Free CMMC-CCP Practice Test Questions 2026

222 Questions


Last Updated On : 12-Jun-2026


CMMC Ecosystem

A C3PAO is near completion of a Level 2 Assessment for an OSC. The CMMC Findings Brief and CMMC Assessment Results documents have been developed. The Final Recommended Assessment Results are being generated. When generating these results, what MUST be included?


A. An updated Assessment Plan


B. Recorded and final updated Daily Checkpoint


C. Fully executed CMMC Assessment contract between the C3PAO and the OSC


D. Review documentation for the CMMC Quality Assurance Professional (CQAP)





D.
  Review documentation for the CMMC Quality Assurance Professional (CQAP)

Explanation:

Before final recommended assessment results can be generated, the CMMC Quality Assurance Professional (CQAP) must verify the Assessment documentation to ensure accuracy and completeness. This is a mandatory quality control step that occurs after the Lead Assessor develops the Findings Brief and Assessment Results documents but before the final recommended results are generated and submitted to eMASS.

The CMMC Assessment Process (CAP) explicitly requires: "The CMMC Quality Assurance Professional (CQAP) shall verify Assessment documentation, prior to eMASS upload, to ensure the accuracy and completeness of the Assessment Results Package." Additionally, "The Final Report must be submitted to the CQAP for review no later than ten (10) business days from the Final Findings Briefing." The CQAP's review serves as the final internal quality check before results are finalized.

Why the other options are incorrect:

A. An updated Assessment Plan:
The Assessment Plan is finalized during Phase 1 (Plan and Prepare). While it serves as a reference throughout the engagement, it does not require updating or inclusion with the final recommended results.

B. Recorded and final updated Daily Checkpoint:
Daily Checkpoints are working meetings conducted during Phase 2 (Assessment Execution) to track progress and resolve issues. They are internal coordination tools, not formal artifacts required in the final results submission.

C. Fully executed CMMC Assessment contract:
The assessment contract between the C3PAO and the OSC is executed during Phase 1, before any assessment activities begin. While required for the engagement, it is not submitted as part of the final recommended assessment results package.

References

CMMC Assessment Process (CAP) – Section 3.2.2: CQAP verification of Assessment documentation prior to eMASS upload

CMMC Assessment Process (CAP) – Section 3.2.3: Assessment artifacts required for eMASS submission

Within the CMMC Ecosystem which organization ultimately will manage and oversee the training, testing, authorization, and certification of candidate assessors and instructors?


A. DoD OUSD


B. DIB Collaborative Information Sharing Environment


C. Committee on National Security Systems Instructions


D. CMMC Assessors and Instructors Certification Organization





D.
  CMMC Assessors and Instructors Certification Organization

Explanation:

The CMMC Assessors and Instructors Certification Organization (CAICO) is the entity specifically established and designated by federal regulation to manage the training, testing, authorization, and certification of CMMC assessors and instructors. The regulatory framework codified at 32 CFR § 170.10(a) explicitly states: "The CAICO is responsible for training, testing, authorizing, certifying, and recertifying CMMC assessors, instructors, and related professionals. Only the CAICO may make decisions relating to examination certifications, including the granting, maintaining, recertifying, expanding, and reducing the scope of certification, and suspending or withdrawing certification".

As of December 2025, the global professional association ISACA was authorized as the exclusive CAICO for the CMMC program, and as of April 2026, full transition of CAICO services to ISACA was completed. ISACA now administers credential programs for CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA), Lead CCA, and CMMC Certified Instructor (CCI). The Cyber AB (formerly CMMC-AB) remains the official accreditation body for CMMC but has transferred the specific CAICO credentialing authority to ISACA.

Why the other options are incorrect:

A. DoD OUSD:
The Office of the Under Secretary of Defense establishes CMMC policy and program requirements but does not manage day-to-day training, testing, and certification of individual assessors and instructors. This operational responsibility is delegated to the CAICO by regulation.

B. DIB Collaborative Information Sharing Environment:
This is an information sharing and analysis organization focused on threat intelligence sharing across the Defense Industrial Base. It has no role in certifying CMMC assessors or instructors.

C. Committee on National Security Systems Instructions:
CNSS issues national security directives and guidance for classified national security systems, not unclassified CMMC assessor certifications. This is outside the CMMC ecosystem's governance structure.

References

32 CFR § 170.10(a) – Establishes CAICO as solely responsible for training, testing, authorizing, certifying, and recertifying CMMC assessors, instructors, and related professionals

ISACA Official Announcement (December 2025) – Confirms ISACA authorized as exclusive CAICO for CMMC program

A cyber incident is discovered that affects a covered contractor IS and the CDI residing therein. How long does the contractor have to inform the DoD?


A. 24 hours


B. 48 hours


C. 72 hours


D. 96 hours





C.
  72 hours

Explanation:

The requirement for defense contractors to report cyber incidents affecting Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) within 72 hours of discovery is mandated by DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). The clause defines "rapidly report" as "within 72 hours of discovery of any cyber incident" and applies when a cyber incident affects a covered contractor information system or the CDI residing therein. Two practical points follow from the clause: the report is submitted to DoD through the DIBNet portal, which requires a DoD-approved Medium Assurance Certificate, so the certificate should be obtained before an incident rather than inside the 72-hour window; and the contractor must preserve and protect images of all known affected information systems and relevant monitoring/packet-capture data for at least 90 days from submission of the report, and submit any malicious software discovered to the DoD Cyber Crime Center (DC3), not to the Contracting Officer.

Why the other options are incorrect:

A. 24 hours:
While 24-hour notification may exist under other frameworks (e.g., certain data breach laws or specific agency requirements), DFARS 252.204-7012 explicitly requires a 72-hour window. 24 hours is too short for the DFARS/CDI reporting context.

B. 48 hours:
This is an intermediate timeframe not specified in DFARS 252.204-7012. The regulation clearly establishes 72 hours as the reporting deadline.

D. 96 hours:
This exceeds the required 72-hour window. Reporting after 96 hours would constitute non-compliance with DFARS 252.204-7012 and could result in contract consequences.

References

DFARS 252.204-7012(a) and (c)(1)(ii) – Defines "rapidly report" as "within 72 hours of discovery of any cyber incident" and requires the contractor to rapidly report cyber incidents to DoD at https://dibnet.dod.mil

DFARS 252.204-7012(d) and (e) – Malicious software submission to DC3 and media preservation for at least 90 days from submission of the cyber incident report

CMMC Level 2 practice IR.L2-3.6.2 (NIST SP 800-171 Rev 2) – Requires tracking, documenting, and reporting incidents to designated officials and authorities; the DFARS clause supplies the DoD-specific 72-hour timeline

Plan of Action defines the clear goal or objective for the plan. What information is generally NOT a part of a plan of action?


A. Completion dates


B. Milestones to measure progress


C. Ownership of who is accountable for ensuring plan performance


D. Budget requirements to implement the plan's remediation actions





D.
  Budget requirements to implement the plan's remediation actions

Explanation:

According to the CMMC Level 2 Assessment Guide, a Plan of Action and Milestones (POA&M) is a key document that describes how any unimplemented security requirements will be met and how planned mitigations will be implemented. The official guidance specifies that when you write a plan of action, you define the clear goal or objective of the plan. The plan may include ownership of who is accountable for ensuring the plan's performance, specific steps or milestones that are clear and actionable, assigned responsibility for each step or milestone, milestones to measure plan progress, and completion dates.

Budget requirements are not listed as a mandatory or standard component of a POA&M in the CMMC context. While some commercial frameworks or FedRAMP may include cost information, the CMMC POA&M focuses on the technical and operational aspects of remediation rather than detailed financial budgeting. The POA&M is designed to track what needs to be fixed, who will fix it, and by when—not how much it will cost.

Why the other options are incorrect:

A. Completion dates:
Completion dates are a core component of a POA&M. The document must include target completion dates for each remediation item, and under CMMC, all POA&M items must be closed within 180 days.

B. Milestones to measure progress:
Milestones are essential to a POA&M. The guidance explicitly includes "milestones to measure plan progress" as an element that may be included in the action plan.

C. Ownership of who is accountable for ensuring plan performance:
Accountability and assigned responsibility are fundamental to a POA&M. The document must identify responsible personnel for each remediation action.

References

CMMC Level 2 Assessment Guide (CA.L2-3.12.2) – Lists ownership, milestones, assigned responsibility, and completion dates as elements that may be included in a plan of action

32 CFR § 170.21 – Conditional CMMC status and POA&M requirements

A client uses an external cloud-based service to store, process, or transmit data that is reasonably believed to qualify as CUI. According to DFARS clause 252.204-7012, what set of established security requirements MUST that cloud provider meet?


A. FedRAMP Low


B. FedRAMP Moderate


C. FedRAMP High


D. FedRAMP Secure





B.
  FedRAMP Moderate

Explanation:

DFARS clause 252.204-7012(b)(2)(ii)(D) explicitly requires that when a contractor uses an external cloud service provider to store, process, or transmit Covered Defense Information (CDI) or Controlled Unclassified Information (CUI), the cloud service provider must meet security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline. The same paragraph adds a second condition that is easy to miss: the cloud service provider must also comply with paragraphs (c) through (g) of the clause (cyber incident reporting, malicious software submission, media preservation and protection, access to additional information and equipment for forensic analysis, and cyber incident damage assessment), so a contractor should confirm both points contractually before placing CDI in the service. Note also that "equivalent" is interpreted strictly: the December 2023 DoD CIO memorandum on FedRAMP Moderate equivalency requires a non-authorized CSP to demonstrate 100 percent compliance with the FedRAMP Moderate baseline through a body of evidence assessed by a FedRAMP-recognized Third Party Assessment Organization (3PAO), so "FedRAMP-ready" or a partial self-attestation does not satisfy the clause.

Why the other options are incorrect:

A. FedRAMP Low:
Incorrect. FedRAMP Low is insufficient for CUI or CDI protection. The DFARS clause explicitly requires the Moderate baseline, not Low.

C. FedRAMP High:
Incorrect. While FedRAMP High exceeds the Moderate baseline and would satisfy the requirement, the question asks for the minimum baseline required. The DFARS clause specifies "Moderate baseline," not High.

D. FedRAMP Secure:
Incorrect. "FedRAMP Secure" is not a recognized baseline within the FedRAMP program. The official FedRAMP impact levels are Low, Moderate, and High.

References

DFARS 252.204-7012(b)(2)(ii)(D) – Cloud service provider must meet security requirements equivalent to FedRAMP Moderate baseline

CMMC Final Rule (32 CFR Part 170) – Explicitly permits use of FedRAMP Moderate (or higher) cloud environments

Which statement is NOT a measure to determine if collected evidence is sufficient?


A. Evidence covers the sampled organization


B. Evidence is not required if the practice is ISO certified


C. Evidence covers the model scope of the Assessment (Target CMMC Level)


D. Evidence corresponds to the sampled organization in the evidence collection approach





B.
  Evidence is not required if the practice is ISO certified

Explanation:

Evidence sufficiency refers to whether the amount and quality of collected evidence is adequate to support a compliance determination. The CMMC Level 2 Assessment Guide outlines key measures for determining sufficiency, including whether evidence covers the sampled organization, aligns with the target CMMC Level scope, and corresponds to the evidence collection approach. A fundamental principle of CMMC assessments is that ISO certifications have no reciprocity with CMMC requirements. The official accreditation body for CMMC (The Cyber AB) explicitly states that there is no reciprocity with other cybersecurity standards, including ISO 27001. All contractors must follow the same CMMC certification process with no exceptions. Having an ISO certification does not exempt an organization from providing evidence for CMMC practices, because CMMC requires specific proof that each of the 110 NIST SP 800-171 requirements is implemented. An ISO 27001 audit report or Statement of Applicability may be offered as one artifact among others, but it is assessed like any other artifact against the CMMC assessment objectives, not accepted in place of them.

Why the other options are incorrect:

A. Evidence covers the sampled organization:
This IS a valid sufficiency measure. Evidence must pertain specifically to the organization being assessed, not generic templates or examples from other entities.

C. Evidence covers the model scope of the Assessment (Target CMMC Level):
This IS a valid sufficiency measure. For a Level 2 assessment, evidence must demonstrate implementation of all applicable NIST SP 800-171 requirements within the defined assessment scope.

D. Evidence corresponds to the sampled organization in the evidence collection approach:
This IS a valid sufficiency measure. Evidence must match the sampling methodology used during the assessment planning phase.

References

The Cyber AB Official Guidance: "There is no reciprocity with other cybersecurity standards — including ISO 27001... All contractors, whether US-based or international, must follow the same certification process, with no exceptions"

Which principles are included in defining the CMMC-AB Code of Professional Conduct?


A. Objectivity, classification, and information accuracy


B. Objectivity, confidentiality, and information integrity


C. Responsibility, classification, and information accuracy


D. Responsibility, confidentiality, and information integrity





B.
  Objectivity, confidentiality, and information integrity

Explanation:

The CMMC-AB Code of Professional Conduct (CoPC) is built upon a defined set of ethical principles that govern all credentialed individuals and accredited entities in the CMMC ecosystem. These guiding principles form the foundation for assessor and practitioner behavior throughout the assessment lifecycle.

Why the other options are incorrect:

A. Objectivity, classification, and information accuracy:
"Classification" is not a listed principle in the CoPC; the correct principle is Confidentiality. The CMMC ecosystem addresses classified information through separate frameworks like the National Industrial Security Program (NISP), not the CoPC.

C. Responsibility, classification, and information accuracy:
"Responsibility" is not explicitly listed as a guiding principle in the CCP Blueprint; the CoPC instead uses Professionalism and Objectivity to address duty of care. "Classification" remains incorrect as the proper principle is Confidentiality.

D. Responsibility, confidentiality, and information integrity:
While Confidentiality and Information Integrity are correct, "Responsibility" is not one of the named guiding principles. Objectivity is the correct third principle, as it specifically addresses impartiality and conflict-of-interest avoidance, which are distinct from general responsibility.

References

CMMC CCP Blueprint – Domain 2 explicitly lists eight Guiding Principles including Professionalism, Objectivity, Confidentiality, Proper use of methods, Information integrity, Conflicts of interest, Respect for intellectual property, and Lawful and ethical practices

CMMC Code of Professional Conduct (CoPC) – Section on Guiding Principles details confidentiality obligations requiring protection of customer and government data

A defense contractor needs to share FCI with a subcontractor and sends this data in an email. The email system involved in this process is being used to:


A. manage FCI.


B. process FCI.


C. transmit FCI.


D. generate FCI





C.
  transmit FCI.

Explanation:

The key distinction in CMMC scoping is how an asset interacts with FCI or CUI. The email system in this scenario is being used to send FCI from the defense contractor to a subcontractor. This action constitutes transmission of FCI under the CMMC asset categorization framework. The practical consequence is that the email system (and the infrastructure it depends on) is an FCI asset within the Level 1 assessment scope; if the same system were used to send CUI, it would instead be a CUI Asset and the Level 2 requirements for protecting CUI in transit would apply to it.

Why the other options are incorrect:

A. manage FCI
– "Manage" is not a defined CMMC asset interaction term. The official categories are Process, Store, and Transmit. Management is an activity that may involve processing, storing, or transmitting, but it is not itself a separate category.

B. process FCI
– Processing involves performing operations on data such as opening, editing, calculating, or analyzing. Simply sending an email without opening or manipulating the content is transmission, not processing. Processing would occur if the contractor modified the FCI before sending, but the question states they "share" the data, implying no processing action.

D. generate FCI
– "Generate" is not an official CMMC asset interaction category. Generating or creating FCI is an activity that results in information existing, but the specific action described in the question is transmission, not creation.

References

NIST SP 800-171 Rev 3 – Defines "processing" as any operation performed on data, "storage" as retaining data, and "transmission" as moving data between systems

CMMC Level 2 Scoping Guide – Asset interactions categorized as Process, Store, or Transmit CUI/FCI

Which method facilitates understanding by analyzing gathered artifacts as evidence?


A. Test


B. Examine


C. Behavior


D. Interview





B.
  Examine

Explanation:

The Examine assessment method is specifically defined as the process of "reviewing, inspecting, observing, studying, or analyzing assessment objects to gather evidence". In the context of CMMC assessments, artifacts include policies, procedures, security plans, system configuration files, audit logs, and other documented evidence. The Examine method is the primary technique for analyzing these artifacts to determine if security practices are implemented as required.

Why the other options are incorrect:

A. Test
– The Test method involves actively exercising assessment objects under specified conditions to compare actual with expected behavior. Examples include running vulnerability scans or attempting to bypass access controls. Unlike Examine, Test requires active interaction with systems, not passive artifact analysis.

C. Behavior
– "Behavior" is not one of the three defined CMMC assessment methods. The official methods are Examine, Interview, and Test. Behavior might refer to observations during testing or interviews but is not itself a standalone method.

D. Interview
– The Interview method involves conducting discussions with individuals or groups to gather evidence. While interviews can clarify artifacts, they do not analyze the artifacts themselves. Interview relies on verbal testimony, whereas Examine relies on tangible, recorded evidence.

References

NIST SP 800-171A – Section 2 defines Examine as analyzing assessment objects (specifications, mechanisms, activities)

CMMC Level 2 Assessment Guide – Assessment Methods section identifies Examine as the method for reviewing artifacts

Which MINIMUM Level of certification must a contractor successfully achieve to receive a contract award requiring the handling of CUI?


A. Level 1


B. Level 2


C. Level 3


D. Any level





B.
  Level 2

Explanation:

Under the CMMC 2.0 framework, a contractor handling Controlled Unclassified Information (CUI) must achieve certification at Level 2 as the minimum requirement to receive a contract award. This is clearly defined in the DoD's final rule implementing the CMMC program.

Why the other options are incorrect:

A. Level 1:
Incorrect. Level 1 addresses only Federal Contract Information (FCI), not CUI. Level 1 requires only the 15 basic safeguarding requirements from FAR 52.204-21(b)(1) and does not meet the higher safeguarding standards required for CUI.

C. Level 3:
Incorrect. While Level 3 meets or exceeds CUI protection requirements, it is not the minimum level. Level 3 applies to organizations handling particularly sensitive CUI or supporting critical national security programs. The DoD estimates only about 2% of the Defense Industrial Base requires Level 3 certification.

D. Any level:
Incorrect. Contractors cannot use any level arbitrarily. The required CMMC level is specified in each solicitation based on the type of data handled. FCI requires Level 1; CUI requires Level 2 or higher.

References

32 CFR Part 170 and DFARS Final Rule (September 2025) – Establishes CMMC Level 2 as requirement for solicitations involving CUI

CMMC 2.0 Model – Level 2 aligned with NIST SP 800-171 (110 controls) for CUI protection

DoD CMMC Implementation Guidance – Phased rollout: Level 1 for FCI, Level 2 for CUI (self or C3PAO), Level 3 for high-value CUI

How many cybersecurity levels does the CMMC Model structure contain?


A. 2 Levels.


B. 3 Levels.


C. 5 Levels.


D. 4 Levels.





B.
  3 Levels.

Explanation

The CMMC Model structure contains 3 cybersecurity levels, a change from the previous 5-level framework under CMMC 1.0. This streamlined structure is one of the defining features of CMMC 2.0, which became effective through the final rule (32 CFR Part 170) in December 2024.

Why the other options are incorrect:

A. 2 Levels:
Incorrect. While some contractors may only need Level 1 or Level 2, the CMMC Model officially has three distinct levels. Option A undercounts the full structure.

C. 5 Levels:
Incorrect. Five levels were part of the original CMMC 1.0 framework, but CMMC 2.0 streamlined this structure to three levels. Levels 2 and 4 from the previous model were eliminated as transitional tiers.

D. 4 Levels:
Incorrect. The CMMC Model has never had four levels. The framework transitioned directly from five levels (CMMC 1.0) to three levels (CMMC 2.0).

References

CMMC 2.0 Final Rule (32 CFR Part 170) – Establishes three CMMC levels for DoD contractors

NIST SP 800-171 Rev 2 – 110 controls required for Level 2 compliance

Contractor scoping requirements for a CMMC Level 2 Assessment to document the asset in an inventory, in the SSP and on the network diagram apply to:


A. CUI Assets.


B. CUI and Security Protection Asset categories.


C. all asset categories except for the Out-of-scope Assets.


D. Contractor Risk Managed Assets and Specialized Assets.





C.
  all asset categories except for the Out-of-scope Assets.

Explanation

The CMMC Level 2 scoping requirements specify four asset categories that fall within the assessment scope and must be documented in the asset inventory, System Security Plan (SSP), and network diagram. According to 32 CFR § 170.19(c) and the official CMMC Level 2 Scoping Guidance, these categories are: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. Only Out-of-Scope Assets carry no documentation requirement. Note that the documentation requirement and the assessment requirement differ: CUI Assets and Security Protection Assets are assessed against all applicable Level 2 requirements, whereas Contractor Risk Managed Assets receive only a limited check that they are managed under the contractor's risk-based policies and Specialized Assets are documented but not assessed against the other requirements. All four must still appear in the inventory, SSP, and network diagram.

Why the other options are incorrect:

A. CUI Assets – Incorrect.
This option is incomplete. While CUI Assets must be documented, the documentation requirement extends to Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets as well.

B. CUI and Security Protection Asset categories – Incorrect.
This option omits Contractor Risk Managed Assets and Specialized Assets, both of which also require documentation in the inventory, SSP, and network diagram.

D. Contractor Risk Managed Assets and Specialized Assets – Incorrect.
This option is incomplete and omits CUI Assets and Security Protection Assets, which are the core in-scope categories requiring full assessment.

References

32 CFR § 170.19(c) – Table 3 defines four in-scope asset categories and their documentation requirements

CMMC Level 2 Scoping Guidance (OSD A&S) – Lists CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets as requiring documentation in inventory, SSP, and network diagram


Page 6 out of 19 Pages

What Makes Our Certified CMMC Professional (CCP) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCP practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Professional (CCP) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCP practice exam question pool covering all topics, the real exam feels like just another practice session.