Free CMMC-CCP Practice Test Questions 2026

222 Questions


Last Updated On: 12-Jun-2026


Implementation and Scoping

OSCs MUST provide documentation that vulnerability scans are performed:


A. at an OSC-defined frequency and when new vulnerabilities are identified.


B. as defined by an accredited RPO.


C. every time a penetration test is performed.


D. on an ad hoc basis or as directed by the security manager.





A. at an OSC-defined frequency and when new vulnerabilities are identified.

Explanation:

The CMMC vulnerability scanning requirement is explicitly defined in practice RA.L2-3.11.2. The official security requirement states: "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified". This directly corresponds to the two triggers specified in option A.

Why the other options are incorrect:

B. as defined by an accredited RPO
– Incorrect. Registered Practitioner Organizations (RPOs) provide consulting and readiness services but do not define mandatory scanning frequencies for CMMC compliance. The responsibility for defining scanning frequency belongs to the OSC based on risk assessment, not an RPO's accreditation.

C. every time a penetration test is performed
– Incorrect. Penetration testing is a distinct assessment activity separate from vulnerability scanning. While penetration tests may identify vulnerabilities, the RA.L2-3.11.2 requirement does not tie scanning frequency to penetration test timing. Vulnerability scanning is an ongoing, automated activity; penetration testing is typically point-in-time and manual.

D. on an ad hoc basis or as directed by the security manager
– Incorrect. This approach lacks the structured, defined frequency required by CMMC. The requirement explicitly demands both periodic scanning (which requires a documented, repeatable schedule) and scanning when new vulnerabilities are identified (an event-driven trigger). Ad hoc scanning is insufficient to demonstrate a formal vulnerability management program.

References

RA.L2-3.11.2 Security Requirement (CMMC Level 2 Assessment Guide, DoD CIO) – "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified"

NIST SP 800-171 Rev 2 Requirement 3.11.2 – Establishes the periodic plus event-driven scanning requirement

The Lead Assessor interviews a network security specialist of an OSC. The incident monitoring report for the month shows that no security incidents were reported by the OSC's external SOC service provider. This is provided as evidence for RA.L2-3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Based on this information, the Lead Assessor should conclude that the evidence is:


A. inadequate because it is irrelevant to the practice.


B. adequate because it fits well for expected artifacts.


C. adequate because no security incidents were reported.


D. inadequate because the OSC's service provider should be interviewed.





A. inadequate because it is irrelevant to the practice.

Explanation:

The evidence provided—an incident monitoring report showing no security incidents—is inadequate because it is irrelevant to the CMMC practice being assessed. RA.L2-3.11.2 requires organizations to "scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified". The assessment objectives for this practice are specific:

[a] frequency to scan is defined
[b,c] scans are performed with that frequency on systems and applications
[d,e] scans are performed when new vulnerabilities are identified

An incident monitoring report relates to Incident Response (IR domain), not Risk Assessment (RA domain). Incident monitoring detects actual security events (e.g., breaches, malware infections) after they occur. Vulnerability scanning proactively identifies potential weaknesses (e.g., missing patches, misconfigurations) before they are exploited. These are fundamentally different security activities.

Why other options are incorrect:

B. adequate because it fits well for expected artifacts
– Incorrect. Incident reports are NOT the expected artifacts for RA.L2-3.11.2. The expected artifacts are vulnerability scan results, scanner configurations, and scan schedules.

C. adequate because no security incidents were reported
– Incorrect. The absence of incidents does not prove vulnerability scans are occurring. An organization could have no incidents while never performing a single vulnerability scan.

D. inadequate because the OSC's service provider should be interviewed
– Incorrect. While interviewing the service provider might provide relevant evidence, the primary reason the current evidence is inadequate is irrelevance, not lack of interview. Even with an interview, an incident report remains irrelevant to proving vulnerability scanning is performed.

References

CMMC Level 2 Assessment Guide (DoD CIO) – RA.L2-3.11.2: Requires vulnerability scanning, not incident reporting

NIST SP 800-171 Rev 2 – Requirement 3.11.2 defines vulnerability scanning objectives

What is the BEST document to find the objectives of the assessment of each practice?


A. CMMC Glossary


B. CMMC Appendices


C. CMMC Assessment Process


D. CMMC Assessment Guide Levels 1 and 2





D. CMMC Assessment Guide Levels 1 and 2

Explanation

The CMMC Assessment Guides for Levels 1 and 2 are the definitive source documents for finding the detailed assessment objectives for each CMMC practice. The CMMC Assessment Process document explains that the assessment guide "incorporates the Assessment procedures described in NIST SP 800-171A," where each assessment procedure consists of an assessment objective and a set of potential assessment methods and objects.

Why other options are incorrect:

A. CMMC Glossary
– Incorrect. The glossary defines terms used throughout CMMC documentation but does not contain the detailed assessment objectives or determination statements for individual practices.

B. CMMC Appendices
– Incorrect. While appendices may contain supplementary information, the assessment objectives for each practice are located within the main body of the Assessment Guide, not in separate appendices.

C. CMMC Assessment Process (CAP)
– Incorrect. The CAP describes the overall methodology for conducting assessments, including roles, phases, and workflows. It references the Assessment Guide for the specific practice objectives but does not itself contain the detailed assessment objectives for each practice.

References

CMMC Assessment Guide – Level 3 (Version 1.10) – "Assessment objectives are provided for each practice and process"

CMMC Assessment Process (CAP) v1.0 – "The CMMC Assessment Guide – Level 2 incorporates the Assessment procedures described in NIST SP 800-171A"

Who is responsible for ensuring that subcontractors have a valid CMMC Certification?


A. CMMC-AB


B. OUSD A&S


C. DoD agency or client


D. Contractor organization





D. Contractor organization

Explanation:

Under the CMMC 2.0 framework, the prime contractor organization holds the ultimate responsibility for ensuring subcontractors have a valid CMMC Certification at the required level before awarding any subcontract that involves handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This responsibility is a contractual flowdown requirement codified in the DFARS CMMC Rule.

Why other options are incorrect:

A. CMMC-AB (The Cyber AB)
– Incorrect. The CMMC-AB (now The Cyber AB) is the accreditation body that accredits C3PAOs and certifies assessors. It does not have a role in verifying subcontractor compliance for specific contracts.

B. OUSD A&S (Office of the Under Secretary of Defense for Acquisition & Sustainment)
– Incorrect. OUSD A&S establishes CMMC policy and the DoD program office determines the required CMMC level for each contract. However, the DoD does not monitor subcontractor compliance day-to-day; that responsibility rests with the prime contractor.

C. DoD agency or client
– Incorrect. While DoD contracting officers verify prime contractor compliance in the Supplier Performance Risk System (SPRS) before award, they do not have the operational responsibility for monitoring subcontractor certification across multiple tiers of the supply chain.

References

32 CFR § 170.23(a) – CMMC requirements apply to prime contractors and subcontractors; prime contractors shall require subcontractors to comply

Which domain references the requirements needed to handle physical or digital assets containing CUI?


A. Media Protection (MP)


B. Physical Protection (PE)


C. System and Information Integrity (SI)


D. System and Communications Protection (SC)





A. Media Protection (MP)

Explanation

The Media Protection (MP) domain explicitly references the requirements needed to handle physical or digital assets (media) containing CUI. Media Protection encompasses both digital media (e.g., hard drives, USB drives, backup tapes) and physical media (e.g., paper documents) throughout their lifecycle—including storage, access control, transport, marking, sanitization, and disposal.

Why other options are incorrect:

B. Physical Protection (PE)
– The PE domain focuses on physical security of facilities, limiting physical access to systems, escorting visitors, monitoring visitor activity, and managing physical access control devices. While PE addresses physical security of facilities, it does not specifically cover requirements for handling physical or digital media (e.g., USB drives, paper files) containing CUI.

C. System and Information Integrity (SI)
– The SI domain addresses flaw remediation, malicious code protection, system monitoring, security alerts, and integrity checks. It focuses on system operation integrity, not media handling or storage requirements.

D. System and Communications Protection (SC)
– The SC domain addresses network communications security, boundary protection, transmission confidentiality, and cryptographic mechanisms for data in transit. While SC covers protecting CUI during transmission over networks, it does not cover the requirements for handling physical or digital media (storage devices, paper documents, backups) containing CUI.

References

DoD CMMC 2.0 Scoping Guidance – Defines CUI Assets as those that process, store, or transmit CUI

CMMC Media Protection Domain Guide – MP domain provides requirements for protecting information on both digital and physical media

Which code or clause requires that a contractor is meeting the basic safeguarding requirements for FCI during a Level 1 Self-Assessment?


A. FAR 52.204-21


B. 22 CFR 120-130


C. DFARS 252.204-7011


D. DFARS 252.204-7021





A. FAR 52.204-21

Explanation:

The basic safeguarding requirements for Federal Contract Information (FCI) during a CMMC Level 1 Self-Assessment are established by FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). This clause contains the 15 foundational security practices that contractors handling FCI must implement, including access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.

FAR 52.204-21 has been in effect since 2016 and serves as the statutory foundation for CMMC Level 1 requirements. Under the CMMC 2.0 framework, contractors that handle only FCI (and do not process, store, or transmit CUI) must achieve a MET result for all 15 requirements from this clause through an annual self-assessment.

Why other options are incorrect:

B. 22 CFR 120-130 (ITAR)
– This addresses export control of defense articles and services, not basic safeguarding requirements for FCI.

C. DFARS 252.204-7011
– This clause addresses validation of asserted restrictions on technical data, not basic FCI safeguarding.

D. DFARS 252.204-7021
– This clause formally requires CMMC certification for DoD contracts. While it works alongside FAR 52.204-21, it establishes the CMMC program requirements rather than the specific safeguarding practices for FCI.

References

FAR 52.204-21 – "Basic Safeguarding of Covered Contractor Information Systems"

CMMC Level 1 Self-Assessment Guide – Confirms Level 1 requirements derive from FAR 52.204-21

When scoping a Level 2 assessment, which document is useful for understanding the process to successfully implement practices required for the various Levels of CMMC?


A. NIST SP 800-53


B. NIST SP 800-88


C. NIST SP 800-171


D. NIST SP 800-172





C. NIST SP 800-171

Explanation:

For a Level 2 assessment under CMMC 2.0, NIST SP 800-171 is the primary document that defines all 110 security requirements an organization must implement to protect Controlled Unclassified Information (CUI). The Department of Defense (DoD) explicitly requires Level 2 certification to be aligned with NIST SP 800-171, which serves as the technical baseline for all security controls assessed.

Why other options are incorrect:

A. NIST SP 800-53
– Incorrect. This standard applies to federal information systems under FISMA, not directly to defense contractors seeking CMMC certification. SP 800-53 is broader and not the baseline for CMMC Level 2 requirements.

B. NIST SP 800-88
– Incorrect. This publication addresses media sanitization (data disposal) only. While relevant for media protection practices, it is not the comprehensive framework for implementing all Level 2 security requirements.

D. NIST SP 800-172
– Incorrect. This standard contains enhanced security requirements beyond NIST SP 800-171 and applies only to CMMC Level 3 certification for organizations handling critical national security information. Level 2 does not require SP 800-172 controls.

References

NIST SP 800-171 Rev 2 – "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" – Baseline for CMMC Level 2 requirements

32 CFR § 170.19(c) – Defines CMMC Level 2 assessment scope requirements

What is the MINIMUM required marking for a document containing CUI?


A. "CUI" must be placed in the header and footer of the document


B. "WCUI" must be placed in the header and footer of the document


C. Portion marks must be placed on all sections, parts, paragraphs, etc. known to contain CUI


D. A cover page must be placed to obscure content with the acronym "CUI" prominently placed





A. "CUI" must be placed in the header and footer of the document

Explanation

According to DoD Instruction 5200.48 and guidance from the DoD CUI Program, the absolute minimum required marking for any document containing Controlled Unclassified Information (CUI) is the acronym "CUI" placed at the top and bottom of every page.

Documents containing CUI must also include a CUI Designation Indicator Block on the first page or cover. However, the designation indicator block is a separate element that provides the "who, what, and why" of the CUI designation, not the banner line marking itself. The question asks specifically about the document marking—the visual indicator that appears on the pages of the document. The banner/footer marking ("CUI") is always required as the minimum visual identifier, while the designation block provides supplementary information.

Why other options are incorrect:

B. "WCUI" must be placed in the header and footer.
"WCUI" is not a recognized marking under the CUI program. The only authorized control marking acronym is "CUI".

C. Portion marks must be placed on all sections, paragraphs, etc. known to contain CUI.
This is incorrect for unclassified documents. Portion markings (e.g., (CUI)) are optional on unclassified CUI documents. They are only mandatory when CUI appears within a document that also contains classified information. Additionally, they represent an extra layer of detail beyond the required minimum.

D. A cover page must be placed to obscure content with "CUI" prominently placed.
The CUI markings are placed directly in the header and footer of each page, not behind a separate cover sheet designed to obscure the content. The CUI Designation Indicator Block is placed on the first page, but it is an information block, not a physical covering.

References

DoDI 5200.48, Controlled Unclassified Information (CUI) – Requires all CUI to include the marking "CUI" on the top and bottom of every page.

DoD CUI Training Material – "Mandatory CUI markings for unclassified documents include: The acronym 'CUI' at the top and bottom of each page—The CUI designation indicator".

Which term describes the prevention of damage to, protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation?


A. Cybersecurity


B. Data security


C. Network security


D. Information security





A. Cybersecurity

Explanation:

The definition provided in the question—"prevention of damage to, protection of, and restoration of computers and electronic communications systems/services, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation"—is the official statutory definition of cybersecurity as codified in 44 U.S.C. § 3552(b) (FISMA).

Under FISMA and NIST guidance, cybersecurity (also referred to as information security in some federal contexts) encompasses all five of the core security objectives listed in the question:

Availability – Ensuring timely and reliable access to systems and data
Integrity – Guarding against improper information modification or destruction
Authentication – Verifying the identity of users and systems
Confidentiality – Preserving authorized restrictions on access and disclosure
Nonrepudiation – Providing proof of the origin or delivery of data

The inclusion of restoration as an explicit element distinguishes cybersecurity from narrower definitions of information security that may focus only on protection without encompassing recovery and continuity.

Why the other options are incorrect:

B. Data security – Incorrect.
Data security focuses specifically on protecting data assets (at rest, in transit, in use) but does not explicitly encompass the "prevention of damage to, protection of, and restoration of computers and electronic communications systems" as a primary definition.

C. Network security – Incorrect.
Network security is a subset of cybersecurity focused specifically on protecting network infrastructure (routers, switches, firewalls) and network traffic. It does not inherently address system restoration or nonrepudiation.

D. Information security – Incorrect.
While closely related and often used interchangeably in private sector contexts, the statutory definition cited in the question is specifically the definition of cybersecurity under 44 U.S.C. § 3552(b). Information security (InfoSec) traditionally focuses on confidentiality, integrity, and availability but may not explicitly include authentication and nonrepudiation as core elements in its statutory definition.

References

44 U.S.C. § 3552(b) – Definition of "cybersecurity" and "information security" for federal information systems

NIST SP 800-53 Rev 5 – Security and privacy controls addressing availability, integrity, authentication, confidentiali

What type of criteria is used to answer the question "Does the Assessment Team have the right evidence?"


A. Adequacy criteria


B. Objectivity criteria


C. Sufficiency criteria


D. Subjectivity criteria





A. Adequacy criteria

Explanation:

In CMMC assessment methodology, evidence is evaluated against two distinct criteria: adequacy and sufficiency.

Adequacy answers the question: "Does the Assessment Team have the right evidence?" It focuses on whether the evidence is appropriate, relevant, and of sufficient quality to demonstrate that the organization meets the specific CMMC practice requirements. Adequacy ensures the evidence directly addresses the assessment objectives for the practice being evaluated.

Sufficiency answers the question: "Does the Assessment Team have enough of the right evidence?" It focuses on the quantity and coverage of evidence—whether there is enough evidence to support a MET determination with confidence.

When the Lead Assessor asks "Do we have the right evidence?" they are specifically evaluating adequacy, not the quantity of evidence.

Why the other options are incorrect:

B. Objectivity criteria – Incorrect.
Objectivity refers to the assessor's impartiality and lack of bias, not the quality of evidence relative to assessment objectives.

C. Sufficiency criteria – Incorrect.
Sufficiency addresses quantity and coverage ("enough" evidence). The question asks about the right evidence—the qualitative aspect—which is adequacy, not sufficiency.

D. Subjectivity criteria – Incorrect.
Subjectivity is not an evidence evaluation criterion in CMMC assessments. Assessments strive to be objective and evidence-based, not subjective.

References

CMMC Assessment Process (CAP) – Evidence evaluation criteria: Adequacy and Sufficiency

ISACA CCP Exam Content Outline – Domain 4C: "Analyze the adequacy/sufficiency around the location/collection/quality/usage of evidence"

Two assessors cannot agree if a certain practice should be rated as MET or NOT MET. Who should they consult to determine the final interpretation?


A. C3PAO


B. CMMC-AB


C. Lead Assessor


D. Quality Assurance Assessor





C. Lead Assessor

Explanation

In the CMMC Assessment Process, when two assessors on the Assessment Team disagree on whether a practice should be rated MET or NOT MET, the Lead Assessor is the designated authority to resolve the dispute and make the final determination on practice scoring. The Lead Assessor is a Certified CMMC Assessor (CCA) who oversees and manages the entire Assessment Team on behalf of the C3PAO.

Why other options are incorrect:

A. C3PAO
– While the C3PAO holds ultimate authority for practice scoring when disputes persist after the Lead Assessor's decision, the question asks who the two assessors should consult first to determine the final interpretation. The Lead Assessor is the immediate authority on the Assessment Team.

B. CMMC-AB (The Cyber AB)
– The Accreditation Body manages the formal assessment appeals process, not day-to-day scoring disagreements during an active assessment. The Cyber AB's role is to seek resolution of disagreements over assessment results after an assessment is complete, not during the assessment itself.

D. Quality Assurance Assessor (CQAP)
– The CMMC Quality Assurance Professional is responsible for ensuring Assessment documentation completeness and accuracy before eMASS submission, not for resolving scoring disputes between assessors. The CQAP verifies procedural integrity but does not have authority to determine practice scores.

References

CMMC Assessment Process (CAP) v1.0 – Section 2.2: "The Lead Assessor makes the final decision on preliminary recommended determination on all practices"

CMMC Assessment Process (CAP) v1.0 – Section 2.2: "For any practices where there is still a dispute between the Assessment Team and the OSC, the C3PAO holds the final interpretation authority"

Ethics is a shared responsibility between:


A. DoD and CMMC-AB.


B. OSC and sponsors.


C. CMMC-AB and members of the CMMC Ecosystem.


D. members of the CMMC Ecosystem and Lead Assessors.





C. CMMC-AB and members of the CMMC Ecosystem.

Explanation

Under the CMMC 2.0 framework, ethics is defined as a shared responsibility between the CMMC-AB (The Cyber AB) and all members of the CMMC Ecosystem.

The Accreditation Body (The Cyber AB) is responsible for developing policies for Conflict of Interest (CoI), Code of Professional Conduct (CoPC), and Ethics that comply with ISO/IEC 17011:2017 and DoD requirements. These policies apply not only to the Accreditation Body but also to all other individuals, entities, and groups within the CMMC Ecosystem.

Why the other options are incorrect:

A. DoD and CMMC-AB
– Incorrect. While the DoD reviews and approves The Cyber AB's ethics policies and conflict of interest policies, the DoD itself is not a member of the CMMC Ecosystem and does not share direct responsibility for day-to-day ethical conduct within the ecosystem. The DoD sets the framework, but ethics implementation is shared between the Accreditation Body and ecosystem members.

B. OSC and sponsors
– Incorrect. Organizations Seeking Certification (OSCs) and sponsors are not responsible for enforcing ethics policies within the CMMC Ecosystem. OSCs are clients of assessments, not parties to the ethics obligations imposed on credentialed individuals and accredited organizations.

D. members of the CMMC Ecosystem and Lead Assessors
– Incorrect. While both groups are subject to ethics policies, this option omits the CMMC-AB which is the governing body that establishes, maintains, and enforces the ethics framework. Lead Assessors are already included within "members of the CMMC Ecosystem," so this is redundant and incomplete.

References

CMMC Code of Professional Conduct v2.0 – Article III: Conflicts of Interest; "The Cyber AB will enforce the above rules and take action against any confirmed violations"

32 CFR § 170.8(b)(17)(ii)(G) – Requires the Accreditation Body to develop COI, CoPC, and Ethics policies applicable to the Accreditation Body and all ecosystem members



What Makes Our Certified CMMC Professional (CCP) Exam Practice Test So Effective?

Real-World Scenario Mastery: Our CMMC-CCP practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before Certified CMMC Professional (CCP) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CMMC-CCP practice exam questions pool covering all topics, the real exam feels like just another practice session.