
Get all the Information About Cyber AB CMMC-CCA Exam 2026 Practice Test Questions
Check Real Cyber AB CMMC-CCA Exam Question for Free (2026)
Cyber AB CMMC-CCA Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
NEW QUESTION # 72
While completing the Level 2 Assessment, the Lead Assessor found that the OSC was deficient on a number of CMMC practices. Forty practices were scored as NOT MET, all on the Authorized Deficiency Corrections list. The OSC remediated 17 of those during closeout, leaving 23 practices still NOT MET. What should the Lead Assessor recommend?
- A. Pass the OSC but put the 23 remaining on a POA&M
- B. Fail the OSC and require them to remediate and reapply for Level 2 certification
- C. Recommend an interim certification and revisit the failed practices upon certification renewal
- D. Recommend an interim certification and put the 23 remaining practices on a POA&M
Answer: B
Explanation:
Under CMMC 2.0 Level 2, POA&Ms are permitted only for a limited subset of practices and only if the organization achieves at least 80% compliance, with no high-weight practices failed. With 23 practices NOT MET, the OSC falls below this threshold. Therefore, the Lead Assessor must recommend a Fail, requiring remediation and reassessment.
Exact extracts:
* "For Level 2, OSCs must achieve a score of at least 80% and cannot fail any high-weighted practices."
* "POA&Ms may be allowed for a small number of selected practices but must be closed within 180 days."
* "If the OSC does not meet minimum requirements, the assessment result is Fail and the OSC must remediate before reapplying." Why the other options are incorrect:
* A: POA&Ms cannot cover such a large number of deficiencies.
* C/D: Interim certification does not exist in CMMC 2.0.
References:
CMMC Assessment Guide - Level 2, POA&M policy.
DoD CMMC 2.0 Program guidance on minimum passing scores and fail conditions.
NEW QUESTION # 73
When preparing for an assessment, the assessor determines that the client's proprietary data resides within an enclave. However, the assessor is unable to review policies containing proprietary data onsite and plans to have the policies copied on removable media by the client's IT staff, whom they are scheduled to interview.
What should the assessor consider as part of their planning?
- A. No proprietary data can leave the client's environment without the express written consent of the OSC POC.
- B. The assessor can transmit data outside the client's environment if the client's IT support staff grants access.
- C. No proprietary data can leave the client's environment under any circumstances.
- D. No proprietary data can leave the client's environment without the express written consent of the OSC Assessment Official.
Answer: D
Explanation:
Assessor conduct is governed by the CMMC Code of Professional Conduct. Proprietary or sensitive data from the OSC environment cannot leave without express written consent from the OSC's Assessment Official (AO). The AO is the authorized point of control for assessment-related data. This protects client confidentiality and maintains ethical handling of sensitive information.
Exact Extracts:
* CMMC Assessor Code of Professional Conduct: "No proprietary or sensitive information may be removed from an OSC environment without the express written consent of the OSC's designated Assessment Official."
* "Assessors are bound to protect confidentiality and may not transmit data outside of agreed assessment channels without written authorization." Why the other options are not correct:
* A: Too absolute - proprietary data can leave if AO provides written consent.
* B: IT staff cannot authorize release of proprietary data.
* C: POC is not the authority for data release - only the Assessment Official is.
References:
CMMC Code of Professional Conduct: Confidentiality requirements.
CMMC Assessment Guide - Level 2: Ethical responsibilities of assessors.
NEW QUESTION # 74
Video monitoring is used by an OSC to help meet PE.L2-3.10.2: Monitor Facility. The OSC's building has three external doors, each with badge access and a network-connected video camera above the door. The video cameras are connected to the same network as employee computers. The OSC contracted a local security company to provide surveillance services. The security company stores the recordings at its premises and requires access to the OSC's network to manage the video cameras. Which factor is a clear negative finding for the OSC's assessment?
- A. A non-certified third party's data center may not store video recordings for a company authorized to process CUI
- B. Video surveillance alone does not satisfy the facility monitoring requirement of PE.L2-3.10.2
- C. A non-certified third party accesses the OSC's network to manage the cameras
- D. Video surveillance needs to be of both private and public areas of the building
Answer: C
Explanation:
The negative finding is that the OSC permits an uncertified external security provider to access the OSC's internal network. This introduces unmanaged risk to the CUI environment. CMMC requires the OSC to control and monitor external service provider access. The storage of recordings externally is not inherently noncompliant if properly controlled, and video monitoring is a valid method of meeting PE.L2-3.10.2. The key failure is giving unmanaged third-party access.
Exact extracts:
* "Monitor physical facility to detect and respond to physical security incidents." (PE.L2-3.10.2)
* "Assessment Objectives ... Determine if: monitoring is performed; unauthorized physical access is detected and responded to."
* "External service providers that connect into the OSC network are considered in-scope and must meet CMMC requirements or have equivalent authorization (e.g., FedRAMP)." Why other options are incorrect:
* A: Requirement does not mandate monitoring of both public and private areas.
* C: Video surveillance is an acceptable facility monitoring method when properly implemented.
* D: External storage can be acceptable if contractual safeguards and compliance are in place.
References:
CMMC Assessment Guide - Level 2, PE.L2-3.10.2.
CMMC Scoping Guide - External Service Providers.
NEW QUESTION # 75
What is NOT required for the Lead Assessor to confirm when verifying readiness to conduct an assessment?
- A. That evidence is available and accessible for the targeted CMMC Level
- B. Whether the OSC can better meet the targeted CMMC Level
- C. That risks have been identified
- D. That necessary logistics have been arranged
Answer: B
Explanation:
The Lead Assessor's readiness checks focus on logistics, scope, evidence availability, and risk awareness to ensure the assessment can proceed. It is not the assessor's role to advise or determine if the OSC could achieve a higher certification level - the OSC selects its target level.
Exact extracts:
* "Lead Assessors must confirm readiness by verifying logistics, scope boundaries, risks, and evidence availability."
* "Assessors do not advise OSCs on selecting certification levels or alternative approaches; this is outside the assessment scope." Why the other options are required:
* A: OSC risks must be identified and discussed as part of scoping.
* B: Logistics (scheduling, facilities, communications) must be confirmed.
* D: Evidence must be available and accessible to avoid delays.
References:
CMMC Assessment Process (CAP), Pre-Assessment Readiness Activities.
CCA Study Guide - Lead Assessor Responsibilities.
NEW QUESTION # 76
An assessor is examining an organization's system maintenance program. While reviewing the system maintenance policy and the OSC's maintenance records for the CUI network, the assessor notices there is no mention of printers. The assessor asks the IT manager if the company has any printers.
Why is the assessor concerned if the OSC has printers?
- A. Printers cannot be used on a CUI network without government approval.
- B. Firmware on a network printer needs to have updates as needed.
- C. Printers can produce hard copies of CUI data that need to be safeguarded.
- D. Printers must be completely isolated from all non-CUI assets.
Answer: C
Explanation:
Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.
Extract from MP.L2-3.8.4:
"Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material." Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.
Reference: CMMC Assessment Guide - Level 2, MP Domain.
NEW QUESTION # 77
While conducting a CMMC Level 2 self-assessment, an organization's Chief Information Security Officer asks the system administrator for evidence that remote access is routed through fully managed access control points. Which documentation would BEST demonstrate that all remote access is routed through managed access control points?
- A. SSP and vendor management
- B. Network diagram and VPN logs
- C. Access control policy and procedures
- D. Cloud service audit logs and hardware asset inventory
Answer: B
Explanation:
To validate that remote access is routed through managed access control points, the assessor requires technical evidence, not just policy. The network diagram shows the design and routing of remote access through controlled points (e.g., VPN gateways), and VPN logs provide operational evidence that remote sessions are enforced through those points.
Exact Extracts:
* AC.L2-3.1.14: "Route remote access through managed access control points."
* Assessment Objective (AC.L2-3.1.14[a]): "Remote access is routed through managed access control points."
* Assessment Method (Examine/Interview/Test): Requires network diagrams and remote access logs as evidence.
* CMMC Assessment Guide specifies: "Network diagrams and supporting logs are required to demonstrate implementation of remote access routing." Why the other options are not correct:
* B (policy/procedures): Policies describe intent, not proof of implementation.
* C (SSP/vendor mgmt): SSPs provide system description but not direct evidence of enforcement.
* D (cloud logs/hardware inventory): These do not specifically demonstrate remote access routing through managed points.
References:
CMMC Assessment Guide - Level 2, Version 2.13: AC.L2-3.1.14 (pp. 25-27).
NIST SP 800-171A, Access Control assessment procedures.
NEW QUESTION # 78
A CCA is reviewing an OSC's evidence for a CMMC practice and finds that the documentation is in draft form, marked "For Internal Use Only," and lacks final approval. The OSC insists it is actively used. How should the CCA evaluate this evidence?
- A. Reject the draft documentation and score the practice as "NOT MET."
- B. Document the lack of final approval as an evidence gap and assess based on all available evidence, including usage confirmation.
- C. Request the OSC to finalize the documentation before continuing the assessment.
- D. Accept the draft documentation as sufficient since it is actively used.
Answer: B
Explanation:
Comprehensive and Detailed in Depth Explanation:
The CAP requires noting deficiencies like lack of approval as gaps while assessing all evidence (Option B).
Options A, C, and D misapply CAP procedures.
Extract from Official Document (CAP v1.0):
* Section 2.2 - Conduct Assessment (pg. 25):"Document lack of final approval as an evidence gap and assess based on all available evidence." References:
CMMC Assessment Process (CAP) v1.0, Section 2.2.
NEW QUESTION # 79
NIST SP 800-171A specifies the assessment methods for defining the nature and the extent of a CCA's actions. What is the purpose of the test assessment method?
- A. To review compliance with an applicable standard and security assurance claims
- B. To exercise assessment objects under specified conditions to compare actual with expected behavior
- C. To execute a systematic process, procedure, or technique for obtaining security assurance evidence and consistently verifying security assurance claims
- D. To review, inspect, observe, or analyze assessment objects
Answer: B
Explanation:
The test assessment method means the assessor actively exercises or stimulates the system (or object) under defined conditions to compare actual results with expected behavior. This goes beyond review or observation and involves hands-on validation.
Exact Extracts:
* NIST SP 800-171A: "The test method is the process of exercising assessment objects under specified conditions to compare actual with expected behavior."
* CMMC Assessment Guide: "Testing requires assessors to observe the execution of functions, mechanisms, or activities to confirm effectiveness." Why the other options are not correct:
* A: This defines Examine (not Test).
* B: This aligns with Interview or compliance review, not Test.
* D: This is a generic definition but does not capture the essence of Test (direct execution under conditions).
References:
NIST SP 800-171A: Appendix D, Assessment Methods (Examine, Interview, Test).
CMMC Assessment Guide - Level 2, Version 2.13: Use of test assessment methods.
NEW QUESTION # 80
During a CMMC assessment, you, as a CCA, are interviewing a key OSC employee with information security responsibilities about the access control procedures. As the interview progresses, you realize that the initial information provided in the System Security Plan (SSP) doesn't fully align with the employee's explanation.
Based on the scenario and your role as a CCA, what is not one of your responsibilities as an assessment team member?
- A. Update the assessment plan to reflect the newly discovered information about access control procedures.
- B. Interview additional personnel to corroborate the information provided by the POC.
- C. Map the interview findings regarding access control to the relevant CMMC practices.
- D. Inform the OSC management about the potential discrepancy between the SSP and actual practices.
Answer: D
Explanation:
Comprehensive and Detailed in Depth Explanation:
The CCA's role is to collect and assess evidence objectively, not to inform OSC management of discrepancies, which is outside the assessment scope and risks consulting. Options A, B, and D are within the CCA's duties per CAP.
Extract from Official Document (CAP v1.0):
* Section 2.2 - Conduct Assessment (pg. 25):"The Assessment Team shall gather evidence and map findings to CMMC practices, not provide feedback or recommendations to OSC management." References:
CMMC Assessment Process (CAP) v1.0, Section 2.2.
NEW QUESTION # 81
A company is undergoing a CMMC Level 2 Assessment. The Assessment Team is planning and preparing the assessment. Who is responsible for identifying methods, techniques, and responsibilities for collecting, managing, and reviewing evidence?
- A. CMMC Quality Assurance Professional
- B. Assessment Team Member
- C. C3PAO Quality Oversight Manager
- D. Lead Assessor
Answer: D
Explanation:
The Lead Assessor is responsible for managing the assessment team and planning the assessment, including defining the methods, techniques, and responsibilities for collecting, managing, and reviewing evidence.
Team members execute assigned tasks, but the Lead Assessor provides direction and oversight.
Exact Extracts:
* CMMC Assessment Guide: "The Lead Assessor is responsible for the management of the assessment, including defining evidence collection methods, techniques, and responsibilities."
* "The assessment team members carry out activities as directed by the Lead Assessor."
* "The C3PAO Quality Oversight and CMMC Quality Assurance are post-assessment quality functions, not evidence planning functions." Why other options are not correct:
* B: Team members execute tasks but do not define methods and responsibilities.
* C: Quality Oversight Managers review assessments after completion, not during planning.
* D: CMMC Quality Assurance Professionals conduct QA on assessments, not evidence planning.
References:
CMMC Assessment Guide - Level 2, Version 2.13: Assessment planning roles and responsibilities (pp. 4-6).
NEW QUESTION # 82
During scoping discussions with a Lead Assessor, the OSC mentions that there are several connected systems within the organization's network. How should an OSC consider security tools in a CMMC Assessment Scope?
- A. Only include network security tools in the scope.
- B. Security tools should be considered part of the assessment scope.
- C. It is up to the Lead Assessor.
- D. Disregard the security tools altogether.
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
Security tools are Security Protection Assets (SPAs) per the CMMC Assessment Scope - Level 2, as they provide security functions (e.g., monitoring, logging) to the CUI/FCI environment. They must be included in the scope, regardless of specific type (contrary to Option A). Option B contradicts the guidance, and Option C misplaces responsibility. D is correct.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.3 (SPAs), p. 6: "Security tools are SPAsand part of the assessment scope."
NEW QUESTION # 83
A CCA is asked to validate if an OSC has separated their systems containing CUI from other departments' systems on their local network. Which of the following MUST the CCA assess?
- A. Network Address Translation (NAT)
- B. Area Network (WAN)
- C. Virtual Private Network (VPN)
- D. Virtual Local Area Network (VLAN)
Answer: D
Explanation:
To validate separation of CUI systems from non-CUI systems on a local network, the assessor must evaluate the VLAN configuration. VLANs are a recognized logical segmentation method for separating enclaves, as defined in the CMMC Scoping Guide.
Exact Extracts:
* CMMC Scoping Guide: "Isolation can be achieved by implementing subnetworks with firewalls, routers, and VLANs to ensure separation of CUI assets from out-of-scope assets."
* "CUI Assets must be isolated from non-CUI assets unless those non-CUI assets are designated as Security Protection Assets or Contractor Risk Managed Assets." Why other options are not correct:
* A (WAN): Wide Area Networks describe external connectivity, not local separation.
* B (VPN): VPN provides encrypted remote access but does not enforce local network segmentation.
* D (NAT): NAT provides IP translation, not logical separation of traffic.
References:
CMMC Assessment Scope - Level 2, Version 2.13: Isolation requirements and VLAN as an example (pp. 9-
11).
CMMC Assessment Guide - Level 2: Assessor validation of enclave boundary methods.
NEW QUESTION # 84
You are a CCA with an active and good standing on the Cyber AB Marketplace. An OSC has contracted your C3PAO for a prospective CMMC Assessment. The OSC provides signal processing services for the DoD.
You assisted the OSC in preparing for the upcoming CMMC assessment by conducting an initial evaluation of their implementation practices. With your background in cybersecurity and extensive experience, your C3PAO and Lead Assessor have selected you to join the Assessment Team. Based on this scenario, which of the following is the most important factor for the C3PAO to consider when assigning assessors to the Assessment Team?
- A. The Assessor's hourly rate, especially for independent assessors.
- B. The Assessor's professional reputation within the CMMC ecosystem.
- C. The Assessor's active status and good standing as a CMMC Certified Assessor or Professional, verified on the Cyber AB Marketplace, are important factors.
- D. The Assessor's specialization with the OSC's lines of business or industry sub-sector.
Answer: C
Explanation:
Comprehensive and Detailed in Depth Explanation:
The CAP prioritizes verified credentials (Option A), though the CCA's prior consulting role creates a conflict (CoPC Paragraph 3.1), which should preclude assignment. The question focuses on general factors, making A correct.
Extract from Official Document (CAP v1.0):
* Section 1.5 - Assessment Team Roles (pg. 16):"The C3PAO must verify that all assessment team members possess an active status in good standing as a CMMC Certified Assessor or Professional." References:
CMMC Assessment Process (CAP) v1.0, Section 1.5; CoPC Paragraph 3.1.
NEW QUESTION # 85
An OSC plans to bid for a DoD contract to supply laser welding services to repair a fleet of unmanned aerial vehicles (UAVs). This requires them to be CMMC Level 2 certified since the information they will receive from the DoD is Controlled Technical Information (CTI). However,their repair and welding services require a Computer Numerical Control (CNC) machine to fabricate some crucial parts. Since the welding is mainly automated using robots, the OSC has intelligently integrated its SCADA system with Programmable Logic Controllers (PLCs) for increased accuracy, improved safety and efficiency, and enhanced flexibility. As the Lead Assessor for the C3PAO Assessment Team validating the OSC's CMMC assessment scope, you expect the OSC to handle the SCADA system, PLCs, and CNC machines in all the following ways EXCEPT?
- A. Provide a network diagram of the assessment scope (to include these assets) to facilitate scoping discussions during the pre-assessment.
- B. Document these assets in the asset inventory.
- C. Categorize them as CUI assets.
- D. Document these assets in the SSP to show they are managed using the OSC's risk-based security policies, procedures, and practices.
Answer: C
Explanation:
Comprehensive and Detailed Explanation:
SCADA, PLCs, and CNC machines are Operational Technology (OT) and classified as Specialized Assets per the CMMC Assessment Scope - Level 2. They must be documented in the SSP (Option B), network diagram (Option C), and asset inventory (Option D) to show risk-based management. However, they are not CUI Assets (Option A) unless they process, store, or transmit CUI, which is not indicated here-they support production, not CUI handling. A is the exception.
Reference:
CMMC Assessment Scope - Level 2, Section 2.3.4 (Specialized Assets), p. 6: "OT is not categorized as CUI Assets unless it handles CUI."
NEW QUESTION # 86
In validating the OSC's implementation of AC.L2-3.1.16: Wireless Access Authorization, the CCA observes various personal and non-enterprise devices connected to the OSC's Wi-Fi. Because organizations handle wireless access differently, the CCA must locate evidence showing who has ultimate authority over wireless access. Which authority is acceptable for authorizing wireless access?
- A. A written policy executed by the CEO listing the pre-authorization requirements for Wi-Fi connectivity
- B. The CEO emailing the company instructing everyone to put personal devices on the company Wi-Fi
- C. The CEO mandating IT to add their personal phone to the company Wi-Fi
- D. A detailed document from the head of IT with instructions on how to connect to the guest Wi-Fi network
Answer: A
Explanation:
CMMC Level 2 requires that wireless access be formally authorized based on management-approved policy and criteria. The Assessment Guide specifies that "management guidelines form the basis for the requirements that must be met prior to authorizing a wireless connection." Therefore, a written policy executed by the CEO, which defines pre-authorization requirements, constitutes proper evidence of authorization. Informal emails or IT connection instructions do not meet this requirement.
Exact extracts:
* "Authorize wireless access prior to allowing such connections."
* "Assessment Objectives ... Determine if: [a] wireless access points are identified; and [b] wireless access is authorized prior to allowing such connections."
* "Guidelines from management form the basis for the requirements that must be met prior to authorizing a wireless connection. These guidelines may include the following: * types of devices, such as corporate or privately owned equipment; * configuration requirements of the devices; and * authorization requirements before granting such connections."
* Assessment method - Examine: "Access control policy; procedures addressing wireless implementation and usage (including restrictions); wireless access authorizations ..." Why the other options are unacceptable:
* A and C are ad-hoc instructions from the CEO, not a formal management policy establishing authorization criteria.
* D is an IT-authored instruction document, not a management-level authorization policy.
References (CCA documents / Study Guide):
* CMMC Assessment Guide - Level 2, Version 2.13, AC.L2-3.1.16 "Wireless Access Authorization" (Assessment Objectives; Discussion; Further Discussion; Potential Assessment Methods and Objects).
* NIST SP 800-171 Rev. 2, 3.1.16 (mapped within the CMMC Level 2 Assessment Guide).
NEW QUESTION # 87
An OSC's network diagram shows a separate network segment (192.168.50.0/24) designated for its engineering department. This segment restricts access to specific engineering resources. While the servers are physically located in a shared data center, the network configuration isolates them logically. Through which of the following does the network segmentation create isolation for the engineering department's resources?
- A. Encryption of engineering data at rest
- B. Logical separation through network configuration
- C. Requirement of a security badge to access the data center
- D. Physical barriers within the data center
Answer: B
Explanation:
Comprehensive and Detailed in Depth Explanation:
Network segmentation, as described in NIST SP 800-171 (SC-3.13.6) and CMMC Level 2, isolates resources logically using configurations like subnets (e.g., 192.168.50.0/24), firewalls, or ACLs, not physical means.
This protects engineering resources containing CUI by restricting access, despite their physical location in a shared data center. Option B (physical barriers) applies to facility security, not network isolation. Option C (encryption at rest) protects data, not network access. Option D (security badges) is irrelevant to network segmentation. Option A is the correct answer per CMMC guidelines.
Reference Extract:
* NIST SP 800-171, 3.13.6:"Deny traffic by default and allow by exception through logical segmentation."
* CMMC AG Level 2, SC.L2-3.13.6:"Logical separation via network configuration isolates sensitive resources."Resources:https://csrc.nist.gov/pubs/sp/800/171/a/final;https://dodcio.defense.gov/Portals/0
/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
NEW QUESTION # 88
You were the Lead Assessor on a team that conducted a CMMC assessment for an OSC that passed and earned a CMMC L2 Certification. Meeting this requirement, the OSC bid on and won a DoD contract.
However, a rival company disputes the OSC's CMMC certification status in court. As part of the evidence, the court has directed you to release the assessment results and any evidence you might have relied on to arrive at the assessment results. Based on the CoPC, what action should you take in this situation?
- A. Release the assessment results.
- B. Do not release the assessment results under any circumstances.
- C. Release only a summary of the assessment results.
- D. Release the assessment results only after obtaining written permission from the OSC being assessed.
Answer: A
Explanation:
Comprehensive and Detailed in Depth Explanation:
The CoPC allows disclosure of assessment results when legally obligated, such as by a court order, overriding confidentiality unless Cyber AB permits otherwise. Option A (requiring OSC permission) is superseded by legal obligation. Option C (never releasing) violates the court order. Option D (summary) does not comply fully. Option B is required.
Extract from Official Document (CoPC):
* Paragraph 3.2(1) - Confidentiality (pg. 6):"Protect confidential customer data unless permitted in writing by the Cyber AB or required by a legal obligation to disclose the information." References:
CMMC Code of Professional Conduct, Paragraph 3.2(1).
NEW QUESTION # 89
......
Use Free CMMC-CCA Exam Questions that Stimulates Actual EXAM : https://getfreedumps.passreview.com/CMMC-CCA-exam-questions.html