CMMC Assessment Process
The Assessment Team has completed Phase 2 of the Assessment Process. In conducting Phase 3 of the Assessment Process, the Assessment Team is reviewing evidence to address Limited Practice Deficiency Corrections. How should the team score practices in which the evidence shows the deficiencies have been corrected?
A. MET
B. POA&M
C. NOT MET
D. NOT APPLICABLE
Explanation
The Limited Practice Deficiency Correction (LPDC) program is a specific provision in the CMMC Assessment Process (CAP) that allows Organizations Seeking Certification (OSCs) to correct minor, non-material deficiencies in certain practices after the main assessment is complete. This process occurs during Phase 3 – Report Recommended Assessment Results.
Why the other options are incorrect:
B. POA&M (Plan of Action and Milestones)
– Incorrect. While POA&Ms are also used for remediation, they address a broader category of deficiencies and have a longer time horizon (180 days). The question specifically asks about the Limited Practice Deficiency Correction process, where the correction window is very short (5 business days). Once evidence of correction is submitted and verified, the practice is scored MET, not left as a POA&M item.
C. NOT MET
– Incorrect. This is the initial score assigned to the practice when it is placed on the Limited Practice Deficiency Correction program. However, the scenario specifies that the team is "reviewing evidence to address Limited Practice Deficiency Corrections," and that "the evidence shows the deficiencies have been corrected." Once correction is verified, the status is changed to MET.
D. NOT APPLICABLE (N/A)
– Incorrect. This score is reserved for security requirements that do not apply to the OSC's environment (e.g., an organization with no publicly accessible systems). It has no relation to the process of correcting identified deficiencies.
References
CMMC Assessment Process (CAP) v1.0 – Section 3.2.1 ("Limited Practice Deficiency Correction Evaluation"): Explicitly states that upon verification of corrections, the score changes from NOT MET to MET.
32 CFR § 170.24(b)(1) – Defines "Met" as "All applicable objectives for the security requirement are satisfied based on evidence."
CMMC scoping covers the CUI environment encompassing the systems, applications, and services that focus on where CUI is:
A. received and transferred.
B. stored, processed, and transmitted.
C. entered, edited, manipulated, printed, and viewed.
D. located on electronic media, on system component memory, and on paper.
Explanation
CMMC scoping is fundamentally defined by how an asset interacts with Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). The CMMC scoping guidance consistently defines the CUI environment as encompassing systems, applications, and services that focus on where CUI is stored, processed, and transmitted. These three activities are the recognized triggers that bring an asset into the assessment scope:
Storage – Retaining CUI on media (e.g., hard drives, cloud storage, backup tapes)
Processing – Performing operations on CUI (e.g., opening, modifying, calculating, analyzing)
Transmission – Moving CUI between systems or entities (e.g., email, API calls, file transfer)
If an asset performs any of these three activities with CUI, it is considered a CUI Asset and must be included in the CMMC Assessment Scope.
Why other options are incorrect:
A. received and transferred
– Incorrect. "Received" and "transferred" are activities that fall under the broader definition of transmission but do not fully capture storage and processing. The full scope includes storage and processing, not just movement of data.
C. entered, edited, manipulated, printed, and viewed
– Incorrect. These are specific examples of processing activities. While processing is part of the scope, this option omits storage and transmission. Additionally, not all assets that process CUI (e.g., viewing) may automatically be in scope depending on technical implementation.
D. located on electronic media, on system component memory, and on paper
– Incorrect. This describes physical or digital locations where CUI may reside, not the functional activities (store, process, transmit) that define scoping. An asset may store CUI without processing or transmitting it, and it is still in scope due to the storage activity.
References
CMMC Level 2 Scoping Guide (OSD A&S) – "CUI Assets are assets that process, store, or transmit CUI"
32 CFR § 170.19(c)(1) – Defines CUI Assets as assets that "process, store, or transmit CUI"
Which document is used to protect sensitive and confidential information from being made available by the recipient of that information?
A. Legal agreement
B. CMMC agreement
C. Assessment agreement
D. Non-disclosure agreement
Explanation
A Non-disclosure Agreement (NDA) is a legally binding contract specifically designed to protect sensitive and confidential information from being disclosed or made available by the recipient of that information to unauthorized third parties. Under a CMMC assessment context, assessors and assessment organizations are typically required to sign an NDA with the OSC (Organization Seeking Certification) before accessing the OSC's sensitive systems and data.
Why other options are incorrect:
A. Legal agreement
– A "legal agreement" is a broad, generic term that could encompass many types of contracts, but it is not the specific term for a contract designed to protect sensitive information from disclosure. While NDAs are a type of legal agreement, the question asks for the specific document name.
B. CMMC agreement
– This is not a standard term or document in the CMMC ecosystem. The CMMC Assessment Process refers to specific agreements such as the CMMC Assessment Contract, but not a "CMMC agreement" that generally protects confidentiality.
C. Assessment agreement
– This refers to the contract between the C3PAO and the OSC that establishes the business terms, schedule, and scope of the assessment. While it may contain confidentiality clauses, it is not the specific legal document primarily designed for protecting sensitive information from disclosure.
References
CMMC Code of Professional Conduct – Confidentiality obligations for assessors
CMMC Assessment Process (CAP) – Phase 1: Preliminary proceedings requiring NDA or confidentiality agreement
How does the CMMC define a practice?
A. A business transaction
B. A condition arrived at by experience or exercise
C. A series of changes taking place in a defined manner
D. An activity or activities performed to meet defined CMMC objectives
Explanation
Under the CMMC model, a practice is formally defined as an activity or set of activities performed to meet defined CMMC objectives. Each practice represents a specific security requirement derived from NIST SP 800-171 (for Level 2) or FAR 52.204-21 (for Level 1). Practices are grouped under domains (e.g., Access Control, Incident Response) and have associated assessment objectives that assessors use to determine compliance.
Each practice includes:
A unique identifier (e.g., AC.L1-3.1.1)
A security requirement statement (e.g., "Limit system access to authorized users")
Assessment objectives that define what must be demonstrated
Potential assessment methods and objects
Why other options are incorrect:
A. A business transaction – Incorrect. A practice in CMMC is a security control or requirement, not a business transaction.
B. A condition arrived at by experience or exercise – Incorrect. This describes general "practice" in the sense of repetition or habit, not the CMMC-specific definition of a security practice.
C. A series of changes taking place in a defined manner – Incorrect. This describes a process or procedure, not a CMMC practice.
References
CMMC Model v2.0 – Defines practices as security requirements derived from NIST SP 800-171 and FAR 52.204-21
CMMC Level 2 Assessment Guide – Lists each practice with security requirement statement and assessment objectives
During a Level 1 Self-Assessment, a smart thermostat was identified. It is connected to the Internet on the OSC's WiFi network. What type of asset is this?
A. FCI Asset
B. CUI Asset
C. In-scope Asset
D. Specialized Asset
Explanation:
Under CMMC Level 1 scoping rules, a smart thermostat connected to the internet on the OSC's WiFi network is classified as a Specialized Asset. This classification applies because the thermostat is an Internet of Things (IoT) device—it can process, store, or transmit Federal Contract Information (FCI) but is unable to be fully secured using traditional IT security controls.
Why other options are incorrect:
A. FCI Asset
– Incorrect. "FCI Asset" is not a defined asset category in CMMC Level 1. The regulation uses the term "In-Scope Assets" for assets that process, store, or transmit FCI. The thermostat is a Specialized Asset, not an asset that would be assessed.
B. CUI Asset
– Incorrect. CUI Assets are defined at CMMC Level 2 for handling Controlled Unclassified Information. This is a Level 1 assessment with FCI, not CUI.
C. In-scope Asset
– Incorrect. An asset is "In-Scope" for Level 1 only if it processes, stores, or transmits FCI and is not a Specialized Asset. The smart thermostat can process FCI (since it is on the same WiFi network as FCI), but as a Specialized Asset, it is explicitly excluded from the Level 1 assessment scope.
References
32 CFR § 170.19(b)(2)(ii) – Defines Specialized Assets as including IoT devices; states these assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC security requirements
CMMC Level 1 Scoping Guide – Lists IoT devices (including smart thermostats) as examples of Specialized Assets
During an assessment, which phase of the process identifies conflicts of interest?
A. Analyze requirements.
B. Develop assessment plan.
C. Verify readiness to conduct assessment.
D. Generate final recommended assessment results.
Explanation:
When planning a CMMC Level 2 assessment, conflicts of interest are formally identified during the planning and preparation phase, before any assessment activities begin. This is clearly established as a required "preliminary proceeding" that must be completed prior to the actual assessment process.
Why the other options are incorrect:
A. Analyze requirements
– This focuses on understanding the assessment objectives and applicable CMMC practices. Conflict identification is not part of requirements analysis but is a separate preliminary proceeding completed in parallel with plan development.
C. Verify readiness to conduct assessment
– This occurs after conflict checks are already completed. Readiness verification confirms the OSC has prepared required documentation (SSP, network diagrams, asset inventory) and that there are no "showstoppers" preventing the assessment from proceeding. Conflict identification is a precondition that must be satisfied before reaching this stage.
D. Generate final recommended assessment results
– This is Phase 3 of the CAP, occurring after the assessment has been fully conducted. By this point, the assessment is complete, and the team is compiling findings and presenting results to the OSC. Conflict identification would have been addressed and resolved early in Phase 1.
References
CMMC Assessment Process (CAP) v1.0 – Phase 1: "Plan and Prepare the Assessment" includes subsection "1.6.4 Identify and Manage Conflicts of Interest (COI)"
32 CFR § 170.8(b)(17)(ii)(G) – Conflict of interest policies for CMMC Ecosystem members, including the one-year cooling off period
An assessment is being conducted at a remote client site. For the duration of the assessment, the client has provided a designated hoteling space in their secure facility which consists of a desk with access to a shared printer. After noticing that the desk does not lock, a locked cabinet is requested but the client does not have one available. At the end of the day, the client provides a printout copy of an important network diagram. The diagram is clearly marked and contains CUI. What should be done NEXT to protect the document?
A. Take it with them to review in the evening.
B. Leave it on the desk for review the following day.
C. Put it in the unlocked desk drawer for review the following morning.
D. Take a picture with the personal phone before securely shredding it.
Explanation:
In this scenario, the document is clearly marked as containing CUI. The OSC's secure facility does not provide any secure storage (no locked cabinet, no locked desk). The shared printer and designated space are accessible to others. The primary security obligation is to protect CUI from unauthorized access at all times.
Leaving the CUI document in an unsecured shared space—whether on the desk or in an unlocked drawer—would violate MP.L2-3.8.1 (protect system media containing CUI) and PE.L2-3.10.3 (control physical access). Taking the document home for evening review is permissible only if the assessor maintains positive control over the CUI (i.e., it remains in their physical possession and is stored securely at the destination). However, the question asks for the NEXT step to protect the document at the end of the day. Removing it from the unsecured facility and keeping it under personal control is the only safe option among the choices.
Why other options are incorrect:
B. Leave it on the desk – Direct violation. Unauthorized personnel (cleaning staff, other tenants) could access the CUI.
C. Put it in the unlocked desk drawer – Provides no real security in a shared space; still violates physical protection requirements.
D. Take a picture with personal phone – Introducing a personal device creates a new data spillage risk, and storing CUI on an unapproved personal phone violates multiple CMMC practices (media protection, access control).
References
NIST SP 800-171, 3.8.1 – Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
CMMC MP.L2-3.8.1 – Same requirement.
A CMMC Assessment Team arrives at an OSC to begin a CMMC Level 2 Assessment. The team checks in at the front desk and lets the receptionist know that they are here to conduct the assessment. The receptionist is aware that the team is arriving today and points down a hallway where the conference room is. The receptionist tells the Lead Assessor to wait in the conference room, as someone will be there shortly. The receptionist fails to check for credentials and fails to escort the team. The receptionist's actions are in direct violation of which CMMC practice?
A. PE.L1-3.10.3: Escort visitors and monitor visitor activity
B. PE.L1-3.10.5: Control and manage physical access devices
C. PS.L2-3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI
D. PS.L2-3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers
Explanation:
The receptionist's actions—failing to check credentials and failing to escort the assessment team—directly violate the physical security requirement to escort visitors and monitor visitor activity. Under CMMC, visitors (individuals without permanent physical access authorization credentials) must be escorted by an employee at all times while on the property. The official CMMC Level 2 Assessment Guide explicitly states: "Do not allow visitors, even those people you know well, to walk around your facility without an escort. Make sure that all non-employees wear special visitor badges and/or are escorted by an employee at all times while on the property."
The assessment objectives for PE.L2-3.10.3 (and its Level 1 counterpart PE.L1-3.10.3) require determining whether:
[a] visitors are escorted; and
[b] visitor activity is monitored.
In this scenario, the receptionist failed on both counts—no escort was provided, and no verification (checking credentials) was performed.
Why the other options are incorrect:
B. PE.L1-3.10.5 (Control physical access devices)
– This practice addresses managing physical access devices such as locks, badge readers, and keys. The receptionist's failure involves visitor escort and credential checking, not access device management.
C. PS.L2-3.9.1 (Screen individuals)
– This practice applies to screening personnel before authorizing access to systems containing CUI, which typically involves background checks for employees. It does not apply to escorting short-term visitors during an assessment.
D. PS.L2-3.9.2 (Protect systems during personnel actions)
– This practice addresses protecting systems during employee terminations and transfers, which is irrelevant to visitor escort procedures.
References
CMMC Level 2 Assessment Guide (DoD CIO) – PE.L2-3.10.3: Escort visitors and monitor visitor activity; "Do not allow visitors...to walk around your facility without an escort"
DIB SCC CyberAssist – PE.L1-3.10.3: "Make sure that all non-employees...are escorted by an employee at all times while on the property"
A company is working with a CCP from a contracted CMMC consulting company. The CCP is asked where the Host Unit is required to document FCI and CUI for a CMMC Assessment. How should the CCP respond?
A. "In the SSP, within the asset inventory, and in the network diagram"
B. "Within the hardware inventory, data flow diagram, and in the network diagram"
C. "Within the asset inventory, in the proposal response, and in the network diagram"
D. "In the network diagram, in the SSP, within the base inventory, and in the proposal response"
Explanation:
The Host Unit is required to document where Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are located for a CMMC Assessment in three specific locations: the System Security Plan (SSP), the asset inventory, and the network diagram.
Why other options are incorrect:
B. Within the hardware inventory, data flow diagram, and in the network diagram
– Incorrect. While a data flow diagram is a helpful supplementary document for understanding how CUI moves through an organization, it is not one of the three mandatory documentation locations specified in the CMMC Level 2 Scoping Guidance. The required documents are the asset inventory (not specifically "hardware inventory"), the SSP, and the network diagram.
C. Within the asset inventory, in the proposal response, and in the network diagram
– Incorrect. The proposal response is a contract artifact unrelated to CMMC assessment documentation requirements. CMMC requires documentation of CUI and FCI locations in the SSP, asset inventory, and network diagram, not in business proposal documents.
D. In the network diagram, in the SSP, within the base inventory, and in the proposal response
– Incorrect. This option includes the proposal response (unrelated to CMMC documentation) and "base inventory" (not a defined term in CMMC scoping). It also adds a fourth location when only three are required. The correct three are the SSP, asset inventory, and network diagram.
References
CMMC Level 2 Scoping Guidance (OSD A&S) – Table 1 explicitly lists documentation requirements for each asset category: "Document in the asset inventory," "Document in the System Security Plan (SSP)," and "Document in the network diagram of the CMMC Assessment Scope"
University of Hawaii CMMC Level 2 Guide – Confirms required documentation includes "An asset inventory listing all asset categories," "A network diagram of the CMMC Assessment Scope," and "A System Security Plan (SSP) that documents the treatment of all in-scope assets"
Which statement BEST describes a LTP?
A. Creates DoD-licensed training
B. Instructs a curriculum approved by CMMC-AB
C. May market itself as a CMMC-AB Licensed Provider for testing
D. Delivers training using some CMMC body of knowledge objectives
Explanation:
A Licensed Training Provider (LTP), now more commonly referred to as an Approved Training Provider (ATP), is an organization authorized by the CMMC Accreditation Body (The Cyber AB) to deliver official CMMC training courses. These organizations are specifically licensed to market, advertise, and deliver CMMC Certified Training using content based on learning objectives and exams approved by the CMMC-AB.
The key function of an LTP is to instruct using a curriculum that has been formally approved by the CMMC-AB. LTPs are distinct from Licensed Partner Publishers (LPPs), who create the training materials. LTPs take those approved materials and deliver them to students in a classroom or virtual setting, utilizing CMMC-AB Certified Instructors to teach the courses. As such, "instructing an approved curriculum" is the core function that defines an LTP's role in the CMMC ecosystem.
Why the other options are incorrect:
A. Creates DoD-licensed training
– Incorrect. The Department of Defense (DoD) does not directly license this training. The license is issued by The Cyber AB (CMMC-AB). Furthermore, the creation of training materials is the function of a Licensed Partner Publisher (LPP), not an LTP. LTPs deliver, not create, the curriculum.
C. May market itself as a CMMC-AB Licensed Provider for testing
– Incorrect. While LTPs are licensed providers, their scope is training delivery, not certification testing. Certification exams are administered separately, and a provider is not specifically "licensed for testing" as described in this option.
D. Delivers training using some CMMC body of knowledge objectives
– Incorrect. The training delivered by LTPs is based on the specific, approved CMMC-AB Learning Objectives and a curriculum that has been fully vetted and approved by the AB. They are not permitted to pick and choose "some" objectives; they must adhere to the official approved curriculum.
References
CMMC-AB Market Research Document (2020) – Defines LTP as an organization that markets, advertises, and delivers CMMC Certified Training using content licensed from LPPs and based on learning objectives and exams from the CMMC-AB.
Secureframe Glossary – Defines Approved Training Provider (ATP, formerly LTP) as an organization authorized by CAICO to develop and deliver official CMMC training courses.
An Assessment Team is conducting interviews with team members about their roles and responsibilities. The team member responsible for maintaining the antivirus program knows that it was deployed but has very little knowledge on how it works. Is this adequate for the practice?
A. Yes, the antivirus program is available, so it is sufficient.
B. Yes, antivirus programs are automated to run independently.
C. No, the team member must know how the antivirus program is deployed and maintained.
D. No, the team member's interview answers about deployment and maintenance are insufficient.
Explanation:
The team member responsible for maintaining the antivirus program cannot articulate how it works or provide details about its deployment and maintenance. This is insufficient because the purpose of an interview is to gather evidence from individuals with direct knowledge of how a practice is implemented in daily operations. The CMMC assessment objectives for malicious code protection (SI.L1-3.14.2) require determining whether malicious code protection is implemented at appropriate locations and whether the protection mechanism is properly configured and managed. The team member responsible for maintaining the program must be able to explain deployment, configuration, scanning schedules, and update procedures.
Why other options are incorrect:
A. Yes, the antivirus program is available, so it is sufficient
– Availability alone does not demonstrate effective implementation. The assessor must verify that the antivirus program is properly deployed, configured, and maintained.
B. Yes, antivirus programs are automated to run independently
– Automation does not eliminate the need for knowledgeable personnel. Even automated systems require oversight, configuration, and troubleshooting.
C. No, the team member must know how the antivirus program is deployed and maintained
– While this is true, option D more directly captures the insufficiency: the team member's interview answers are insufficient. A team member who cannot explain how the antivirus program works cannot provide adequate evidence.
References
CMMC Assessment Process (CAP) – Interview method: conducts discussions with individuals or groups to gather evidence about security control implementation
SI.L1-3.14.2 (CMMC Level 1 Self-Assessment Guide) – Assessment objectives include verifying that malicious code protection mechanisms are implemented and configured
During a Level 2 Assessment, the OSC has provided an inventory list of all hardware. The list includes servers, workstations, and network devices. Why should this evidence be sufficient for making a scoring determination for AC.L2-3.1.19: Encrypt CUI on mobile devices and mobile computing platforms?
A. The inventory list does not specify mobile devices.
B. The interviewee attested to encrypting all data at rest.
C. The inventory list does not include Bring Your Own Devices.
D. The DoD has accepted an alternative safeguarding measure for mobile devices.
Explanation:
To determine if the evidence provided is sufficient for scoring AC.L2-3.1.19, an assessor must evaluate both adequacy (is it the right type of evidence?) and sufficiency (is there enough evidence?).
The inventory list provided only includes servers, workstations, and network devices. It does not include mobile devices (e.g., smartphones, tablets, laptops). This is a critical gap, as the first assessment objective for AC.L2-3.1.19 requires an assessor to “[a] determine if mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.”
Why the other options are incorrect:
B. The interviewee attested to encrypting all data at rest
– Incorrect. An attestation or verbal assurance is insufficient without the technical evidence of configuration, inventory, or testing, as required by the "Examine" and "Test" methods.
C. The inventory list does not include Bring Your Own Devices.
– Incorrect. While BYODs are part of the scope, the more fundamental issue here is the lack of any mobile assets in the inventory. The question states that the list contains only servers, workstations, and network devices; the gap it highlights is mobile devices in general, not BYOD specifically.
D. The DoD has accepted an alternative safeguarding measure for mobile devices.
– Incorrect. There is no general DoD exception to the requirement to encrypt CUI on mobile devices. This option is a distractor with no basis in the regulation.
References
CMMC Level 2 Assessment Guide (DoD CIO) – AC.L2-3.1.19 assessment objectives: specifically requires identification of mobile devices and platforms.
NIST SP 800-171A – Assessment methods and evidence requirements for determining "MET".