NIST SP 800-171A – Test method (exercising assessment objects under specified conditions to compare actual with expected behavior).

A company has four waterjet machines with very limited computing capabilities. The company loads CUI onto these machines for machining parts and uses CUI as necessary for machining.

Should these waterjet machines be part of the CMMC Assessment?


A. No, these waterjet machines are Out-of-Scope Assets and do not need to be assessed.


B. Yes, these waterjet machines are CUI Assets that must be assessed because they handle CUI.


C. Yes, these waterjet machines are Specialized Assets that are within the scope of a CMMC Assessment.


D. No, these waterjet machines are Contractor Risk Managed Assets and do not need to be assessed.





C.
  Yes, these waterjet machines are Specialized Assets that are within the scope of a CMMC Assessment.

Explanation:
The waterjet machines process CUI (it is loaded onto them for machining), so they cannot be out of scope. Their very limited computing capability means they cannot fully implement the Level 2 practices, which is exactly the case the CMMC scoping guidance covers with the Specialized Asset category (operational technology, IoT, restricted information systems, government-furnished equipment, test equipment). Specialized Assets are in scope: they must be listed in the asset inventory and the SSP and shown on the network diagram, and the OSC must show they are managed using its risk-based security policies, procedures, and practices, but they are not assessed against the other Level 2 practices.

Correct Option:

C — Yes, these waterjet machines are Specialized Assets that are within the scope of a CMMC Assessment.
Specialized Assets are the asset category for equipment that handles CUI but cannot be fully secured with typical CMMC practices. They are in scope, and the OSC must document them in the asset inventory, SSP, and network diagram and show that it manages them under its risk-based security policies and procedures; the assessor reviews that documentation rather than assessing the machines practice by practice. They are not automatically out of scope.

Incorrect Options:

A — No, these waterjet machines are Out-of-Scope Assets and do not need to be assessed.
Incorrect. Out-of-scope assets cannot process, store, or transmit CUI. These machines do process CUI (machining parts with CUI data), so they cannot be out-of-scope. This misclassification would leave a CUI-handling asset unassessed.

B — Yes, these waterjet machines are CUI Assets that must be assessed because they handle CUI.
Incorrect. They do handle CUI, but classifying them as CUI Assets would mean they must implement all applicable Level 2 practices, which a machine with very limited computing capability cannot do. The precise category is Specialized Asset, which keeps them in scope with documentation and risk-based management requirements rather than full practice-by-practice assessment.

D — No, these waterjet machines are Contractor Risk Managed Assets and do not need to be assessed.
Incorrect. Contractor Risk Managed Assets (CRMA) are assets that can, but are not intended to, process, store, or transmit CUI because of the contractor's policies, procedures, and practices. These machines have CUI deliberately loaded onto them for machining, so they cannot be CRMA. CRMA are also not simply ignored; they still have to be documented in the asset inventory and SSP.

Reference:
CMMC Level 2 Scoping Guidance – Specialized Assets (OT, IoT, restricted information systems, GFE, test equipment). CMMC Assessment Guide – Asset Categorization. NIST SP 800-82 (Guide to Operational Technology Security).

The OSC POC has prepared evidence from an internal pre-assessment for the C3PAO in preparation for a third-party assessment. The OSC POC has identified that there are several ESPs (External Service Providers) involved in protecting the security of the infrastructure. While reviewing the pre-assessment documentation regarding ESPs, the Lead Assessor will be looking for items that are:


A. Noted as inherited


B. Marked as requiring a waiver


C. Marked as NOT APPLICABLE


D. Noted as partially implemented





A.
  Noted as inherited

Explanation:
When External Service Providers (ESPs) perform security functions on behalf of the OSC, certain CMMC practices may be inherited from the ESP (e.g., physical security of a cloud data center). The Lead Assessor looks for these inherited controls in pre-assessment documentation to verify proper inheritance (e.g., via FedRAMP authorization, SOC reports, or responsibility matrices).

Correct Option:

A — Noted as inherited
Inheritance indicates the OSC relies on the ESP to meet specific practices. The assessor must review evidence of inheritance (e.g., FedRAMP package, customer responsibility matrix, ESP attestation). Properly noting inherited controls ensures the OSC is not erroneously marked NOT MET for controls outside its direct implementation.

Incorrect Options:

B — Marked as requiring a waiver
Incorrect. CMMC does not have a formal "waiver" process for practices. Controls are either MET, NOT MET, or (under limited deficiency correction) planned for remediation. Waivers are not a standard CMMC concept. This distractor has no basis in CMMC assessment.

C — Marked as NOT APPLICABLE
Incorrect. CMMC Level 2 practices are generally all applicable unless the OSC can justify non-applicability based on scope (e.g., no wireless if no wireless exists). ESP relationships do not automatically make practices NOT APPLICABLE. Inheritance is the correct concept, not N/A.

D — Noted as partially implemented
Incorrect. CMMC scoring is binary (MET/NOT MET) except for the limited practice deficiency correction program. "Partially implemented" is not a scoring category. While an OSC may be working toward full implementation, the assessor does not look for "partially implemented" in pre-assessment documentation as a target finding.

Reference:
CMMC Assessment Guide – External Service Providers (ESPs) and Inherited Controls. CMMC Scoping Guidance – ESP responsibility matrices. FedRAMP inheritance and Customer Responsibility Matrix (CRM).

Video monitoring is used by an OSC to help meet PE.L2-3.10.2: Monitor Facility. The OSC’s building has three external doors, each with badge access and a network-connected video camera above the door. The video cameras are connected to the same network as employee computers. The OSC contracted a local security company to provide surveillance services. The security company stores the recordings at its premises and requires access to the OSC’s network to manage the video cameras. Which factor is a clear negative finding for the OSC’s assessment?


A. Video surveillance needs to be of both private and public areas of the building


B. A non-certified third party accesses the OSC’s network to manage the cameras


C. Video surveillance alone does not satisfy the facility monitoring requirement of PE.L2-3.10.2


D. A non-certified third party’s data center may not store video recordings for a company authorized to process CUI





B.
  A non-certified third party accesses the OSC’s network to manage the cameras

Explanation:
The security company needs access to the OSC's network, the same network as employee computers and therefore potentially CUI assets, to manage the cameras. That puts the cameras and the vendor's management access inside the assessment boundary. Unless that access is governed by a contract with security requirements, restricted to what camera management needs, and monitored, it is a clear negative finding. Unmanaged third-party network access fails AC.L2-3.1.12 (monitor and control remote access sessions), AC.L2-3.1.14 (route remote access through managed access control points), AC.L2-3.1.20 (verify and control connections to and use of external systems), and SC.L2-3.13.1 (boundary protection). The connection should also be described in the system security plan (CA.L2-3.12.4).

Correct Option:

B — A non-certified third party accesses the OSC’s network to manage the cameras
"Non-certified" in this context means the third party lacks documented security controls, a signed agreement, or CMMC/DoD compliance posture. Granting network access without proper assessment, monitoring, and contractual security obligations is a significant compliance gap. The OSC must manage external network access risks.

Incorrect Options:

A — Video surveillance needs to be of both private and public areas of the building
Incorrect. PE.L2-3.10.2 requires the OSC to protect and monitor the physical facility and support infrastructure for its systems; badge-controlled doors with cameras at each entrance address that. Nothing requires blanket coverage of every private and public area, and areas such as restrooms are normally excluded for privacy reasons. This is not a negative finding.

C — Video surveillance alone does not satisfy the facility monitoring requirement of PE.L2-3.10.2
Incorrect. Video surveillance can satisfy facility monitoring if it covers external doors, logs access, and provides review capability. The statement is false; video alone can be sufficient. This is not a valid negative finding.

D — A non-certified third party’s data center may not store video recordings for a company authorized to process CUI
Incorrect. Third-party storage of video recordings is permissible if contractual safeguards exist (e.g., data protection clauses, incident reporting). Video recordings of doors do not necessarily contain CUI. There is no automatic prohibition.

Reference:
CMMC Level 2 Practices AC.L2-3.1.12 (Control Remote Access), AC.L2-3.1.14 (Remote Access Routing), AC.L2-3.1.20 (External Connections), SC.L2-3.13.1 (Boundary Protection), CA.L2-3.12.4 (System Security Plan). NIST SP 800-171 Requirements 3.1.12, 3.1.14, 3.1.20, 3.12.4, 3.13.1. CMMC Assessment Guide – Third-party network access and External Service Providers.
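How the OSC would show an assessor that the vendor's access is controlled and monitored under AC.L2-3.1.12, as an added example that is not from the practice test or any vendor's product: a review of constructed VPN and firewall log lines for the camera vendor's service account against a documented access policy. The account name, log format, maintenance window, source ranges and camera VLAN are all constructed assumptions.

```python
"""Added example (not from the practice test): review a third-party service
account's remote access against its documented policy (AC.L2-3.1.12). The
log format, account, networks and maintenance window are constructed."""

import ipaddress
import re
from datetime import datetime, time

# Constructed access policy for the camera vendor's account, as it would be
# written into the SSP and contract: where they may come from, when, and what
# they may reach (the camera VLAN only).
VENDOR_POLICY = {
    "svc-camvendor": {
        "sources": ["203.0.113.0/24"],
        "window_utc": (time(1, 0), time(5, 0)),
        "destinations": ["10.20.0.0/24"],
    }
}

# Constructed log lines in a simple key=value syslog style: VPN authentications
# and firewall connection decisions attributed to the VPN user.
LOG = """\
2026-03-02T02:14:07Z vpn01 auth user=svc-camvendor src=203.0.113.10 result=success
2026-03-02T02:14:09Z fw01 conn user=svc-camvendor dst=10.20.0.11 dport=443 action=allow
2026-03-02T02:20:41Z fw01 conn user=svc-camvendor dst=10.10.0.25 dport=445 action=allow
2026-03-02T02:21:03Z fw01 conn user=svc-camvendor dst=10.10.0.25 dport=22 action=deny
2026-03-03T14:05:13Z vpn01 auth user=svc-camvendor src=198.51.100.7 result=success
2026-03-03T14:06:00Z vpn01 auth user=jdoe src=203.0.113.10 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|conn) (?P<kv>.*)$")


def parse_event(line):
    """Return a dict for one log line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(dict(p.split("=", 1) for p in ev.pop("kv").split()))
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def in_any(ip, cidrs):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(c) for c in cidrs)


def review_vendor_access(log, policy):
    """Findings for successful logins outside the window or from unapproved
    sources, and for allowed connections beyond the approved destinations."""
    findings = []
    for line in log.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("user") not in policy:
            continue          # accounts without a vendor policy belong to another review
        p = policy[ev["user"]]
        stamp = ev["ts"].strftime("%Y-%m-%dT%H:%MZ")
        if ev["kind"] == "auth" and ev.get("result") == "success":
            start, end = p["window_utc"]
            if not (start <= ev["ts"].time() < end):
                findings.append(f"{stamp} {ev['user']}: login outside maintenance window")
            if not in_any(ev["src"], p["sources"]):
                findings.append(f"{stamp} {ev['user']}: login from unapproved source {ev['src']}")
        elif ev["kind"] == "conn" and ev.get("action") == "allow":
            if not in_any(ev["dst"], p["destinations"]):
                findings.append(f"{stamp} {ev['user']}: reached {ev['dst']}:{ev['dport']} "
                                f"outside the approved camera network")
    return findings


if __name__ == "__main__":
    for finding in review_vendor_access(LOG, VENDOR_POLICY):
        print(finding)
```

The denied SSH attempt on 10.10.0.25 is deliberately not a finding: it shows the boundary control working, and is the kind of entry an assessor asks to see alongside the allowed SMB connection that got through. That allowed connection is the point of the question: a camera-management account that can open SMB to a host on the employee network has not been limited to what camera management needs.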

Different mechanisms can be used to protect information at rest. Which mechanism is MOST LIKELY to afford protection for information at rest?


A. Patching


B. File share


C. Secure offline storage


D. Cryptographic mechanisms





D.
  Cryptographic mechanisms

Explanation:
Information at rest refers to data stored on media (hard drives, databases, backups). Cryptographic mechanisms—specifically encryption (full disk, file-level, or database encryption)—are the primary and most effective protection for data at rest. Encryption ensures that even if physical media is stolen, the data remains unreadable without the decryption key.

Correct Option:

D — Cryptographic mechanisms
SC.L2-3.13.16 (NIST SP 800-171 requirement 3.13.16) requires the OSC to protect the confidentiality of CUI at rest, and the NIST discussion identifies cryptographic mechanisms as the usual means of doing so. Encryption (e.g., BitLocker, LUKS, file-level or database encryption) keeps the data unreadable if the media is stolen or accessed outside the system's access controls. When cryptography is used to protect CUI, SC.L2-3.13.11 requires it to be FIPS-validated, so an assessor will also ask which modules are in use and check their validation status. No other listed mechanism offers comparable protection against physical theft or unauthorized access.

Incorrect Options:

A — Patching
Incorrect. Patching addresses software vulnerabilities but does not protect stored data if the physical media is removed or if an attacker gains access through unpatched software. Patching is a system integrity control, not a confidentiality control for data at rest.

B — File share
Incorrect. A file share is a method of making data available over a network, not a protection mechanism. File shares often increase risk unless properly secured with access controls and encryption, which are separate mechanisms.

C — Secure offline storage
Incorrect. While storing data offline (e.g., disconnected hard drive in a safe) provides physical security, it is not the most likely mechanism in typical enterprise environments. It is operational and less scalable than encryption. Offline storage also does not protect data during online use.

Reference:
CMMC Level 2 Practice SC.L2-3.13.16 (Protect CUI at rest). NIST SP 800-171 Rev 2, Requirement 3.13.16. NIST SP 800-111 (Guide to Storage Encryption). CMMC Assessment Guide – SC domain – Data at rest protection.

An Assessor is examining documents provided by the OSC POC. While reviewing them, the Assessor notes that several of the procedures have very current dates while the bulk do not. What should the Assessor do in order to decide if these new documents are acceptable as evidence?


A. Ensure the documents were approved by a senior-level manager.


B. Determine the outlined reasonableness of the procedures.


C. Determine if the people involved in writing the procedures are on the list of those who can be interviewed.


D. Set up an observation session to determine if the procedures are in use and people are knowledgeable of their deployment and use.





D.
  Set up an observation session to determine if the procedures are in use and people are knowledgeable of their deployment and use.

Explanation:
Very recent dates on a subset of procedures raise the concern of "paper compliance": documents written for the assessment but not yet in use. Examining the documents cannot settle that. In NIST SP 800-171A terms the assessor has to move to the interview method (do the people who perform the task know the procedure?) and the test method (exercise the procedure and watch whether practice matches the document); the "observation session" in option D is that test activity. Direct evidence of implementation is what decides whether the new documents are acceptable.

Correct Option:

D — Set up an observation session to determine if the procedures are in use and people are knowledgeable of their deployment and use.
Observation is the most direct method to validate that recently documented procedures are actually followed. The assessor can watch staff perform tasks, verify alignment with the new procedure, and assess personnel knowledge. This distinguishes between real implementation and documentation-only compliance.

Incorrect Options:

A — Ensure the documents were approved by a senior-level manager.
Incorrect. Senior approval indicates policy authority but does not confirm implementation or staff awareness. A recently approved document may still have no operational adoption. Approval alone does not make evidence acceptable.

B — Determine the outlined reasonableness of the procedures.
Incorrect. Reasonableness (whether a procedure makes logical sense) does not verify that it is used. A reasonable procedure may still be ignored in practice. This is a document quality check, not an implementation validation.

C — Determine if the people involved in writing the procedures are on the list of those who can be interviewed.
Incorrect. Procedure writers may have policy knowledge but often are not the personnel who execute the procedure. Interviewing writers does not confirm operational use. The assessor needs to observe or interview end users.

Reference:
CMMC Assessment Guide – Evidence Sufficiency and Adequacy. CMMC CCA Handbook – Combining Examine, Interview, and Test methods. NIST SP 800-171A – Assessment methods (examine, interview, test).

What should the Lead Assessor do to BEST ensure the evidence supplied effectively meets the intent of the standard for a practice?


A. Ensure the evidence for each objective under a practice is adequate.


B. Ensure the evidence is sufficient to meet the requirements for a practice.


C. Ensure the evidence is complete, validated, and can be mapped to the practice requirements.


D. Ensure the evidence covers all the scope and the identified organizations and corresponds to the practice and objectives.





C.
  Ensure the evidence is complete, validated, and can be mapped to the practice requirements.

Explanation:
To best ensure evidence meets the intent of a CMMC practice, the assessor must verify three attributes: completeness (no missing components), validation (authenticity and accuracy, e.g., logs not fabricated), and mapping (clear linkage from evidence to specific practice requirements). Option C encapsulates all three, ensuring evidence is both sufficient and relevant.

Correct Option:

C — Ensure the evidence is complete, validated, and can be mapped to the practice requirements.
Completeness ensures no gaps in the evidence set. Validation confirms evidence is genuine and accurate (e.g., timestamps, digital signatures). Mapping ensures each requirement element is addressed by specific evidence. This triple-check is the gold standard for evidence sufficiency in CMMC assessments.

Incorrect Options:

A — Ensure the evidence for each objective under a practice is adequate.
Incomplete. "Adequate" is vague and does not explicitly include validation (authenticity) or explicit mapping. While objectives are important, this option misses key elements of evidence quality assessment.

B — Ensure the evidence is sufficient to meet the requirements for a practice.
Incomplete. "Sufficient" is also vague. Without completeness, validation, and mapping, sufficiency cannot be reliably determined. This option states the goal but not the specific criteria for achieving it.

D — Ensure the evidence covers all the scope and the identified organizations and corresponds to the practice and objectives.
Incomplete. Coverage of scope and organizations addresses completeness but omits validation (authenticity checking) and explicit mapping to practice requirements. Validation is critical to prevent fabricated or outdated evidence from being accepted.

Reference:
CMMC Assessment Guide – Evidence Evaluation Criteria (Completeness, Validity, Mapping). CMMC CCA Handbook – Evidence Sufficiency Determination. NIST SP 800-171A – Evidence Collection and Assessment.



What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam questions pool covering all topics, the real exam feels like just another practice session.