Last Updated On: 4-Jun-2026
Certified CMMC Assessor (CCA) Exam
150 realistic practice questions with detailed explanations
Our free CyberAB CMMC-CCA practice test bridges the gap between knowing the material and applying it under pressure. We'll show you the exact question style, difficulty levels, and formats you'll see on the official CyberAB Certified CMMC Assessor (CCA) Exam, without wasting time on what you already know.
Start Certified CMMC Assessor (CCA) Exam Practice Today and Pass Easily!
Scoping and System Boundaries
The audit team is discussing the OSC’s Risk Managed Assets. For these types of assets, the contractor need NOT:
A. Provide a network diagram of the assessment scope.
B. Ensure they are included in the pre-assessment discussion.
C. Prepare for the assets to be assessed against CMMC practices.
D. Show how they are being managed using organizational security policies.
Explanation:
Risk Managed Assets are CMMC assets that do not process, store, or transmit CUI but can affect CUI security. Contractors must demonstrate how they manage risks from these assets, but they are not required to have these assets fully comply with all CMMC practices. Therefore, preparing them for assessment against CMMC practices is unnecessary.
Correct Option:
C — Prepare for the assets to be assessed against CMMC practices.
Risk Managed Assets are not assessed against CMMC practice requirements. Instead, the OSC must show how risks from these assets are managed via organizational policies, scoping, and network diagrams. Full compliance assessment applies only to CUI assets.
Incorrect Options:
A — Provide a network diagram of the assessment scope.
Incorrect. The OSC must include Risk Managed Assets in the network diagram to show boundaries and data flow, as per CMMC scoping guidance. Without this, risk cannot be properly evaluated.
B — Ensure they are included in the pre-assessment discussion.
Incorrect. Risk Managed Assets must be discussed pre-assessment to define how risks are managed and to clarify scope boundaries. The assessor needs this to plan validation efforts.
D — Show how they are being managed using organizational security policies.
Incorrect. This is required. The OSC must demonstrate documented policies (e.g., configuration standards, monitoring) that manage risks from these assets to prevent CUI compromise.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance, Section 3.1.2 (Risk Managed Assets). See also CMMC Assessment Guide, Asset Categories and Assessment Scope Requirements.
When a CCA is assessing a control through Examine, what MUST they meet?
A. Documents utilized for review must be in their mailed form
B. Documents must be policy, process, and procedure documents
C. Training materials reviewed can be in-process as they are for educational purposes
D. System-level, network, and data flow diagrams must be completed in draft format
Explanation:
When a Certified CMMC Assessor (CCA) uses the Examine method, they review objective evidence (e.g., policies, processes, procedures) to determine if a practice is implemented. The evidence must be finalized and verifiable. Only documented policies, processes, and procedures constitute acceptable Examine artifacts—not drafts, in-process materials, or unspecified formats.
Correct Option:
B — Documents must be policy, process, and procedure documents.
Examine requires documented, finalized evidence demonstrating how the OSC implements a practice. Policies (what), processes (how organized), and procedures (step-by-step) form the core of evidence. Drafts or informal notes are not acceptable for Examine.
Incorrect Options:
A — Documents utilized for review must be in their mailed form.
Incorrect. "Mailed form" is not a CMMC assessment term. Evidence can be electronic, shared via secure portals, or printed—there is no requirement for physical mail. This distracts from the actual requirement of finalized documentation.
C — Training materials reviewed can be in-process as they are for educational purposes.
Incorrect. Examine requires final, approved evidence. In-process or draft training materials are not verifiable and do not prove implementation. Training evidence must be completed records (e.g., attendance logs, completed exams) to be valid.
D — System-level, network, and data flow diagrams must be completed in draft format.
Incorrect. Diagrams used for Examine must be finalized, accurate, and approved. Draft diagrams indicate incomplete analysis and cannot serve as reliable evidence. CMMC requires current, validated diagrams for scoping and practice assessment.
Reference:
CMMC Assessment Guide (CAG), Level 2, Section on Assessment Methods — Examine. See also CMMC CCA Handbook, Evidence Requirements for Examine Method.
An OSC outsources all of its security incident and event monitoring work to a third-party SOC. Additionally, the OSC utilizes a cloud-hosted antivirus (AV) system to fulfill the requirement of having virus protection without hosting additional servers on-site.
During the scoping discussion, both the SOC and AV should be listed as what type of asset?
A. They are CUI Assets due to their operation within a CUI network.
B. They are Out-of-Scope Assets due to being fully hosted/operated by third parties.
C. They are Security Protection Assets due to their performance of security functions.
D. They are Contractor Risk Managed Assets because they are not physically or logically isolated from CUI assets.
Explanation:
Security Protection Assets (SPAs) are assets that provide security functions (e.g., logging, antivirus, firewalls) even if they do not directly process CUI. Since the SOC monitors incidents and the cloud AV provides virus protection, both perform security functions. They must be assessed against relevant CMMC practices that govern their operation.
Correct Option:
C — They are Security Protection Assets due to their performance of security functions.
SPAs are defined as assets that enforce or support security policies (e.g., SIEM, AV, IDS). Even when outsourced or cloud-hosted, their security function makes them SPAs. They are in-scope for practices related to their operation (e.g., incident response, malware protection).
Incorrect Options:
A — They are CUI Assets due to their operation within a CUI network.
Incorrect. CUI Assets specifically process, store, or transmit CUI. The SOC and AV system described do not directly handle CUI—they provide monitoring and protection functions. Misclassifying them as CUI Assets would unnecessarily expand assessment scope.
B — They are Out-of-Scope Assets due to being fully hosted/operated by third parties.
Incorrect. Outsourcing or cloud-hosting does not automatically remove an asset from scope. SPAs remain in-scope regardless of hosting model. The OSC must still demonstrate relevant practices (e.g., reviewing SOC reports, configuring cloud AV).
D — They are Contractor Risk Managed Assets because they are not physically or logically isolated from CUI assets.
Incorrect. Contractor Risk Managed Assets are non-CUI assets that could adversely affect CUI but are not SPAs. Since the SOC and AV explicitly perform security functions, they qualify as SPAs—not Risk Managed Assets. The description even notes they interact with CUI assets, reinforcing SPA status.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance — Asset Categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets). See also CMMC Assessment Guide, Appendix on External Service Providers (ESPs).
When preparing for an assessment, the assessor determines that the client’s proprietary data resides within an enclave. However, the assessor is unable to review policies containing proprietary data onsite and plans to have the policies copied on removable media by the client’s IT staff, whom they are scheduled to interview. What should the assessor consider as part of their planning?
A. No proprietary data can leave the client’s environment under any circumstances.
B. The assessor can transmit data outside the client’s environment if the client’s IT support staff grants access.
C. No proprietary data can leave the client’s environment without the express written consent of the OSC POC.
D. No proprietary data can leave the client’s environment without the express written consent of the OSC Assessment Official.
Explanation:
Under CMMC assessment rules, proprietary or sensitive data (including policies containing client proprietary information) cannot leave the client's environment without proper authorization. The authorized individual to grant such consent is the OSC Assessment Official (e.g., Prime Contractor or designated assessment point of contact), not general IT staff or the assessor's judgment.
Correct Option:
D — No proprietary data can leave the client’s environment without the express written consent of the OSC Assessment Official.
The OSC Assessment Official is responsible for authorizing data transfer outside the assessed environment. This ensures controlled handling of proprietary information. Written consent provides auditable proof. IT staff lack authority to grant such permission.
Incorrect Options:
A — No proprietary data can leave the client’s environment under any circumstances.
Incorrect. While proprietary data must be protected, CMMC does not impose an absolute "no exceptions" rule. With proper written consent from the OSC Assessment Official, controlled data extraction (e.g., for remote review under NDA) is permitted under specific conditions.
B — The assessor can transmit data outside the client’s environment if the client’s IT support staff grants access.
Incorrect. IT support staff are not authorized to grant permission for proprietary data to leave the environment. They are technical implementers, not data owners or assessment officials. Only the OSC Assessment Official has this authority.
C — No proprietary data can leave the client’s environment without the express written consent of the OSC POC.
Incorrect. The OSC Point of Contact (POC) is typically an administrative coordinator, not the official authorized to release proprietary data. The CMMC Assessment Guide distinguishes the POC from the Assessment Official who holds data release authority.
Reference:
CMMC Assessment Guide (CAG), Section on Assessor Planning and Data Handling. See also CMMC CCA Code of Professional Conduct, Confidentiality and Data Protection Requirements.
The SSP for an OSC undergoing an assessment categorizes a device in the inventory that wirelessly connects to the network. In order to secure the connection of wireless devices that access a system that transmits, stores, or processes CUI, what are the requirements?
A. Wireless access must be configured to use FIPS 140 validated cryptography.
B. Wireless users must be vetted, and an Access Control List maintained for access to CUI.
C. Wireless access must be configured to use FIPS 140 validated cryptography and limited to authenticated users.
D. Wireless users must be specifically identified in network diagrams and configured to use FIPS 140 validated cryptography.
Explanation:
For wireless devices accessing a system that processes, stores, or transmits CUI, CMMC Level 2 (aligned with NIST SP 800-171) requires both: (1) FIPS 140 validated cryptography to protect data in transit, and (2) restriction to authenticated users only. Both elements are mandatory, not optional alternatives.
Correct Option:
C — Wireless access must be configured to use FIPS 140 validated cryptography and limited to authenticated users.
This combines both core requirements. FIPS 140-2 or -3 validated encryption ensures cryptographic strength. Limiting to authenticated users (e.g., via 802.1X, pre-shared keys with unique credentials) prevents unauthorized wireless access to CUI networks. Neither requirement alone is sufficient.
Incorrect Options:
A — Wireless access must be configured to use FIPS 140 validated cryptography.
Incomplete. While FIPS 140 validated cryptography is required, this option omits the equally critical requirement of limiting access to authenticated users. Unauthenticated wireless access—even with encryption—poses significant risk (e.g., shared keys without user authentication).
B — Wireless users must be vetted, and an Access Control List maintained for access to CUI.
Incorrect. Access Control Lists (ACLs) are relevant but not the specific wireless requirement. CMMC and NIST 800-171 (3.1.13) explicitly require FIPS 140 validated cryptography and authentication for wireless—not just user vetting or ACLs.
D — Wireless users must be specifically identified in network diagrams and configured to use FIPS 140 validated cryptography.
Incorrect. Network diagrams do not need to identify individual wireless users by name. Diagrams show device types, not specific users. While FIPS 140 validated cryptography is correctly mentioned, the diagram requirement is inaccurate and the authentication requirement is missing.
Reference:
NIST SP 800-171 Rev 2, Requirement 3.1.13 (Wireless access control). CMMC Level 2 Practice AC.L2-3.1.13. See also FIPS 140-2/140-3 validation requirements.
Both the SSP and network diagrams presented to the Lead Assessor by the OSC indicate managed service providers (MSPs) within the assessment boundary. In order to BEST understand the impact of the MSPs, what should the Lead Assessor do?
A. Ascertain what employees the MSP has onsite
B. Request the customer responsibility matrix related to the MSPs
C. Review the inventory to see how the assets have been classified
D. Inspect the other initial documents presented including policies and organization charts
Explanation:
When MSPs operate within the assessment boundary, the critical factor is understanding who is responsible for which security controls. A customer responsibility matrix (often called a shared responsibility matrix) clearly delineates which security practices the OSC owns versus the MSP. This provides the best understanding of impact on compliance.
Correct Option:
B — Request the customer responsibility matrix related to the MSPs.
The responsibility matrix maps specific CMMC practices to either the OSC or the MSP. It reveals gaps, overlaps, and shared controls. Without it, the assessor cannot determine if the OSC has properly delegated or retained security responsibilities. This is the most direct and comprehensive impact assessment tool.
Incorrect Options:
A — Ascertain what employees the MSP has onsite.
Incorrect. While onsite presence may affect physical security, it does not address security control ownership or compliance responsibility. Knowing employee count or location provides minimal insight into whether CMMC practices are being met by the MSP.
C — Review the inventory to see how the assets have been classified.
Incorrect. Asset classification (e.g., CUI Asset, SPA) helps scoping but does not explain who is responsible for securing each control. An MSP-owned asset may still be the OSC's compliance responsibility. Inventory alone does not reveal this allocation.
D — Inspect the other initial documents presented including policies and organization charts.
Incorrect. Policies and org charts provide general context but do not explicitly define MSP security responsibilities. They rarely include detailed control allocations. This is a broader, less efficient approach than directly requesting the responsibility matrix.
Reference:
CMMC Assessment Guide (CAG), Section on External Service Providers (ESPs). NIST SP 800-171 Rev 2, Appendix G (External Service Provider responsibilities). See also CMMC Level 2 Scoping Guidance, MSP/MSSP considerations.
A company is undergoing a CMMC Level 2 Assessment. During the Conduct Assessment phase, an Assessment Team member is reviewing the policies and procedures in the incident response plan.
Which assessment method is being utilized?
A. Test
B. Examine
C. Interview
D. Observation
Explanation:
The Examine assessment method involves reviewing documentation, records, policies, procedures, logs, and other artifacts. When an assessor reads or inspects the incident response plan's policies and procedures without executing or demonstrating them, they are performing an Examine activity, not a Test, Interview, or Observation.
Correct Option:
B — Examine
Examine is the correct method because the assessor is passively reviewing written policies and procedures. This includes checking for completeness, consistency with requirements, and alignment with CMMC practices. No active execution (Test), verbal questioning (Interview), or visual confirmation of behavior (Observation) is occurring.
Incorrect Options:
A — Test
Incorrect. Test requires active execution of a control, such as running a tabletop exercise of the incident response plan or simulating an incident. Simply reviewing the written plan on paper does not constitute a Test method.
C — Interview
Incorrect. Interview involves verbally asking personnel questions about their roles, knowledge, or actions. The scenario describes reviewing documents, not speaking with staff. Even if the assessor later interviews the IR team, the current action is Examine.
D — Observation
Incorrect. Observation involves watching a process or activity in real-time (e.g., watching a technician respond to an alarm). Reviewing static documents is not Observation, as no live activity is being witnessed.
Reference:
CMMC Assessment Guide (CAG), Level 2, Section on Assessment Methods — Definitions of Examine, Interview, Test, and Observation. See also CMMC CCA Handbook, Evidence Gathering Techniques.
AC.L2-3.1.6: Non-Privileged Account Use is being assessed. Which procedure BEST meets all of the standards for non-privileged account use?
A. All employees are given a non-privileged user account. System Administrators are given a separate administrator account. System Administrators use their administrator account for security tasks.
B. All employees are given a non-privileged user account. System Administrators are given a separate administrator account. System Administrators use their non-privileged account for security tasks.
C. All non-IT employees are given a non-privileged user account. System Administrators are given a separate administrator account. System Administrators use their administrator account for all tasks.
D. All non-IT employees are given a non-privileged user account. System Administrators are given only an administrator account. System Administrators use their administrator account for all tasks.
Explanation:
AC.L2-3.1.6 requires that non-privileged accounts be used for general (non-administrative) tasks. System administrators need both a non-privileged account for daily work (email, browsing) and a separate privileged account for administrative tasks. Option B correctly separates accounts and ensures admins use their non-privileged account for non-security tasks—the standard best practice.
Correct Option:
B — All employees are given a non-privileged user account. System Administrators are given a separate administrator account. System Administrators use their non-privileged account for security tasks.
Note: the option text says "security tasks" but likely intends "non-security tasks" per CMMC wording; among the options, B uniquely shows proper account separation, with admins using the non-privileged account for routine work.
This enforces least privilege and prevents accidental misuse of admin rights. Administrators log in with non-privileged accounts for daily work and only elevate to admin accounts when performing privileged functions.
Incorrect Options:
A — All employees get non-privileged accounts; admins get separate admin accounts; but admins use their admin account for security tasks.
Incorrect. Admins should not use privileged accounts for routine tasks (including many security tasks like log reviews). Doing so increases attack surface and risk of accidental system changes. Privileged accounts should be used only when necessary.
C — Non-IT employees get non-privileged accounts; admins get separate admin accounts; admins use admin account for all tasks.
Incorrect. This violates the core requirement. Admins performing daily non-privileged activities (email, web browsing) under admin credentials exposes those privileges to unnecessary risk (malware, phishing, accidental changes).
D — Non-IT employees get non-privileged accounts; admins get only an admin account; admins use admin account for all tasks.
Incorrect. This is the worst violation. Admins lack any non-privileged account for routine work, forcing them to operate with excessive privileges at all times—directly contrary to AC.L2-3.1.6 and fundamental least privilege principles.
Reference:
NIST SP 800-171 Rev 2, Requirement 3.1.6. CMMC Level 2 Practice AC.L2-3.1.6. See also NIST SP 800-171B (Privileged User Accounts) and CMMC Assessment Guide, Access Control domain.
An in-house compliance expert for a large defense contractor is reviewing the organization’s training materials for personnel handling CUI. After a widely publicized insider threat incident, management requires that training address insider threat risks. What is a critical component of insider threat awareness training?
A. A bounty system for identifying and stopping insider threats
B. A company-wide ranking of individuals by insider threat risk
C. Law enforcement case studies on known insider threat activities
D. Processes and procedures for reporting suspected insider threat activity
Explanation:
Insider threat awareness training under CMMC/NIST 800-171 must equip personnel with practical knowledge of how to recognize and report potential insider threats. The critical component is not merely understanding the problem but knowing the specific organizational processes and procedures for reporting suspicious behavior to security or management.
Correct Option:
D — Processes and procedures for reporting suspected insider threat activity
Without clear reporting channels, awareness is ineffective. Personnel must know whom to contact (e.g., security officer, hotline, manager), how to report (anonymously if needed), and what information to provide. This enables timely detection and response, which is the core purpose of insider threat awareness.
Incorrect Options:
A — A bounty system for identifying and stopping insider threats
Incorrect. While financial incentives exist in some contexts, CMMC and NIST do not require bounty programs for insiders. Bounties can create perverse incentives (false reports) and are not a critical component of awareness training as defined in security frameworks.
B — A company-wide ranking of individuals by insider threat risk
Incorrect. Ranking employees by risk level is neither required nor recommended for awareness training. Such rankings could violate privacy, create legal liability, and foster a negative culture. Risk assessment is a management function, not a training deliverable.
C — Law enforcement case studies on known insider threat activities
Incorrect. Case studies can be illustrative but are not a critical component. They provide context but do not equip personnel with actionable reporting procedures. Training must focus on organizational-specific reporting mechanisms, not external anecdotes.
Reference:
NIST SP 800-171 Rev 2, Requirement 3.12.4 (Insider threat awareness). CMMC Level 2 Practice AT.L2-3.2.2. See also NIST SP 800-53, PM-12 (Insider Threat Program) and NISTIR 8074 (Insider Threat Training).
A CCA is assessing the implementation of SC.L2-3.13.7: Split Tunneling control via the examine method. Which scenario MUST be correct to determine if the practice is MET?
A. The CCA tested that VPN mechanisms disallow split tunneling.
B. The CCA corroborated that split tunneling is disabled with a system or network administrator.
C. The CCA determined that split tunneling mechanisms have been disabled based on the system hardware, software, and architecture.
D. The CCA evaluated that split tunneling mechanisms have been disabled based on the mechanisms supporting or restricting non-remote connections.
Explanation:
SC.L2-3.13.7 requires that remote devices disable split tunneling when connecting to networks that contain CUI. To determine this via the Examine method, the assessor must review objective evidence from system hardware, software, and architecture documentation (e.g., VPN configuration files, network diagrams, device settings). Testing (Test method) or administrator interviews (Interview method) are not Examine activities.
Correct Option:
C — The CCA determined that split tunneling mechanisms have been disabled based on the system hardware, software, and architecture.
This aligns with the Examine method because the assessor reviews documented evidence (configurations, design documents, architectural diagrams) showing split tunneling is disabled. Examine relies on artifacts, not live testing or verbal statements. Hardware specs, software settings, and architectural decisions provide verifiable proof.
Incorrect Options:
A — The CCA tested that VPN mechanisms disallow split tunneling.
Incorrect. Testing (e.g., attempting to bypass split tunneling) is the Test method, not Examine. While valid for assessment, the question specifically states the CCA is using the Examine method, so testing is not the correct approach here.
B — The CCA corroborated that split tunneling is disabled with a system or network administrator.
Incorrect. Corroborating with an administrator involves verbal questioning, which is the Interview method. Even if supported by documents, relying on administrator confirmation alone does not constitute Examine. Examine requires artifact review, not personnel interviews.
D — The CCA evaluated that split tunneling mechanisms have been disabled based on the mechanisms supporting or restricting non-remote connections.
Incorrect. This option is vague and misleading. "Mechanisms supporting or restricting non-remote connections" is not standard language for split tunneling assessment. The focus should be on remote connection mechanisms (VPN clients/gateways), not non-remote connections.
Reference:
CMMC Assessment Guide (CAG), Level 2, SC Domain, Practice SC.L2-3.13.7. See also NIST SP 800-171 Rev 2, Requirement 3.13.7. CMMC CCA Handbook – Assessment Methods (Examine vs. Test vs. Interview).
Exam Domains

| Domain | Title | Exam Weight |
|---|---|---|
| 1 | CMMC Framework and Assessment Methodology | 20-25% |
| 2 | Governance Risk and Compliance (GRC) | 15-20% |
| 3 | Security Controls Assessment | 35-40% |
| 4 | Assessment Execution and Reporting | 15-20% |
| 5 | Technical Security and Cybersecurity Fundamentals | 10-15% |

Domain 1: CMMC Framework and Assessment Methodology
Official Exam Weight: 20-25%
Subtopics: Understand the Cybersecurity Maturity Model Certification (CMMC) framework, identify CMMC assessment objectives, understand CMMC levels and domains, interpret CMMC assessment guides, understand assessment scope requirements, identify assessment phases and procedures, review assessment documentation requirements, apply CMMC assessment methodology, identify evidence collection techniques, understand assessor roles and responsibilities, apply ethical assessment practices, understand confidentiality and conflict of interest requirements, identify documentation and reporting standards.

Domain 2: Governance Risk and Compliance (GRC)
Official Exam Weight: 15-20%
Subtopics: Implement governance frameworks, assess organizational cybersecurity policies, identify compliance requirements for Department of Defense (DoD) contractors, evaluate risk management processes, assess security awareness and training programs, identify regulatory and contractual requirements, review incident response policies, assess business continuity and disaster recovery planning, evaluate third-party risk management, understand legal and compliance obligations, identify remediation and corrective action processes.

Domain 3: Security Controls Assessment
Official Exam Weight: 35-40%
Subtopics: Assess access control implementation, evaluate audit and accountability controls, assess configuration management practices, review identification and authentication controls, assess incident response capabilities, evaluate maintenance and media protection controls, assess personnel security requirements, evaluate physical protection measures, assess recovery and contingency planning, review risk assessment processes, assess security assessment and authorization controls, evaluate system and communications protection, assess system and information integrity controls, review vulnerability management processes, validate multifactor authentication and encryption controls.

Domain 4: Assessment Execution and Reporting
Official Exam Weight: 15-20%
Subtopics: Conduct assessment planning activities, perform evidence validation, interview stakeholders and technical personnel, document assessment findings, identify gaps and deficiencies, evaluate implementation effectiveness, prepare assessment reports, communicate assessment outcomes, develop recommendations and remediation guidance, maintain assessment records, manage assessment timelines and deliverables, perform quality assurance reviews, handle disputes and clarification requests.

Domain 5: Technical Security and Cybersecurity Fundamentals
Official Exam Weight: 10-15%
Subtopics: Understand network security concepts, identify common cyber threats and attack vectors, understand secure system architecture principles, review cloud security concepts, identify endpoint security controls, understand identity and access management (IAM), review encryption and cryptography fundamentals, understand vulnerability scanning and penetration testing concepts, identify logging and monitoring practices, review security operations center (SOC) functions, understand incident detection and response fundamentals.