CMMC-CCA Cyber AB Certified CMMC Assessor (CCA) Exam Free Practice Exam Questions (2025 Updated)

Both the CSP’s cloud environment and the OSC’s on-premises network/workstations are in-scope because CUI is stored in the cloud but also accessed and transmitted by OSC assets. The cloud vendor’s internal employee network is not in-scope because only the customer-facing FedRAMP environment is within the assessment boundary.

Exact extracts:

“CUI Assets include any OSC asset that stores, processes, or transmits CUI.”

“External service providers are in-scope if their services process, store, or transmit CUI on behalf of the OSC.”

“The OSC’s endpoints and local infrastructure that access CUI are also in-scope.”

Why the other options are incorrect:

A: Cloud environment only is incomplete; OSC workstations also access and transmit CUI.

B: OSC network only ignores the fact that CUI is stored in the cloud.

D: The cloud vendor’s internal employee network is not in-scope.

The CAP requires that prior to the assessment, the Lead Assessor submit documentation confirming that Assessment Team members have no conflicts of interest and meet qualification requirements. This is recorded through the Absence of Conflict of Interest and Confirmation Statement.

Extract:

“Before assessment initiation, the C3PAO must provide confirmation to the Cyber-AB that all Assessment Team members have declared absence of conflict of interest and are confirmed to participate.”

Thus, the required submission is the Absence of Conflict of Interest and Confirmation Statement.

The CMMC Assessment Process (CAP) provides explicit guidance for readiness reviews. If the Lead Assessor determines that the OSC is not prepared, the available options are:

Replan the assessment (adjust scope, timeline, or requirements), or

Reschedule the assessment (move the engagement to a later date).

Extract:

“Following the readiness review, if the OSC is determined not to be ready, the Lead Assessor may recommend that the assessment be replanned or rescheduled.”

Thus, the correct answer is B.

Applicable Requirement (CAP – Planning Phase): Both the OSC (Client) and the CCA are responsible for protecting sensitive evidence and CUI during assessment. This includes documenting risks and mitigations for how such information is handled, especially during virtual collection.

Why D is Correct: CAP requires assessors and OSCs to jointly establish processes ensuring safeguarding of CUI evidence. Both parties must record and agree to risks and mitigations as part of the assessment plan.

Why Other Options Are Insufficient:

A & B: Responsibility is shared, not one-sided.

C: Recording by the assessor alone does not fulfill CAP’s joint responsibility requirement.

References (CCA Official Sources):

CMMC Assessment Process (CAP) v1.0 — Planning Phase (Handling CUI and Sensitive Evidence)

Code of Professional Conduct — Assessor responsibility for safeguarding CUI

===========

Malicious code protection is typically implemented and managed by system or network administrators, who configure, deploy, and monitor anti-malware solutions. Interviews with these administrators provide direct evidence of control implementation.

Exact Extracts:

SI.L2-3.14.2: “Provide protection from malicious code at appropriate locations within organizational information systems.”

CMMC Assessment Guide: “Interviews should be conducted with administrators responsible for deployment and monitoring of malicious code protection.”

NIST SP 800-171A (SI.L2-3.14.2): “Interview system or network administrators to determine how malicious code protection is implemented.”

Why other options are not correct:

A (developers): Developers do not typically manage system-wide malicious code protections.

C (audit personnel): They review logs, not deploy/manage protections.

D (security advisory staff): They track alerts but don’t operate malicious code defenses.

The next step after configuring audit logs and ensuring event content is correct is to periodically review and update the logged events to maintain alignment with evolving security requirements and risks.

Extract from AU.L2-3.3.2 & AU.L2-3.3.7:

“Organizations must review and update audit log events periodically to ensure they continue to support accountability and monitoring objectives.”

While centralized collection and retention are important, the next required objective per progression is review and update of logged events.

The CMMC Scoping Guidance allows assets to be classified as Out-of-Scope if:

They are physically/logically isolated, and

They cannot process, store, or transmit CUI.

Extract:

“Out-of-Scope assets are those that cannot process, store, or transmit CUI and are physically or logically separated from CUI assets.”

The VESDA system only monitors environmental conditions and does not interact with CUI. Its segregation supports an out-of-scope classification.

Logical separation refers to the use of technical and access control mechanisms (e.g., role-based access, IAM tools, VLANs) to enforce boundaries between different users, roles, or networks. In contrast, physical separation relies on distinct hardware or physical barriers. Role-based access control within an IAM solution is a textbook example of logical separation, and it is specifically called out in the CMMC/NIST context.

Exact extracts:

“Logical separation may be achieved through the use of virtualization, encryption, or access control mechanisms such as role-based access controls.”

“Assessment Objectives … Determine if: • separation of users and information types is enforced by physical or logical means.”

“Logical separation is implemented using technical solutions such as access control lists, firewalls configured by policy, or identity and access management solutions.”

Why the other options are incorrect:

A (Data loss alerting): This is monitoring, not separation.

B (Badge access): This is a physical access control, not logical separation.

D (Proxy-configured firewall): This is boundary protection/traffic control; depending on setup it may be physical or logical, but the scenario points to role-based IAM as the logical example.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, SC.L2-3.13.6 “Network Separation.”

NIST SP 800-171 Rev. 2, 3.13.6.

The CAP defines evidence evaluation requirements. Evidence must not only exist but must also be:

Complete (addresses all assessment objectives for the practice)

Validated (verified by the assessor)

Mapped to the practice requirements (traceable to objectives)

Extract:

“The assessor must confirm that the evidence is complete, validated, and mapped directly to the practice requirements in order to conclude that a practice is MET.”

Printers are a concern because they can produce hard copies of CUI, which must be safeguarded like digital CUI. CUI handling requirements extend to both electronic and printed media.

Extract from MP.L2-3.8.4:

“Protect the confidentiality of CUI at rest and in use, including hardcopy outputs such as printed material.”

Thus, the concern is that printed CUI must be protected, making printers relevant to maintenance and safeguarding practices.

The CMMC Assessment Process (CAP) specifies that when disputes cannot be resolved by the Lead Assessor, they must be elevated to the C3PAO Official, who has authority to make the final decision.

Extract:

“Unresolved disputes between the OSC and the Assessment Team must be elevated to the C3PAO Official for final resolution.”

Therefore, the C3PAO Official is the final arbiter in such disputes.

The Examine method is used when the assessor reviews documents, policies, procedures, or system artifacts to validate practices.

Extract:

“Examine: Review, inspect, or analyze assessment objects such as documents, records, and policies to determine compliance with practice requirements.”

Reviewing the incident response plan falls directly under Examine.

CMMC Level 2 requires the ability to control and monitor physical access to systems and facilities containing CUI. The best practice is a badge-based access control system, which provides individual accountability, access tracking, and historical audit records. Keys and keypads do not provide individual traceability. Cameras alone do not prevent unauthorized entry.

Exact Extracts (official CMMC Assessor/Study documents):

PE.L2-3.10.1: “Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.”

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

PE.L2-3.10.5: “Access records must be maintained.”

CMMC Assessment Guide clarifies that acceptable methods include badging systems with individual accountability for traceability.

Why the other options are not correct:

A (keys): Keys do not provide audit logs or individual accountability.

B (cameras): Monitoring alone is insufficient; prevention and control are required.

D (keypads): Shared codes do not provide unique traceability or access history per user.

The CMMC Assessment Process (CAP) requires that results be reported at the OSC level. While findings may be gathered from enclaves or units, the final reporting must be aggregated and scored across the entire OSC assessment boundary.

Extract:

“Final recommended assessment results must be consolidated and reported at the OSC level, regardless of assessment locations or enclaves.”

Thus, the Lead Assessor must ensure aggregation to the OSC level.

Acceptable physical safeguards in lieu of encryption (in limited cases) include trusted couriers, locked containers, and monitored physical transport. “Tamper protection technologies” are not recognized as an acceptable alternative safeguard for protecting CUI in transit.

Extract:

“Physical safeguards such as trusted couriers, locked containers, and controlled site monitoring may substitute for cryptographic protections when encryption is not feasible. Other measures not defined (e.g., tamper protection) do not satisfy the requirement.”

Thus, D is NOT an acceptable safeguard.

The Physical Protection (PE) practices require that unmanned access points to areas containing CUI be restricted with technical controls that only allow entry to authorized personnel. While cameras, signage, and turnstiles support security, they do not actually prevent access.

Extract from PE.L2-3.10.1:

“Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.”

The strongest measure listed is one-way gates requiring credentials or intercom authorization, which directly enforces access control.

The Physical and Environmental Protection (PE) Policy is the governing artifact that describes how physical access to facilities and environments is managed and controlled. While the SSP provides a system-wide overview, and access lists provide details of who is authorized, it is the PE Policy that explicitly documents the physical access control measures required under CMMC.

Extract from PE.L2-3.10.1:

“Organizations must develop, document, and disseminate physical and environmental protection policies that govern how access to buildings and systems containing CUI is limited to authorized individuals.”

CMMC Level 2 control AC.L2-3.1.12: Remote Access requires that all methods of remote access be authorized, monitored, and controlled to protect CUI when accessed from external locations. The assessment guide specifies that assessors must verify that remote sessions are identified, permitted, and controlled. There is no requirement for remote access sessions to be “validated” — this is not part of the assessment objectives for this practice.

Exact extracts:

“Assessment Objectives … Determine if:• remote access methods are identified;• remote access is authorized prior to allowing such connections;• remote access sessions are controlled; and• cryptographic mechanisms are employed to protect confidentiality and integrity of remote access sessions.”

“Remote access to organizational systems is accomplished through the use of managed access control points. A detailed record of all remote access sessions is maintained, and the sessions are subject to monitoring and control.”

Why the other options are required:

Identified (B): OSCs must identify all remote access methods in use.

Permitted (C): Remote access must be explicitly authorized before it is allowed.

Controlled (D): Sessions must be controlled (e.g., via encryption, multifactor authentication, and monitoring).

Validated (A): Not a required assessment objective; it is a distractor option.

References (CCA documents / Study Guide):

CMMC Assessment Guide – Level 2, Version 2.13, AC.L2-3.1.12 “Remote Access” (Assessment Objectives; Discussion; Potential Assessment Methods and Objects).

NIST SP 800-171 Rev. 2, 3.1.12 (remote access).

The assessor must first confirm facts with the OSC before making a determination. It is possible the technician has been granted temporary authorized access, in which case the situation may not be a violation. Therefore, the correct next step is to ask the OSC about the technician’s authorization.

Exact Extracts:

PE.L2-3.10.3: “Escort visitors and monitor visitor activity.”

Assessment Guide: “Assessors should confirm with the OSC whether individuals observed are classified as visitors or authorized personnel before determining compliance.”

“Findings must be validated with OSC-provided evidence or clarification.”

Why other options are not correct:

A: Cannot mark as MET without verifying the technician’s status.

B: Inappropriate — assessors do not direct OSC personnel or vendors.

C: Cannot mark as NOT MET without first confirming authorization.