Free CMMC-CCP Practice Test Questions 2026

222 Questions


Last Updated On: 12-Jun-2026


CMMC Model Construct and Implementation Evaluation

How many domains does the CMMC Model consist of?


A. 14 domains


B. 43 domains


C. 72 domains


D. 110 domains





A. 14 domains

Explanation:

The CMMC Model consists of 14 domains under CMMC 2.0. These domains organize the cybersecurity practices and processes required at each CMMC level:

Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)

Why other options are incorrect:

B. 43 domains – Incorrect.
43 represents the number of capabilities within the CMMC Model, not domains. Capabilities are groupings of practices within domains.

C. 72 domains – Incorrect.
72 represents the cumulative number of practices at CMMC Level 2 under CMMC 1.0 (17 from Level 1 + 55 added at Level 2).

D. 110 domains – Incorrect.
110 represents the number of practices required at CMMC Level 2 under CMMC 2.0, aligned with NIST SP 800-171. This is the count of individual security requirements, not domains.

References

CMMC 2.0 Model – 14 domains spanning all three levels

NIST SP 800-171 Rev 2 – The 14 CMMC domains align with NIST control families

The CMMC Level 2 assessment methods include examination and can include:


A. documents, mechanisms, or activities.


B. specific hardware, software, or firmware safeguards employed within a system.


C. policies, procedures, security plans, penetration tests, and security requirements.


D. observation of system backup operations, exercising a contingency plan, and monitoring network traffic.





A. documents, mechanisms, or activities.

Explanation

In CMMC assessment methodology, the Examine assessment method is formally defined as the process of "reviewing, inspecting, observing, studying, or analyzing assessment objects to gather evidence." The three types of assessment objects that can be examined are:

Specifications – Documentation such as policies, procedures, security plans, system designs, and configuration requirements

Mechanisms – Hardware, software, physical controls, and technical safeguards implemented within a system

Activities – Logs, records, audit trails, monitoring data, and observations of operational actions

The question specifically asks about the Examine assessment method, and "documents, mechanisms, or activities" correctly captures the three assessment object categories. This is a foundational concept in CMMC assessment methodology, directly drawn from NIST SP 800-171A guidance and consistently referenced throughout the CCP exam.

Why other options are incorrect:

B. specific hardware, software, or firmware safeguards – Incorrect.
This describes only mechanisms, one of the three examination objects. The Examine method encompasses documents and activities in addition to mechanisms.

C. policies, procedures, security plans, penetration tests, and security requirements – Incorrect.
This describes only specifications (documentation). Examination of activities and mechanisms is equally valid and often required.

D. observation of system backup operations, exercising a contingency plan, and monitoring network traffic – Incorrect.
These are examples of activities, which are only one of the three examination object types. Additionally, observation of real-time operations may cross into Test method territory depending on the circumstances.

References

NIST SP 800-171A – Section 2: Assessment Methods defines Examine, Interview, and Test; assessment objects include specifications, mechanisms, and activities

CMMC Assessment Process (CAP) – Phase 2 assessment methods documentation

What activities are conducted while developing an assessment plan?


A. The C3PAO decides the Assessment Team members and notifies the Lead Assessor.


B. The Lead Assessor and the OSC’s sponsor determine the assessment resources and schedule.


C. The C3PAO’s project manager is responsible for handling potential conflicts of interest.


D. The evidence collection approach can be finalized when the Lead Assessor conducts an onsite assessment.





B. The Lead Assessor and the OSC’s sponsor determine the assessment resources and schedule.

Explanation

Developing the assessment plan is a collaborative effort during the planning phase of the CMMC Assessment Process (CAP). The Lead Assessor works directly with the Organization Seeking Certification (OSC) sponsor and stakeholders to map out the logistics, finalize dates, define technical scopes, and confirm the exact human and material resources required to execute the assessment. This plan establishes the formal roadmap for the entire assessment lifecycle.

Why Other Options Are Incorrect

A is incorrect:
Team selection and notification are prerequisite logistics that happen before the active development of the detailed assessment plan; the plan relies on an already established team to map out roles.

C is incorrect:
Conflict of Interest (COI) triage and resolution must be finalized during the initial engagement and team-vetted phase before a formal assessment plan is drafted, and it involves official C3PAO officers rather than just a project manager.

D is incorrect:
The evidence collection approach must be defined and agreed upon prior to beginning field operations. Waiting until the assessor arrives onsite to finalize the collection strategy would violate the readiness requirements of the CAP.

References

The CMMC Assessment Process (CAP), Phase 1: Prepare Assessment (Develop Assessment Plan): Details the explicit requirement for the Lead Assessor to collaborate with the OSC sponsor to determine the schedule, milestone gates, and required resources.

CMMC Certified Professional (CCP) Blueprint: Domain: CMMC Assessment Process Lifecycle (Phase 1 Planning and Preparation).

Which term describes a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers?


A. Red team


B. Blue team


C. White hat hackers


D. Penetration test team





D. Penetration test team

Explanation:

A Red team is defined as "a group of individuals authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture." Their primary role is to conduct operational network vulnerability evaluations (realistic adversarial simulations) and provide mitigation techniques to customers (the Blue team or organization) based on their findings.

Why other options are incorrect:

B. Blue team – Incorrect.
The Blue team is responsible for defending the enterprise's information systems, conducting incident response, and maintaining situational awareness. They do not emulate attackers; rather, they respond to and mitigate Red team activities.

C. White hat hackers – Incorrect.
While white hat hackers (ethical hackers) do perform vulnerability assessments, this term is broader and less specific. White hats may perform penetration tests but do not always operate in the structured, adversarial, continuous Red vs. Blue team exercise model. The term is also commonly associated with bug bounty programs rather than operational vulnerability evaluations with formal mitigation recommendations.

D. Penetration test team – Incorrect.
A penetration test team typically performs a point-in-time, scoped assessment to identify exploitable vulnerabilities. Unlike a Red team, a penetration test is usually narrower in scope, shorter in duration, and does not necessarily involve ongoing operational evaluation or full adversary emulation.

References

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) – Defines Red team as adversarial emulation capability

NIST SP 800-53 Rev 5 – CA-8 and CA-8(1) regarding penetration testing and Red team exercises

Which words summarize the categories of data disposal described in NIST SP 800-88 Revision 1, Guidelines for Media Sanitization?


A. Clear, purge, destroy


B. Clear, redact, destroy


C. Clear, overwrite, purge


D. Clear, overwrite, destroy





A. Clear, purge, destroy

Explanation:

NIST Special Publication 800-88 Revision 1 ("Guidelines for Media Sanitization") defines three distinct categories of data sanitization methods. These categories represent escalating levels of security assurance:

Clear applies logical techniques to sanitize data in all user-addressable storage locations, protecting against simple, non-invasive data recovery techniques. Clearing typically involves overwriting data using standard read/write commands or resetting a device to factory default state. Media can be reused after clearing.

Purge applies physical or logical techniques that render target data recovery infeasible even using state-of-the-art laboratory techniques. Methods include degaussing (for magnetic media), cryptographic erase, block erase, or advanced overwriting. Media can still be reused after purging.

Destroy renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for data storage. Methods include shredding, disintegrating, pulverizing, or incinerating the media.

Why other options are incorrect:

B. Clear, redact, destroy – "Redact" refers to editing documents to remove sensitive information before release, not a media sanitization method defined in NIST SP 800-88.

C. Clear, overwrite, purge – "Overwrite" is a specific technique used within the Clear and Purge categories, not a separate sanitization category.

D. Clear, overwrite, destroy – Same issue as option C; "overwrite" is a technique, not a category.

References

NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization) – Defines Clear, Purge, and Destroy as the three sanitization categories

NIST SP 800-88 Rev. 1, Section 2 – Sanitization definition and categories

During the planning phase of the Assessment Process, C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?


A. Host Unit


B. Organization


C. Coordinating Unit


D. Supporting Organization/Unit





D. Supporting Organization/Unit

Explanation:

During the scoping and planning phases of a CMMC Level 2 Assessment, defining the boundaries of the environment requires classifying the entities involved. The official CMMC Assessment Process (CAP) defines a Supporting Organization/Unit as external entities, business units, or corporate segments (such as corporate headquarters or a centralized corporate IT service desk outside the specific assessment boundary) that provide people, processes, or technology to support the target environment.

While these supporting units participate in the assessment because they handle shared management or security controls for the target system, they do not receive a standalone CMMC certification level themselves unless a full enterprise-wide assessment is explicitly conducted for that corporate entity.

Why Other Options Are Incorrect

A is incorrect: The Host Unit (or Assessment Home) describes the main organizational unit or specific facility enclave that is actively requesting and undergoing the assessment to receive its CMMC Level certification.

B is incorrect: Organization is too broad of a general term and refers to the entire legal entity rather than the specific external segments providing baseline dependencies.

C is incorrect: Coordinating Unit is not a formally defined scoping entity or term within the CMMC Assessment Process documentation.

References

The CMMC Assessment Process (CAP) – Appendix A: Scoping and Glossary Terms: Defines the roles of the Host Unit versus Supporting Organizations/Units during high-level and detailed scoping activities.

CMMC Certified Professional (CCP) Blueprint: Domain: CMMC Assessment Process Scoping Boundaries.

A Data Access Policy (DAP) document has been provided for review. It outlines the policies, procedures, and requirements for data access within the corporate area and the controlled environment. Which DAP policy statement about visitors is correct?


A. Visitors must not be escorted.


B. Visitors must be escorted in the corporate area, but not in the controlled environment.


C. Visitors must be escorted in the controlled environment, but not in the corporate area.


D. Visitors must be escorted at all times.





C. Visitors must be escorted in the controlled environment, but not in the corporate area.

Explanation:

The CMMC Physical Protection practice PE.L2-3.10.3 states the security requirement directly as: "Escort visitors and monitor visitor activity". The phrase "at all times" is not explicitly in the requirement text but is consistently emphasized in official guidance and assessment considerations.

Why other options are incorrect:

A. Visitors must not be escorted
– Directly contradicts the CMMC requirement. This would be a finding of NOT MET.

B. Visitors must be escorted in the corporate area, but not in the controlled environment
– Reverses the correct priority. Escort requirements apply specifically to controlled environments (areas with CUI/FCI). Corporate or public areas may have less stringent rules, but the controlled environment requires the highest level of access control.

C. Visitors must be escorted in the controlled environment, but not in the corporate area
– This is partially true but incomplete. The CMMC requirement does not explicitly exempt corporate/public areas from escort requirements; it focuses on areas where CUI or FCI is accessible. However, a Data Access Policy could reasonably apply different rules for different zones. Option D is more complete and aligns with the "at all times" guidance found in official assessment materials.

References

CMMC Level 2 Assessment Guide – PE.L2-3.10.3: Escort visitors and monitor visitor activity

NIST SP 800-171 – Requirement 3.10.3: Escort visitors and monitor visitor activity

During the assessment process, who is the final interpretation authority for recommended findings?


A. C3PAO


B. CMMC-AB


C. OSC sponsor


D. Assessment Team Members





A. C3PAO

Explanation

According to the official CMMC Assessment Process (CAP), the CMMC Third-Party Assessment Organization (C3PAO) acts as the final interpretation authority when determining whether recommended findings are "Met," "Not Met," or "Not Applicable."

While individual Assessment Team Members and the Lead Assessor gather objective evidence, conduct interviews, and formulate recommended findings during field operations, their determinations are subject to a rigorous internal quality assurance review by the C3PAO. If an Organization Seeking Certification (OSC) disputes a practice rating or finding issued by the field team, the CAP explicitly dictates that the C3PAO—as the accredited oversight entity for that engagement—holds the final authority to interpret the standard and approve or modify the scoring before results are officially uploaded into the DoD's eMASS system.

Why Other Options Are Incorrect

B is incorrect: The CMMC-AB (The Cyber AB) provides overall governance, manages the professional ecosystem, and acts as an appeals body if an OSC formally challenges a final certification decision. However, they do not manage or make interpretation calls on recommended findings during the live assessment process.

C is incorrect: The OSC Sponsor is the organization undergoing the evaluation. They can provide clarifying evidence during disputes, but they hold no authority over the final evaluation results.

D is incorrect: Assessment Team Members provide the field observations and recommendations, but they do not have final organizational authority; their findings must be verified and finalized through their parent C3PAO's quality control review process.

References

The CMMC Assessment Process (CAP) – Dispute Resolution and Quality Assurance Process: Outlines that for any disputed or contested practice findings during an assessment, the C3PAO holds the final interpretation authority.

32 CFR § 170.9 & § 170.17 (CMMC Final Rule): Details the explicit roles, operational responsibilities, and quality management requirements assigned directly to C3PAOs.

While conducting a CMMC Assessment, a Lead Assessor is given documentation attesting to Level 1 identification and authentication practices by the OSC. The Lead Assessor asks the CCP to review the documentation to determine if identification and authentication controls are met. Which documentation BEST satisfies the requirements of IA.L1-3.5.1: Identify system users, processes acting on behalf of users, and devices?


A. Procedures for implementing access control lists


B. List of unauthorized users that identifies their identities and roles


C. User names associated with system accounts assigned to those individuals


D. Physical access policy that states: "All non-employees must wear a special visitor pass or be escorted."





C. User names associated with system accounts assigned to those individuals

Explanation

The CMMC practice IA.L1-3.5.1 requires organizations to "Identify information system users, processes acting on behalf of users, or devices". This is a foundational Level 1 control derived from FAR 52.204-21 and NIST SP 800-171 3.5.1.

The official CMMC Level 1 Assessment Guide explicitly states that "individual identifiers are the user names associated with the system accounts assigned to those individuals". This means that the primary evidence for compliance is a list of system accounts showing the unique user names assigned to each individual who accesses the system. Without unique user names, you cannot trace actions to specific individuals, which undermines accountability and auditability.

Why other options are incorrect:

A. Procedures for implementing access control lists – Incorrect.
ACL procedures describe how access rules are enforced, not who the users are. This documents the mechanism (how access is controlled) rather than the identity (who the users are) required by IA.L1-3.5.1.

B. List of unauthorized users – Incorrect.
A list of unauthorized users is not meaningful because unauthorized users should not have system accounts. The requirement focuses on identifying authorized users, processes, and devices with assigned unique identifiers.

D. Physical access policy about visitor badges/escorts – Incorrect.
This addresses Physical Protection (PE), specifically PE.L2-3.10.3 (escort visitors), not Identification and Authentication (IA). Physical visitor management is separate from digital system user identification.

References

CMMC Level 1 Self-Assessment Guide (DoD) – IA.L1-3.5.1: "Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals"

NIST SP 800-171 Rev 2 – 3.5.1: Identify system users, processes acting on behalf of users, and devices

What type of information is NOT intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites) or simple transactional information, such as necessary to process payments?


A. CDI


B. CTI


C. CUI


D. FCI





D. FCI

Explanation:

Federal Contract Information (FCI) is defined in 32 CFR § 2002.4(y) and 48 CFR § 52.204-21 as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.

The definition explicitly excludes:
Information provided by the Government to the public (e.g., public websites)
Simple transactional information (e.g., payment processing data)

FCI is distinct from CUI and requires only the basic safeguarding requirements of FAR 52.204-21 (CMMC Level 1), not the full NIST SP 800-171 controls required for CUI.

Why other options are incorrect:

A. CDI (Controlled Defense Information) – Incorrect.
CDI is a legacy DoD term from DFARS 252.204-7012, largely replaced by the broader "CUI" category. The question's definition does not match CDI.

B. CTI (Controlled Technical Information) – Incorrect.
CTI is a subset of CUI with technical data or computer software subject to controls. It does not encompass all contract information described in the question.

C. CUI (Controlled Unclassified Information) – Incorrect.
CUI requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies. Not all FCI rises to the level of CUI. The question's exclusion of simple transactional information and public information directly mirrors the FCI definition, not CUI.

References

32 CFR § 2002.4(y) – Definition of Federal Contract Information (FCI)
48 CFR § 52.204-21 – Basic safeguarding of contractor information systems (FCI definition)
32 CFR § 2002.4(h) – Definition of Controlled Unclassified Information (CUI)

Within how many days from the Assessment Final Recommended Findings Brief should the Lead Assessor and Assessment Team Members, if necessary, review the accuracy and validity of the OSC's updated POA&M with any accompanying evidence or scheduled collections?


A. 90 days


B. 180 days


C. 270 days


D. 360 days





B. 180 days

Explanation

The 180-day timeline is a critical, non-negotiable compliance deadline for Conditional CMMC certification under Level 2. The remediation window functions as the "close-out period," requiring an organization to finalize any corrections documented in a Plan of Action & Milestones (POA&M) and pass a follow-up assessment.

If an organization fails to close all required POA&M items and obtain a "Final" status within this period, the "Conditional" status expires, potentially impacting eligibility for contract award.

Why other options are incorrect:

A. 90 days – Incorrect.
This is shorter than the regulatory mandate. According to official guidance, the only exception to the 180-day rule is for "critical requirements" which must be fully implemented prior to certification and cannot be placed on a POA&M at all.

C. 270 days – Incorrect.
This extends beyond the maximum allowed window. If an organization cannot remediate within 180 days, they are not eligible for Conditional certification under the current CMMC 2.0 rules.

D. 360 days – Incorrect.
While the planning window for remediation often spans several months, the formal regulatory close-out period from the date of the assessment findings is strictly 180 days.

References

32 CFR § 170.21 – Conditional CMMC status, POA&M requirements and 180-day close-out window

CMMC Level 2 Assessment Guide – Assessment findings and POA&M remediation timelines

What is the LAST step when developing an assessment plan for an OSC?


A. Verify the readiness to conduct the assessment.


B. Perform certification assessment readiness review.


C. Update the assessment plan and schedule as needed


D. Obtain and record commitment to the assessment plan.





D. Obtain and record commitment to the assessment plan.

Explanation

The final step in the assessment planning phase is obtaining formal commitment from the OSC to proceed with the plan as documented. This step locks in the scope, schedule, and rules of engagement, creating a binding agreement between the OSC and the C3PAO. Obtaining this commitment involves a final review of the plan with the OSC and securing documented approval (e.g., a signed assessment agreement).

Why other options are incorrect:

A. Verify the readiness to conduct the assessment – Incorrect.
This occurs during the Phase 1 "Pre-assessment Activities" before the assessment plan is developed. You cannot finalize a plan without first knowing the OSC is ready.

B. Perform certification assessment readiness review – Incorrect.
The Readiness Review is a pre-scoping activity used to determine if the OSC can proceed. It logically comes before or during initial planning, not after finalizing the plan.

C. Update the assessment plan and schedule as needed – Incorrect.
This is an ongoing iterative task during planning; it happens before the final commitment. The plan is updated continuously as information is gathered, but the final step is to lock the plan with a commitment from the OSC.

References

Assessment Process (CAP) – Phase 1: Plan and Prepare; final step is obtaining commitment from the OSC

CMMC-CCP Exam Content Outline – Domain: Assessment Planning



What Makes Our Certified CMMC Professional (CCP) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCP practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Professional (CCP) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCP practice exam questions pool covering all topics, the real exam feels like just another practice session.