Free CMMC-CCA Practice Test Questions 2026

343 Questions


Last Updated On : 27-Apr-2026


Topic 1: Assessing CMMC Level 2 Practices

You have been sent to assess an OSC's implementation of CMMC practices, one of which is AC.L2-3.1.11 – Session Termination. In assessing the contractor's implementation of AC.L2-3.1.11, you would likely examine all of the following EXCEPT?


A. Mechanisms for implementing user session termination


B. The access control policy


C. The session termination policy


D. System security plan





Answer: A. Mechanisms for implementing user session termination

When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. The SSP has a dedicated section addressing the Audit and Accountability requirements. You proceed to interview the contractor's information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. How would you score the contractor's implementation of AU.L2-3.3.6 – Reduction & Reporting?


A. Partially Met


B. Not Applicable


C. Not Met


D. Met





Answer: D. Met

When assessing a contractor's implementation of CMMC practices, you examine its System Security Plan (SSP) to identify its documented measures for audit reduction and reporting. The SSP has a dedicated section addressing the Audit and Accountability requirements. You proceed to interview the contractor's information security personnel, who inform you that the contractor has a dedicated Security Operations Center (SOC) and uses Splunk to reduce and report audit logs. What key features of the Splunk deployment would you be interested in assessing for AU.L2-3.3.6 – Reduction & Reporting?


A. Ensure that Splunk is configured with appropriate RBAC to restrict access to log data, reports, and dashboards, ensuring that only authorized personnel can view or modify audit logs


B. Ensure Splunk can retain audit records for a protracted amount of time


C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports


D. Ensure Splunk can support compliance dashboards that provide real-time visibility into CMMC compliance status





Answer: C. Ensure that Splunk employs various filter rules for reducing audit logs to eliminate nonessential data and processes to analyze large volumes of log files or audit information, identifying anomalies and summarizing the data in a format more meaningful to analysts, thus generating customized reports

An OSC can use any of the following strategies to meet the requirements of CMMC practice MP.L2-3.8.8 – Shared Media, EXCEPT?


A. Permitting unrestricted use of portable storage devices after users complete security awareness training


B. Ensuring every portable storage device is assigned an owner, project, or department with an identifiable label or registered in a central database


C. Implementing strong access controls that only allow registered devices to connect to the system


D. Implementing a strict usage policy that allows only organization-owned portable storage devices to be used





Answer: A. Permitting unrestricted use of portable storage devices after users complete security awareness training

While examining a contractor's audit and accountability policy, you find that they have documented the types of events to be logged and defined the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activities. After the logs are analyzed, the results are fed into a system that automatically generates audit records, which are stored for 30 days. However, after several tests you find that the mechanisms implementing system audit logging are deficient: the audit logs they produce are too limited. The generated logs cannot be independently used to identify the event they resulted from, because the content defined for them is too limited. Additionally, you find that the logs are retained for only 24 hours before they are automatically deleted. All of the following are required to satisfy AU.L2-3.3.1 – System Auditing assessment objectives [b] and [d], EXCEPT?


A. Process identifiers


B. Failure or success indications


C. Timestamps


D. File permissions





Answer: D. File permissions
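The two audit scenarios above (AU.L2-3.3.6 reduction and reporting, and the AU.L2-3.3.1 records that are "too limited" to identify the event that produced them) come down to a concrete check an assessor can run on a log sample: does every record carry enough content to be attributed to an event, and does the reduction pipeline drop only noise while still surfacing anomalies? The script below is an added example, not code from the practice test or from any OSC's Splunk deployment. The required fields follow the NIST SP 800-171 discussion of 3.3.1 (time stamp, source, user or process identifier, event description, success or failure indication); the field names, the "nonessential" event types, the failure threshold and the JSON-lines sample log are all constructed for this example.

```python
import json
from collections import Counter
from datetime import datetime

# Content a record must carry to be independently attributable to an event.
# Field names are this example's own, not a Splunk or NIST schema.
REQUIRED_FIELDS = ("timestamp", "event_type", "source", "user", "process_id", "outcome")

# Event types that add volume but no investigative value (assumption for the example).
NONESSENTIAL_EVENTS = {"heartbeat", "debug"}

# Repeated failures from one user/source at or above this count are reported (assumption).
FAILURE_THRESHOLD = 3

# Constructed sample records, not from any real system. Record 5 lacks required
# fields; record 7 carries a timestamp that cannot be parsed.
SAMPLE_LOG = """\
{"timestamp": "2026-04-01T08:00:01Z", "event_type": "logon", "source": "10.0.0.5", "user": "alice", "process_id": 4412, "outcome": "success"}
{"timestamp": "2026-04-01T08:00:05Z", "event_type": "heartbeat", "source": "10.0.0.5", "user": "svc-mon", "process_id": 12, "outcome": "success"}
{"timestamp": "2026-04-01T08:01:10Z", "event_type": "logon", "source": "10.0.0.9", "user": "bob", "process_id": 4420, "outcome": "failure"}
{"timestamp": "2026-04-01T08:01:12Z", "event_type": "logon", "source": "10.0.0.9", "user": "bob", "process_id": 4421, "outcome": "failure"}
{"timestamp": "2026-04-01T08:01:15Z", "event_type": "logon", "source": "10.0.0.9", "user": "bob", "process_id": 4422, "outcome": "failure"}
{"event_type": "file_access", "user": "alice", "outcome": "success"}
{"timestamp": "2026-04-01T08:02:00Z", "event_type": "file_access", "source": "10.0.0.5", "user": "alice", "process_id": 4412, "outcome": "success", "file": "/cui/contract.pdf"}
{"timestamp": "not-a-time", "event_type": "logoff", "source": "10.0.0.5", "user": "alice", "process_id": 4412, "outcome": "success"}
"""


def parse_records(text):
    """Parse one JSON object per line; malformed lines are reported, not silently dropped."""
    records, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad_lines.append(lineno)
    return records, bad_lines


def validate_record(rec):
    """Return the list of content deficiencies for one record (empty list means acceptable)."""
    problems = [f"missing {field}" for field in REQUIRED_FIELDS if field not in rec]
    ts = rec.get("timestamp")
    if ts is not None:
        try:
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("unparseable timestamp")
    if rec.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome is not a success/failure indication")
    return problems


def reduce_and_report(records):
    """Drop nonessential events, summarise what remains, and flag repeated failures."""
    essential = [r for r in records if r.get("event_type") not in NONESSENTIAL_EVENTS]
    summary = Counter(
        f"{r.get('user')}:{r.get('event_type')}:{r.get('outcome')}" for r in essential
    )
    failures = Counter(
        (r.get("user"), r.get("source")) for r in essential if r.get("outcome") == "failure"
    )
    anomalies = [
        f"{user}@{source}: {count} failures"
        for (user, source), count in failures.items()
        if count >= FAILURE_THRESHOLD
    ]
    return {
        "kept": len(essential),
        "dropped": len(records) - len(essential),
        "summary": dict(summary),
        "anomalies": anomalies,
    }


def assess(text):
    """Full pass: parse, check each record's content, then reduce and report."""
    records, bad_lines = parse_records(text)
    deficient = {}
    for index, rec in enumerate(records):
        problems = validate_record(rec)
        if problems:
            deficient[index] = problems
    return {
        "malformed_lines": bad_lines,
        "deficient_records": deficient,
        "report": reduce_and_report(records),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOG), indent=2))
```

Run against the constructed sample, the content check flags record 5 (no timestamp, source or process identifier, so it cannot be tied to an event) and record 7 (a timestamp that does not parse), while the reduction step drops only the heartbeat record and still reports bob's three consecutive logon failures. A real assessment would point the same logic at an export from the OSC's SIEM rather than an inline string.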

You have been hired to assess an OSC's implementation of secure password storage and transmission mechanisms. The OSC uses a popular identity and access management (IAM) solution from a reputable vendor to manage user authentication across their systems. During the assessment, you examine the IAM solution's configuration and documentation, which indicate that passwords are hashed using industry-standard algorithms like SHA-256 or bcrypt before being stored in the system's database. Additionally, the IAM solution leverages TLS encryption for all communications, ensuring that passwords are transmitted securely over the network. Based on the information provided, how would you assess the OSC's compliance with CMMC practice IA.L2-3.5.10 – Cryptographically-Protected Passwords, which requires organizations to store and transmit only cryptographically protected passwords?


A. Not Met (-5 points)


B. Met (+5 points)


C. Met (+1 point)


D. Not Met (-1 point)





Answer: B. Met (+5 points)
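The scenario above treats "SHA-256 or bcrypt" as equivalent ways to satisfy IA.L2-3.5.10. The practice requires only that stored and transmitted passwords be cryptographically protected, so the scoring stands, but an assessor looking at how the protection is implemented would want to know whether the hash is salted and deliberately slow. An unsalted, single-pass SHA-256 digest lets an attacker who obtains the database test candidate passwords at hardware speed and immediately see which accounts share a password; bcrypt, PBKDF2, scrypt and Argon2 exist to prevent exactly that. The following is an added example, not the OSC's IAM product or any vendor's code: it contrasts a bare SHA-256 digest with a salted, iterated PBKDF2-HMAC-SHA256 hash using only the Python standard library. The storage format, iteration count and salt length are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example parameters, not the OSC's IAM configuration. 600,000 iterations is the
# order of magnitude OWASP currently recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """Bare SHA-256 of the password. Cryptographic, but identical passwords produce
    identical digests and each guess costs the attacker one cheap hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing string
    (scheme$iterations$salt$derived_key) so parameters can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Anything that does not parse as our format (for example a plaintext value) fails."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(candidate, expected)


def shared_password_visible(password: str) -> dict:
    """Show why salting matters: two accounts using the same password are
    distinguishable only under the salted scheme."""
    return {
        "unsalted_equal": unsalted_sha256(password) == unsalted_sha256(password),
        "salted_equal": hash_password(password) == hash_password(password),
    }


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", stored))
    print(shared_password_visible("hunter2"))
```

The stored string carries its own iteration count, so an OSC can raise the work factor over time and rehash on next login without a schema change. Transmission is the other half of the practice: the TLS noted in the scenario protects the password in transit, and the hash above protects it at rest; neither substitutes for the other.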

During your assessment of Defcon's (a contractor) implementation of CMMC Level 2 practices, you notice that their system for displaying security and privacy notices is insufficient. The banners currently in use lack detailed information about Controlled Unclassified Information (CUI) handling requirements and associated legal implications. Additionally, the banners are not consistently displayed across all contractor systems and workstations. Moreover, the banners on login pages disappear automatically after less than 5 seconds, providing insufficient time for users to read and acknowledge the content. Which of the following is NOT a feature Defcon's updated privacy and security notices should have?


A. A warning about unauthorized use being subject to civil and criminal penalties


B. A general statement about monitoring and recording of system usage


C. Display duration set to less than 5 seconds before automatically disappearing


D. Specific information about the presence of CUI and associated handling requirements





Answer: C. Display duration set to less than 5 seconds before automatically disappearing

A Defense Contractor is preparing for their upcoming CMMC Level 2 assessment. One of the key controls they need to address is CMMC practice MP.L2-3.8.5 – Media Accountability, which deals with maintaining accountability for media containing CUI during transport outside of controlled areas. The organization regularly needs to transport physical media, such as hard drives and backup tapes, between their primary data center and an off-site storage facility. In the past, they have simply used standard packaging and commercial shipping services to move this media. Which of the following is NOT an assessment method for MP.L2-3.8.5 – Media Accountability?


A. Testing mechanisms supporting or implementing media storage and media protection


B. Examining designated controlled areas


C. Interviewing organizational processes for storing media


D. Examining procedures addressing media storage and access control policy





Answer: C. Interviewing organizational processes for storing media

A CCA is offered a significant discount on cybersecurity software from a vendor whose product they will be evaluating during a CMMC assessment. How should the CCA handle this situation according to the CoPC's conflict of interest principle?


A. Inform the vendor that they can accept such offers only after the CMMC assessment is done.


B. Accept the discount and disclose it to the C3PAO for transparency.


C. Decline the discount to avoid any appearance of a conflict.


D. Recommend the software to the OSC during the assessment, highlighting its value proposition.





Answer: C. Decline the discount to avoid any appearance of a conflict.

You are the Lead Assessor for a CMMC Level 2 assessment. During the assessment, the OSC provides evidence that a practice is inherited from a cloud service provider (CSP). The CSP has a FedRAMP Moderate authorization, and the OSC argues that this should automatically satisfy the practice’s requirements. How should you respond?


A. Accept the FedRAMP authorization as sufficient evidence and score the practice as "MET."


B. Inform the OSC that FedRAMP authorization does not automatically satisfy CMMC requirements and request specific evidence from the CSP demonstrating compliance with the practice’s objectives.


C. Reject the evidence outright, as external certifications are not allowed under CMMC.


D. Consult with the Cyber AB to determine if FedRAMP can be accepted as equivalent to CMMC requirements.





Answer: B. Inform the OSC that FedRAMP authorization does not automatically satisfy CMMC requirements and request specific evidence from the CSP demonstrating compliance with the practice's objectives.

An OSC has provided its System Security Plan (SSP) as evidence for several CMMC practices related to system security. During your examination of the SSP, you discover a section outlining procedures for user access controls. However, upon further review, you find no mention of procedures for managing privileged accounts, which is a critical aspect of secure system access. If the OSC provides a separate document outlining privileged account management procedures, and upon review, these procedures appear sufficient, how should the Lead Assessor proceed with the SSP as evidence?


A. Request that the OSC formally incorporate the privileged account management procedures into the SSP for consistency.


B. Accept both the SSP and the separate document as evidence and proceed with the assessment.


C. Deduct points from the overall assessment score due to the initial oversight in the SSP.


D. Mark the related user access control practice as "Not Met" due to the initial deficiency in the SSP.





Answer: B. Accept both the SSP and the separate document as evidence and proceed with the assessment.

You are a CCA with active status and good standing on the Cyber AB Marketplace. An OSC has contracted your C3PAO for a prospective CMMC Assessment. The OSC provides signal processing services for the DoD. You assisted the OSC in preparing for the upcoming CMMC assessment by conducting an initial evaluation of their implementation of the practices. With your background in cybersecurity and extensive experience, your C3PAO and Lead Assessor have selected you to join the Assessment Team. Based on this scenario, which of the following is the most important factor for the C3PAO to consider when assigning assessors to the Assessment Team?


A. The Assessor’s active status and good standing as a CMMC Certified Assessor or Professional, verified on the Cyber AB Marketplace, are important factors.


B. The Assessor’s hourly rate, especially for independent assessors.


C. The Assessor’s professional reputation within the CMMC ecosystem.


D. The Assessor’s specialization with the OSC’s lines of business or industry sub-sector.





Answer: A. The Assessor's active status and good standing as a CMMC Certified Assessor or Professional, verified on the Cyber AB Marketplace, are important factors.



What Makes Our Certified CMMC Assessor (CCA) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Assessor (CCA) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCA practice exam questions pool covering all topics, the real exam feels like just another practice session.