Free CMMC-CCP Practice Test Questions 2026

In scoping a CMMC Level 1 Self-Assessment, all of the computers and digital assets that handle FCI are identified. A file cabinet that contains paper FCI is also identified. What can this file cabinet BEST be determined to be?

A. In scope, because it is an asset that stores FCI

B. In scope, because it is part of the same physical location

C. Out of scope, because they are all only paper documents

D. Out of scope, because it does not process or transmit FCI

The Level 1 practice description in CMMC is Foundational. What is the Level 2 practice description?

A. Expert

B. Advanced

C. Optimizing

D. Continuously Improved

Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?

A. FAR 52.204-21 .

B. 22CFR 120-130

C. DFARS 252.204-7011

D. DFARS 252.204-7021

An assessment procedure consists of an assessment objective, potential assessment methods, and assessment objects. Which statement is part of an assessment objective?

A. Specifications and mechanisms

B. Examination, interviews, and testing

C. Determination statement related to the practice

D. Exercising assessment objects under specified conditions

A Lead Assessor is presenting an assessment kickoff and opening briefing. What topic MUST be included?

A. Gathering evidence

B. Review of the OSC's SSP

C. Overview of the assessment process

D. Examination of the artifacts for sufficiency

During a Level 2 Assessment, the OSC has provided an inventory list of all hardware. The list includes servers, workstations, and network devices. Why should this evidence be sufficient for making a scoring determination for AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms?

A. The inventory list does not specify mobile devices.

B. The interviewee attested to encrypting all data at rest.

C. The inventory list does not include Bring Your Own Devices.

D. The DoD has accepted an alternative safeguarding measure for mobile devices.

The Advanced Level in CMMC will contain Access Control {AC) practices from:

A. Level 1.

B. Level 3.

C. Levels 1 and 2.

D. Levels 1,2, and 3.

SC.L2-3 13.14: Control and monitor the use of VoIP technologies is marked as NOT APPLICABLE for an OSC's assessment. How does this affect the assessment scope?

A. Any existing telephone system is in scope even if it is not using VoIP technology.

B. An error has been made and the Lead Assessor should be contacted to correct the error.

C. VoIP technology is within scope, and it uses FlPS-validated encryption, so it does not need to be assessed. .

D. VoIP technology is not used within scope boundary, so no assessment procedures are specified for this practice.

How many domains does the CMMC Model consist of?

A. 14 domains

B. 43 domains

C. 72 domains

D. 110 domains

Which statement BEST describes the key references a Lead Assessor should refer to and use the:

A. DoD adequate security checklist for covered defense information.

B. CMMC Model Overview as it provides assessment methods and objects.

C. safeguarding requirements from FAR Clause 52.204-21 for a Level 2 Assessment.

D. published CMMC Assessment Guide practice descriptions for the desired certification level.

When an OSC requests an assessment by a C3PAO, who selects the Lead Assessor for the assessment?

A. OSC

B. C3PAO

C. C3PAO and OSC

D. OSC and Lead Assessor

An assessor is in Phase 3 of the CMMC Assessment Process. The assessor has delivered the final findings, submitted the assessment results package, and provided feedback to the C3PAO and CMMC-AB. What must the assessor still do?

A. Determine level recommendation

B. Archive all assessment artifacts

C. Determine final practice pass/fail results .

D. Archive or dispose of any assessment artifacts