Last Updated On : 4-Jun-2026
Certified CMMC Assessor (CCA) Exam
150 realistic practice questions with detailed explanations
Scoping and System Boundaries
The Lead Assessor is planning to conduct an assessment for an OSC. The Assessor has been given a preliminary asset inventory list by the OSC. How would the Lead Assessor determine if any assets are out-of-scope for the assessment?
A. All assets in an OSC’s inventory fall within the scope of the assessment and, as such, should be assessed against the CMMC practices.
B. None of the assets in an OSC’s inventory fall within the scope of the assessment and, as such, should not be assessed against the CMMC practices.
C. Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.
D. Out-of-Scope Assets can process, store, or transmit CUI because they do not need to be physically or logically separated.
Explanation:
For an asset to be considered out-of-scope, it must be unable to process, store, or transmit CUI—either because it is physically/logically separated from CUI assets (e.g., air-gapped network, separate VLAN with no routing) or inherently incapable (e.g., label printer with no persistent storage). The Lead Assessor verifies these conditions against the asset inventory.
Correct Option:
C — Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI assets, or they are inherently unable to do so.
This correctly states the out-of-scope criteria. Physical/logical separation ensures no CUI flow. Inherent inability (e.g., device lacks storage or network connectivity) also qualifies. The assessor reviews network diagrams, configurations, and device capabilities to confirm these conditions for each claimed out-of-scope asset.
Incorrect Options:
A — All assets in an OSC’s inventory fall within the scope.
Incorrect. Not all assets are automatically in-scope. CMMC allows out-of-scope assets if they meet separation or inherent inability criteria. Claiming all assets are in-scope ignores legitimate scoping exclusions and would unnecessarily expand assessment scope.
B — None of the assets in an OSC’s inventory fall within the scope.
Incorrect. This is false. Assets that process, store, or transmit CUI (CUI Assets) are always in-scope. Security Protection Assets are also in-scope. Many or most assets in an inventory typically fall within scope for a CMMC assessment.
D — Out-of-Scope Assets can process, store, or transmit CUI because they do not need to be physically or logically separated.
Incorrect. This is the opposite of the correct definition. If an asset can process, store, or transmit CUI, it cannot be out-of-scope. Out-of-scope assets must be incapable of doing so. No exception exists for lack of separation.
Reference:
CMMC Model v2.0, Level 2 Scoping Guidance – Out-of-Scope Assets definition and criteria. CMMC Assessment Guide – Asset Categorization and Scope Determination.
A Lead Assessor is conducting an assessment for an OSC. The Lead Assessor is collecting evidence regarding the OSC’s network separation techniques. Which technique would be considered a logical separation technique and would fall within the scope of the assessment?
A. Data loss alerting configured at the edge of the network containing CUI assets
B. Access limitation based on badge access assigned to employees based on role
C. Role-based access control within a properly implemented identity and access management tool
D. A proxy-configured firewall that prevents data from flowing along the physical connection path
Explanation:
Logical separation uses software or configuration controls to isolate network traffic or resources, not physical hardware separation. Role-Based Access Control (RBAC) within an Identity and Access Management (IAM) tool logically separates users and systems by enforcing permissions based on roles, ensuring CUI assets are accessed only by authorized subjects—a key logical separation technique.
Correct Option:
C — Role-based access control within a properly implemented identity and access management tool
RBAC logically separates access by assigning permissions to roles rather than to individuals. Within an IAM tool, this enforces separation between CUI and non-CUI systems/users without physical network changes. This is a logical separation technique and falls within scope for practices such as AC.L2-3.1.1 (Authorized Access Control) and SC.L2-3.13.5 (Public-Access System Separation, the NIST SP 800-171 requirement that subnetworks be physically or logically separated).
Incorrect Options:
A — Data loss alerting configured at the edge of the network containing CUI assets
Incorrect. Data loss alerting (DLP alerts) is a monitoring and detection technique, not a separation technique. It identifies potential data exfiltration but does not logically or physically separate networks or assets. This addresses SI.L2-3.14.6, not network separation.
B — Access limitation based on badge access assigned to employees based on role
Incorrect. Badge access is a physical access control (PE.L2-3.10.1, Limit Physical Access; PE.L2-3.10.5, Manage Physical Access devices), not a logical separation technique. It controls physical entry to rooms/buildings, not network-level or system-level separation. Physical controls are assessed separately and do not constitute logical network separation.
D — A proxy-configured firewall that prevents data from flowing along the physical connection path
Incorrect. While a proxy firewall can provide separation, the description focuses on preventing data flow along a physical path. This mixes physical and logical concepts. A correctly configured firewall for logical separation would enforce rules based on IP, port, or protocol—not primarily "physical connection path." This option is poorly defined and misrepresents logical separation.
Reference:
CMMC Level 2 Practice SC.L2-3.13.5 (Public-Access System Separation). NIST SP 800-171 Requirement 3.13.5 (subnetworks physically or logically separated from internal networks). CMMC Assessment Guide – Logical vs. Physical Separation. NIST SP 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
During an assessment, the Assessment Team has identified, according to the SSP and network diagram, that there is a mission system that cannot be altered but that has privileged accounts which should have MFA applied. As it is not possible to deploy a typical type of MFA on the mission system, which of the following constitutes a sufficient second factor?
A. VPN access to the mission system
B. User access logs on the mission system
C. Badge access to the mission system room
D. Remote access logs on the mission system
Explanation:
When a legacy or mission-critical system cannot support software-based MFA (e.g., OTP tokens, smart cards), a physical second factor may suffice. Badge access to the room housing the mission system serves as "something you have" (the badge) combined with "something you know" (password), meeting MFA intent even if the system itself cannot enforce logical MFA.
Correct Option:
C — Badge access to the mission system room
Physical badge access (proximity card, smart badge) provides a second authentication factor (something you have) when the system cannot support logical MFA. The OSC must demonstrate that physical access to the system console or server room is required before privileged access is granted, compensating for the technical limitation. The assessor should also confirm that this compensation only covers local console access: IA.L2-3.5.3 applies to both local and network access to privileged accounts, so any network path to those accounts must either be blocked or carry its own second factor, and the badge system's access logs should show who was in the room when each privileged logon occurred.
Incorrect Options:
A — VPN access to the mission system
Incorrect. VPN access typically uses a password (something you know) plus potentially another factor. However, VPN alone is not a second factor applied to the mission system itself. VPN authenticates network access, not privileged access to the system. The system's own privileged accounts remain without MFA.
B — User access logs on the mission system
Incorrect. Access logs are audit records (AU domain), not an authentication factor. Logs record activity after the fact; they do not prevent unauthorized access at login. Logs cannot serve as "something you have," "something you are," or "somewhere you are."
D — Remote access logs on the mission system
Incorrect. Same issue as option B. Remote access logs document who accessed and when, but they are not an authentication mechanism. They provide no real-time second factor at login. Logs are evidence for review, not a compensating control for missing MFA.
Reference:
CMMC Level 2 Practice IA.L2-3.5.3 (Multifactor Authentication). NIST SP 800-171 Requirement 3.5.3. NIST SP 800-171B (draft; since published as NIST SP 800-172). CMMC Assessment Guide – Compensating Controls for MFA on Legacy Systems.
A cloud-native OSC uses a vendor’s FedRAMP MODERATE authorized cloud environment for all aspects of their CUI needs (identity, email, file storage, office suite, etc.) as well as the vendor’s locally installable applications. The OSC properly configured the vendor’s cloud-based SIEM system to monitor all aspects of the cloud environment. The OSC’s SSP documents SI.L2-3.14.7: Identify Unauthorized Use, defining authorized use and referencing procedures for identifying unauthorized use. How should the Certified Assessor score this practice?
A. NOT MET because logs from physical infrastructure are not captured by the SIEM.
B. NOT MET because locally installable applications from a cloud-native environment are not allowed.
C. MET because being cloud-native is a great way to contain risk to a vendor’s environment.
D. MET because the cloud SIEM is configured to monitor all of the vendor’s cloud environment.
Explanation:
SI.L2-3.14.7 requires the OSC to identify unauthorized use of the system. The OSC has configured a cloud-based SIEM to monitor all aspects of the vendor's cloud environment where CUI resides. With the SSP defining authorized use and referencing identification procedures, the practice is MET—provided the SIEM covers the in-scope cloud assets and the vendor's FedRAMP MODERATE authorization is accepted.
Correct Option:
D — MET because the cloud SIEM is configured to monitor all of the vendor’s cloud environment.
The SIEM monitors the entire cloud environment used for CUI (identity, email, storage, office suite). This enables identification of unauthorized use. FedRAMP MODERATE provides an acceptable baseline for the underlying cloud infrastructure. The OSC's SSP documents the practice. Therefore, the practice is MET.
Incorrect Options:
A — NOT MET because logs from physical infrastructure are not captured by the SIEM.
Incorrect. Under FedRAMP MODERATE, physical infrastructure logs are the CSP's responsibility. The OSC inherits those controls. The OSC is not required to capture physical infrastructure logs directly. CMMC allows inheritance of CSP-managed controls for cloud environments.
B — NOT MET because locally installable applications from a cloud-native environment are not allowed.
Incorrect. There is no CMMC prohibition against locally installable applications from a cloud vendor. The assessment focuses on SIEM monitoring and identification of unauthorized use. Local applications are permitted if properly secured and scoped.
C — MET because being cloud-native is a great way to contain risk to a vendor’s environment.
Incorrect. This reasoning is flawed. Being cloud-native does not automatically make any practice MET. The scoring must be based on evidence (SIEM configuration, SSP documentation, authorized use definition), not generic advantages of cloud-native architecture.
Reference:
CMMC Level 2 Practice SI.L2-3.14.7 (Identify unauthorized use). FedRAMP MODERATE authorization recognition in CMMC. CMMC Assessment Guide – Inherited Controls from CSPs. NIST SP 800-171 Requirement 3.14.7.
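The practice is only MET if the SSP's definition of authorized use is something the SIEM can actually be tested against. As an added illustration (not from the practice test and not any vendor's product), the following Python sketch shows what "define authorized use, then identify deviations" looks like when run over exported SIEM records. The policy values, account names, the one-JSON-object-per-line log format and the log lines themselves are constructed for the example; a real assessment would take the policy from the SSP and the records from the OSC's SIEM.

```python
"""Added example: a minimal 'identify unauthorized use' check in the spirit of
SI.L2-3.14.7. Policy, accounts, log format and records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Authorized use as an SSP might define it (constructed values).
AUTHORIZED_USE = {
    "accounts": {"alice", "bob", "svc-backup"},
    "service_accounts": {"svc-backup"},   # must never log in interactively
    "countries": {"US"},
    "business_hours_utc": (12, 23),       # 12:00-22:59 UTC; end is exclusive
    "apps": {"mail", "files", "office"},
}


@dataclass
class Finding:
    event_id: str
    account: str
    reason: str


def _parse(line):
    """SIEM export is assumed to be one JSON object per line (constructed)."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
    return rec


def evaluate(rec, policy=AUTHORIZED_USE):
    """Return the list of authorized-use clauses this single event violates."""
    reasons = []
    if rec["account"] not in policy["accounts"]:
        reasons.append("account not in authorized-use list")
    if rec["account"] in policy["service_accounts"] and rec["interactive"]:
        reasons.append("interactive logon by service account")
    if rec["country"] not in policy["countries"]:
        reasons.append(f"source country {rec['country']} not authorized")
    start, end = policy["business_hours_utc"]
    if not (start <= rec["ts"].hour < end):
        reasons.append(f"outside authorized hours ({rec['ts'].hour:02d}:00 UTC)")
    if rec["app"] not in policy["apps"]:
        reasons.append(f"application {rec['app']} not authorized")
    return reasons


def find_unauthorized(lines, policy=AUTHORIZED_USE):
    """Run every record through the policy and collect one Finding per violation."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = _parse(line)
        for reason in evaluate(rec, policy):
            findings.append(Finding(rec["id"], rec["account"], reason))
    return findings


# Constructed sign-in records: e1 is clean, e2 is off-hours, e3 is an unknown
# account from an unauthorized country, e4 is a service account used
# interactively, e5 uses an application the SSP does not authorize.
SAMPLE_LOG = """
{"id":"e1","ts":"2025-03-03T14:05:00+00:00","account":"alice","country":"US","app":"mail","interactive":true}
{"id":"e2","ts":"2025-03-03T03:10:00+00:00","account":"bob","country":"US","app":"files","interactive":true}
{"id":"e3","ts":"2025-03-03T15:00:00+00:00","account":"mallory","country":"RO","app":"files","interactive":true}
{"id":"e4","ts":"2025-03-03T16:30:00+00:00","account":"svc-backup","country":"US","app":"office","interactive":true}
{"id":"e5","ts":"2025-03-03T17:00:00+00:00","account":"alice","country":"US","app":"rdp","interactive":true}
"""

if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_LOG.splitlines()):
        print(f"{f.event_id} {f.account}: {f.reason}")
```

The point for the assessor is the shape of the evidence: each clause of the SSP's "authorized use" definition corresponds to a concrete check the SIEM can run, and the OSC can show an alert or report for each kind of deviation. A SIEM that collects everything but has no such rules would not demonstrate SI.L2-3.14.7.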
An Assessor is evaluating controls put in place by an OSC to restrict the use of privileged accounts. The Assessor interviews privileged users and confirms that the OSC has both a policy and specific procedures governing the use of privileged accounts for security functions. What else could the Assessor evaluate to validate the assertions made by the interviewed OSC staff?
A. Examine the system architecture of the OSC to identify privileged accounts
B. Test the processes for non-privileged accounts to perform privileged functions
C. Examine the procedure assigning privileged roles to non-privileged functions
D. Test the processes for privileged accounts with privileged users
Explanation:
To validate restrictions on privileged account use (AC.L2-3.1.6), the assessor has already interviewed users and reviewed policy/procedures. Next, the assessor should examine system architecture documentation (e.g., user role definitions, group memberships, permission assignments) to objectively verify which accounts exist, their privileges, and whether privileged accounts are appropriately limited.
Correct Option:
A — Examine the system architecture of the OSC to identify privileged accounts
Examining system architecture (AD/LDAP groups, sudoers, role definitions) provides objective evidence of privileged account existence and configuration. This complements interviews by confirming that only authorized privileged accounts exist and that non-privileged accounts cannot perform privileged functions. Architecture review is a standard Examine method.
Incorrect Options:
B — Test the processes for non-privileged accounts to perform privileged functions
Incorrect. Testing whether non-privileged accounts can execute privileged functions is a legitimate Test method, but it validates AC.L2-3.1.7 (Privileged Functions: prevent non-privileged users from executing privileged functions and log any such execution), not AC.L2-3.1.6, which concerns using non-privileged accounts or roles for nonsecurity functions. It also does not corroborate what the interviewed privileged users asserted about restricting their own privileged-account use, so it is not the right next step here.
C — Examine the procedure assigning privileged roles to non-privileged functions
Incorrect. Privileged roles should not be assigned to non-privileged functions. Examining such a procedure would be irrelevant because it contradicts least privilege. This option misstates the control objective. The assessor needs to examine privileged account assignments, not "non-privileged functions."
D — Test the processes for privileged accounts with privileged users
Incorrect. This is vague and likely redundant. The assessor already interviewed privileged users. Testing "processes for privileged accounts with privileged users" is unclear—does this mean re-authentication testing? Privileged command auditing? Without specificity, this is not a standard validation step and may duplicate interview findings.
Reference:
CMMC Level 2 Practice AC.L2-3.1.6 (Non-privileged account use). NIST SP 800-171 Requirement 3.1.6. CMMC Assessment Guide – Combining Interview and Examine methods. NIST SP 800-53 AC-6 (Least Privilege).
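What "examine the system architecture to identify privileged accounts" produces in practice is a list derived from the system's own configuration, compared with the accounts the SSP says are authorized to hold privilege. As an added example (not from the practice test and not an official CMMC artifact), the Python below does that for a Linux host: it parses a constructed /etc/group export and a constructed sudoers file, expands group-based sudo rules to concrete accounts, and reports differences from the SSP's list. The group names, file contents, the SSP list, and the "-adm" naming convention for separate administrative accounts are all assumptions for illustration.

```python
"""Added example: an Examine-style privileged-account review for AC.L2-3.1.6.
/etc/group and sudoers contents, the SSP list and the '-adm' convention are
constructed assumptions, not taken from any real OSC."""
import re

# Constructed /etc/group export from the host under review.
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice-adm,bob-adm
sudo:x:27:carol
staff:x:50:alice,bob,carol
"""

# Constructed sudoers; %name rules apply to members of that group.
SUDOERS = """\
# constructed sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
%sudo   ALL=(ALL) NOPASSWD: ALL
dave    ALL=(ALL) ALL
bob     ALL=(root) /usr/bin/systemctl restart httpd
"""

# Accounts the SSP authorizes to hold privilege (constructed).
SSP_PRIVILEGED = {"root", "alice-adm", "bob-adm"}


def parse_groups(text):
    """Return {group: set(members)} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return {principal: [(runas, command_spec)]}; '%name' principals are groups."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"^(\S+)\s+\S+=\((.*?)\)\s*(.*)$", line)
        if not m:
            continue
        principal, runas, cmds = m.groups()
        rules.setdefault(principal, []).append((runas, cmds))
    return rules


def privileged_accounts(groups, rules):
    """Expand user and %group sudoers principals to concrete account names."""
    accounts = {}
    for principal, specs in rules.items():
        members = groups.get(principal[1:], set()) if principal.startswith("%") else {principal}
        for acct in members:
            accounts.setdefault(acct, []).extend(specs)
    return accounts


def review(groups, rules, ssp_privileged, adm_suffix="-adm"):
    """Compare what the host grants with what the SSP authorizes."""
    found = privileged_accounts(groups, rules)
    # Assumption: admins use '<user>-adm' for privileged work and the plain
    # '<user>' account for nonsecurity functions, which is the intent of 3.1.6.
    everyday_with_privilege = sorted(
        a[: -len(adm_suffix)] for a in found
        if a.endswith(adm_suffix) and a[: -len(adm_suffix)] in found
    )
    return {
        "privileged": sorted(found),
        "not_in_ssp": sorted(set(found) - ssp_privileged),
        "in_ssp_not_on_system": sorted(ssp_privileged - set(found)),
        "nopasswd": sorted(a for a, specs in found.items()
                           if any("NOPASSWD" in c for _, c in specs)),
        "everyday_account_with_privilege": everyday_with_privilege,
    }


if __name__ == "__main__":
    result = review(parse_groups(GROUP_FILE), parse_sudoers(SUDOERS), SSP_PRIVILEGED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed input the review surfaces three things an assessor would raise with the OSC: carol and dave hold full sudo without appearing in the SSP, carol's rule is NOPASSWD, and bob has a sudo rule on his everyday account as well as a separate bob-adm account, which undercuts the separation 3.1.6 is meant to enforce. The same comparison applies to Active Directory group exports or cloud IAM role bindings; only the parsers change.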
The Lead Assessor is conducting an assessment for an OSC. The Lead Assessor has finished collecting and examining evidence from the assessment.
Based on this information, what is the NEXT logical step?
A. Develop an assessment plan.
B. Deliver recommended assessment results.
C. Generate final recommended assessment results.
D. Determine and record initial practice scores.
Explanation:
After collecting and examining evidence, the assessor's next logical step is to determine and record initial practice scores based on that evidence. Final scores come later after analysis, validation, and potential additional evidence collection. The assessment plan is developed before evidence collection. Final/delivered results occur at the end of the assessment.
Correct Option:
D — Determine and record initial practice scores.
Once evidence is collected and examined, the assessor must evaluate each practice against CMMC Level 2 requirements and assign an initial MET/NOT MET score. These initial scores are documented, subject to review, and may be adjusted as the assessment continues. This is the direct next step after evidence examination.
Incorrect Options:
A — Develop an assessment plan.
Incorrect. The assessment plan is created during the Planning Phase before any evidence collection begins. Developing a plan after collecting evidence is out of sequence. The plan guides what evidence to collect; it does not follow collection.
B — Deliver recommended assessment results.
Incorrect. Delivery of results occurs at the conclusion of the assessment, after scoring, quality review, and finalization. Doing this immediately after evidence collection skips critical steps (scoring, validation, reconciliation). This is premature.
C — Generate final recommended assessment results.
Incorrect. Final results are generated at the end of the assessment lifecycle, after initial scoring, potential re-examination, and quality assurance processes. The assessor cannot produce final results immediately after evidence collection without completing scoring and validation.
Reference:
CMMC Assessment Guide – Assessment Phases (Planning → Evidence Collection → Scoring → Final Reporting). CMMC CCA Handbook – Scoring Methodology and Workflow.
An OSC has a hardware and software list used to manage company assets. Which is the BEST evidence to show the OSC is managing the system baseline?
A. Media protection
B. Physical protection
C. Configuration management
D. Identification and authentication policy
Explanation:
Managing a system baseline directly relates to Configuration Management (CM). A hardware and software list is an asset inventory, but the management of the baseline—tracking changes, maintaining approved configurations, documenting deviations—falls under CM.L2-3.4.1 and CM.L2-3.4.2. Configuration management processes ensure the baseline remains controlled and up to date.
Correct Option:
C — Configuration management
Configuration management is the practice of establishing, maintaining, and controlling system baselines (hardware, software, firmware configurations). Having a hardware/software list is the starting point; configuration management processes (change control, version tracking, approval workflows) provide evidence that the baseline is actively managed, not just documented.
Incorrect Options:
A — Media protection
Incorrect. Media protection (MP domain) addresses sanitization, marking, storage, and transport of media containing CUI. It does not relate to managing system baselines. A hardware/software list is not evidence of media protection.
B — Physical protection
Incorrect. Physical protection (PE domain) covers physical access controls, visitor escorting, and facility security. Managing hardware/software baselines has no direct relationship to physical protection, except perhaps for physical security of asset storage—but that is not the "best" evidence for baseline management.
D — Identification and authentication policy
Incorrect. Identification and authentication (IA domain) deals with user and device identity verification, passwords, MFA, and replay resistance. While related to system access, it is not the primary evidence for managing system baselines. The question explicitly asks about managing the hardware/software baseline.
Reference:
CMMC Level 2 Practice CM.L2-3.4.1 (System baselines) and CM.L2-3.4.2 (Control system configuration changes). NIST SP 800-171 Requirements 3.4.1 and 3.4.2. CMMC Assessment Guide – CM domain evidence examples.
In order to perform an interview, the Lead Assessor MUST ensure interview questions are:
A. Yes/no questions
B. Asked by any member of the OSC’s team
C. Asked to those who implement, perform, or support the practices
D. Asked with multiple people simultaneously to limit the number of interviews needed
Explanation:
For an interview to be valid, the assessor must question personnel who actually implement, perform, or support the practices being assessed. These individuals possess firsthand operational knowledge. Interviewing managers or uninformed staff yields unreliable evidence. The CMMC Assessment Guide explicitly requires that interview subjects be those with direct responsibility for the practice.
Correct Option:
C — Asked to those who implement, perform, or support the practices
This is the core requirement for interview validity. The assessor must identify and question the personnel who execute or support the security practice daily (e.g., system administrators, incident responders, access control managers). Their responses provide accurate evidence of implementation, unlike secondhand or managerial accounts.
Incorrect Options:
A — Yes/no questions
Incorrect. Interview questions are not restricted to a yes/no format. Open-ended questions (e.g., "Walk me through how you handle incident reporting") often yield richer evidence. The assessor uses professional judgment to structure questions appropriately; a yes/no-only rule would be an artificial restriction.
B — Asked by any member of the OSC’s team
Incorrect. The OSC team does not ask interview questions. The assessor asks questions; OSC personnel provide answers. This option appears to confuse roles. The assessor controls the interview process, not the OSC.
D — Asked with multiple people simultaneously to limit the number of interviews needed
Incorrect. Group interviews may be convenient but are not a requirement, and they can be problematic (witness contamination, reluctance to speak candidly). The CMMC Assessment Guide does not mandate simultaneous interviews. Individual interviews are often preferred for accuracy and candor.
Reference:
CMMC Assessment Guide (CAG) – Interview Method: Subject Selection Criteria. CMMC CCA Handbook – Conducting Effective Interviews. NIST SP 800-171A (Assessment Procedures) – Interview objectives.
A C3PAO is conducting a Level 2 assessment of a midsized construction contractor that does both private (commercial) and federal work. The contractor’s documentation states that all CUI flows through a single building on their office campus and is logically, physically, and administratively isolated from the rest of the environment. Why might an assessor request access to assess controls within a building or area not listed as in-scope in the documentation?
A. If the assessor sees personnel carrying locked cases into the other building or area
B. If the OSC has an underground passageway connecting the CUI building to a non-CUI building
C. If network diagrams indicate the commercial and federal sectors share a single Internet connection
D. If Human Resources that supports both commercial and federal sectors sits in the other building or area
Explanation:
If the CUI and non-CUI networks share a single Internet connection, the network boundary and associated security controls (firewalls, routers, intrusion detection) exist in a shared infrastructure component. That component resides in or affects the non-CUI building/area, making it potentially in-scope. The assessor must verify that isolation is truly maintained at the shared gateway.
Correct Option:
C — If network diagrams indicate the commercial and federal sectors share a single Internet connection
A shared Internet connection means CUI traffic and non-CUI traffic pass through common perimeter devices (e.g., same firewall, router, ISP link). Those devices and their configurations are security protection assets (SPAs) and must be assessed. The assessor may need access to the building housing those devices, even if not originally scoped.
Incorrect Options:
A — If the assessor sees personnel carrying locked cases into the other building
Incorrect. Locked cases alone do not indicate CUI flow or security control presence. Personnel could be transporting non-CUI materials or personal items. Without evidence that CUI is involved or that security controls reside in that building, this does not justify expanding assessment scope.
B — If the OSC has an underground passageway connecting the CUI building to a non-CUI building
Incorrect. A physical passageway does not automatically create a logical network connection or CUI flow. If the passageway is physically secured (locked doors, guards, access control), CUI may still be isolated. The assessor should ask about security of the passageway but not automatically request access to the other building.
D — If Human Resources that supports both commercial and federal sectors sits in the other building
Incorrect. HR supporting both sectors does not imply CUI access or processing. HR personnel may handle personnel data but not necessarily CUI. Unless HR systems actually process, store, or transmit CUI, or provide security protections for CUI, this alone does not justify expanding scope.
Reference:
CMMC Scoping Guidance – Shared Infrastructure and Boundary Devices. CMMC Assessment Guide – Determining Scope Based on Data Flow and Shared Services. NIST SP 800-171 Requirement 3.13.5 (subnetworks physically or logically separated from internal networks).
ESPs are exceptionally common today, given that many organizations are turning to secure cloud offerings to establish and maintain compliance. Integral to these relationships is a responsibility matrix, which defines who is responsible for specific items such as security. This can be a very complex assortment of taskings associated with federal compliance, but what is the MOST important thing to remember?
A. The ESP is technically not part of the DIB and has no responsibility to be CMMC compliant in its own right.
B. The CMMC Assessment Team will factor in any documentation provided by the ESP when evaluating the OSC for compliance.
C. The relationship of an OSC with an ESP is a partnership and the CMMC Assessment will evaluate the ESP at the same time as the OSC.
D. Only the OSC is being assessed for compliance, and while the ESP may have a lot of responsibilities in the matrix, the OSC is ultimately responsible for meeting the requirements as specified by government mandates.
Explanation:
While responsibility matrices allocate security tasks between OSC and ESP, the OSC retains ultimate responsibility for meeting CMMC requirements. If the ESP fails to implement a control, the OSC is still accountable to the government. This is the most important principle in ESP relationships—outsourcing does not transfer compliance liability away from the OSC.
Correct Option:
D — Only the OSC is being assessed for compliance, and while the ESP may have a lot of responsibilities in the matrix, the OSC is ultimately responsible for meeting the requirements as specified by government mandates.
This is correct. The CMMC assessment evaluates the OSC's compliance posture. The OSC cannot delegate away its legal and contractual obligations. If an ESP fails to perform, the OSC is non-compliant. The OSC must ensure ESPs meet required controls through contracts, monitoring, and evidence collection.
Incorrect Options:
A — The ESP is technically not part of the DIB and has no responsibility to be CMMC compliant in its own right.
Incorrect. Some ESPs are part of the Defense Industrial Base (DIB) and may require their own CMMC certification depending on their handling of CUI. Stating they have "no responsibility" is false. Even if not certified, they still have security obligations under the OSC's contract.
B — The CMMC Assessment Team will factor in any documentation provided by the ESP when evaluating the OSC for compliance.
Incorrect. While documentation is considered, this is not the "most important" thing to remember. The team also requires evidence that controls are actually implemented, not just documentation. Importance lies with OSC accountability, not documentation consideration.
C — The relationship of an OSC with an ESP is a partnership and the CMMC Assessment will evaluate the ESP at the same time as the OSC.
Incorrect. The CMMC assessment does not evaluate the ESP directly. The ESP is not a certified entity under the OSC's assessment. The assessor evaluates the OSC's compliance, which may include reviewing ESP-provided evidence (e.g., FedRAMP packages, SOC reports), but the ESP itself is not assessed.
Reference:
CMMC Model v2.0 – External Service Provider (ESP) requirements. CMMC Assessment Guide – OSC Responsibility for ESPs. DFARS 252.204-7012 (Contractor responsibility). 32 CFR 170.19 (CMMC scoping, including ESPs).
| Page 4 out of 15 Pages |