Last Updated On : 20-May-2026
Certified CMMC Assessor (CCA) Exam
Total 343 Questions
Topic 2: CMMC Assessment Process (CAP)
During a CMMC Level 2 assessment, the OSC’s Assessment Official asks the Lead Assessor if they can exclude a small subsidiary from the assessment scope because it only handles a minimal amount of CUI. The subsidiary’s systems are networked with the main OSC environment. What should the Lead Assessor do?
A. Agree to exclude the subsidiary since it handles minimal CUI.
B. Request the OSC to include the subsidiary in the scope due to its networked connection and CUI handling, and adjust the assessment accordingly.
C. Proceed with the original scope and ignore the subsidiary’s systems.
D. Terminate the assessment until the OSC resolves the subsidiary’s inclusion internally.
You are a CCA on an Assessment Team. During a daily checkpoint meeting, the OSC PoC complains that the assessment process is taking too long and asks if some practices can be skipped to speed things up. How should you respond?
A. Explain that all practices must be assessed as required by the CMMC Assessment Process and cannot be skipped.
B. Agree to skip non-critical practices to accommodate the OSC’s timeline.
C. Suggest that the OSC discuss the issue with the Lead Assessor to negotiate a reduced scope.
D. Recommend that the OSC hire additional staff to expedite evidence collection.
During the on-site assessment, the assessment team thoroughly evaluated an OSC’s systems, policies, procedures, and practices against the 110 CMMC Level 2 practices. Initially, they found several deficient areas where practices were not fully met. The OSC took advantage of the Limited Practice Deficiency Correction program, which allowed them to provide additional evidence and implement corrections for certain deficient practices during the assessment period. What status should the Lead Assessor recommend for CMMC Level 2 Certification if an OSC has 85 out of 110 practices scored as ‘MET’ after applying the Limited Practice Deficiency Correction program?
A. The Lead Assessor will recommend the OSC receive a final finding of “Not Achieved” for CMMC Level 2 Certification. The OSC will be required to correct deficiencies and reapply for CMMC L2 Certification.
B. Defer the recommendation until the OSC has fully remediated all ‘NOT MET’ practices through a Plan of Action and Milestones (POA&M).
C. Recommend ‘CMMC Level 2 Conditional Certification’ with a requirement to correct the remaining deficiencies within a specified timeframe.
D. Recommend ‘CMMC Level 2 Certification’ without any conditions.
A C3PAO Assessment Team is conducting a CMMC Level 2 assessment. During the assessment, the OSC provides evidence that a practice is partially implemented, with plans to complete it within a month. The practice is not eligible for the Limited Practice Deficiency Correction Program. How should the Lead Assessor score this practice?
A. Score it as "MET" since the OSC has a plan to complete it soon.
B. Score it as "NOT MET" since it is not fully implemented and is ineligible for deficiency correction.
C. Score it as "PARTIALLY MET" and include it in a POA&M.
D. Defer scoring until the OSC completes the implementation.
A CMMC assessment for an OSC finds it has fully implemented 87 out of 110 practices. Unfortunately, the Assessment Team determines that the POA&M Closeout Assessment option cannot be used. Consequently, the OSC will not be recommended for certification. However, the OSC assessment official humbly requests the Lead Assessor to adjust the findings to allow for POA&M closeout and mark a five-point practice as implemented. How should the Lead Assessor respond?
A. Politely decline the request and cite ethical reasons of violating the CoPC.
B. Negotiate with the OSC to implement additional practices and reassess the POA&M Closeout Assessment option.
C. Report the request to the Cyber AB and recommend disciplinary action against the OSC assessment official.
D. Agree to the request and tweak the findings.
After thoroughly evaluating the evidence gathered, the Assessment Team has generated their preliminary findings and recommendations for the OSC’s target CMMC level. However, before finalizing the results, they need to validate their findings through a review process. Once the Preliminary Recommended Findings have been generated and validated, the Assessment Team needs to properly record them in the appropriate document or system. Where should the Assessment Team enter or record the preliminary recommended findings after generating and validating them?
A. In the CMMC Assessment Results Template.
B. Daily Checkpoint Log
C. In the CMMC Assessment Findings Brief.
D. CMMC Assessment In-Brief Template
You are the Lead Assessor for a CMMC Level 2 assessment. The OSC has implemented a practice using a manual process instead of an automated tool, as described in their SSP. The manual process meets the practice’s objectives. How should you evaluate this evidence?
A. Score the practice as "MET" since the manual process meets the objectives.
B. Document the deviation from the SSP as an evidence gap and assess based on the manual process’s effectiveness.
C. Score the practice as "NOT MET" due to the deviation from the SSP.
D. Request the OSC to implement the automated tool as described in the SSP.
A CCA is part of an Assessment Team conducting a CMMC Level 2 assessment. During an interview, an OSC employee admits that a critical security practice is not implemented because “it’s too expensive.” The CCA responds by suggesting a low-cost alternative solution to implement the practice. What should the CCA have done instead?
A. Noted the employee’s statement and continued the interview without offering any suggestions.
B. Reported the employee’s statement to the OSC management immediately.
C. Encouraged the employee to discuss the issue with their supervisor after the interview.
D. Paused the interview to consult with the Lead Assessor about the practice’s cost implications.
During a CMMC assessment, a CCA took home some documents from the OSC’s facility without their knowledge. The documents contained confidential, proprietary information (jet engine designs). After a few days, the OSC realized the documents were missing. Upon realizing the mistake, the CCA returned the document and informed the Lead Assessor. One year later, the information appeared online. The OSC believes the CCA duplicated the information and kept a copy for themselves. Angered by the situation, the OSC sues the CCA for IP theft. Under the CoPC, what action should the CCA take?
A. Plead guilty to receive a reduced fine.
B. None; they should only defend themselves in court.
C. Inform the Cyber AB within 30 days.
D. Ask their C3PAO for legal assistance.
An OSC plans to undergo a CMMC Level 2 assessment with your C3PAO firm. As the Lead Assessor, you are collaborating with the OSC to develop the evidence collection approach for Phase 1. The OSC proposes conducting most interviews virtually due to geographically dispersed employees. You are responsible for defining the evidence collection methods for artifacts, interviews, tests or demonstrations, and information requests. Additionally, you must determine how virtual data collection will be managed, including security protocols for CUI and FCI. Which of the following is the most appropriate approach for artifact collection in this scenario?
A. Use a combination of virtual document sharing and a limited on-site visit.
B. Conduct an on-site visit to review paper and electronic artifacts.
C. Request the OSC to upload all relevant documents to a secure cloud storage platform.
D. Rely solely on information requests sent via email to relevant OSC personnel.
| Page 16 out of 35 Pages |
| 789101112131415161718192021222324 |
| CMMC-CCA Practice Test Home |
Choosing the right preparation material is critical for passing the Certified CMMC Assessor (CCA) Exam exam. Here’s how our CMMC-CCA practice test is designed to bridge the gap between knowledge and a passing score.