Last Updated On: 4-Jun-2026
Certified CMMC Assessor (CCA) Exam
150 realistic practice questions with detailed explanations
CMMC Domains and Practices
A company receives data that they suspect is CUI, but it is not marked as such. What is an acceptable way for the company to handle unmarked potential CUI?
A. Treat all data as CUI even if not marked.
B. If data are not marked, then they are not CUI.
C. Have a procedure for deleting unlabeled data.
D. Have a procedure for proper handling of unlabeled data.
Explanation:
When data is suspected to be CUI but unmarked, the company must have a documented procedure to determine its proper handling. This aligns with CMMC practice AC.L2-3.1.22 (Control CUI posted on public systems) and NIST SP 800-171 requirements for marking and handling. The procedure ensures unmarked suspected CUI is not mishandled or improperly discarded.
Correct Option:
D — Have a procedure for proper handling of unlabeled data.
A documented procedure addresses how to identify, verify, protect, and either mark or escalate unlabeled suspected CUI. This prevents unauthorized disclosure or destruction. The procedure should include contacting the data originator, checking contract requirements, and applying CUI protections until resolved.
Incorrect Options:
A — Treat all data as CUI even if not marked.
Incorrect. Treating all data as CUI is operationally impractical and unnecessary. It overburdens systems with controls for non-CUI data and strains efficiency and cost constraints. The OSC must discern CUI based on contracts, marking, or reasonable suspicion, not a blanket assumption.
B — If data are not marked, then they are not CUI.
Incorrect. This is dangerous and non-compliant. CUI may be unmarked due to error, oversight, or transmission chain failures. The OSC is still responsible for protecting known or reasonably suspected CUI regardless of marking. Ignoring unmarked CUI risks data breach and compliance failure.
C — Have a procedure for deleting unlabeled data.
Incorrect. Deleting suspected CUI without proper verification could destroy evidence, violate records retention requirements, or cause loss of mission-critical information. The appropriate response is to protect and verify, not automatically delete. Deletion is an extreme measure, not a default procedure.
Reference:
CMMC Level 2 Practice AC.L2-3.1.22 (Control CUI on public systems) and marking requirements. NIST SP 800-171 Requirement 3.1.22. 32 CFR Part 2002 (CUI Marking and Handling). CUI Registry (archives.gov/cui).
During an assessment, the OSC person being interviewed explains the process for escorting visitors. The individual states that while all visitors are escorted, occasionally a vendor may need access to a small room with only one door and limited standing room. In these cases, the escort sits outside the room and observes the vendor completing the work. Is this practice in line with the escort policy?
A. No, the escort is not allowed to sit down
B. No, the escort must always be in the same room
C. Yes, since the visitor can only use a single entry
D. Yes, so long as the visitor’s actions can still be viewed by the escort
Explanation:
PE.L2-3.10.3 requires escorting visitors and maintaining observation of their activities. The escort sitting outside a small room with only one entry is acceptable provided the escort maintains continuous, unobstructed visual observation of the visitor's actions. The policy does not mandate physical presence in the same room if observation remains effective.
Correct Option:
D — Yes, so long as the visitor’s actions can still be viewed by the escort
The core requirement is observation and control, not literal physical co-location. If the escort can clearly see the visitor's activities (e.g., through an open doorway, window, or continuous line of sight) and can intervene if necessary, the practice aligns with the escort policy. The single entry ensures no undetected exit.
Incorrect Options:
A — No, the escort is not allowed to sit down
Incorrect. The escort policy does not address whether the escort sits or stands. Sitting does not impair observation. This is an irrelevant detail and has no bearing on compliance with PE.L2-3.10.3. The position (sitting vs. standing) does not determine effectiveness.
B — No, the escort must always be in the same room
Incorrect. The policy does not explicitly require the escort to be in the same physical room. It requires escorting and observation. The scenario describes effective observation from outside a small room with one entry. Being in the same room is not mandatory if observation is maintained.
C — Yes, since the visitor can only use a single entry
Incomplete. While a single entry aids control, the determinative factor is whether the escort can observe the visitor's actions. The answer "yes" is correct only if observation is maintained. This option's reasoning is incomplete and could be misleading if observation is blocked.
Reference:
CMMC Level 2 Practice PE.L2-3.10.3 (Escort visitors). NIST SP 800-171 Requirement 3.10.3. CMMC Assessment Guide – Physical Protection domain – Escort interpretation for small or confined spaces.
An OSC uses a colocation facility to house its CUI assets. The colocation restricts access to the data center via keycard and requires all entrants to sign in and out. The OSC’s cage and cabinets are further secured with keys accessible only to OSC-authorized personnel.
In order to assess physical controls, the CCA should:
A. Physically visit the colocation facility to determine the effectiveness of controls.
B. Evaluate the colocation facility security process as listed in the service agreement.
C. Physically visit the colocation facility to determine the effectiveness of controls and review the OSC’s process for maintaining access to the keys.
D. Evaluate the colocation facility security process as listed in the service agreement and review the OSC’s process for maintaining access to the keys.
Explanation:
To assess physical controls at a colocation facility housing CUI assets, the CCA must perform both activities: (1) physically visit the facility to observe and test keycard logging, sign-in/out, cage security, and (2) review the OSC's internal process for managing access to cage keys (issuance, tracking, revocation). A service agreement review alone is insufficient.
Correct Option:
C — Physically visit the colocation facility to determine the effectiveness of controls and review the OSC’s process for maintaining access to the keys.
This option combines both required actions. A physical visit validates that controls are implemented, not merely documented. Reviewing the OSC's key management process ensures only authorized personnel have cage access. Both are necessary for practices PE.L2-3.10.3 (visitor control) and PE.L2-3.10.5 (physical access control).
Incorrect Options:
A — Physically visit the colocation facility to determine the effectiveness of controls.
Incomplete. A physical visit addresses the colocation facility's controls but ignores the OSC's own key management process. Keys accessible to OSC-authorized personnel require documented control (who has keys, how they are issued, how they are revoked). This must be reviewed separately.
B — Evaluate the colocation facility security process as listed in the service agreement.
Insufficient. Service agreements document intended controls but do not prove actual implementation. The CCA must verify controls in operation. Additionally, key management is the OSC's responsibility, not the colocation facility's, and is not found in the service agreement.
D — Evaluate the colocation facility security process as listed in the service agreement and review the OSC’s process for maintaining access to the keys.
Insufficient. Reviewing the service agreement (documentation) is not equivalent to a physical visit. The CCA must observe keycard systems, sign-in logs, cage locks, and physical conditions. Remote review of agreements cannot verify operational effectiveness.
Reference:
CMMC Level 2 Practices PE.L2-3.10.3, PE.L2-3.10.5. NIST SP 800-171 Requirements 3.10.3, 3.10.5. CMMC Assessment Guide – Physical Protection domain – Colocation facility assessment requirements.
The OSC has not implemented cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, citing the use of alternative physical safeguards.
Which of the following is NOT an alternative physical safeguard in this scenario?
A. Trusted couriers
B. Lockable casings
C. Physical access site monitoring
D. Tamper protection technologies
Explanation:
NIST SP 800-171 (3.13.8) and CMMC SC.L2-3.13.8 require cryptographic protection for CUI during transmission unless alternative physical safeguards are used. Valid alternatives include trusted couriers, locked transport cases, and physical access monitoring. Tamper protection technologies (e.g., tamper-evident seals) protect at rest or during storage, not during transmission, and are not a recognized substitute for transmission encryption.
Correct Option:
D — Tamper protection technologies
Tamper protection (tamper-evident tape, anti-tamper switches) detects unauthorized physical access but does not prevent disclosure during transmission. The data is still exposed when transmitted without encryption. This is not an accepted alternative to cryptographic mechanisms for transmission according to NIST or CMMC guidance.
Incorrect Options:
A — Trusted couriers
Correct as an alternative physical safeguard. If a trusted courier physically transports media containing CUI with chain of custody controls, encryption may not be required for that transmission medium. This is explicitly recognized as an alternative in NIST SP 800-171.
B — Lockable casings
Correct as an alternative physical safeguard. Locked hard cases, tamper-resistant containers, or lockable briefcases used during physical transport of media provide physical protection that can substitute for encryption, provided access is controlled.
C — Physical access site monitoring
Correct as an alternative physical safeguard. If transmission occurs within a physically monitored and controlled site (e.g., internal wired network with restricted building access), encryption may not be mandatory. Monitoring includes guards, cameras, and access logs.
Reference:
CMMC Level 2 Practice SC.L2-3.13.8 (Cryptographic protection for transmission). NIST SP 800-171 Rev 2, Requirement 3.13.8. NIST SP 800-171A (Assessment Procedures) – Alternative physical safeguards.
A Lead Assessor is preparing to conduct a Level 2 Assessment for an OSC. The assessor already determined the assessment scope and systems included. In addition, the assessor requests:
Results of the most recent OSC self-assessment or any pre-assessments by an RPO,
The System Security Plan (SSP), and
A list of all OSC staff who play a role in in-scope procedures.
Based on this information, which item would the assessor MOST LIKELY request when preparing to conduct a Level 2 Assessment?
A. A list of objectives
B. A manual for each system
C. A preliminary list of the anticipated evidence
D. A list of assets that are determined to be out-of-scope
Explanation:
After determining scope and reviewing key documents (SSP, self-assessment results, staff roles), the logical next preparation step is to identify the specific evidence needed to assess each practice. A preliminary list of anticipated evidence helps plan interviews, examinations, and tests, ensuring efficient use of assessment time and resources.
Correct Option:
C — A preliminary list of the anticipated evidence
The assessor uses the SSP and scope to map each CMMC practice to expected evidence (policies, procedures, logs, configurations, interview subjects). This list guides data collection, confirms OSC readiness, and prevents missing evidence. It is a standard deliverable in assessment planning.
Incorrect Options:
A — A list of objectives
Incorrect. Assessment objectives are defined by CMMC Level 2 practices themselves, not by the OSC. The assessor does not request a "list of objectives" from the OSC. Objectives are inherent to the assessment model and already known to the assessor.
B — A manual for each system
Incorrect. While system manuals may be useful for understanding specialized assets, they are not a standard or most likely request at this stage. Manuals are rarely required evidence for CMMC practices and are not listed in typical evidence request templates.
D — A list of assets that are determined to be out-of-scope
Incorrect. The assessor has already determined the assessment scope (including what is in-scope). Out-of-scope assets are not assessed. Requesting a list of out-of-scope assets is unnecessary at this preparation stage and may confuse scope boundaries.
Reference:
CMMC Assessment Guide – Planning Phase (Evidence Identification). CMMC CCA Handbook – Pre-Assessment Evidence Requests. CMMC Level 2 Assessment Preparation Guide.
An OSC seeking Level 2 certification is reviewing the physical security of their building. Currently, the building manager unlocks and locks the doors for business operations. The OSC would like the ability to automatically unlock the door for authorized personnel, track access individually, and maintain access history for all personnel. The BEST approach is for the OSC to:
A. Maintain a list of authorized personnel and assign them a building key.
B. Maintain security cameras to continuously monitor access to the building.
C. Install a badge system and require each individual to use their badge to gain entry to the building.
D. Install a keypad system and require the entry code to be changed when an individual leaves the company.
Explanation:
The OSC needs automatic unlocking, individual tracking, and access history. A badge system (proximity card, smart card) meets all three requirements: badges automatically unlock doors for authorized personnel, each badge uniquely identifies the individual, and logs provide access history. This satisfies PE.L2-3.10.5 (physical access control) and PE.L2-3.10.4 (access logs).
Correct Option:
C — Install a badge system and require each individual to use their badge to gain entry to the building.
Badge systems provide unique identifiers per user, automatic door unlocking, electronic logging of entry/exit times and identities, and easy revocation (deactivating lost/stolen badges). This fully addresses the OSC's requirements for automation, individual tracking, and historical access records.
Incorrect Options:
A — Maintain a list of authorized personnel and assign them a building key.
Incorrect. Keys provide no individual tracking (keys can be copied or shared) and no access history. A key grants entry to whoever physically holds it, so it cannot enforce real-time authorization. This fails all three stated requirements.
B — Maintain security cameras to continuously monitor access to the building.
Incorrect. Cameras record video but do not automatically unlock doors, do not individually identify personnel without manual review (and often cannot read badges or faces reliably), and do not produce a structured, easily queried access history. This does not meet the stated requirements.
D — Install a keypad system and require the entry code to be changed when an individual leaves the company.
Incorrect. Keypad codes are shared or known by multiple individuals, preventing individual tracking. Access history cannot distinguish who entered using the code. Changing codes upon departure is administratively burdensome and fails individual accountability.
Reference:
CMMC Level 2 Practice PE.L2-3.10.5 (Physical access control) and PE.L2-3.10.4 (Access logs). NIST SP 800-171 Requirements 3.10.4, 3.10.5. CMMC Assessment Guide – Physical Protection domain – Badge system requirements.
An assessor reviews the OSC’s data protection policy, which requires full disk encryption on company laptops. While interviewing employees, the assessor learns that employees sometimes access data while teleworking on laptops that do not have full disk encryption.
How should the assessor view the implementation of the OSC’s policy?
A. Acceptable because it requires full disk encryption of company laptops.
B. Insufficient because there are teleworking instances where the policy is not followed.
C. Acceptable as long as an equivalent technical safeguard is implemented for all teleworking scenarios.
D. Insufficient because full disk encryption is not required for laptops to comply with CMMC requirements.
Explanation:
A policy is not effectively implemented if personnel routinely violate it without detection or correction. The assessor finds that employees access CUI on teleworking laptops lacking full disk encryption, directly contradicting the policy. This indicates insufficient implementation—the control is not consistently applied. Practice SC.L2-3.13.8 (encryption for CUI) is likely NOT MET.
Correct Option:
B — Insufficient because there are teleworking instances where the policy is not followed.
Implementation requires consistent application of controls across all covered scenarios. Documented exceptions are acceptable if risk-assessed and authorized, but the scenario indicates unauthorized non-compliance. The assessor must cite this as a gap—policy exists but enforcement/monitoring is insufficient.
Incorrect Options:
A — Acceptable because it requires full disk encryption of company laptops.
Incorrect. A policy document alone does not constitute acceptable implementation. Evidence of actual enforcement and compliance is required. Since employees violate the policy in practice, the implementation is insufficient regardless of the policy's wording.
C — Acceptable as long as an equivalent technical safeguard is implemented for all teleworking scenarios.
Incorrect. The scenario does not state that any equivalent safeguard exists. Even if it did, equivalent safeguards must be documented, authorized, and validated. The policy specifically requires full disk encryption; deviations would need formal exception handling, which is not described.
D — Insufficient because full disk encryption is not required for laptops to comply with CMMC requirements.
Incorrect. Full disk encryption is a valid method to meet SC.L2-3.13.8 (encryption of CUI on mobile devices) and is often required or strongly recommended. The insufficiency here is not due to encryption not being required; it is due to policy violation.
Reference:
CMMC Level 2 Practice SC.L2-3.13.8 (Cryptographic protection). NIST SP 800-171 Requirement 3.13.8. CMMC Assessment Guide – Policy vs. Implementation Gap Assessment. NIST SP 800-171A – Objective 2 (Implementation verification).
When a new employee is issued a laptop, only the user’s credentials need to be set up. According to the IT department, the IT manager is the only person who can change laptop setup and user privileges. What documentation should be examined to determine if this is the case?
A. System audit logs
B. Inventory records
C. Acceptable use policy
D. Remote access procedures
Explanation:
To verify that only the IT manager can change laptop setup and user privileges, the assessor must examine system audit logs. Audit logs record who performed privileged actions (e.g., changes to configurations, user privilege escalations) and when. Logs provide objective evidence of whether unauthorized individuals have made changes, confirming or contradicting the IT department's claim.
Correct Option:
A — System audit logs
Audit logs (e.g., Windows Event Logs, syslog, change management logs) capture the identity of users executing privileged commands. By reviewing logs for laptop configuration changes and privilege modifications, the assessor can verify that only the IT manager performed these actions or detect violations. This is objective evidence under AU.L2-3.3.1.
Incorrect Options:
B — Inventory records
Incorrect. Inventory records track asset existence, location, and assigned user but do not record who changed configurations or privileges. Inventory does not provide evidence of privileged action accountability.
C — Acceptable use policy
Incorrect. An acceptable use policy (AUP) documents rules for system usage but does not prove who actually performed configuration changes. Policy defines what should happen; audit logs show what did happen.
D — Remote access procedures
Incorrect. Remote access procedures document how remote connections are established and secured. They do not contain records of who changed laptop setups or user privileges. Procedures are prospective, not retrospective evidence.
Reference:
CMMC Level 2 Practice AU.L2-3.3.1 (Create and retain system audit logs). NIST SP 800-171 Requirement 3.3.1. CMMC Assessment Guide – Audit and Accountability domain – Using logs to verify privilege separation.
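The log review described above can be done mechanically once the records are exported. The following is an added example, not part of the practice test: it assumes the OSC exports laptop Security event records to a simple CSV layout (timestamp, host, event ID, subject, target), which is a constructed format, and that the account CORP\itmanager is the only authorized administrator for the scenario. It flags any privilege or configuration change performed by someone else and summarizes who is actually performing privileged actions, which is exactly what the assessor wants to see to confirm or contradict the IT department's claim.

```python
"""Review privileged-action audit records against an authorized-administrator list.

Added example for the audit-log question above. The log lines below are
constructed for illustration, and the CSV field layout is an assumption,
not a real export format.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Windows Security event IDs that indicate a change to account privileges or to
# the machine's security configuration. The IDs are real; treating exactly this
# set as "privileged" is this example's assumption.
PRIVILEGED_EVENT_IDS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4670: "permissions on an object were changed",
}

# Assumption for the scenario: only this account may perform the actions above.
AUTHORIZED_ADMINS = {"CORP\\itmanager"}

# Constructed sample export: 4624 (logon) is included to show non-privileged
# events are ignored rather than reported.
SAMPLE_LOG = """\
timestamp,host,event_id,subject,target
2026-05-02T09:14:03Z,LT-0417,4720,CORP\\itmanager,CORP\\jdoe
2026-05-02T09:14:09Z,LT-0417,4732,CORP\\itmanager,BUILTIN\\Users
2026-05-02T09:15:41Z,LT-0417,4624,CORP\\jdoe,-
2026-05-03T17:02:55Z,LT-0417,4732,CORP\\jdoe,BUILTIN\\Administrators
2026-05-04T11:30:12Z,LT-0522,4728,CORP\\helpdesk1,CORP\\Domain Admins
2026-05-04T11:31:00Z,LT-0522,4670,CORP\\itmanager,HKLM\\SOFTWARE\\Policies
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    event_id: int
    subject: str
    target: str
    description: str


def parse_events(text: str) -> list[dict]:
    """Parse the CSV export into dicts with an integer event_id."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    return rows


def find_unauthorized_privileged_actions(text: str, authorized=AUTHORIZED_ADMINS) -> list[Finding]:
    """Return every privileged action whose subject is not an authorized admin."""
    allowed = {a.lower() for a in authorized}
    findings = []
    for row in parse_events(text):
        eid = row["event_id"]
        if eid not in PRIVILEGED_EVENT_IDS:
            continue  # logons, file reads, etc. are not in scope for this check
        if row["subject"].lower() in allowed:
            continue
        findings.append(Finding(row["timestamp"], row["host"], eid, row["subject"],
                                row["target"], PRIVILEGED_EVENT_IDS[eid]))
    return findings


def actor_summary(text: str) -> Counter:
    """Count privileged actions per actor so the assessor sees who really performs them."""
    return Counter(row["subject"] for row in parse_events(text)
                   if row["event_id"] in PRIVILEGED_EVENT_IDS)


if __name__ == "__main__":
    for f in find_unauthorized_privileged_actions(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: {f.subject} -> {f.description} on {f.target}")
    print("privileged actions by actor:", dict(actor_summary(SAMPLE_LOG)))
```

Run against the constructed export, the check reports two actions by accounts other than the IT manager, which is the kind of objective evidence that would lead the assessor to question the IT department's statement; an empty finding list, over a retention period long enough to be meaningful, supports it.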
An OSC has two business locations. At each location, the OSC has a wireless guest network to which non-OSC employees are allowed access. The guest network is not password protected and it connects devices within the local OSC’s LAN. Based on this information, does the OSC meet the requirements of Level 2 for network access restriction?
A. No, the OSC needs to go through an additional assessment.
B. No, the OSC has not met the network access restriction requirements.
C. Yes, there are no network access restriction requirements.
D. Yes, the OSC has met the network access restriction requirements.
Explanation:
The OSC has an open (no password), unauthenticated guest network that connects directly to the local LAN containing CUI assets. This violates multiple CMMC Level 2 practices, including AC.L2-3.1.12 (monitor/control remote access), AC.L2-3.1.13 (remote access confidentiality/integrity), and SC.L2-3.13.13 (separate subnetworks). Therefore, the OSC has NOT met network access restriction requirements.
Correct Option:
B — No, the OSC has not met the network access restriction requirements.
An open guest network connected to the CUI LAN allows unauthorized, unauthenticated, unmonitored access to the internal network. This fails fundamental access restrictions. The OSC must isolate guest networks from CUI assets (e.g., via VLAN, firewall, separate physical infrastructure) and require authentication.
Incorrect Options:
A — No, the OSC needs to go through an additional assessment.
Incorrect. The issue is not a need for "additional assessment." The OSC has a clear compliance failure. Additional assessment does not fix the technical control gap. The statement misdirects from the actual finding.
C — Yes, there are no network access restriction requirements.
Incorrect. CMMC Level 2 includes numerous network access restriction requirements (AC and SC domains). This claim is factually false. The OSC cannot claim exemption from these requirements.
D — Yes, the OSC has met the network access restriction requirements.
Incorrect. The described configuration is a textbook violation. Open guest networks with LAN connectivity expose CUI assets to unauthorized access, man-in-the-middle attacks, and network reconnaissance. This does not meet requirements.
Reference:
CMMC Level 2 Practices AC.L2-3.1.12, AC.L2-3.1.13, SC.L2-3.13.13. NIST SP 800-171 Requirements 3.1.12, 3.1.13, 3.13.13. NIST SP 800-207 (Zero Trust Architecture) – Guest network isolation. CMMC Assessment Guide – Network Access Restriction domain.
A CCA is assessing the concept of least functionality in accordance with CM.L2-3.4.6: Least Functionality.
Which method is the LEAST LIKELY to be useful as an assessment technique?
A. Interview personnel with information security responsibilities.
B. Interview personnel with application development responsibilities.
C. Interview personnel who wrote the configuration management policy.
D. Interview personnel with security configuration management responsibilities.
Explanation:
CM.L2-3.4.6 (least functionality) requires configuring systems to provide only essential capabilities and disabling non-essential functions. Personnel who wrote the configuration management policy typically have theoretical/documentation knowledge but rarely know actual system configurations or which functions are enabled/disabled. They are the least likely to provide useful operational evidence for least functionality.
Correct Option:
C — Interview personnel who wrote the configuration management policy.
Policy authors know intent and requirements but usually lack hands-on knowledge of system configurations, registry settings, enabled protocols, or disabled services. Their testimony provides policy-level information, not implementation evidence. For least functionality, assessors need operational staff (system administrators, security engineers).
Incorrect Options:
A — Interview personnel with information security responsibilities.
Likely useful. Information security personnel (e.g., security analysts, ISSOs) typically implement or oversee least functionality configuration, including whitelisting, disabling unnecessary ports/protocols, and maintaining secure baselines. Their interviews yield relevant operational evidence.
B — Interview personnel with application development responsibilities.
Likely useful. Developers can confirm which application features are essential versus non-essential, provide input on disabled functionality, and demonstrate that development environments follow least functionality principles. Their perspective is valuable.
D — Interview personnel with security configuration management responsibilities.
Highly useful. Security configuration managers directly implement, monitor, and maintain least functionality controls—e.g., removing unnecessary software, disabling services, applying secure configuration guides (CIS, STIGs). They are primary sources for this practice.
Reference:
CMMC Level 2 Practice CM.L2-3.4.6 (Least functionality). NIST SP 800-171 Requirement 3.4.6. CMMC Assessment Guide – Selecting interview subjects based on control ownership. NIST SP 800-171A – Objective 2 (Implementation) vs. Objective 1 (Policy).
Page 5 out of 15 Pages