Last Updated On : 4-Jun-2026
Certified CMMC Assessor (CCA) Exam
150 realistic practice questions with detailed explanations
CMMC Domains and Practices
An OSC is undergoing CMMC Assessment on an enterprise-wide basis. While walking to the conference room, the Assessor notices a printer repair technician in the hallway, unescorted, repairing a printer marked “Authorized for CUI printing.” What is the NEXT step the Lead Assessor should take regarding PE.L2-3.10.3: Escort Visitors?
A. Make a note and score the practice as MET
B. Ask the printer technician to leave immediately
C. Make a note and score the practice as NOT MET
D. Ask the OSC if the printer technician has authorized access
Explanation:
Before making any scoring determination, the assessor must first gather facts. The technician may have authorized unescorted access (e.g., background check, badge, written approval). Jumping to a NOT MET score or demanding removal without understanding the OSC's visitor policy would be premature and unprofessional. The correct next step is to inquire with the OSC.
Correct Option:
D — Ask the OSC if the printer technician has authorized access
The assessor must verify whether the technician is properly authorized per the OSC's visitor escort policy (PE.L2-3.10.3). The OSC may have a process allowing certain vendors unescorted access after vetting. Asking the OSC provides necessary context before any scoring decision.
Incorrect Options:
A — Make a note and score the practice as MET
Incorrect. Scoring as MET without investigation is inappropriate. The assessor does not yet know if an escort violation occurred. The technician could be unauthorized, making the practice NOT MET. Premature scoring violates assessment rigor.
B — Ask the printer technician to leave immediately
Incorrect. Assessors have no authority to remove personnel from the OSC's facility. Directing the technician to leave exceeds the assessor's role and could interfere with legitimate authorized work. The OSC manages its own physical security.
C — Make a note and score the practice as NOT MET
Incorrect. Scoring as NOT MET without confirmation is premature and potentially incorrect. The technician may have proper unescorted authorization under the OSC's policy. Assessors must verify before concluding non-compliance.
Reference:
CMMC Assessment Guide (CAG), Section on Assessor Conduct and Professionalism. CMMC Level 2 Practice PE.L2-3.10.3 (Escort visitors). See also CMMC CCA Handbook, Evidence Gathering and Verification Principles.
While examining evidence, a CCA is trying to confirm the claim that the OSC has identified all information system users, processes acting on behalf of users, and all devices.
Which of the following provides the STRONGEST evidence of this practice?
A. Lists of system accounts and devices and system audit logs and records
B. System design documentation and other relevant documents or records
C. Procedures addressing user and system identification and authentication and SSP
D. Identification and authentication policy and system configuration settings and associated documentation
Explanation:
To confirm that an OSC has identified all users, processes acting on behalf of users, and devices, the strongest evidence is a combination of system accounts/devices lists (showing what has been identified) and audit logs/records (showing actual activity, which can reveal unlisted users or devices). This provides both inventory and operational verification.
Correct Option:
A — Lists of system accounts and devices and system audit logs and records
Lists provide a static inventory of identified users and devices. Audit logs provide dynamic evidence of who and what is actually accessing the system. Comparing logs against lists reveals discrepancies (e.g., unknown accounts, ghost devices), making this the strongest evidence combination for completeness.
Incorrect Options:
B — System design documentation and other relevant documents or records
Incorrect. Design documentation describes intended architecture, not actual identification of users/devices. It does not prove that all current users, processes, or devices have been identified. Design documents often become outdated and miss operational realities.
C — Procedures addressing user and system identification and authentication and SSP
Incorrect. Procedures and the System Security Plan (SSP) document planned or required practices. They do not provide evidence that identification has actually been completed or that all users/devices are captured. These are policy-level, not verification-level, artifacts.
D — Identification and authentication policy and system configuration settings and associated documentation
Incorrect. Policy states what should happen; configuration settings show how systems enforce identification. Neither proves that all users (including authorized but not yet provisioned, or terminated but still active) or all devices have been identified. Operational evidence is missing.
Reference:
CMMC Level 2 Practice IA.L2-3.5.1 (Identify system users, processes acting on behalf of users, and devices). NIST SP 800-171 Rev 2, Requirement 3.5.1. See also CMMC Assessment Guide, Identification and Authentication domain, Evidence Types.
An OSC seeking Level 2 certification wants to develop and launch a website for customers to purchase items online and submit contact forms. The OSC plans to host the web server in their own data center while also maintaining the security of their internal IT environment. Based on this information, what would be the BEST approach?
A. Relocate the server to a different office location to protect the OSC’s LAN
B. Configure a DMZ for an additional layer of security to the OSC’s LAN to host the publicly accessible server
C. Configure a firewall rule to only allow internal traffic to communicate with the server for an additional layer of security to the OSC’s LAN
D. Configure the server to protect against object reuse and residual information via shared system resources for an additional layer of security to the OSC’s LAN
Explanation:
Hosting a public-facing web server in the same network segment as internal systems processing CUI creates unacceptable risk. A DMZ (demilitarized zone) provides a separate, isolated network layer where the web server resides. This allows external users to access the website while preventing direct access to the internal LAN, following network segmentation best practices for CMMC.
Correct Option:
B — Configure a DMZ for an additional layer of security to the OSC’s LAN to host the publicly accessible server
A DMZ is the standard architectural pattern for publicly accessible servers. It uses firewalls to control traffic: external → DMZ (allowed), DMZ → internal (restricted), internal → DMZ (as needed). This protects CUI assets from a compromised web server and aligns with CMMC AC.L2-3.1.12 (monitor/control remote access) and SC.L2-3.13.13 (separate subnetworks).
Incorrect Options:
A — Relocate the server to a different office location to protect the OSC’s LAN
Incorrect. Physical relocation alone does not provide network segmentation. The server would still need network access and could be connected via VPN or WAN, creating similar risks. A different office without DMZ architecture still exposes the internal network if connected.
C — Configure a firewall rule to only allow internal traffic to communicate with the server
Incorrect. This does the opposite of what is needed. The web server must accept external (customer) traffic, not just internal traffic. Restricting to internal traffic only would make the website inaccessible to online customers. This rule misinterprets the requirement.
D — Configure the server to protect against object reuse and residual information via shared system resources
Incorrect. Object reuse protection (NIST 800-171 3.8.6) addresses memory/data remnants between processes/users. While a valid security control, it does nothing to protect the LAN from a publicly accessible server. This addresses an unrelated practice and ignores network architecture requirements.
Reference:
NIST SP 800-171 Rev 2, Requirement 3.13.13 (Separate subnetworks). CMMC Level 2 Practice SC.L2-3.13.13. See also CMMC Scoping Guidance – DMZ architecture for publicly accessible systems.
An OSC has a headquarters (HQ) site and satellite offices A and B. The two satellite offices are connected to the HQ through a VPN. CUI is stored within the HQ LAN room and used by staff at HQ and Site A. When categorizing assets for this assessment, assets at the HQ:
A. and Site A contain CUI assets and Site B is out of scope.
B. and Site A and Site B contain CUI assets since all have access to CUI.
C. contain CUI assets and Site A and Site B contain only Certification in Risk Management Assurance.
D. and Site A contain CUI assets and Site B contains only Certification in Risk Assurance.
Explanation:
CUI assets are defined as assets that process, store, or transmit CUI. In this scenario, CUI is stored at HQ and used by staff at HQ and Site A. Site B does not store, process, or transmit CUI—it only has VPN connectivity to HQ, which alone does not make it a CUI asset unless CUI actually flows to or through it.
Correct Option:
A — and Site A contain CUI assets and Site B is out of scope.
HQ contains the CUI storage (CUI asset). Site A staff actively use CUI, so Site A likely has CUI assets (workstations, perhaps local storage or transmission). Site B has no CUI activity described; VPN connectivity alone does not bring CUI assets into scope. Therefore, Site B can be scoped out if properly isolated.
Incorrect Options:
B — and Site A and Site B contain CUI assets since all have access to CUI.
Incorrect. VPN connectivity to HQ does not automatically mean Site B has or accesses CUI. The scenario states CUI is used at HQ and Site A only. Unless CUI is transmitted to or stored at Site B, Site B assets are not CUI assets. "Access" via VPN would need to be demonstrated.
C — contain CUI assets and Site A and Site B contain only Certification in Risk Management Assurance.
Incorrect. "Certification in Risk Management Assurance" is not a CMMC asset category. This appears to be a distractor term. The correct categories are CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Out-of-Scope Assets.
D — and Site A contain CUI assets and Site B contains only Certification in Risk Assurance.
Incorrect. Same issue as option C—"Certification in Risk Assurance" is not a valid CMMC asset classification. Site B, if it truly has no CUI flow, would be an Out-of-Scope Asset or possibly Contractor Risk Managed Asset, not a fictional certification category.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Asset Categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Out-of-Scope Assets). See also CMMC Assessment Guide, Determining Assessment Scope Based on CUI Flow.
During an assessment, the OSC IT security team provided documentation on how they use replay-resistant authentication to protect CUI. What can be used as a replay-resistant mechanism?
A. Encrypted messages
B. Biometric techniques
C. Requiring Transport Layer Security (TLS)
D. MFA devices to protect access for local users
Explanation:
A replay attack occurs when an adversary captures and retransmits valid authentication data (e.g., a password hash). Replay-resistant mechanisms ensure that captured authentication exchanges cannot be reused. Transport Layer Security (TLS) provides replay resistance through sequence numbers, timestamps, and unique session keys, preventing an attacker from replaying captured TLS handshake or application data.
Correct Option:
C — Requiring Transport Layer Security (TLS)
TLS includes anti-replay features: every TLS record is authenticated under a per-connection sequence number, so a captured record that is re-sent fails integrity checking and is rejected. TLS also negotiates unique session keys for each connection, so records from one session cannot be replayed into another. While TLS alone is not full authentication, it protects authentication exchanges in transit, making it a valid replay-resistant mechanism for network-based authentication.
Incorrect Options:
A — Encrypted messages
Incorrect. Encryption alone does not prevent replay. An attacker can capture an encrypted authentication message (e.g., an encrypted password) and replay it exactly as captured. Without timestamps, nonces, or sequence numbers, the receiving system cannot distinguish a replay from a legitimate message.
B — Biometric techniques
Incorrect. Biometrics (fingerprints, retina scans) authenticate identity but are not inherently replay-resistant. A captured biometric template or authentication response can be replayed if the system does not implement additional anti-replay measures (e.g., liveness detection, challenge-response). Biometrics alone do not guarantee replay resistance.
D — MFA devices to protect access for local users
Incorrect. Multi-factor authentication (MFA) devices improve authentication strength but are not automatically replay-resistant. A one-time password (OTP) from a hardware token is replay-resistant because it changes per use. However, "MFA devices" broadly (e.g., smart cards, biometric USB keys) may still be vulnerable to replay without proper protocol design (e.g., challenge-response).
Reference:
CMMC Level 2 Practice IA.L2-3.5.3 (Replay-resistant authentication mechanisms). NIST SP 800-171 Rev 2, Requirement 3.5.3. See also NIST SP 800-63B (Authentication and Lifecycle Management), TLS 1.3 RFC 8446 (Anti-replay features).
A CCA is asked to validate if an OSC has separated their systems containing CUI from other departments’ systems on their local network. Which of the following MUST the CCA assess?
A. Wide Area Network (WAN)
B. Virtual Private Network (VPN)
C. Virtual Local Area Network (VLAN)
D. Network Address Translation (NAT)
Explanation:
To validate whether systems containing CUI are separated from other departments' systems on the local network, the CCA must assess mechanisms that logically segment a single physical network. VLANs are the standard technology for creating isolated broadcast domains within a local network, allowing CUI systems to be separated from non-CUI systems without requiring separate physical switches.
Correct Option:
C — Virtual Local Area Network (VLAN)
VLANs partition a single physical LAN into multiple logical networks. The CCA would assess VLAN configurations (e.g., port assignments, trunking, access control lists between VLANs) to confirm that CUI systems are isolated from other departments' systems. VLANs directly address the "local network" separation requirement.
Incorrect Options:
A — Wide Area Network (WAN)
Incorrect. A Wide Area Network connects geographically dispersed locations (e.g., HQ to remote office). It is not a local network separation mechanism. Assessing WAN would evaluate cross-site connectivity, not separation of CUI systems from other departments within the same facility.
B — Virtual Private Network (VPN)
Incorrect. VPNs provide encrypted tunnels over untrusted networks (e.g., internet) for remote access or site-to-site connectivity. VPNs are not used to separate systems within the same local network. VPN assessment would address remote access security, not internal departmental separation.
D — Network Address Translation (NAT)
Incorrect. NAT translates IP addresses between private and public networks, primarily for internet routing and conservation of IPv4 addresses. NAT does not provide logical separation of systems within a local network. It does not prevent direct communication between departments on the same subnet.
Reference:
CMMC Level 2 Practice SC.L2-3.13.13 (Separate subnetworks for publicly accessible systems). NIST SP 800-171 Rev 2, Requirement 3.13.13. See also CMMC Assessment Guide, System and Communications Protection domain – VLANs for internal network segmentation.
A CCA is prohibited from doing which of the following?
A. Verifying key internal system boundaries
B. Determining if physically separated assets contain CUI
C. Ensuring the external system boundary is fully defined
D. Examining whether communications are monitored at the external system boundary
Explanation:
CMMC assessors are prohibited from accessing or verifying whether physically separated assets (e.g., assets in locked cages, separate buildings, or isolated networks) contain CUI if doing so would violate legal, privacy, or security boundaries or exceed assessment scope. Assessors rely on OSC declarations and scoping documentation rather than physically inspecting every separated asset.
Correct Option:
B — Determining if physically separated assets contain CUI
The CCA cannot independently determine or verify the presence of CUI on physically separated assets without proper authorization or if those assets are legitimately out-of-scope. CUI identification is the OSC’s responsibility via self-declaration and asset inventory. Assessors do not perform invasive searches of physically separated areas without explicit written consent and scope definition.
Incorrect Options:
A — Verifying key internal system boundaries
Incorrect. CCAs are required to verify internal system boundaries (e.g., between CUI and non-CUI networks) as part of scoping and practice assessment. This includes reviewing firewalls, VLANs, DMZs, and access control lists. Verification is permitted and necessary.
C — Ensuring the external system boundary is fully defined
Incorrect. Ensuring the external boundary (e.g., internet gateway, perimeter firewalls, remote access points) is fully defined is a standard and required assessment activity. The CCA reviews documentation, diagrams, and configurations to confirm boundary completeness.
D — Examining whether communications are monitored at the external system boundary
Incorrect. Examining monitoring at the external boundary (e.g., intrusion detection, log collection, traffic analysis) is a permitted and expected assessment method for practices like SI.L2-3.14.6 (Monitor security alerts) and AU.L2-3.3.1 (Audit log creation). This is a standard examine activity.
Reference:
CMMC CCA Code of Professional Conduct – Section on Scope Limitations and Prohibited Activities. CMMC Assessment Guide – Assessor Roles and Responsibilities. See also CMMC Scoping Guidance – OSC Declaration of CUI Locations.
During the Planning Phase of the Assessment Plan, the assessor determines that the Client will likely include sensitive and proprietary CUI. What should the assessor consider as part of their virtual data collection techniques for this information?
A. The Client is responsible for safeguarding the data during collection, not the assessor.
B. The assessor is responsible for safeguarding the data during collection, not the client.
C. The assessor should record the risks and mitigations to protect the CUI categories handled.
D. The client and assessor should record the risks and mitigations to protect the CUI categories handled.
Explanation:
When sensitive/proprietary CUI is involved during virtual data collection, both parties share responsibility. The assessor must document risks/mitigations as part of professional conduct and assessment planning, while the client must also document their expectations and protections. Collaboration ensures mutual understanding of handling, storage, transmission, and destruction requirements for collected CUI evidence.
Correct Option:
D — The client and assessor should record the risks and mitigations to protect the CUI categories handled.
Both parties must jointly agree on and document how CUI will be protected during virtual data collection (e.g., encrypted transmission, secure storage, access controls, data retention/deletion). This shared documentation becomes part of the assessment plan and protects both parties legally and operationally.
Incorrect Options:
A — The Client is responsible for safeguarding the data during collection, not the assessor.
Incorrect. Once CUI is transmitted to the assessor (e.g., via secure portal, email, or shared drive), the assessor assumes responsibility for safeguarding it per CMMC CCA Code of Conduct, federal contracts, and possibly NDAs. Responsibility is shared, not solely the client's.
B — The assessor is responsible for safeguarding the data during collection, not the client.
Incorrect. The client retains responsibility for CUI within their environment even during collection. The assessor cannot unilaterally assume all responsibility. Both parties have obligations—client for secure transmission and access provisioning, assessor for secure handling post-receipt.
C — The assessor should record the risks and mitigations to protect the CUI categories handled.
Incomplete. While the assessor documents risks/mitigations, excluding the client from this process is insufficient. The client must participate in identifying risks specific to their CUI and agree to mitigations. One-sided documentation lacks mutual accountability and may miss client-specific concerns.
Reference:
CMMC CCA Code of Professional Conduct – Section on Data Protection and Confidentiality. CMMC Assessment Guide – Planning Phase, Virtual Assessment Considerations. See also DFARS 252.204-7012 (Safeguarding CUI) and NIST SP 800-171.
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
A. That risks have been identified
B. That necessary logistics have been arranged
C. Whether the OSC can better meet the targeted CMMC Level
D. That evidence is available and accessible for the targeted CMMC Level
Explanation:
The Lead Assessor's role during readiness verification is to confirm that the OSC is prepared for the assessment—not to advise on whether the OSC can achieve a different CMMC Level. Determining if the OSC can "better meet" another level (e.g., Level 3 instead of Level 2) is outside assessment scope and constitutes consulting, which is prohibited for CCAs.
Correct Option:
C — Whether the OSC can better meet the targeted CMMC Level
Assessors must not provide consulting, gap analysis, or recommendations on changing target levels. The OSC self-selects the target level. The Lead Assessor verifies readiness for that selected level only. Advising on "better meeting" another level violates CMMC separation of duties and assessor ethics.
Incorrect Options:
A — That risks have been identified
Incorrect. Confirming that the OSC has identified risks (e.g., via risk assessment documentation) is required for readiness. Without risk identification, the OSC cannot demonstrate many CMMC practices. The Lead Assessor verifies existence, not quality, during readiness.
B — That necessary logistics have been arranged
Incorrect. Logistics (e.g., scheduling, facility access, interview availability, evidence sharing mechanisms) must be confirmed before the assessment begins. Failure to arrange logistics delays or invalidates the assessment. This is a standard pre-assessment confirmation task.
D — That evidence is available and accessible for the targeted CMMC Level
Incorrect. The Lead Assessor must confirm that the OSC has prepared and can provide the required evidence (policies, procedures, logs, configurations) for the targeted level. Without accessible evidence, the assessment cannot proceed. This is a core readiness verification step.
Reference:
CMMC CCA Code of Professional Conduct – Prohibition on Consulting. CMMC Assessment Guide – Pre-Assessment Readiness Verification. See also CMMC Ecosystem – Separation of Assessor and Consultant Roles.
An OSC has built an enclave for its production environment. The enclave sits behind a firewall, with all equipment connected through a switch. There is a shipping workstation and physically connected label printer (used for the sales system, which does not process CUI) that the OSC claims are Contractor Risk Managed Assets (CRMA). Other than showing that the shipping workstation and label printer are not intended to store or transmit CUI, and documenting them in the SSP, how BEST would the OSC show that the shipping workstation and label printer are Contractor Risk Managed Assets?
A. Document in the asset inventory and include them in the network diagram to facilitate scoping discussions during the pre-assessment.
B. Document the shipping workstation and label printer in the asset inventory; show that they are managed using vendor-recommended risk-based security practices; and include them in the network diagram.
C. Document the shipping workstation and label printer in the asset inventory; show that they are managed using the organization’s risk-based security policies and procedures; and include them in the network diagram.
D. Document the shipping workstation and label printer in the asset inventory; show that they are managed using industry risk-based security best practices; and include them in the network diagram to facilitate scoping discussions during the pre-assessment.
Explanation:
Contractor Risk Managed Assets (CRMA) are assets that do not process, store, or transmit CUI but can adversely affect CUI assets. The OSC must demonstrate they are managed using the organization’s own risk-based security policies and procedures, not vendor or generic industry practices. This ensures accountability and alignment with the OSC's documented security posture.
Correct Option:
C — Document in asset inventory; show management using the organization’s risk-based security policies and procedures; include in network diagram.
This is correct because CRMA status requires demonstration that the OSC applies its own risk management framework (e.g., configuration standards, patching, access controls) to these assets. Organizational policies provide auditable, repeatable control. Network diagrams and inventory documentation enable scoping and boundary verification.
Incorrect Options:
A — Document in asset inventory and include in network diagram only.
Incomplete. Simply documenting and diagramming CRMA is insufficient. The OSC must also demonstrate how these assets are managed using risk-based practices. Without showing management methods, the assessor cannot verify that risks from these assets are controlled.
B — Show management using vendor-recommended risk-based security practices.
Incorrect. Vendor recommendations are not authoritative for CMMC CRMA compliance. The OSC must apply its own organizational policies and procedures. Vendor guidance may inform but cannot replace OSC-defined, documented, and implemented risk management practices.
D — Show management using industry risk-based security best practices + include in network diagram.
Incorrect. Industry best practices (e.g., CIS benchmarks) are useful but do not substitute for the OSC’s organizational policies and procedures. CMMC requires the OSC to govern CRMA through its own documented risk management processes, not generic external standards alone.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Contractor Risk Managed Assets (CRMA). CMMC Assessment Guide – Asset Categorization and CRMA Requirements.