CMMC-CCA Cyber AB Certified CMMC Assessor (CCA) Exam Free Practice Exam Questions (2025 Updated)

The CMMC Scoping Guidance specifies that Contractor Risk Managed Assets must:

Be documented in the asset inventory,

Be governed by the organization’s own risk-based policies and procedures,

Be included in the system boundary/network diagram.

Extract:

“Contractor Risk Managed Assets are those managed according to the OSC’s risk-based policies and procedures. They must be documented in the asset inventory and represented in the system boundary.”

Thus, option C is the best answer.

The Shared Responsibility Matrix (Customer Responsibility Matrix) is a key artifact in CMMC assessments involving MSPs or cloud service providers. It defines what security responsibilities belong to the OSC and which belong to the service provider. To evaluate the MSP’s impact, the assessor must review this matrix to understand boundaries of responsibility for CUI protection.

Exact extracts:

“When external service providers are included in the assessment boundary, organizations must provide documentation that specifies security responsibilities.”

“A Shared Responsibility Matrix (or Customer Responsibility Matrix) defines which controls are implemented by the OSC versus the external provider.”

“Assessors should request and review this matrix to understand division of responsibilities.”

Why the other options are incorrect:

A: Onsite MSP staff presence does not clarify responsibility for security controls.

C: Reviewing classification helps, but it does not explain responsibility allocation.

D: Policies/org charts do not establish shared control responsibilities.

The control PS.L2-3.9.1: Screen Individuals requires that individuals be screened before authorizing access to organizational systems and CUI. Since employees are assigned to work immediately upon hire, before screenings are complete, this practice is NOT MET. Completing screenings within the first week does not satisfy the requirement.

Exact extracts:

“Screen individuals prior to authorizing access to organizational systems containing CUI.”

“Assessment Objectives … Determine if: [a] individuals requiring access to CUI are screened before access is granted.”

“It is not sufficient for screening to occur after access has been authorized.”

Why the other options are incorrect:

A: Remediation may be possible, but scoring must be NOT MET.

B: A single practice being NOT MET does not automatically cause assessment failure (depends on aggregate score).

C: HR responsibility does not excuse failure to complete screening before granting access.

Applicable Requirement: CM.L2-3.4.1 — “Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”

Why C is Correct: Baseline management requires documenting and tracking authorized deviations to ensure systems remain consistent with approved baselines. Evidence must show the OSC manages exceptions as part of its configuration management process.

Why Other Options Are Insufficient:

A: Physical safeguards protect images but do not demonstrate baseline management.

B: Reviews may be helpful, but deviations are explicitly required documentation.

D: Chain of custody applies to asset tracking, not baseline management.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — CM.L2-3.4.1

NIST SP 800-171A — CM.L2-3.4.1 Assessment Objectives

CMMC Assessment Guide – Level 2, Baseline Configurations

===========

Contractor Risk Managed Assets (CRMA) are required to be identified in the System Security Plan (SSP) because the SSP must describe how each in-scope asset category is managed, including risk-based policies, procedures, and practices. Network diagrams and inventories alone are insufficient without documentation in the SSP.

Exact Extracts:

CMMC Scoping Guide: “Contractor Risk Managed Assets are part of the CMMC Assessment Scope and must be identified in the OSC’s SSP and supporting documentation.”

“The SSP must describe how the contractor manages risk for Contractor Risk Managed Assets.”

“The asset categories (CUI assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets) must be included in the SSP with supporting evidence.”

Why the other options are not correct:

A: Identification/authentication policy does not specifically require mention of CRMAs.

B: Physical protection policies address facility controls, not risk-managed assets.

C: Awareness training covers employees, not technical classification of assets.

D: Correct, because the SSP must explicitly document how CRMAs are managed using risk-based approaches.

Wireless access to systems transmitting, processing, or storing CUI must be protected with FIPS 140-validated cryptography and access must be limited to authenticated users. This ensures confidentiality and integrity of CUI while preventing unauthorized wireless access.

Exact Extracts (official CMMC Assessor/Study documents):

SC.L2-3.13.13: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”

AC.L2-3.1.1 / 3.1.2: “Limit system access to authorized users… and authenticate the identities of those users.”

SC.L2-3.13.17: “Protect wireless access to the system using authentication and encryption.”

Assessment Guide clarifies: “Wireless access must use FIPS 140 validated cryptographic modules and must be restricted to authenticated users.”

Why other options are not correct:

A: Only requires encryption; does not address authenticated access, which is mandatory.

B: Vetting and access lists may be useful, but they are not sufficient substitutes for cryptographic and authentication requirements.

D: Identifying users in diagrams is good documentation practice but not a CMMC requirement for wireless protection.

References (official CCA/CMMC documents):

CMMC Assessment Guide – Level 2, Version 2.13: Practices SC.L2-3.13.13 and SC.L2-3.13.17 (pp. 134–136).

NIST SP 800-171A, Assessment Objectives for wireless access and cryptographic requirements.

The Physical Protection (PE) practices require that visitors to facilities where CUI is processed must be escorted at all times by an authorized individual. Familiarity or long-term knowledge of the visitor does not remove the requirement.

Extract from PE.L2-3.10.3:

“Escort visitors and monitor visitor activity to ensure they do not access areas or information for which they are not authorized.”

Thus, the correct action is for the contact person (the engineer’s point of contact) to escort the engineer during the entire maintenance activity.

To scope connections to external systems, the OSC must fully define all external connections — not just general statements about "small use" or "backups." Incomplete or vague descriptions are not sufficient for scoping.

Extract:

“The OSC must identify and define the extent of all external connections that support processing, storage, or transmission of CUI to determine scope.”

Thus, the data provided are not sufficient, because the OSC has not fully defined external connections.

Applicable CMMC/NIST Requirement: AC.L2-3.1.20 — “Verify and control/limit connections to and use of external systems.”

Isolation Not Required (refutes B): The requirement acknowledges that individuals using external systems (e.g., contractors, partners) may need to access organizational systems. In such cases, organizations must ensure those connections do not compromise or harm organizational systems. Therefore, complete isolation from all external systems is not mandated.

Policy Alone is Insufficient (refutes A): Assessment guidance requires mechanisms that technically enforce terms and conditions for use of external systems. A written employee policy by itself does not satisfy the requirement unless paired with technical enforcement (e.g., firewalls, connection rules).

Allow-lists & Firewalls are Best Practice (supports C): Assessment considerations specify that organizations should restrict external systems to an approved list, such as by using firewalls, VPNs, IP restrictions, or certificates. The company’s use of firewalls and a connection allow-list directly addresses this requirement.

Full Control of External Systems Not Required (refutes D): The definition of “external systems” clarifies that organizations typically do not have direct supervision or authority over those systems. The requirement is to limit and control connections to such systems, not to own or fully manage them.

Assessment Objectives for AC.L2-3.1.20 (from NIST SP 800-171A):

Connections to external systems are identified.

Use of external systems is identified.

Connections to external systems are verified.

Use of external systems is verified.

Connections to external systems are controlled/limited.

Use of external systems is controlled/limited.

Firewalls and allow-lists satisfy these verification and limitation requirements, enabling a CCA to mark the practice MET if evidence is present.

References (CCA Official Sources):

NIST SP 800-171 Rev. 2 — §3.1.20 (Discussion)

NIST SP 800-171A — §3.1.20 (Assessment Objectives & Methods)

CMMC Assessment Guide – Level 2, Version 2.13 — AC.L2-3.1.20 (External Connections [CUI Data], including “Potential Assessment Considerations”)

AC.L2-3.1.21 requires that the use of portable storage devices be restricted and explicitly authorized. The described process covers labeling and limiting use but does not include documented management authorization.

Extract:

“Restrict the use of portable storage devices on external systems. Authorization for use must be formally documented and approved by management.”

Thus, the missing element is recorded management authorization.

Verification of physical access controls under PE.L2-3.10.3: Physical Access Control requires evidence from records, logs, and audit trails. Reviewing access logs provides direct confirmation of which badge types grant entry into controlled areas. SOPs or interviews may support the claim but are indirect; testing physical entry is not an approved method for CCAs.

Exact extracts:

“Assessment Methods – Examine: access control policy; physical access control system records; physical access audit logs.”

“Assessment Methods – Interview: staff may be interviewed, but interviews must be supported by documentary evidence.”

“Testing physical entry by assessors is not an authorized assessment method.”

Why the other options are incorrect:

A/B: Interviews or SOP reviews may provide supporting context, but they do not prove operational badge restrictions.

D: Assessors are prohibited from attempting physical bypass or entry tests.

The CMMC practice CM.L2-3.4.8 – Application Allow Listing requires that only specifically authorized software is permitted to execute, while all other software is automatically denied.

Extract:

“Application allow listing requires that only approved, explicitly identified applications are authorized to execute on a system. Reliance on users to notify IT after the fact does not meet the requirement.”

Because the OSC’s process depends on users self-reporting rather than enforcing automated allow listing, it is not properly implemented.

During the planning phase, the Lead Assessor must ensure that evidence gaps are identified and documented before assessment execution. This ensures that the OSC is aware of missing or insufficient evidence and can address them prior to final scoring.

Exact Extracts:

CMMC Assessment Guide: “During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps.”

“The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed.”

Why the other options are not correct:

B: Appeals are addressed post-assessment, not in planning.

C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.

D: FedRAMP equivalency determination is part of scope validation, not general planning.

Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.

Exact extracts:

“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”

“Organizations must identify how these assets are managed by organizational policies.”

“Risk Managed Assets must be included in scope diagrams.”

Why the other options are incorrect:

A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.

C: They are explicitly excluded from practice assessment.

References (CCA documents / Study Guide):

CMMC Assessment Scope – Level 2 Scoping Guide (Risk Managed Assets).

===========

SI.L2-3.14.7 requires the OSC to identify unauthorized use of organizational systems. The OSC meets this requirement by configuring the FedRAMP MODERATE provider’s SIEM to monitor their entire cloud environment where CUI is processed.

Extract:

“Organizations must employ monitoring mechanisms to detect unauthorized use of information systems. Cloud-native environments with FedRAMP authorized monitoring meet the requirement when properly configured and documented.”

Thus, the practice is MET because the SIEM covers the cloud environment.

In CMMC scoping, only assets that process, store, or transmit CUI (CUI Assets) or that can access them (Security Protection, Contractor Risk Managed, Specialized Assets) are in-scope. Since the SCADA system is firewalled off and does not handle CUI, it does not fall under CUI Asset classification and is considered Out-of-Scope.

Exact extracts:

“CUI Assets are those that process, store, or transmit CUI.”

“Assets that do not process, store, or transmit CUI and have no connectivity to CUI Assets are considered Out-of-Scope.”

“Specialized Assets… are only in-scope if they process, store, or transmit CUI.”

Why the other options are incorrect:

A: Inclusion requires processing/storing/transmitting CUI.

C: OSC cannot arbitrarily bring unrelated systems into scope; CUI relevance governs scope.

D: Not all Specialized Assets are in-scope; only those with CUI interaction are.

CMMC Level 2 requires that network access to CUI systems be restricted to authorized users and devices. A guest network without password protection that connects directly into the LAN violates AC.L2-3.1.3 (Access Enforcement) and SC.L2-3.13.16 (Cryptographic protection) because unauthorized users may access OSC systems and CUI indirectly.

Exact Extracts:

AC.L2-3.1.3: “Control the flow of CUI by enforcing access restrictions.”

SC.L2-3.13.16: “Employ cryptographic mechanisms to protect confidentiality of CUI during transmission.”

Assessment Guide: “Guest wireless networks must be segmented and controlled to prevent unauthorized access to internal networks containing CUI.”

Why other options are not correct:

A: Additional assessment is irrelevant — issue is failure to meet requirements.

C/D: False — requirements clearly exist, and the OSC’s current setup fails them.

To verify scanning (such as anti-virus and file integrity functions), the strongest evidence includes system configurations, AV alerts/logs, and interviews with technical staff. A policy document (System Information and Integrity Policy) provides intent but not actual implementation proof, making it the least helpful.

Extract:

“Policies provide documented intent, but assessors must validate actual implementation through configuration reviews, alerts/logs, and personnel interviews.”

Thus, the policy alone is the least useful evidence for confirming scans are actually performed.

A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible; hashed values cannot be converted back into the original password.

Extract from SC.L2-3.13.10:

“Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret.”

Thus, the correct statement is that the transformation makes it impossible to re-convert the hashed password.