Free CMMC-CCA Practice Test Questions 2026

343 Questions

Last Updated On: 27-Apr-2026


Topic 1: Assessing CMMC Level 2 Practices

While reviewing a contractor's Microsoft Active Directory authentication policies, you observe that the account lockout threshold is configured to allow 5 consecutive invalid login attempts before locking the account for 15 minutes. Additionally, the reset account lockout counter is set to 30 seconds after each unsuccessful login attempt. Based on this scenario, which of the following statements are TRUE about the contractor's implementation of CMMC practice AC.L2-3.1.8 – Unsuccessful Logon Attempts?


A. The contractor has successfully implemented practice AC.L2-3.1.8 – Unsuccessful Logon Attempts warranting a score of MET


B. The contractor's approach does not provide sufficient protection against unauthorized access attempts


C. Based on the current implementation, CMMC practice AC.L2-3.1.8 cannot be scored as MET


D. The contractor's approach does not adequately address the required assessment objectives





A.
  The contractor has successfully implemented practice AC.L2-3.1.8 – Unsuccessful Logon Attempts warranting a score of MET

In assessing an OSC's CUI handling practices, you learn they use an approved algorithm (AES-256) to encrypt the data to ensure its confidentiality. However, the encryption module they are using has not been validated under the FIPS 140 standard. The OSC believes that using an approved algorithm is sufficient to comply with the CMMC practice for CUI encryption requirements. Which of the following would be the most appropriate next step for the assessor?


A. Interview personnel responsible for cryptographic protection to determine if FIPS-validated cryptography is used elsewhere in the organization


B. Test the encryption mechanism by attempting to decrypt the encrypted data without the proper keys


C. Recommend that the OSC switch to a different, approved algorithm


D. Accept the OSC's implementation as compliant, given that they are using a strong encryption algorithm





A.
  Interview personnel responsible for cryptographic protection to determine if FIPS-validated cryptography is used elsewhere in the organization

You are conducting a CMMC assessment for a contractor that develops software applications for the DoD. During the assessment of the AU domain, you request to examine the contractor's audit and accountability policies, access control procedures, and system configuration documentation related to the management of audit logging functionality. Upon reviewing the documentation, you find that the contractor has implemented a Role-Based Access Control (RBAC) model, where privileged users are assigned different roles based on their responsibilities. One of these roles is the "Audit Administrator" role, which is granted the necessary privileges to manage audit logging functionality across the contractor's systems. However, during interviews with the system administrators, you learn that besides the Audit Administrator role, several other privileged roles, such as the "System Administrator" and "Network Administrator" roles, can also manage audit logging functionality. When you inquire about the rationale behind granting multiple privileged roles access to audit management functions, the contractor's security team explains that this approach allows for better operational flexibility and ensures that different teams can perform audit logging tasks based on their areas of responsibility. Based on the information provided in the scenario, how would you assess the contractor's compliance with CMMC practice AU.L2-3.3.9 – Audit Management?


A. Partially Met – The contractor has limited audit management privileges to a subset of privileged users, but the roles may not be appropriately defined


B. Met – The contractor has defined privileged user roles for audit management


C. Not Applicable – The practice is not relevant to the contractor's environment


D. Not Met – The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users





D.
  Not Met – The contractor has granted audit management privileges to multiple privileged roles, which goes against the requirement to limit access to a subset of defined privileged users

Understanding that changes are critical in any production environment, a DoD contractor has instituted measures to manage them. All software changes can only be implemented by defined individuals. These changes must have gone through a rigorous change approval process and must be implemented from a secure server located in the company's headquarters. The personnel effecting the changes access the server room using access cards and an iris scan. To log into the server, they must enter their passwords to receive a one-time password (OTP), which must be keyed in within 2 minutes. After any changes are made, the chairperson of the contractor's Change Review Board and the CISO get a notification to approve the changes before they take effect. Based on the contractor's current implementation, how would you score their effort to address CM.L2-3.4.5 – Access Restrictions for Change?


A. Met (+1 point)


B. Met (+5 points)


C. Met (+3 points)


D. Not Met (-5 points)





B.
  Met (+5 points)

During your review of an OSC’s system security control, you focus on CMMC practice SC.L2-3.13.9 – Connections Termination. The OSC uses a custom web application for authorized personnel to access CUI remotely. Users log in with usernames and passwords. The application is hosted on a dedicated server within the company’s internal network. The server operating system utilizes default settings for connection timeouts. Network security is managed through a central firewall, but no specific rules are configured for terminating inactive connections associated with the CUI access application. Additionally, there is no documented policy or procedure outlining a defined period of inactivity for terminating remote access connections. Interviews with IT personnel reveal that they rely solely on users to remember to log out of the application after completing their work. How could the firewall be configured to help achieve the objectives of CMMC practice SC.L2-3.13.9 – Connections Termination, for the remote access application?


A. Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period


B. Encrypting all traffic between the user device and the server to protect CUI in transit


C. Implementing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activity on the server


D. Blocking all incoming traffic to the server hosting the CUI access application, except from authorized IP addresses





A.
  Creating firewall rules to identify and terminate connections associated with the CUI access application that have been inactive for a predefined period

Mobile devices are increasingly becoming important in many contractors’ day-to-day activities. Thus, the contractors must institute measures to ensure they are correctly identified and any connections are authorized, monitored, and logged, especially if the devices or their connections process, store, or transmit CUI. You have been hired to assess a contractor’s implementation of CMMC practices, one of which is AC.L2-3.1.18 – Mobile Device Connections. To successfully test the access control capabilities authorizing mobile device connections to organizational systems, you must first identify what a mobile device is. Mobile devices connecting to organizational systems must have a device-specific identifier. Which of the following is the main consideration for a contractor when choosing an identifier?


A. Choosing an identifier that can accommodate all devices and be used consistently within the organization


B. Prioritize using identifiers that are easy to remember and user-friendly


C. The identifier must be easily differentiable from one device to another


D. Use random identifiers to identify mobile devices on the network easily





A.
  Choosing an identifier that can accommodate all devices and be used consistently within the organization

You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. All of the following evidence would help determine whether the contractor is properly authorizing and enforcing controls on CUI data flow across their environment, EXCEPT:


A. Reviewing firewall and ExpressRoute connections


B. Reviewing audit logs related to the VPN connections


C. Analyzing policies, records, and configurations related to data center connections


D. Analyzing CCTV footage





D.
  Analyzing CCTV footage

Upon examining a contractor's security and awareness training policy for compliance with AT.L2-3.2.2 – Role-Based Training, you determine that they offer their employees training on handling CUI securely. However, system auditors, system administrators, penetration testers, and other cybersecurity roles are all provided biannual training on CUI handling and cybersecurity best practices. How would you assess the contractor's implementation of CMMC practice AT.L2-3.2.2 – Role-Based Training?


A. Not Met


B. Partially Met


C. Not Applicable


D. Met





A.
  Not Met

Examining an OSC password policy, you learn that a password should have a minimum of 15 characters. It also should have 3 uppercase, 2 special characters, and other alphanumeric characters. Passwords have to be changed every 45 days and cannot be easily tied to the account owner. Passwords cannot be reused until 30 cycles are complete. The OSC's systems send a temporary password to the user's email or authentication app, which is one of the events described in their password usage policy. However, a recent penetration test report shows that the generated temporary passwords did not have sufficient entropy, and an attacker may guess a temporary password through brute force attacks. Which CMMC practice has the contractor successfully implemented? Select all that apply.


A. IA.L2-3.5.9 – Temporary Passwords


B. IA.L2-3.5.7 – Password Complexity and IA.L2-3.5.8 – Password Reuse


C. IA.L2-3.5.3 – Multifactor Authentication


D. IA.L2-3.5.6 – Identifier Handling





B.
  IA.L2-3.5.7 – Password Complexity and IA.L2-3.5.8 – Password Reuse

You are assessing an OSC that develops applications handling Controlled Unclassified Information (CUI). As part of the assessment, you review their vulnerability scanning process. According to their risk assessment policy, the OSC conducts system vulnerability scans every three months. However, they also utilize a centralized, automated vulnerability scanning tool that performs daily scans. Upon discovering any vulnerabilities, the OSC’s team applies patches and rescans their systems. Their environment includes backend database servers, web applications with custom Java code, virtual machine hosts running containerized applications, network firewalls, routers, switches, and developer workstations. During the assessment, you find that their scanning solution integrates the latest vulnerability feeds from the National Vulnerability Database (NVD), Open Vulnerability and Assessment Language (OVAL), and vendor sources. The tool generates reports using Common Vulnerability Scoring System (CVSS) metrics, and even remotely connected developer laptops are included in the scans. However, upon reviewing the vulnerability reports, you observe that the same high/critical vulnerabilities persist month after month without evidence of remediation. Furthermore, there is no record of source code scanning for their custom applications, and the virtual machine hosts running the containerized applications are not included in the scans. Which of the following would be an appropriate compensating control or mitigation for the lack of source code scanning?


A. Deploy web application firewalls in front of the custom applications


B. Increase the frequency of automated vulnerability scans on the production environment


C. Perform periodic penetration testing and code reviews on the custom applications


D. Implement secure coding standards and practices during application development





C.
  Perform periodic penetration testing and code reviews on the custom applications

Change is a part of any production process and must be meticulously managed. System Change Management is a CMMC requirement, and you have been called in to assess the implementation of CMMC requirements. When examining the contractor’s change management policy, you realize there is a defined change advisory board that has a review and approval mandate for any proposed changes. The change advisory board maintains a change request system where all changes are submitted and documented for easy tracking and review. The contractor also has a defined rollback plan describing what to do in case the approved changes result in unexpected issues or vulnerabilities. Besides their change management policy, what evidence artifacts can the contractor also cite to show their compliance with CM.L2-3.4.3 – System Change Management?


A. Employee satisfaction surveys regarding the change management process


B. System uptime statistics showing improved stability after change management implementation


C. Organizational procedures addressing system configuration change control and change control/audit review reports


D. Antivirus scan reports detailing detected and quarantined threats





C.
  Organizational procedures addressing system configuration change control and change control/audit review reports

You are conducting a CMMC assessment for a contractor that handles sensitive defense project data. Reviewing their documentation shows that the contractor has an on-premises data center that houses CUI on internal servers and file shares. A corporate firewall protects this data center network. However, the contractor also uses a hybrid cloud infrastructure, storing some CUI in Microsoft Azure cloud storage, which can be accessed using ExpressRoute private network connections. Additionally, their engineers connect remotely to the data center to access CUI via a site-to-site VPN from their home networks. Which of the following components of the contractor's environment should NOT be in scope when assessing practice AC.L2-3.1.3 – Control CUI Flow?


A. Azure cloud storage


B. The corporate firewall and ExpressRoute connections


C. The VPN and on-premises servers/file shares


D. Employees' homes





D.
  Employees' homes


What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam questions pool covering all topics, the real exam feels like just another practice session.