Free CMMC-CCA Practice Test Questions 2026

343 Questions

Last Updated On: 27-Apr-2026

Topic 1: Assessing CMMC Level 2 Practices

A contractor allows the use of mobile devices in contract performance. Some employees access designs and specifications classified as CUI on devices such as tablets and smartphones. After assessing AC.L2-3.1.18 – Mobile Device Connection, you find that the contractor maintains a meticulous record of the mobile devices that connect to its information systems. AC.L2-3.1.19 – Encrypt CUI on Mobile requires that the contractor implement measures to encrypt CUI on mobile devices and mobile computing platforms. The contractor uses device-based encryption, where all data on a mobile device is encrypted. Which of the following personnel should you interview to determine how well the contractor has implemented AC.L2-3.1.19 – Encrypt CUI on Mobile?

A. Executives in the company
B. Personnel with access control responsibilities for mobile devices
C. IT helpdesk staff who troubleshoot basic mobile device issues
D. Staff in the Human Resources department

Answer: B. Personnel with access control responsibilities for mobile devices

CMMC practice PS.L2-3.9.1 – Screen Individuals requires that individuals be screened before they are authorized access to organizational systems containing CUI. However, in the assessment you are currently conducting, there is no physical evidence confirming the completion of personnel screening, such as background checks, only affirmations obtained during an interview. In an interview with the HR Manager, they informed you that before an individual is hired, their information is submitted to a service that performs criminal and financial checks. How would you score the OSC's implementation of CMMC practice PS.L2-3.9.1 – Screen Individuals, objective [a]?

A. More information is needed
B. Not Met
C. Not Applicable
D. Met

Answer: A. More information is needed

You are assessing an OSC that utilizes containerization technology for deploying microservices within a Kubernetes cluster. These microservices leverage various JavaScript frameworks for functionality. While a mobile device management (MDM) solution secures company phones, access to these microservices is primarily through web interfaces. From a mobile code control perspective, what is the primary concern in this scenario?

A. The lack of mobile device management (MDM) for access through web interfaces
B. Containerization technology itself might introduce security vulnerabilities
C. The use of JavaScript in containerized microservices
D. The potential execution of unauthorized mobile code through web interfaces

Answer: D. The potential execution of unauthorized mobile code through web interfaces

When interviewing a contractor's CISO, they inform you that they have documented procedures addressing security assessment planning in their security assessment and authorization policy. The policy indicates that the contractor undergoes regular security audits and penetration testing every ten months to assess the posture of its security controls. The policy also states that every four months the contractor tests its incident response plan and regularly updates its monitoring tools. Impressed by the contractor's policy, you decide to talk with various personnel involved in security functions. You realize that, although it is documented in the policy, the contractor has not audited its security systems in over two years. How many points would you score the contractor's implementation of the practice CA.L2-3.12.1 – Security Control Assessment?

A. -5
B. -3
C. -1
D. 5

Answer: A. -5

While assessing an OSC, you find that they have assigned identifiers to systems, users, and processes. Examining their documentation, you confirm that accounts have been assigned uniquely to employees, contractors, and subcontractors. The OSC has an automated system that disables any identifier left unused for 6 months. You also learn from interviewing IT security administrators that the OSC has defined a technical and documented policy under which identifiers can only be reused after 12 months. How is the OSC likely to handle CMMC practice IA.L2-3.5.5 – Identifier Reuse if you find issues with its implementation?

A. List it in their SSP
B. Track it under limited deficiency correction
C. Hire another C3PAO to verify your assessment
D. Disregard it as it is not applicable

Answer: B. Track it under limited deficiency correction

A contractor plans to bid for a DoD contract and has installed new network file servers to separate their commercial and DoD work. When examining the server documentation, you realize the server has some open ports. Upon further testing, you find that the server has some default features that are not essential for file storage or transfer. The server has a default remote desktop feature that gives users remote access to the server's desktop environment. Files are transferred by default using FTP, which is less secure than the Server Message Block (SMB) protocol. However, the contractor's operations do not require remote access capabilities. Although the roles of each system are defined in their configuration management policy, a user can install any application or service they need. After some interviews, you learn that this is meant to ensure every employee is comfortable using the system or software they are most conversant with, despite there being defined services or software for carrying out specific functions. Upon speaking with the OSC PoC when assessing CM.L2-3.4.6 – Least Functionality, they acknowledge the deficiencies, place the practice in a POA&M, and request that you grant conditional certification. How would you respond?

A. Offer to provide consulting services to help them meet CM.L2-3.4.6 – Least Functionality quickly
B. Politely decline the OSC's request and inform them that CM.L2-3.4.6 – Least Functionality cannot be placed in a POA&M. Also, inform them that granting conditional CMMC certification when they do not meet the requirement is in violation of the CMMC Code of Professional Conduct (CoPC)
C. Walk out of the assessment and file a conflict of interest with the CMMC AB
D. Grant them conditional certification

Answer: B. Politely decline the OSC's request and inform them that CM.L2-3.4.6 – Least Functionality cannot be placed in a POA&M. Also, inform them that granting conditional CMMC certification when they do not meet the requirement is in violation of the CMMC Code of Professional Conduct (CoPC)

After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using SHA-512, and the system administrator has to recalculate the hashes for the audit records to verify their integrity before running a decryption routine to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without that person using their physical access card. While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools. Considering CMMC AU.L2-3.3.8 – Audit Protection and best practices, which of the following is the MOST concerning finding regarding the employees' access to audit logging tools?

A. Employees have unrestricted access to all audit logging tools and can modify settings
B. Employees hold doors for others without requiring physical access cards
C. The system administrator needs to recalculate hashes for audit record verification before decryption

Answer: A. Employees have unrestricted access to all audit logging tools and can modify settings

A contractor is preparing to bid on an upcoming DoD contract to provide next-generation upper limb prosthetics for injured servicemen. Part of the preparation is undergoing a CMMC assessment, and they have hired you to assess their implementation of CMMC practices. The contractor has multiple design, manufacturing, and supply chain management systems. Each system generates its own audit logs, which are stored in separate repositories. Different teams analyze and review them independently, with each team reporting its findings to the respective departmental head. For instance, the engineering team reviews and analyzes logs related to the design systems and reports to the lead engineer, while the operations team focuses on the manufacturing system logs. When interviewing personnel responsible for audit record review, analysis, and reporting, they inform you that this is deliberately set up to ensure departmental independence and granular risk identification. Based on the CMMC practice AU.L2-3.3.5 – Audit Correlation, what is the likely issue you would identify with the contractor's current approach?

A. Lack of defined processes for audit record review, analysis, and reporting
B. The audit review, analysis, and reporting processes are not correlated across systems
C. Absence of automated mechanisms for analyzing and correlating audit records
D. Failure to retain audit logs for an adequate duration

Answer: B. The audit review, analysis, and reporting processes are not correlated across systems

CMMC MA.L2-3.7.6 – Maintenance Personnel requires that maintenance personnel without required access authorization be supervised during maintenance activities. One of the ways organizations can achieve this is to develop a documented procedure for supervised maintenance activities. Which of the following elements should be excluded from the documented procedure?

A. A detailed list of all CUI assets that the maintenance activity might impact
B. The specific steps authorized for the visiting maintenance personnel with limited access
C. Contact information for the organization's IT security team in case of emergencies or unexpected issues
D. The method used to authenticate and monitor the supervisor's activity during the maintenance session

Answer: A. A detailed list of all CUI assets that the maintenance activity might impact

After you ask to examine some audit records, the contractor's system administrator informs you that there is a process to follow before accessing them. The logs are hashed using SHA-512, and the system administrator has to recalculate the hashes for the audit records to verify their integrity before running a decryption routine to decrypt the data. Since this might take some time, you tour the facility while interviewing personnel with audit and accountability roles. You see an employee holding the door for another without that person using their physical access card. While interviewing the contractor's employees, you find that they can access all audit logging tools and tweak the settings according to their needs or requirements. Upon examining the contractor's access control policy, you realize they have not defined the measures to protect audit logging tools. Which of the following statements accurately describes the contractor's compliance with protecting audit logging tools from unauthorized access, modification, and deletion, as required by AU.L2-3.3.8 – Audit Protection?

A. The contractor's compliance cannot be determined based on the information provided
B. The contractor is partially compliant, as audit logging tools are protected by the same measures as audit information
C. The contractor is fully compliant; employees can access audit logging tools to meet their requirements
D. The contractor is not compliant, as there are no defined measures to protect audit logging tools from unauthorized access, modification, or deletion

Answer: D. The contractor is not compliant, as there are no defined measures to protect audit logging tools from unauthorized access, modification, or deletion

During an assessment, the OSC was found to have implemented 68% of CMMC practice SC.L2-3.13.11 – CUI Encryption. The OSC Assessment Official cited issues with a vendor as the reason the practice was not fully implemented. Nonetheless, it has been listed in their POA&M. Which of the following is true regarding the use of a POA&M during a CMMC assessment?

A. A POA&M addressing unimplemented security requirements is not a substitute for a completed CMMC practice
B. A POA&M can be used as evidence of full implementation for any unimplemented CMMC practices
C. If a practice is listed in the POA&M, it is considered fully implemented during the assessment
D. Assessors are required to accept any POA&M as evidence of implementation for partially implemented practices

Answer: A. A POA&M addressing unimplemented security requirements is not a substitute for a completed CMMC practice

To meet its mandate to protect CUI under CMMC, a contractor has implemented a robust, dynamic session lock with pattern-hiding displays to prevent access to and viewing of data. After every 5 minutes of inactivity, the current session is locked and a blank, black screen with a battery life indicator is displayed. As a CCA, you could use all of the following assessment methods to examine the contractor's implementation of session lock EXCEPT:

A. Interview the system administrator
B. Examine the system design documentation
C. Test the strength of the user's password
D. Test the mechanisms implementing the access control policy for session lock

Answer: C. Test the strength of the user's password

What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam question pool covering all topics, the real exam feels like just another practice session.