Free CMMC-CCP Practice Test Questions 2026

222 Questions


Last Updated On: 12-Jun-2026


CMMC Ecosystem

A CCP is on their first assessment for CMMC Level 2 with an Assessment Team and is reviewing the CMMC Assessment Process to understand their responsibilities. Which method gathers information from the subject matter experts to facilitate understanding and achieve clarification?

A. Test
B. Examine
C. Interview
D. Assessment

C. Interview

Explanation

The Interview assessment method is specifically defined as the process of "conducting discussions with individuals or groups to gather evidence." In the context of CMMC assessments, the Interview method is used to:

Gather information from subject matter experts (SMEs)
Facilitate understanding of how security practices are implemented
Achieve clarification on processes, roles, and responsibilities
Corroborate evidence obtained through examination or testing

Interviews are typically conducted with personnel who have direct knowledge of the security practice being assessed, such as system administrators, security managers, or process owners. The questions focus on "how" the practice is implemented in daily operations.

Why other options are incorrect:

A. Test – Incorrect.
The Test method involves "exercising assessment objects under specified conditions to compare actual with expected behavior." Testing is active (e.g., running scripts, attempting logins) and does not involve discussions with SMEs.

B. Examine – Incorrect.
The Examine method involves "reviewing, inspecting, observing, studying, or analyzing assessment objects" such as policies, procedures, logs, and configuration files. Examination is document- or observation-focused, not conversation-based.

D. Assessment – Incorrect.
"Assessment" is the overall activity (CMMC Assessment) but is not one of the three named assessment methods. The specific methods are Examine, Interview, and Test.

References

NIST SP 800-171A – Section 2: Assessment Methods defines Interview as discussions with individuals or groups

CMMC Assessment Process (CAP) – Assessment methods guidance

CMMC Level 2 Assessment Guide – Interview method for evidence collection

What service is the MOST comprehensive that the RPO provides?

A. Training services
B. Education services
C. Consulting services
D. Assessment services

C. Consulting services

Explanation:

Registered Practitioner Organizations (RPOs) are consultative entities officially registered with The Cyber AB (formerly CMMC-AB) that provide advisory and security support services to organizations preparing for CMMC certification. The official Cyber AB website explicitly states that RPOs "deliver a non-certified advisory service" and "do not conduct Certified CMMC Assessments."

An RPO's core function is consulting — guiding Organizations Seeking Certification (OSC) through the certification process by interpreting requirements, conducting gap analyses, readiness assessments, remediation assistance, and implementation support. While RPOs may also offer training and education, these services are ancillary to their primary consultative role. Edwards Performance Solutions, a dual RPO and C3PAO, describes its RPO consulting services as including scoping, gap analysis, documentation, assessment preparation, and ongoing compliance support.

Why other options are incorrect:

A. Training services – Incorrect.
Training is a secondary offering many RPOs provide, but it is not their most comprehensive service. Training focuses on knowledge transfer, whereas consulting encompasses end-to-end compliance guidance including strategy, implementation, and remediation. Also, Licensed Training Providers (LTPs), not RPOs, are specifically authorized to deliver official CMMC training courses.

B. Education services – Incorrect.
Education falls under training and is similarly ancillary. The Cyber AB's Approved Partner Publisher (APP) and Approved Training Provider (ATP) designations specifically address education, not RPO status.

D. Assessment services – Incorrect.
RPOs cannot conduct certified CMMC assessments. Official sources repeatedly state that RPOs "do not conduct Certified CMMC Assessments" and that formal assessment responsibility "is limited to C3PAOs or government agencies." Only C3PAOs (Certified Third-Party Assessment Organizations) are authorized to perform official CMMC Level 2 and Level 3 assessments.

References

Cyber AB Official Website – RPOs "deliver a non-certified advisory service" and "do not conduct Certified CMMC Assessments"

Continuum GRC – RPO responsibilities include gap analysis, readiness assessments, remediation assistance, and implementation support; RPOs do not provide assessment services

Which domain has a practice requiring an organization to restrict, disable, or prevent the use of nonessential programs?

A. Access Control (AC)
B. Media Protection (MP)
C. Asset Management (AM)
D. Configuration Management (CM)

D. Configuration Management (CM)

Explanation

The practice requiring organizations to "restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services" is CM.L2-3.4.7, which falls under the Configuration Management (CM) domain.

This practice is directly tied to the "principle of least functionality," where systems are configured to provide only essential capabilities. The CM domain explicitly addresses how organizations establish and maintain secure configurations across their systems, including baseline configurations, change management, and the control of nonessential functionality.

Why other options are incorrect:

A. Access Control (AC)
– The AC domain focuses on managing access to systems and data, including information flow control, separation of duties, least privilege, and limiting unsuccessful logins. AC does not address restricting nonessential programs or disabling unused services.

B. Media Protection (MP)
– The MP domain covers safeguarding physical media (e.g., removable media) and controlling its use on system components. MP.L2-3.8.7 specifically controls the use of removable media, not nonessential programs or functions.

C. Asset Management (AM)
– The AM domain focuses on identifying and inventorying system components. AM.2.002 requires organizations to "Inventory the components of organizational systems". Asset Management deals with knowing what assets exist, not configuring which programs and services are allowed to run on them.

References
CMMC Level 2 Assessment Guide – CM.L2-3.4.7
NIST SP 800-171 Rev 2 – Requirement 3.4.7
CMMC Practice CM.L2-3.4.7 – Assessment objectives

Two network administrators are working together to determine a network configuration in preparation for CMMC. The administrators find that they disagree on a couple of small items. Which solution is the BEST way to ensure compliance with CMMC?

A. Consult with the CEO of the company.
B. Consult the CMMC Assessment Guides and NIST SP 800-171.
C. Go with the network administrator's ideas with the least stringent controls.
D. Go with the network administrator's ideas with the most stringent controls.

B. Consult the CMMC Assessment Guides and NIST SP 800-171.

Explanation:

The foundation of any CMMC implementation is compliance with the authoritative sources that define the requirements. When network administrators disagree on configuration decisions, the proper resolution is to consult the official standards and guidance documents that form the basis of CMMC—specifically the CMMC Assessment Guides and NIST SP 800-171.

These documents provide clear, objective criteria for security controls. Relying on them ensures that decisions are based on compliance requirements rather than personal opinions, organizational hierarchy, or arbitrary choices. Consulting authoritative sources also creates defensible evidence for assessors that the organization made good-faith, standards-based implementation decisions.

Why other options are incorrect:

A. Consult with the CEO of the company
– The CEO is unlikely to have the technical expertise to resolve configuration disputes. Furthermore, compliance is based on objective standards, not executive preference. The CEO may be consulted for policy or resource decisions, but not for technical implementation details.

C. Go with the least stringent controls
– Choosing less restrictive controls simply because they are easier to implement is likely to result in non-compliance. CMMC requires specific security configurations; picking the weaker option risks failing the assessment.

D. Go with the most stringent controls
– While more security is generally better, implementing overly restrictive controls can hinder business operations unnecessarily. Compliance requires meeting the standard, not exceeding it arbitrarily. The correct approach is to meet the standard precisely, not guess.

References

CMMC Level 1 & 2 Assessment Guides – Authoritative source for assessment objectives and evidence requirements

NIST SP 800-171 Rev 2 – Baseline security requirements for CUI protection (CMMC Level 2)

32 CFR Part 170 – Codifies CMMC requirements in federal regulation

Which resource contains authoritative data classifications of CUI?

A. NARA
B. CMMC-AB
C. DoD Contractors FAQ
D. OSC's privacy policies

A. NARA

Explanation

The National Archives and Records Administration (NARA) serves as the Executive Agent for the Controlled Unclassified Information (CUI) Program and maintains the official CUI Registry, which contains all authoritative data classifications of CUI. Executive Order 13556 explicitly designated NARA as the Executive Agent responsible for overseeing the CUI Program and implementing government-wide standards.

Why other options are incorrect:

B. CMMC-AB (The Cyber AB)
– The Cyber AB is the accreditation body responsible for the CMMC ecosystem, including accrediting C3PAOs and maintaining the CMMC Marketplace. It does not define or maintain CUI data classifications. The Cyber AB's role is implementing assessment standards, not defining the underlying CUI categories.

C. DoD Contractors FAQ
– An FAQ document, regardless of its source, is an informational resource that may summarize or explain CUI requirements but is not the authoritative source for data classifications. Only the official CUI Registry maintained by NARA carries legal authority for CUI categories.

D. OSC's privacy policies
– An Organization Seeking Certification's internal privacy policies have no authority over government-defined CUI classifications. Privacy policies describe how an organization handles data internally but cannot define what constitutes CUI under federal law.

References

Executive Order 13556 – Controlled Unclassified Information; designates NARA as Executive Agent

32 CFR Part 2002 – NARA's final rule establishing uniform CUI policy across federal agencies

Which NIST SP defines the Assessment Procedure leveraged by the CMMC?

A. NIST SP 800-53
B. NIST SP 800-53A
C. NIST SP 800-171
D. NIST SP 800-171A

D. NIST SP 800-171A

Explanation

The CMMC assessment process leverages NIST Special Publication 800-171A, titled "Assessing Security Requirements for Controlled Unclassified Information," as the definitive guide for assessment procedures and methods.

While NIST SP 800-171 defines the "what"—the 110 security requirements organizations must implement for CUI protection—NIST SP 800-171A defines the "how." It details over 320 specific assessment objectives and outlines the three primary assessment methods used in CMMC evaluations: Examine, Interview, and Test.

Why other options are incorrect:

A. NIST SP 800-53
– This publication provides security and privacy controls for federal information systems and organizations, primarily for FISMA compliance. It is not the assessment procedure document used for CMMC.

B. NIST SP 800-53A
– This is the assessment guide for SP 800-53 controls, used for federal agency assessments, not for CMMC contractor assessments.

C. NIST SP 800-171
– This defines the 110 security requirements (the "what" of compliance), not the assessment procedures (the "how"). It is the baseline standard, not the assessment methodology document.

References

NIST SP 800-171A – Section 2: Assessment Methods (Examine, Interview, Test)

CMMC Level 2 Assessment Guide – Assessment methodology and objectives

CMMC-CCP Exam Content Outline – Domain: Assessment Methods and Procedures

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

A. In scope, because it is an asset that stores FCI
B. In scope, because it is part of the same physical location
C. Out of scope, because they are all only paper documents
D. Out of scope, because it does not process or transmit FCI

A. In scope, because it is an asset that stores FCI

Explanation

CMMC scoping rules apply to all assets that process, store, or transmit protected government data. This rule is format-neutral; it applies equally to digital assets and physical assets.

Federal Contract Information (FCI) is defined as information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service. If a physical object—such as a file cabinet, storage locker, or security bin—contains printed paper documents that hold FCI, that physical object is actively storing FCI.

Therefore, it must be designated as In Scope for a CMMC Level 1 assessment. The assessor will evaluate this asset to ensure it meets basic physical safeguarding requirements, such as restricting physical access to authorized personnel (e.g., verifying that the cabinet is locked when unattended).

Why Other Options Are Incorrect

B is incorrect:
Being in the same physical location as an in-scope asset does not automatically pull an unrelated object into scope. An asset enters the CMMC Level 1 boundary because of its relationship to FCI (processing, storing, or transmitting it), not merely due to geographic proximity.

C is incorrect:
CMMC protections do not stop at digital boundaries. Paper-based FCI is subject to the exact same high-level regulatory protections under FAR Clause 52.204-21 as electronic files.

D is incorrect:
While a file cabinet does not "process" or "transmit" data, it does store data. Under the definition of the assessment boundary, satisfying any one of those three criteria (processing, storing, or transmitting) places the asset firmly in scope.

References

CMMC Scoping Guidance for Level 1: Explicitly outlines that assets that process, store, or transmit FCI are part of the Level 1 assessment boundary.

FAR Clause 52.204-21 (b)(1)(x): Requires contractors to limit physical access to organizational information systems and equipment to authorized individuals. A file cabinet storing paper FCI is classified as equipment protecting that data.

During a POA&M closeout assessment, the Lead Assessor and team members verified all evidence provided by the OSC and passed those that satisfied the requirements. Who MUST verify that every failed practice from the initial original assessment has been adequately addressed?

A. OSC
B. CCA
C. OSC sponsor
D. Lead Assessor

D. Lead Assessor

Explanation:

Under the official CMMC Assessment Process (CAP) rules for a Plan of Action and Milestones (POA&M) closeout assessment, the Lead Assessor retains the ultimate personal and professional accountability for verifying that the organization has successfully remediated its security gaps.

While other Assessment Team Members (such as Certified CMMC Assessors—CCAs) may assist in collecting, reviewing, and evaluating the newly provided objective evidence, the Lead Assessor is the only individual authorized to sign off on the final closeout results. They must personally verify that every single practice that failed during the initial assessment has now been adequately addressed, meets the CMMC assessment criteria, and is fully implemented before updating the final assessment report for the C3PAO.

Why Other Options Are Incorrect

A and C are incorrect:
The Organization Seeking Certification (OSC) and its corporate sponsor are responsible for implementing the remediations and providing the evidence, but they cannot legally audit or verify their own compliance.

B is incorrect:
While a Certified CMMC Assessor (CCA) can perform the underlying evaluation steps under the supervision of the Lead Assessor, the specific regulatory mandate to validate, approve, and finalize the overall closeout results rests strictly on the shoulders of the Lead Assessor leading the engagement.

References

The CMMC Assessment Process (CAP) – Phase 4:
Finalize Assessment (POA&M Closeout Assessment): Explicitly states that the Lead Assessor is responsible for reviewing the POA&M deficiencies and ensuring that all remaining practices have been validated as "Met."

32 CFR § 170.18 (CMMC Final Rule - Assessment Requirements):
Outlines the strict operational guidelines for POA&M closeouts, identifying the Lead Assessor as the technical authority who signs off on the final conformity assessment results.

What is the primary intent of the verify evidence and record gaps activity?

A. Map test and demonstration responses to CMMC practices.
B. Conduct interviews to test process implementation knowledge.
C. Determine the one-to-one relationship between a practice and an assessment object.
D. Identify and describe differences between what the Assessment Team required and the evidence collected.

D. Identify and describe differences between what the Assessment Team required and the evidence collected.

Explanation

The verify evidence and record gaps activity is a core component of the CMMC assessment process. Its primary purpose is to compare the evidence provided by the OSC against the specific requirements of each CMMC practice and identify any discrepancies or deficiencies (gaps) where the evidence fails to meet the requirement.

Why other options are incorrect:

A. Map test and demonstration responses to CMMC practices
– This describes evidence mapping, which is part of correlating assessment results to practices, but it is not the primary intent of "verify evidence and record gaps." Mapping occurs earlier or in parallel.

B. Conduct interviews to test process implementation knowledge
– This describes the Interview assessment method, which is a separate evidence-gathering activity, not the gap verification and recording activity.

C. Determine the one-to-one relationship between a practice and an assessment object
– This describes evidence mapping or practice-object alignment, which is a planning or analysis activity, not the gap identification activity.

References

CMMC Assessment Process (CAP) – Phase 2: Verify evidence and record gaps

NIST SP 800-171A – Assessment objectives and evidence analysis

CMMC Level 2 Assessment Guide – Findings development and POA&M documentation

A C3PAO has conducted a CMMC Level 2 Assessment for an OSC. The results have been reviewed by a CMMC Quality Assurance Professional. What is the final step in the process of submitting assessment results?

A. The C3PAO submits the results to the CMMC-AB.
B. The OSC submits the results, as provided by the Lead Assessor, to the CMMC-AB.
C. The C3PAO submits the results to Enterprise Mission Assurance Support Service.
D. The Lead Assessor submits the results to the CMMC-AB.

C. The C3PAO submits the results to Enterprise Mission Assurance Support Service.

When are data and documents with legacy markings from or for the DoD required to be re-marked or redacted?

A. When under the control of the DoD
B. When the document is considered secret
C. When a document is being shared outside of the organization
D. When a derivative document's original information is not CUI

C. When a document is being shared outside of the organization

Explanation:

Under the CUI program established by Executive Order 13556 and implemented through 32 CFR Part 2002, legacy markings (such as FOUO – For Official Use Only) do not automatically convert to CUI markings. The requirement to re-mark or redact legacy documents is primarily triggered when information is shared outside of the organization.

Why other options are incorrect:

A. When under the control of the DoD – Incorrect.
Legacy materials under DoD control do not require immediate re-marking. Agencies may grant waivers for legacy materials while they remain under agency control. The requirement is triggered upon dissemination outside the agency, not while under DoD control.

B. When the document is considered secret – Incorrect.
The CUI program applies to unclassified information that requires safeguarding, not classified information. Secret documents fall under separate classification frameworks (e.g., Executive Order 13526) and are not governed by CUI marking requirements. The question specifically addresses CUI and DoD legacy markings, which by definition apply to unclassified information.

D. When a derivative document's original information is not CUI – Incorrect.
If the original information is not CUI, there is generally no requirement to re-mark or redact. The trigger for re-marking is when legacy information qualifies as CUI and is being reused or shared outside the organization. There is no requirement to re-mark non-CUI information.

References

DoD CUI Program FAQ – "Is FOUO a valid marking? No... If the same information is put in a new document or is shared outside the Department, it needs to be assessed to see if it meets the criteria for CUI and marked appropriately"

National Archives CUI Program Blog – "Agencies can waive the requirement to re-mark legacy information while the CUI is in their control... [Re-marking is required] when reusing and sharing the information with others outside of their agency"

An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?

A. Specifications and mechanisms
B. Examination, interviews, and testing
C. Determination statement related to the practice
D. Exercising assessment objects under specified conditions

C. Determination statement related to the practice

Explanation

Assessment objectives are structured as determination statements that define what the assessor needs to confirm about an organization's implementation of a security practice. According to NIST SP 800-171A, each assessment objective begins with a phrase such as "[a determination that] the organization..." followed by the specific condition to be verified.

For example, for practice IA.L1-3.5.1 (Identify system users), the assessment objective is: "Determine if the organization identifies information system users, processes acting on behalf of users, or devices." This is a yes/no determination statement. Each assessment objective represents a specific, testable condition that contributes to determining whether a practice is MET or NOT MET.

Why other options are incorrect:

A. Specifications and mechanisms
– These are assessment objects, not parts of an assessment objective. Specifications include policies and procedures; mechanisms include hardware and software. They are what the assessor examines, not determination statements.

B. Examination, interviews, and testing
– These are the three assessment methods defined in NIST SP 800-171A, not parts of an assessment objective. Methods are "how" evidence is gathered; objectives define "what" is being determined.

D. Exercising assessment objects under specified conditions
– This describes the Test assessment method, specifically the process of active testing. It is not part of an assessment objective.

References

NIST SP 800-171A – Section 3: Assessment Objectives as determination statements

CMMC Level 2 Assessment Guide – Assessment objectives for each practice

