Free CMMC-CCP Practice Test Questions 2026

222 Questions


Last Updated On : 12-Jun-2026


CMMC Assessment Process (CAP)

Who has the initial responsibility for identifying and managing conflicts of interest?


A. OSC


B. C3PAO


C. CMMC-AB


D. Lead Assessor





B. C3PAO

Explanation:

The C3PAO (Certified Third-Party Assessment Organization) bears the initial and primary responsibility for identifying and managing conflicts of interest before an assessment begins. This responsibility is established in the CMMC Assessment Process (CAP) as a "preliminary proceeding" that must be completed prior to the assessment. The CAP explicitly requires C3PAOs to handle COI identification during Phase 1 (Plan and Prepare the Assessment) before any assessment activities commence.

Why other options are incorrect:

A. OSC – The Organization Seeking Certification is the client being assessed. While the OSC may disclose potential conflicts, they have no authority to manage the assessor's independence or enforce COI policies.

C. CMMC-AB (The Cyber AB) – The Accreditation Body sets COI rules and accredits C3PAOs but does not manage conflicts for individual assessments. This responsibility is delegated to authorized C3PAOs.

D. Lead Assessor – The Lead Assessor must attest to the absence of COI and work with the OSC to mitigate identified conflicts, but this occurs after the C3PAO has already performed initial identification and assignment. The Lead Assessor's responsibility is execution-level, not initial organizational responsibility.

References

32 CFR § 170.9(b)(2) – C3PAO compliance with COI policies

CMMC Assessment Process (CAP) – Phase 1 preliminary proceedings include COI identification; C3PAO responsibility

Which NIST SP discusses protecting CUI in nonfederal systems and organizations?


A. NIST SP 800-37


B. NIST SP 800-53


C. NIST SP 800-88


D. NIST SP 800-171





D. NIST SP 800-171

Explanation:

NIST Special Publication (SP) 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is the definitive source document for CMMC Level 2 requirements. It was specifically created by NIST to provide federal agencies with a standardized set of recommended security requirements to protect the confidentiality of CUI when it resides on or traverses nonfederal information systems (such as those owned by Department of Defense contractors).

The 110 security practices evaluated at CMMC Level 2 are pulled directly from the requirements established in this publication.

Why Other Options Are Incorrect

A is incorrect: NIST SP 800-37 outlines the Risk Management Framework (RMF) for Information Systems and Organizations, which is a process used primarily by federal agencies to secure internal government systems.

B is incorrect: NIST SP 800-53 provides a massive catalog of Security and Privacy Controls for Information Systems and Organizations. While NIST SP 800-171 is derived from a subset of moderate-impact controls in SP 800-53, SP 800-53 itself is designed for federal environments.

C is incorrect: NIST SP 800-88 provides the Guidelines for Media Sanitization, which deals specifically with wiping, destroying, or declassifying data storage devices.

References

NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), Title and Purpose statements.

32 CFR Part 170 (CMMC Final Rule): Establishes that CMMC Level 2 alignment is explicitly mapped against the security requirements of NIST SP 800-171.

A machining company has been awarded a contract with the DoD to build specialized parts. Testing of the parts will be done by the company using in-house staff and equipment. For a Level 1 Self-Assessment, what type of asset is this?


A. CUI Asset


B. In-scope Asset


C. Specialized Asset


D. Contractor Risk Managed Asset





B. In-scope Asset

Explanation:

For a CMMC Level 1 Self-Assessment, assets are categorized based on their relationship with Federal Contract Information (FCI). Unlike Level 2 (which uses five distinct asset categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets), Level 1 follows a simpler scoping framework.

Why other options are incorrect:

A. CUI Asset – Incorrect.
CUI (Controlled Unclassified Information) assets are defined at Level 2, not Level 1. Level 1 only concerns FCI protection. The scenario explicitly states this is a Level 1 Self-Assessment with no mention of CUI handling.

C. Specialized Asset – Incorrect.
Under Level 1 scoping rules, Specialized Assets (including IoT devices, OT, and test equipment) are explicitly excluded from the assessment scope. The regulation states: "Specialized Assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC security requirements." However, this exclusion applies only when the specialized asset can process FCI but is unable to be fully secured. The question does not indicate the testing equipment falls under this exception, and typical in-house test equipment used for contract fulfillment is treated as in-scope.

D. Contractor Risk Managed Asset – Incorrect.
Contractor Risk Managed Assets (CRMA) are a Level 2 asset category, not used in Level 1 scoping. CRMA refers to assets that can, but are not intended to, process CUI due to risk-based policies. This category does not apply to Level 1 assessments.

References

32 CFR § 170.19(b) – Level 1 scoping requirements; assets processing, storing, or transmitting FCI are in scope

CMMC Level 1 Scoping Guide – Defines In-Scope Assets for Level 1 Self-Assessments as those that process, store, or transmit FCI

In accordance with NARA directives and Chapter 33 of Title 44 (Records Management Directive), which types of data MUST have policies and procedures for disposal?


A. All recorded digital documents


B. All digital and recorded paper documents


C. All digital documents and recorded media


D. All recorded information, regardless of form or characteristics





D. All recorded information, regardless of form or characteristics

Explanation

Under Chapter 33 of Title 44, United States Code (the Federal Records Act), the definition of "records" explicitly includes all recorded information, regardless of form or characteristics, made or received by a Federal agency in connection with the transaction of public business. NARA directives and the U.S. Code further specify that "recorded information includes all traditional forms of records, regardless of physical form or characteristics, including information created, manipulated, communicated, or stored in digital or electronic form."

Why other options are incorrect:

A. All recorded digital documents – Incorrect.
This excludes paper records, maps, photographs, film, tape, and other physical documentary materials that are also subject to records disposition requirements.

B. All digital and recorded paper documents – Incorrect.
While this expands beyond digital, it still excludes other physical media such as film, tape, maps, and photographs, all of which fall under "recorded information, regardless of physical form."

C. All digital documents and recorded media – Incorrect.
Although "recorded media" is broader, this option still excludes traditional paper records and other documentary materials that are not classified as "media" but are still subject to disposal policies.

References

44 U.S.C. § 3301(a) – Definition of records includes "all recorded information, regardless of form or characteristics"

44 U.S.C. § 3301(a)(2) – "Recorded information includes all traditional forms of records...including information created, manipulated, communicated, or stored in digital or electronic form"

Which CMMC Levels meet the standards of protecting FCI (Federal Contract Information) ?


A. Level 1


B. Level 2


C. Levels 2 and 3


D. Levels 1, 2, and 3





A. Level 1

Explanation:

Under CMMC 2.0, Federal Contract Information (FCI) protection is specifically aligned with CMMC Level 1. Level 1 requires implementation of the basic safeguarding requirements found in FAR 52.204-21 and applies exclusively to contractors who handle FCI but do not process, store, or transmit Controlled Unclassified Information (CUI).

CMMC Level 1 focuses on foundational cybersecurity practices, requiring annual self-assessment and senior official affirmation. Approximately 63% of the Defense Industrial Base will need Level 1 certification for contracts involving FCI only.

Why other options are incorrect:

B. Level 2 – Incorrect.
Level 2 is designed for contractors handling CUI, requiring 110 practices aligned with NIST SP 800-171 and typically a third-party C3PAO assessment.

C. Levels 2 and 3 – Incorrect.
Both Levels 2 and 3 address CUI protection, not FCI. Level 3 applies to the most critical national security programs handling high-value CUI.

D. Levels 1, 2, and 3 – Incorrect.
While the levels are cumulative in maturity, requiring Level 2 or 3 for FCI-only contracts would impose unnecessary compliance burdens. DoD policy explicitly states Level 1 is sufficient for FCI protection.

References

32 CFR § 170.5(c) – CMMC Program requirements apply to contracts handling FCI

CMMC Level 1 Assessment Guide – Defines FCI protection requirements

DFARS CMMC Final Rule (Sept 2025) – Level 1 for FCI, Level 2/3 for CUI

In the CMMC Model, how many practices are included in Level 1?


A. 15 practices


B. 17 practices


C. 72 practices


D. 110 practices





B. 17 practices

Explanation:

Under the CMMC Model, Level 1 (Foundational) includes 17 security practices derived directly from FAR 52.204-21, which addresses the basic safeguarding of Federal Contract Information (FCI). These 17 practices are organized across six domains: Access Control (4 practices), Identification and Authentication (2), Media Protection (1), Physical Protection (4), System and Communications Protection (2), and System and Information Integrity (4).

The source of confusion between "15" and "17" stems from how the FAR 52.204-21 requirements are counted. The FAR clause contains 15 basic safeguarding requirements, but when mapped to NIST SP 800-171 Rev 2 for assessment purposes, these requirements align with 17 distinct security practices. Both CMMC 1.0 and CMMC 2.0 specify 17 practices for Level 1.

Why other options are incorrect:

A. 15 practices – Incorrect.
While FAR 52.204-21 contains 15 basic safeguarding requirements, the CMMC Level 1 model expands these to 17 practices when mapped to NIST SP 800-171 Rev 2 for assessment and evidence collection.

C. 72 practices – Incorrect.
72 practices represent the cumulative total for Level 2 under CMMC 1.0 (17 from Level 1 + 55 new from Level 2). This is not the count for Level 1 alone.

D. 110 practices – Incorrect.
110 practices is the total for CMMC Level 2 under CMMC 2.0, aligned with all NIST SP 800-171 Rev 2 requirements. Level 1 only requires the foundational 17 practices.

References

CMMC Model v2.0 – Level 1 requires 17 practices from FAR 52.204-21

32 CFR § 170.15 – Level 1 self-assessment requirements

NIST SP 800-171 Rev 2 – The 17 Level 1 practices map across 6 control families

Which domains are a part of a Level 1 Self-Assessment?


A. Access Control (AC), Risk Management (RM), and Media Protection (MP)


B. Risk Management (RM), Access Control (AC), and Physical Protection (PE)


C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)


D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA)





C. Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA)

Explanation:

Under CMMC Level 1, the self-assessment covers six domains that contain the 17 basic safeguarding practices derived from FAR 52.204-21. The Level 1 domains are:

Access Control (AC) – 4 practices
Identification and Authentication (IA) – 2 practices
Media Protection (MP) – 1 practice
Physical Protection (PE) – 4 practices
System and Communications Protection (SC) – 2 practices
System and Information Integrity (SI) – 4 practices

Option C correctly lists three of these six domains: Access Control (AC), Physical Protection (PE), and Identification and Authentication (IA). All three are mandatory components of any Level 1 Self-Assessment.

Why other options are incorrect:

A. Access Control (AC), Risk Management (RM), and Media Protection (MP) – Incorrect.
Risk Management (RM) is not a Level 1 domain. RM appears at Level 2 and above under CMMC 2.0, not at the foundational Level 1.

B. Risk Management (RM), Access Control (AC), and Physical Protection (PE) – Incorrect.
Risk Management (RM) is not included in Level 1. The Level 1 domains consist of AC, IA, MP, PE, SC, and SI only.

D. Risk Management (RM), Media Protection (MP), and Identification and Authentication (IA) – Incorrect.
Risk Management (RM) is not a Level 1 domain. While Media Protection (MP) and Identification and Authentication (IA) are valid Level 1 domains, RM is exclusively part of higher CMMC levels.

References

32 CFR § 170.14(c)(2) – CMMC Level 1 security requirements from 48 CFR 52.204-21(b)(1)(i) through (xv)

CMMC Level 1 Self-Assessment Guide (DoD) – Lists six domains: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity

While developing an assessment plan for an OSC, it is discovered that the certified assessor will be interviewing a former college roommate. What is the MOST correct action to take?


A. Do not inform the OSC and the C3PAO of the possible conflict of interest, and continue as planned.


B. Inform the OSC and the C3PAO of the possible conflict of interest, and start the entire process over without the conflicted team member.


C. Inform the OSC and the C3PAO of the possible conflict of interest but since it has been an acceptable amount of time since college, no conflict of interest exists, and continue as planned.


D. Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.





D. Inform the OSC and the C3PAO of the possible conflict of interest, document the conflict and mitigation actions in the assessment plan, and if the mitigation actions are acceptable, continue with the assessment.

Explanation:

The CMMC Code of Professional Conduct and the CMMC Assessment Process (CAP) require that any actual or apparent conflict of interest (COI) must be identified, disclosed, and managed appropriately. A former college roommate relationship could create an appearance of bias or favoritism, even if no actual bias exists.

Why other options are incorrect:

A. Do not inform the OSC and the C3PAO – Incorrect.
Concealing a potential conflict violates the CMMC Code of Professional Conduct (Objectivity and Conflicts of Interest principles). This could result in loss of certification and C3PAO sanctions.

B. Start the entire process over without the conflicted team member – Incorrect.
Restarting the assessment from scratch is unnecessary and costly. The conflict can be mitigated without discarding all prior work, provided the OSC and C3PAO agree.

C. Assume no conflict exists because time has passed – Incorrect.
Time alone does not automatically eliminate a potential conflict of interest. Any relationship that could create an appearance of bias (past personal relationship) must be disclosed, regardless of how long ago it occurred.

References

CMMC Code of Professional Conduct – Conflicts of Interest section: Requires disclosure of actual or apparent conflicts

CMMC Assessment Process (CAP) – Phase 1: Conflict of interest identification and mitigation documentation

Which assessment method describes the process of reviewing, inspecting, observing, studying, or analyzing assessment objects (i.e., specification, mechanisms, activities)?


A. Test


B. Assess


C. Examine


D. Interview





C. Examine

Explanation:

In CMMC assessment methodology, there are three primary assessment methods defined in NIST SP 800-171A and used throughout the CMMC Assessment Process: Examine, Interview, and Test.

The Examine method is specifically defined as the process of "reviewing, inspecting, observing, studying, or analyzing assessment objects to gather evidence." Assessment objects for examination include:

Specifications – Policies, plans, procedures, system designs, configurations
Mechanisms – Hardware, software, physical controls, technical implementations
Activities – Logs, records, audit trails, monitoring data, user actions

The keyword in the question is "reviewing, inspecting, observing, studying, or analyzing" – these verbs directly match the official definition of the Examine method.

Why other options are incorrect:

A. Test – Incorrect.
The Test method involves "exercising assessment objects under specified conditions to compare actual with expected behavior." Testing requires active execution (e.g., running scripts, attempting logins, scanning ports), not passive reviewing or observing.

B. Assess – Incorrect.
"Assess" is the overall activity (CMMC Assessment) but is not one of the three named assessment methods. The three specific methods are Examine, Interview, and Test.

D. Interview – Incorrect.
The Interview method involves "conducting discussions with individuals or groups to gather evidence." Interviews focus on questioning personnel, not reviewing specifications, mechanisms, or activities.

References

NIST SP 800-171A (Assessing Security Requirements) – Section 2: Assessment Methods defines Examine, Interview, and Test

CMMC Assessment Process (CAP) – Assessment methods guide for evidence collection

A CCP is part of a CMMC Assessment Team interviewing a subject-matter expert on Access Control (AC) within an OSC. During the interview process, what will the CCP ensure about the information exchanged during the interview?


A. Performed in groups for more efficient use of resources


B. Recorded for inclusion in the Final Recommended Findings report


C. Confidential and non-attributable so interviewees can speak without fear of reprisal


D. Mapped to specific CMMC practices to clearly delineate which practice is being evaluated





C. Confidential and non-attributable so interviewees can speak without fear of reprisal

Explanation

According to the official CMMC Assessment Process (CAP) guidelines and industry assessment best practices, interviews conducted during an assessment must maintain confidentiality and anonymity (non-attribution).

The goal of an interview is to verify how security practices are actually performed day-to-day, rather than how they look on paper. To get an honest, accurate representation of the environment, the assessment team must ensure that individual responses are not directly attributed to specific employees in the final documentation. This non-attributable approach eliminates the fear of workplace reprisal, encouraging subject-matter experts to speak openly about operational realities, potential gaps, or systemic issues.

Why Other Options Are Incorrect

A is incorrect:
While group interviews are sometimes used for efficiency, they are not a mandatory rule, and they often hinder candid feedback because employees may feel uncomfortable speaking openly in front of peers or managers.

B is incorrect:
While the factual data gathered during an interview informs the findings, raw interview recordings or word-for-word transcripts identifying the speaker are not included in the Final Recommended Findings report to protect anonymity.

D is incorrect:
The assessment team internally maps the gathered information to specific CMMC practices, but the information exchange itself during the interview should flow naturally without rigid, upfront constraints that might confuse the interviewee or shut down open dialogue.

References

The CMMC Assessment Process (CAP) – Phase 2: Assess Conformity (Conduct Interviews): Emphasizes establishing a constructive, non-punitive interview environment to ensure the integrity of testimonial evidence.

NIST SP 800-171A (Assessing Security Requirements): Outlines the "Interview" assessment method, emphasizing its role in obtaining a clear understanding and clarifying the implementation of security requirements through open professional dialogue.

Validation of findings is an iterative process usually performed during the Daily Checkpoints throughout the entire assessment process. As a validation activity, why are the preliminary findings important?


A. It allows the OSC to comment and provide additional evidence.


B. It determines whether the OSC will be rated MET or NOT MET on their assessment.


C. It confirms that the Assessment Team's findings are right and cannot be changed.


D. It corroborates the Assessment Team's understanding of the CMMC practices and controls.





A. It allows the OSC to comment and provide additional evidence.

Explanation

Validation of findings is an iterative process conducted throughout the assessment, typically during Daily Checkpoints. The purpose of presenting preliminary findings to the OSC is to ensure accuracy, fairness, and transparency before finalizing the assessment report.

Preliminary findings are important because they:
Allow the OSC to comment on the assessor's understanding of their implementation
Provide the OSC an opportunity to submit additional evidence if the preliminary finding appears incorrect or incomplete
Enable the OSC to clarify misunderstandings about their environment or processes
Support collaborative validation between the assessment team and the OSC

This iterative validation process ensures that final findings accurately reflect the OSC's implementation before the assessment concludes. If new evidence changes a preliminary finding, the assessment team can update it accordingly.

Why other options are incorrect:

B. It determines whether the OSC will be rated MET or NOT MET – Incorrect.
The rating is preliminary at this stage and can change based on OSC comments and additional evidence. Final determination occurs at the end of the assessment, not during preliminary findings presentation.

C. It confirms that the Assessment Team's findings are right and cannot be changed – Incorrect.
This directly contradicts the iterative nature of validation. Preliminary findings are explicitly not final and can be modified as new evidence emerges or clarifications are provided.

D. It corroborates the Assessment Team's understanding of the CMMC practices and controls – Incorrect.
While the assessment team must understand CMMC practices, the purpose of preliminary findings is to validate findings about the OSC's implementation, not to corroborate the team's understanding of the model itself.

References

CMMC Assessment Process (CAP) – Section on Daily Checkpoints and Preliminary Findings

NIST SP 800-171 – Iterative assessment and validation process

Who is responsible for identifying and verifying Assessment Team Member qualifications?


A. C3PAO


B. CMMC-AB


C. Lead Assessor


D. CMMC Marketplace





C. Lead Assessor

Explanation:

The Lead Assessor holds the primary responsibility for identifying and verifying that Assessment Team Members possess the required qualifications before and during a CMMC assessment. This role includes:

Assembling the assessment team – The Lead Assessor selects qualified team members based on the OSC's specific environment, scope, and applicable practices

Verifying qualifications – The Lead Assessor confirms each team member holds appropriate certifications (e.g., CCP or CCA) and has necessary technical expertise

Ensuring no conflicts of interest – The Lead Assessor verifies team members have no prohibited relationships with the OSC before assignment

Overseeing team performance – Throughout the assessment, the Lead Assessor ensures team members competently execute assigned examination, interview, and testing activities

The assessment process lifecycle documentation confirms that during Phase 1 (Plan and Prepare), "The Lead Assessor is assigned and assembles qualified assessment team members, verifying no conflicts of interest exist."

Why other options are incorrect:

A. C3PAO – The C3PAO (Certified Third-Party Assessment Organization) is responsible for overall assessment conduct, contracting, and quality assurance. While the C3PAO employs the Lead Assessor and ensures organizational compliance, the day-to-day responsibility for verifying individual team member qualifications rests with the Lead Assessor. The C3PAO's role is to ensure the organization has qualified personnel available, not to verify each team member's credentials for each specific engagement.

B. CMMC-AB (The Cyber AB) – The Accreditation Body sets certification requirements, accredits C3PAOs, and maintains the CMMC Marketplace listing of certified professionals. However, The Cyber AB does not verify team member qualifications for individual assessments. This responsibility is delegated to the C3PAO and Lead Assessor.

D. CMMC Marketplace – The Marketplace is a public listing of certified professionals and accredited organizations maintained by The Cyber AB. It serves as a directory for verifying credentials but has no active role in identifying or verifying team member qualifications for specific assessments.

References

CMMC Assessment Process (CAP) – Phase 1: Plan and Prepare; Lead Assessor assembles and qualifies assessment team members

32 CFR § 170.4(b) – Definitions of Lead Assessor and Assessment Team roles


