Free CMMC-CCP Practice Test Questions 2026

In scoping a CMMC Level 1 Self-Assessment, it is determined that an ESP employee has access to FCI. What is the ESP employee considered?

A. In scope

B. Out of scope

C. OSC point of contact

D. Assessment Team Member

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:

A. GUI Assets.

B. CUI and Security Protection Asset categories.

C. all asset categories except for the Out-of-scope Assets.

D. Contractor Risk Managed Assets and Specialized Assets.

Which term describes the process of granting or denying specific requests to obtain and use information, related information processing services, and enter specific physical facilities?

A. Access control

B. Physical access control

C. Mandatory access control

D. Discretionary access control

A contractor provides services and data to the DoD. The transactions that occur to handle FCI take place over the contractor's business network, but the work is performed on contractor-owned systems, which must be configured based on government requirements and are used to support a contract. What type of Specialized Asset are these systems?

A. loT

B. Restricted IS

C. Test equipment

D. Government property

While determining the scope for a company's CMMC Level 1 Self-Assessment, the contract administrator includes the hosting providers that manage their IT infrastructure. Which asset type BEST describes the third-party organization?

A. ESPs

B. People

C. Facilities

D. Technology

When scoping the organizational system, the scope of applicability for the cybersecurity CUI practices applies to the components of:

A. federal systems that process, store, or transmit CUI.

B. nonfederal systems that process, store, or transmit CUI.

C. federal systems that process, store, or transmit CUI. or that provide protection for the system components.

D. nonfederal systems that process, store, or transmit CUI. or that provide protection for the system components.

During the planning phase of the Assessment Process. C3PAO staff are reviewing the various entities associated with an OSC that has requested a CMMC Level 2 Assessment. Which term describes the people, processes, and technology external to the HQ Organization that participate in the assessment but will not receive a CMMC Level unless an enterprise Assessment is conducted?

A. Host Unit

B. Organization

C. Coordinating Unit

D. Supporting Organization/Unit

What is DFARS clause 252.204-7012 required for?

A. All DoD solicitations and contracts

B. Solicitations and contracts that use FAR part 12 procedures

C. Procurements solely for the acquisition of commercial off-the-shelf

D. Commercial off-the-shelf sold in the marketplace without modifications

Which example represents a Specialized Asset?

A. SOCs

B. Hosted VPN services

C. Consultants who provide cybersecurity services

D. All property owned or leased by the government

How does the CMMC define a practice?

A. A business transaction

B. A condition arrived at by experience or exercise

C. A series of changes taking place in a defined manner

D. An activity or activities performed to meet defined CMMC objectives

What is the primary intent of the verify evidence and record gaps activity?

A. Map test and demonstration responses to CMMC practices.

B. Conduct interviews to test process implementation knowledge.

C. Determine the one-to-one relationship between a practice and an assessment object.

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

An employee is the primary system administrator for an OSC. The employee will be a core part of the assessment, as they perform most of the duties in managing and maintaining the systems. What would the employee be BEST categorized as?

A. Analyzer

B. Inspector

C. Applicable staff

D. Demonstration staff