The team is assessing an OSC that uses the cloud for hosting its online services. Which of the following is NOT important for the assessor to consider?
Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).
Why D is Correct: Encryption must be validated as FIPS 140-2/3 compliant, but it is never "authenticated as a prerequisite to access." Authentication applies to users, devices, and processes, not to the cryptographic modules themselves.
Why A, B, C are Correct Considerations:
Devices must be authorized before connecting.
Processes acting on behalf of a user must be authenticated.
Users must be authorized prior to access. These are all directly mapped to AC and IA domains.
Reference (CCA Official Sources):
NIST SP 800-171 Rev. 2 -- IA and SC requirements
NIST SP 800-171A -- Assessment Objectives for AC/IA wireless and cloud access
CMMC Assessment Guide -- Level 2, Cloud/ESP Considerations
During an assessment, the IT security engineers responsible for password policy for the OSC provided documentation that all passwords are protected using a one-way hashing methodology. As a result, which statement is true?
A one-way hash function is a cryptographic method used to store passwords securely. It is not reversible: hashed values cannot be converted back into the original password, so a password is verified by hashing the submitted value and comparing it to the stored hash.
Extract from SC.L2-3.13.10:
"Store and transmit authentication information in a protected form by using one-way cryptographic transformations (e.g., hashing). One-way transformations cannot be reversed to reveal the original authentication secret."
Thus, the correct statement is that the transformation makes it impossible to convert the hashed password back into the original password.
During an assessment, the OSC was found to have implemented 68% of CMMC practice SC.L2-3.13.11 -- CUI Encryption. However, the OSC Assessment Official cited issues with the vendor for not fully implementing the practice. Nonetheless, it has been listed in their POA&M. Which of the following is true regarding the use of a POA&M during a CMMC assessment?
Comprehensive and Detailed In-Depth Explanation:
SC.L2-3.13.11 (a 5-point practice) requires full implementation for certification. Per the CAP, a POA&M documents deficiencies but is not a substitute for completion (A). Options B, C, and D contradict CMMC rules: neither partial implementation nor a POA&M listing equates to Met status, and 5-point practices are ineligible for POA&M deferral in any case.
Extract from Official CMMC Documentation:
CMMC Assessment Guide Level 2 (v2.0), SC.L2-3.13.11: "Full implementation required."
CAP v5.6.1: "POA&M not a substitute for Met status."
Resources:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are a CCA participating in an assessment exercise for an OSC. You have completed the exercise, and the OSC has hashed the evidence artifacts in accordance with the CMMC Artifact Hashing Tool User Guide. What is the next step for your Assessment Team with respect to the Evidence Artifact Hashes?
Comprehensive and Detailed In-Depth Explanation:
The CAP requires the C3PAO to report the OSC's hash values to CMMC eMASS after hashing. It does not call for encrypting the artifacts (Option A), uploading them to a C3PAO cloud (Option C), or doing nothing (Option D). Option B is correct.
Extract from Official Document (CAP v1.0):
Section 3.5 -- Archive Assessment Artifacts (pg. 36): "Once hashed, the C3PAO shall report the OSC's hash values in the CMMC eMASS System."
CMMC Assessment Process (CAP) v1.0, Section 3.5.
During a CMMC assessment, a CCA took home some documents from the OSC's facility without their knowledge. The documents contained confidential, proprietary information (jet engine designs). After a few days, the OSC realized the documents were missing. Upon realizing the mistake, the CCA returned the document and informed the Lead Assessor. One year later, the information appeared online. The OSC believes the CCA duplicated the information and kept a copy for themselves. Angered by the situation, the OSC sues the CCA for IP theft. Under the CoPC, what action should the CCA take?
Comprehensive and Detailed In-Depth Explanation:
The CoPC requires CCAs to report legal actions, such as lawsuits related to their CMMC role, to the Cyber AB within 30 days, ensuring transparency and accountability. Option A (pleading guilty) is a legal strategy, not a CoPC requirement. Option B (doing nothing) ignores the reporting obligation. Option D (asking the C3PAO) is not mandated by the CoPC. Option C is the required action.
Extract from Official Document (CoPC):
Paragraph 3.6(4) -- Lawful and Ethical Practices (pg. 8): "Report to the Cyber AB within 30 days any legal actions, such as being sued for larceny, related to your role in the CMMC ecosystem."
CMMC Code of Professional Conduct, Paragraph 3.6(4).