Free CMMC-CCA Practice Test Questions 2026

343 Questions


Last Updated On : 27-Apr-2026


Topic 1: Assessing CMMC Level 2 Practices

After a security audit, a contractor documents specific vulnerabilities and deficiencies in an audit report. After examining its POA&M, you realize it has a clearly defined policy on addressing these deficiencies and by when. However, after interviewing the contractor’s security and compliance team, you learn that while an audit is regularly conducted, the remediating measures are not always taken, and when taken, they are not always practical. The security and compliance team informs you they have tried reaching the system administrator to explain the repercussions of this without success. What assessment objective has the contractor failed to implement from CMMC practice CA.L2-3.12.2 – Plan of Action?


A. The contractor has implemented all the assessment objectives in CA.L2-3.12.2 – Plan of Action


B. Develop a change management plan that describes how to implement the remediation actions


C. Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective


D. Identify the vulnerabilities and deficiencies that the plan of action will address





C. Implement a plan of action to correct the identified deficiencies and reduce or eliminate identified vulnerabilities that are ineffective

When assessing an OSC’s compliance with IR requirements, you realize they have deployed a system that tracks incidents, documents details, and updates the status throughout the incident response process. Personnel to whom incidents must be reported are identified and designated. While examining their documentation, you come across an incident response template that they use to capture all relevant information and ensure consistency in reporting to the identified authorities and organizational officials. Interviewing the IR team, you learn there is an escalation process that the contractor’s cybersecurity team can use to address more serious incidents. From the scenario, the contractor has met all the required objectives for CMMC practice IR.L2-3.6.2 – Incident Reporting, meaning its implementation of the said practice will be scored MET with a total of 5 points. For how long must the OSC retain the incident records?


A. 72 hours


B. 90 days


C. 90 hours


D. 72 days





B. 90 days

You are evaluating an OSC for compliance with CMMC Level 2 practices. During your assessment of SC controls, you use a series of assessment methods to understand how effectively the OSC has implemented them. The OSC has a documented security policy outlining user roles and responsibilities. The OSC’s system and communications protection policy states that basic user and privileged functionalities are separated. They have deployed Azure AD to help enforce this requirement through identity management. Interviews with system administrators reveal they have elevated privileges for system management tasks. A review of system configuration settings shows separate user accounts for standard users and administrators. However, you notice that some employees use personal cloud storage services for storing work documents. Considering CMMC practice SC.L2-3.13.4 – Shared Resource Control, which of the following actions would be most effective in addressing the identified risk?


A. Implementing stricter password complexity requirements for user accounts


B. Conducting a vulnerability assessment of the OSC’s network infrastructure


C. Providing additional security awareness training to employees on data handling best practices


D. Developing and enforcing a policy that prohibits the use of personal cloud storage for work documents





D. Developing and enforcing a policy that prohibits the use of personal cloud storage for work documents

You are assessing an OSC that uses various collaborative computing devices, such as video conferencing systems, networked whiteboards, and webcams, for remote meetings and presentations. During your assessment, you examine the OSC’s collaborative device inventory and find that they have identified and documented all collaborative computing devices. Most of the identified devices have indicators (e.g., LED lights) that notify users when the devices are in use. The OSC has also implemented a policy prohibiting the remote activation of collaborative computing devices without user consent. However, you find that the web cameras can be activated remotely by authorized IT personnel for troubleshooting purposes. In addition to interviewing personnel, what other evidence would be helpful to assess the OSC’s compliance with CMMC practice SC.L2-3.13.12 – Collaborative Device Control regarding the remote activation of web cameras? Choose all that apply.


A. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies


B. Network traffic logs showing no instances of remote activation attempts on the web cameras


C. User training records indicating that employees are aware of the policy and understand the potential consequences of unauthorized remote camera activation


D. System configuration settings for the web cameras, verifying that remote activation is enabled





A. A documented risk assessment that identifies the potential risks associated with remote camera activation and outlines mitigation strategies

Removable media can pose significant cybersecurity risks to an organization if not adequately controlled and secured. Understanding the dangers of this, an OSC has crafted a meticulous removable media policy. It defines removable media, types of removable media, examples of removable media, etc. The policy limits the use of removable media unless authorized; even then, the media must be scanned for malware. Organizational removable media has specific signatures unique to organizational systems and is provided to a defined group of personnel. Any data stored on such media is encrypted, and the OSC has disabled autorun and closed some ports on their computer systems. The contractor has also deployed an endpoint protection solution, and every employee is searched while entering or leaving the facility. Users must also pass through a walk-in metal detector to ensure they do not sneak in thumb drives and SD cards. Based on the OSC's effort, how would you score their implementation of CMMC practice MP.L2-3.8.7 – Removable Media?


A. Not Applicable


B. Met


C. Partially Met


D. Not Met





B. Met

A vulnerability scan on a defense contractor's system identifies a critical security flaw in a legacy database application that stores CUI. Remediating the flaw would require a complete overhaul of the application, causing significant downtime and potentially disrupting critical business functions. Given the potential consequences of remediation, the contractor is considering deferring the fix. Which course of action best aligns with the guidance of CMMC practice RA.L2-3.11.3 – Vulnerability Remediation?


A. Immediately contract a third party to assist with remediation


B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability


C. Permanently disregard the vulnerability and take no further action


D. Implement compensating controls to reduce the associated risk





B. Document the risk acceptance rationale and continue monitoring the risk from the vulnerability

To comply with CMMC requirement IR.L2-3.6.3 – Incident Response Testing, organizations seeking certification (OSCs) must have a plan to regularly test their ability to respond to cyber incidents. This testing ensures that OSCs can effectively identify, contain, and recover from security breaches. An OSC can cite the following evidence artifacts to show compliance with the practice, EXCEPT?


A. Evidence of regular incident response drills and response time management, recovery testing, and post-incident analysis


B. Media sanitization plans


C. Documentation of tabletop exercises and their outcomes


D. Test documentation, including the scenario, response, findings, and any necessary corrective actions





B. Media sanitization plans

An OSC uses a third party for all system repairs and has hired an MSP for penetration testing. The third party comes for either adaptive, preventative, perfective, or corrective system maintenance every three months, and the penetration tester does so continuously. Whenever the third party comes for maintenance, there's no documentation of the issues they tackled. On the other hand, the penetration tester delivers meticulously detailed documentation per their contract with the OSC. To comply with CMMC practice MA.L2-3.7.1 – Perform Maintenance, what should the OSC implement for the maintenance activities performed by the third-party vendor?


A. Increase the frequency of maintenance activities to monthly intervals


B. Perform all maintenance activities in-house without relying on a third-party vendor


C. Require the third-party vendor to provide detailed maintenance logs and records


D. Discontinue the use of the MSP for penetration testing





C. Require the third-party vendor to provide detailed maintenance logs and records

An engineering company works on DoD contracts that involve handling CUI. They use hardcopy media such as printed paper, microfilms, and digital media, including flash drives, SSDs, DVDs, and internal and external hard drives. During a CMMC assessment, you discover the engineering company has defined procedures addressing media storage and access governed by an access control policy. All media containing CUI is marked and stored in biometrically locked cabinets. To store CUI on digital media, an authorized user must be identified using their biometrics or authenticated using an integrated MFA solution. To access non-digital media, the user must be on a defined list of authorized personnel and sign three forms. You also learn that the contractor maintains a comprehensive inventory of all CUI media. The scenario describes a multi-factor authentication (MFA) solution being used to access digital media containing CUI. However, the access control procedures for non-digital media require authorized personnel to sign three separate forms. While both methods aim to verify user identity, which of the following is the MOST significant security concern associated with the reliance on a paper-based form process?


A. The paper forms cannot be easily integrated with other security systems


B. It can be time-consuming to complete the forms for frequent access


C. It requires users to memorize more information for access


D. The forms are susceptible to forgery, resulting in unauthorized access





D. The forms are susceptible to forgery, resulting in unauthorized access

When examining an OSC’s procedures for addressing transmission integrity and confidentiality, you interview their system administrator and learn that they use Secure File Transfer Protocol (SFTP) for secure CUI transmission. The OSC employs AES-256 to encrypt data before transmitting it. Any external connections to their internal servers or systems can only occur via a VPN. All emails containing CUI are encrypted and sent using Secure/Multipurpose Internet Mail Extensions (S/MIME). Internal CUI transfers are conducted over WPA3-secured Wi-Fi. All areas of the OSC’s facilities where CUI is stored or processed are secured with biometrics. To prevent unauthorized CUI exfiltration or transfer, the OSC has deployed a data loss prevention solution. During employee interviews, you learn they receive regular awareness training on the importance of data encryption during transmission. Additionally, they conduct regular audits of transmission protocols and encryption measures to ensure their effectiveness. While AES-256 is a strong encryption algorithm, according to CMMC practice SC.L2-3.13.8 – Data in Transit, what additional factor is crucial for ensuring FIPS compliance with cryptographic modules used for protecting CUI in transit?


A. The encryption algorithm must be open-source and publicly available for scrutiny


B. The encryption software must be user-friendly and easy to implement for widespread adoption


C. The cryptographic module used to implement AES-256 encryption must be validated against the FIPS 140-2 or FIPS 140-3 standards


D. The encryption algorithm must be mathematically complex and resistant to brute-force attacks





C. The cryptographic module used to implement AES-256 encryption must be validated against the FIPS 140-2 or FIPS 140-3 standards

You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance. CMMC practice PE.L2-3.10.6 – Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance. When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6 – Alternative Work Sites, which of the following would be the least effective method for gathering information?


A. Using Full Disk Encryption (FDE) or container-based encryption to encrypt CUI when stored or transmitted from or to alternate work sites


B. Employing technologically savvy guards to man the alternate worksite


C. Deploying a patch management and anti-malware solution for every laptop or desktop on the alternate worksite


D. Requiring remote staff connecting to their internal networks to use a VPN that prevents split tunneling and requires multifactor authentication to verify remote users are who they claim to be





B. Employing technologically savvy guards to man the alternate worksite

When assessing an OSC’s implementation of the System and Information Integrity (SI) practices, you examine their system and information integrity policy. You find that they have documented procedures addressing system monitoring tools and techniques, along with a monitoring strategy. The OSC has implemented a user behavior analytics tool to detect abnormal behavior and deviations from normal patterns. To ensure that only authorized users access the system, the OSC uses robust access controls and regularly audits security and system logs for unusual activities. Interviewing the network administration team, you learn they use a network monitoring tool to track inbound and outbound network traffic and identify any distinctive patterns that may suggest unauthorized use. You also learn that they use an IDS to identify suspicious activities, which are aggregated and analyzed using a state-of-the-art SIEM. The scenario mentions that the OSC uses a network monitoring tool to track inbound and outbound traffic and identify unusual patterns. However, it does not provide details on the tool's specific techniques or methods. Which of the following techniques would be most relevant for the assessor to inquire about during the assessment?


A. Anomaly-based detection techniques


B. Signature-based detection techniques


C. Both signature-based and anomaly-based detection techniques


D. Deep packet inspection techniques





C. Both signature-based and anomaly-based detection techniques
