Last Updated On : 4-Jun-2026


Free CyberAB CMMC-CCA Exam Questions (2026 Update)

Certified CMMC Assessor (CCA) Exam


150 realistic practice questions with detailed explanations

Assessment Objectives and Methods

The OSC POC has supplied all of the procedures, policies, and plans at the start of the assessment. One of the assessors notes that some of the documents have very recent approval dates, while others have been in place for several years based on the document history.

In order to ensure the review of this evidence is sufficient, what is the BEST step to validate the sufficiency of these documents?



A. Examine the documents to determine if they are complete.
B. Examine if the procedure in question replaced another document.
C. Interview OSC team members who should be using the procedure.
D. Interview people who hold leadership roles named in the documents.

Answer: C. Interview OSC team members who should be using the procedure.

Explanation:
Documents with very recent approval dates raise a question of whether they are actually implemented or merely "paper compliance." To validate sufficiency, the assessor must determine if personnel are following the new procedures. Interviewing OSC team members who should be using the procedure provides direct evidence of implementation, not just document existence.

Correct Option:

C — Interview OSC team members who should be using the procedure.
Interviews with operational staff reveal whether they are aware of the new procedure, have been trained, and are following it in practice. This distinguishes between recently approved documentation and actual behavioral change. It also identifies gaps between documented policy and real-world execution.

Incorrect Options:

A — Examine the documents to determine if they are complete.
Insufficient. Document completeness (format, sections, approval signatures) does not prove implementation. A complete, recently approved document may still not be followed. Examination alone cannot validate sufficiency of evidence where recency suggests possible last-minute creation.

B — Examine if the procedure in question replaced another document.
Insufficient. Knowing that a document replaced a prior version provides historical context but does not validate whether the new procedure is actually being used. This is a document management check, not an implementation validation step.

D — Interview people who hold leadership roles named in the documents.
Incorrect. Leadership interviews confirm intent and approval but not day-to-day implementation. Non-leadership personnel (system administrators, incident responders, users) are the ones who must follow procedures. Leaders may be unaware of actual compliance gaps on the ground.

Reference:
CMMC Assessment Guide (CAG) – Evidence Sufficiency and Validation. CMMC CCA Handbook – Combining Examine and Interview Methods. See also NIST SP 800-171A (Assessment Procedures) – Objective 1 vs. Objective 2 evidence.

During an assessment, the Lead Assessor determines that certain assets the OSC had considered out-of-scope are in fact in scope.

The CCA should reply that for assets to be considered out-of-scope they:



A. Provide security protections to CUI assets.
B. Do not provide security protections for CUI assets.
C. Can, but are not intended to, process, store, or transmit CUI.
D. Are not required to be physically or logically separated from CUI assets.

Answer: B. Do not provide security protections for CUI assets.

Explanation:
For an asset to be considered out-of-scope in a CMMC assessment, it must neither process, store, nor transmit CUI and must not provide security protections to CUI assets. If an asset provides security protections (e.g., firewall, IDS, authentication server), it becomes a Security Protection Asset (SPA) and is in-scope regardless of CUI handling.

Correct Option:

B — Do not provide security protections for CUI assets.
Out-of-scope assets must meet two conditions: (1) they do not process, store, or transmit CUI, and (2) they do not provide security protections to CUI assets. If an asset performs security functions (logging, access control, monitoring), it is a Security Protection Asset and remains in-scope even without direct CUI handling.

Incorrect Options:

A — Provide security protections to CUI assets.
Incorrect. Assets that provide security protections to CUI assets are Security Protection Assets (SPAs) and are explicitly in-scope for assessment. This describes the opposite of an out-of-scope asset. SPAs must be assessed against relevant practices.

C — Can, but are not intended to, process, store, or transmit CUI.
Incorrect. Assets that can process CUI but are not intended to (i.e., no CUI flows to them) may still be Contractor Risk Managed Assets (CRMA) or potentially out-of-scope if properly isolated. However, the key differentiator for out-of-scope is also not providing security protections. This option omits that critical condition.

D — Are not required to be physically or logically separated from CUI assets.
Incorrect. Out-of-scope assets must be physically or logically separated from CUI assets. If an asset can reach or be reached by CUI assets without controls, it cannot be out-of-scope. Lack of separation would make it a CRMA or SPA, not out-of-scope.

Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Out-of-Scope Assets definition. CMMC Assessment Guide – Asset Categorization Criteria (CUI Assets, SPAs, CRMAs, Out-of-Scope).

While onsite conducting a CMMC Level 2 assessment at a small architecture firm that handles DoD construction contracts, the client offers a list of personnel for interviews. To answer questions regarding visitor access controls, which personnel would be MOST appropriate for interviewing?



A. System Administrator
B. Front-desk Receptionist
C. Administrative Assistant
D. Senior Architecture Partner

Answer: B. Front-desk Receptionist

Explanation:
Visitor access controls (PE.L2-3.10.3 and PE.L2-3.10.4) involve physical security processes such as visitor check-in, badge issuance, escorting, logging, and return of badges. The front-desk receptionist typically performs or directly oversees these daily visitor management functions and can best describe actual implementation, exceptions, and any deviations from policy.

Correct Option:

B — Front-desk Receptionist
The receptionist is usually the first point of contact for visitors and directly executes visitor access procedures (e.g., logging entry/exit, issuing badges, notifying escorts, collecting badges). This role provides firsthand operational knowledge of how visitor controls function in practice, making them the most appropriate interview subject.

Incorrect Options:

A — System Administrator
Incorrect. System administrators focus on logical access (accounts, passwords, permissions), not physical visitor controls. While they may manage physical access systems (e.g., badge databases), they rarely execute daily visitor processes. Their knowledge is technical/systemic rather than procedural/operational.

C — Administrative Assistant
Incorrect. Administrative assistants may handle some visitor coordination but typically not primary visitor access control execution unless specifically assigned. The front-desk receptionist is the dedicated role for this function. The assistant's knowledge may be inconsistent or secondary.

D — Senior Architecture Partner
Incorrect. Senior leadership (partners) typically do not perform visitor access control duties. They set policy direction but cannot speak to day-to-day implementation, exceptions, or staff adherence. Interviewing senior leadership for operational physical security questions is inefficient and unlikely to yield accurate evidence.

Reference:
CMMC Level 2 Practice PE.L2-3.10.3 (Escort visitors) and PE.L2-3.10.4 (Visitor access logs). CMMC Assessment Guide – Selecting Interview Subjects Based on Control Ownership.

An organization has contracted with a third party for system maintenance and support. The third-party personnel all work remotely. Which of the following should an assessor ensure is in place?



A. Only third-party personnel can perform system maintenance functions.
B. Third-party personnel need to be identified and monitored while performing maintenance.
C. The number of third-party personnel who can access the organization’s systems concurrently is limited.
D. Remote access to systems used by the third party for maintenance functions is terminated automatically based on a defined set of criteria.

Answer: D. Remote access to systems used by the third party for maintenance functions is terminated automatically based on a defined set of criteria.

Explanation:
For remote third-party maintenance personnel, CMMC requires that remote access sessions be terminated automatically based on defined criteria (e.g., after task completion, after inactivity timeout, at scheduled times). This aligns with MA.L2-3.7.5, which requires non-local maintenance sessions to be terminated when no longer needed. Automated termination ensures no lingering access.

Correct Option:

D — Remote access to systems used by the third party for maintenance functions is terminated automatically based on a defined set of criteria.
This directly addresses the MA.L2-3.7.5 requirement. Defined criteria (e.g., session timeout, task completion, end of workday) must be documented and enforced automatically. Manual termination is insufficient. This prevents unauthorized extended access after maintenance is complete.

Incorrect Options:

A — Only third-party personnel can perform system maintenance functions.
Incorrect. The organization's own personnel can also perform maintenance. CMMC does not restrict maintenance exclusively to third parties. This option is overly restrictive and irrelevant to the requirement for remote third-party maintenance controls.

B — Third-party personnel need to be identified and monitored while performing maintenance.
Incorrect. While identification and monitoring are good practices, they are not the primary assurance required for remote third-party maintenance. The specific CMMC requirement (MA.L2-3.7.5) focuses on terminating remote sessions, not just monitoring or identifying personnel.

C — The number of third-party personnel who can access the organization’s systems concurrently is limited.
Incorrect. Concurrent access limits are not explicitly required by CMMC for third-party maintenance. While capacity planning may impose limits, this is not a control requirement. The core requirement remains termination of remote sessions after maintenance.

Reference:
CMMC Level 2 Practice MA.L2-3.7.5 (Non-local maintenance session termination). NIST SP 800-171 Rev 2, Requirement 3.7.5. See also CMMC Assessment Guide, Maintenance domain – Remote maintenance controls.

An OSC is preparing for an assessment and wants to gather evidence that will be used by the Lead Assessor to determine the scope of the assessment. The OSC currently operates a hybrid network, with part of their infrastructure at their physical location and part of their infrastructure in a cloud environment.

What evidence should the OSC collect that would assist the Lead Assessor in determining cloud and hybrid environment constraints?



A. Subnetworks list
B. System inventory
C. Company-owned hardware list
D. Cloud Service Provider’s Customer Responsibility Matrix

Answer: D. Cloud Service Provider’s Customer Responsibility Matrix

Explanation:
For cloud and hybrid environments, the Cloud Service Provider's (CSP) Customer Responsibility Matrix clearly delineates which security controls are managed by the CSP versus the OSC. This directly informs the Lead Assessor about constraints—what the OSC is responsible for assessing versus what is inherited or must be verified via third-party assessments (e.g., FedRAMP).

Correct Option:

D — Cloud Service Provider’s Customer Responsibility Matrix
The responsibility matrix is essential for scoping a hybrid assessment. It shows which CMMC practices the OSC must fully implement, which are shared, and which are solely the CSP's responsibility. Without this, the assessor cannot determine the OSC's compliance boundaries or constraints in the cloud environment.

Incorrect Options:

A — Subnetworks list
Incorrect. A subnetworks list helps understand network segmentation but does not address cloud-specific constraints or division of responsibilities between OSC and CSP. Subnets alone reveal nothing about CSP security controls or OSC obligations.

B — System inventory
Incorrect. System inventory identifies assets but does not clarify CSP/OSC responsibility boundaries. An asset listed as "cloud VM" without a responsibility matrix leaves unknown who secures the hypervisor, physical host, or network. Inventory is necessary but insufficient for hybrid constraints.

C — Company-owned hardware list
Incorrect. This only applies to on-premises assets. In a hybrid environment, many critical assets reside in the cloud and are not company-owned. This list ignores cloud constraints entirely and provides no information about CSP-managed controls.

Reference:
CMMC Scoping Guidance – Cloud and Hybrid Environment Considerations. FedRAMP Shared Responsibility Model. CMMC Assessment Guide – External Service Provider (ESP) requirements. NIST SP 800-171 Appendix G (External Service Providers).

The OSC’s network consists of a single unmanaged switch that connects all devices, including OT equipment which cannot run a vendor-supported operating system. The OSC correctly scoped the OT equipment as a Specialized Asset, listed it in their inventory and SSP, and provided a network diagram showing plans to isolate the OT and apply additional security measures. What information does the Lead Assessor still require to ensure compliance?



A. Installation and configuration documentation for the OT to ensure it was correctly built
B. Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices
C. Wording in the SSP detailing how the OT is managed using the OSC’s risk-based security policies, procedures, and practices
D. Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices

Answer: D. Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices

Explanation:
For a Specialized Asset (OT equipment with unsupported OS), the OSC must provide evidence that planned mitigations (network isolation, additional security measures) are actually implemented, not just documented as plans. The Lead Assessor needs proof that isolation is completed before or during the assessment, plus evidence for all applicable CMMC practices that the OSC claims are met.

Correct Option:

D — Evidence that the network isolation is completed by the end of the assessment as well as supporting evidence for all other applicable CMMC practices.
Plans and diagrams are insufficient. The OSC must demonstrate implementation. Network isolation must be completed (not just planned) by assessment end. Additionally, all other CMMC practices applicable to this Specialized Asset (e.g., access controls, audit, configuration management) require supporting evidence.

Incorrect Options:

A — Installation and configuration documentation for the OT to ensure it was correctly built.
Insufficient. While configuration documentation may be part of evidence, the critical missing element is proof that isolation and additional security measures are implemented. Installation docs alone do not verify network isolation or risk management execution.

B — Wording in the scoping document detailing how the OT adheres to all other applicable CMMC practices.
Incorrect. Wording (text in a document) is not evidence of implementation. The OSC already provided a plan. More descriptive wording does not prove execution. Assessors need objective evidence (configurations, logs, interviews), not additional narrative.

C — Wording in the SSP detailing how the OT is managed using the OSC’s risk-based security policies.
Incorrect. The SSP already documents plans. Additional wording does not close the gap between planning and implementation. Evidence of actual management (e.g., patching logs, access reviews, monitoring) is required, not more policy language.

Reference:
CMMC Scoping Guidance – Specialized Assets (OT, legacy systems). CMMC Assessment Guide – Evidence Requirements for Specialized Assets. NIST SP 800-171 Requirement 3.11.3 (Plan of action).

An OSC is presenting evidence of its fulfillment of CM.L2-3.4.1: System Baselining. It provides:

System inventory records showing additions/removals of machines,

Software inventory showing installations/removals, and

A system component installation plan with software needs and user specifications.

What other documentation MUST the company present to illustrate compliance with CM.L2-3.4.1?



A. Documentation of the physical safeguards protecting the “gold” baseline images
B. Documentation of a formal baseline review integrated with a system development lifecycle
C. Documentation of any authorized deviations from the system baselines for end-user computers
D. Documentation of a formal chain of custody for new hardware on which baselines will be installed

Answer: C. Documentation of any authorized deviations from the system baselines for end-user computers

Explanation:
CM.L2-3.4.1 requires establishing and documenting system baselines (configurations, software, hardware). A complete baseline includes not only what is standard but also any authorized deviations from that standard for specific end-user computers (e.g., exceptions for engineering software, legacy app compatibility). Without documenting deviations, the OSC cannot demonstrate controlled baseline management.

Correct Option:

C — Documentation of any authorized deviations from the system baselines for end-user computers.
Deviations from the baseline must be documented, authorized, and reviewed. This ensures that non-standard configurations are not security gaps or compliance violations. The evidence provided (inventories, installation plan) shows baseline intent but lacks proof that exceptions are formally managed.

Incorrect Options:

A — Documentation of the physical safeguards protecting the “gold” baseline images.
Incorrect. Physical protection of baseline images relates to media protection (MP.L2-3.8.3) or physical security (PE), not to CM.L2-3.4.1 itself. While good practice, it is not required for establishing system baselines. This option addresses a different practice.

B — Documentation of a formal baseline review integrated with a system development lifecycle.
Incorrect. Baseline review frequency and SDLC integration are not explicit requirements of CM.L2-3.4.1. The practice focuses on establishing and maintaining baselines, not necessarily tying them to a formal SDLC. This is an enhancement, not a mandatory documentation element.

D — Documentation of a formal chain of custody for new hardware on which baselines will be installed.
Incorrect. Chain of custody for hardware relates to asset management or physical security, not to baseline establishment. The baseline practice does not require tracking hardware provenance. This option describes a control not mandated by CM.L2-3.4.1.

Reference:
CMMC Level 2 Practice CM.L2-3.4.1 (Establish and document system baselines). NIST SP 800-171 Rev 2, Requirement 3.4.1. NIST SP 800-128 (Configuration Management – baseline deviations). CMMC Assessment Guide, CM domain.

An OSC has contracted a C3PAO to perform a Level 2 Assessment. As the Lead Assessor is analyzing the assessment requirements, it is found that the OSC does not have a document detailing the assessment scope. How can this problem BEST be fixed?



A. The Assessment Team is supposed to generate the document before moving forward.
B. The CCA tells the OSC they must provide the document before the assessment can begin.
C. The OSC and the Lead Assessor jointly create the document at the beginning of the assessment.
D. The Lead Assessor can regulate the assessment and create/adjust the document moving forward.

Answer: B. The CCA tells the OSC they must provide the document before the assessment can begin.

Explanation:
The OSC is responsible for defining and documenting the assessment scope based on CMMC scoping guidance (CUI flow, asset categorization, network boundaries). The assessor cannot generate this document for the OSC, as that would constitute consulting and create a conflict of interest. The OSC must provide it before the assessment can proceed.

Correct Option:

B — The CCA tells the OSC they must provide the document before the assessment can begin.
The OSC owns the scope definition. The CCA's role is to verify the accuracy of the OSC's scoping, not to create it. Without a documented scope from the OSC, the assessment cannot proceed because boundaries, assets, and applicable practices are undefined. The assessor instructs the OSC to produce this prerequisite document.

Incorrect Options:

A — The Assessment Team is supposed to generate the document before moving forward.
Incorrect. Assessors cannot generate scoping documents for the OSC. Doing so violates separation of duties and the prohibition against consulting. The OSC must define its own scope based on its systems, CUI flows, and asset inventory.

C — The OSC and the Lead Assessor jointly create the document at the beginning of the assessment.
Incorrect. Joint creation blurs responsibility and may bias the assessment. The OSC creates the scope document independently; the assessor reviews and validates it. Collaboration on creation is not permitted as it places the assessor in a consulting role.

D — The Lead Assessor can regulate the assessment and create/adjust the document moving forward.
Incorrect. The Lead Assessor does not regulate by creating OSC documentation. While the assessor may identify discrepancies in the OSC's scope, adjusting or creating the scope document for the OSC is prohibited. The OSC must correct and resubmit its own document.

Reference:
CMMC Assessment Guide – Scoping Document Ownership and OSC Responsibilities. CMMC CCA Code of Professional Conduct – Prohibition on Preparing OSC Documentation. CMMC Scoping Guidance v2.0.

A CCA is assessing the implementation of the Incident Reporting practice. To validate the control, what MUST the CCA ensure about the OSC?



A. Incidents are tracked and documented
B. Incident sources are configured and tuned
C. Law enforcement officials are automatically notified during an incident
D. Forensic investigations are performed to determine the impact of the incident

Answer: A. Incidents are tracked and documented

Explanation:
The Incident Reporting practice (IR.L2-3.6.2) requires organizations to track, document, and report incidents to designated officials (e.g., management, CISO, or appropriate external entities). The core validation is ensuring incidents are actually tracked and documented—not just reported verbally. Documentation provides auditable evidence of incident handling and reporting compliance.

Correct Option:

A — Incidents are tracked and documented
Tracking and documentation are fundamental to IR.L2-3.6.2. The CCA must verify that the OSC has a process to record incident details (date, time, description, impact, response actions, reporting status). Without documentation, there is no objective evidence that incidents are being properly reported or managed.

Incorrect Options:

B — Incident sources are configured and tuned
Incorrect. Configuring and tuning incident sources (e.g., SIEM, IDS alerts) relates to IR.L2-3.6.1 (incident detection capabilities) or SI.L2-3.14.6 (monitoring). This is not a requirement for the Incident Reporting practice (IR.L2-3.6.2). The question specifically asks about reporting, not detection.

C — Law enforcement officials are automatically notified during an incident
Incorrect. Automatic notification to law enforcement is not a CMMC requirement. Reporting to law enforcement may be required under specific legal obligations (e.g., data breach laws) but is not mandated by IR.L2-3.6.2. Reporting is typically to internal management or designated external points of contact (e.g., CISA for certain incidents).

D — Forensic investigations are performed to determine the impact of the incident
Incorrect. Forensic investigations are not always required for every incident and are not part of the Incident Reporting practice. Forensic analysis falls under IR.L2-3.6.4 (incident response testing) or advanced incident handling. The basic reporting practice does not mandate forensics.

Reference:
CMMC Level 2 Practice IR.L2-3.6.2 (Incident reporting). NIST SP 800-171 Rev 2, Requirement 3.6.2. NIST SP 800-61 (Incident Handling Guide – tracking and documentation). CMMC Assessment Guide, IR domain.

While scoping the assessment, the assessor learns that the OSC uses various cloud-based solutions sporadically as part of its normal course of business. The OSC states that most business is conducted on-premises and that only a small amount of business uses the cloud. The OSC thinks the cloud is only used for system backups, but there are isolated exceptions.

Are the data provided sufficient to determine that the OSC limits connection to external information systems?



A. No, the OSC stated most of its business is on-premises.
B. No, the OSC did not fully define the extent external connections are used.
C. Yes, the OSC confirmed that external connections occur.
D. Yes, the OSC confirmed that external connections occur for system backups.

Answer: B. No, the OSC did not fully define the extent external connections are used.

Explanation:
To determine if the OSC limits connections to external information systems (SC.L2-3.13.1), the assessor needs a complete and precise definition of all external connections—their purpose, frequency, data types, and security controls. The OSC provided vague statements ("sporadically," "isolated exceptions," "small amount of business") without fully defining the extent, which is insufficient.

Correct Option:

B — No, the OSC did not fully define the extent external connections are used.
The OSC's response lacks specificity. "Sporadic," "isolated exceptions," and "small amount" are not measurable or verifiable. The assessor cannot determine if external connections are properly limited without a complete inventory of cloud services, their business purposes, data flows (including CUI), and applicable security controls.

Incorrect Options:

A — No, the OSC stated most of its business is on-premises.
Incorrect. The fact that most business is on-premises does not address the insufficiency. The problem is undefined extent of external connections, not the proportion of on-premises versus cloud. An undefined small number of external connections still cannot be assessed for limitation controls.

C — Yes, the OSC confirmed that external connections occur.
Incorrect. Confirming that external connections exist does not satisfy the requirement to determine if they are limited. The practice requires assessment of controls that restrict and manage external connections. Simply knowing they occur provides no basis to evaluate limitation.

D — Yes, the OSC confirmed that external connections occur for system backups.
Incorrect. Even if backups are one purpose, the OSC admits "isolated exceptions" for other cloud use. These exceptions are undefined. The assessor cannot determine limitation without knowing all external connection types, including exceptions. Partial information is insufficient.

Reference:
CMMC Level 2 Practice SC.L2-3.13.1 (Limit connections to external information systems). NIST SP 800-171 Rev 2, Requirement 3.13.1. CMMC Assessment Guide – External Connection Scoping and Documentation Requirements.

Page 3 out of 15 Pages