A Lead Assessor is preparing to conduct a Level 2 Assessment for an OSC. During the planning phase, the Lead Assessor and OSC have:
Developed the evidence collection approach;
Identified the team members, resources, schedules, and logistics;
Identified and managed conflicts of interest;
Gained access to the OSC's relevant documentation.
Based on the information provided, which would be an additional element to be discussed during the planning phase of the assessment?
During the planning phase, the Lead Assessor and OSC also confirm that the available evidence is sufficient and identify and document any evidence gaps before the assessment begins. This gives the OSC notice of missing or insufficient evidence so it can be addressed before scoring is finalized.
Exact Extracts:
CMMC Assessment Guide: "During planning, assessors and OSC should confirm sufficiency of evidence and identify/document any evidence gaps."
"The planning phase ensures readiness to proceed with the assessment, including identifying gaps and establishing how they will be addressed."
Why the other options are not correct:
B: Appeals are addressed post-assessment, not in planning.
C: Assessment costs are agreed upon contractually, not part of the assessment planning phase.
D: FedRAMP equivalency determination is part of scope validation, not general planning.
CMMC Assessment Guide -- Level 2, Version 2.13: Assessment planning activities (pp. 5--8).
The assessor begins the assessment by meeting with the client's stakeholders and learns that multiple subsidiaries exist. In order to perform a complete assessment, the assessor must review documents from multiple entities as multiple, corresponding Commercial and Government Entity (CAGE) codes were provided. Which of the following entities may receive certification as a result of this?
Certification can only be granted to the legal entity or entities that own the CAGE codes under assessment. When multiple CAGE codes are in scope (for example headquarters, a host unit, and supporting units) and each was assessed, every entity with a corresponding in-scope CAGE code can be certified.
Exact Extracts:
CMMC Assessment Guide: "The CMMC certificate is issued to the legal entity (as identified by the CAGE code(s)) that was assessed."
"When multiple CAGE codes are presented, all in-scope entities must provide documentation and may be certified if assessed."
"Certification applies to the OSC legal entity (or entities) within scope, including HQ, host, and supporting units, as applicable."
Why other options are not correct:
A/B/C: Each limits certification to the HQ alone or to a subset of the entities, but every entity whose CAGE code was provided and is in scope is eligible for certification.
CMMC Assessment Guide -- Level 2, Version 2.13: Certification applicability to CAGE codes and organizational entities (pp. 3--5).
While conducting a CMMC Level 2 gap analysis with a large defense contractor, a CMMC RP confirms that the organization uses a RADIUS server for authentication. What additional method could be used to comply with AC.L2-3.1.17: Wireless Access Protection?
Applicable Requirement: AC.L2-3.1.17 (Wireless Access Protection): "Protect wireless access using authentication and encryption." (The related requirement AC.L2-3.1.16, Wireless Access Authorization, is "Authorize wireless access prior to allowing such connections.")
Correct Interpretation: The requirement calls for both authentication and encryption of wireless access; WPA2-Enterprise and WPA3-Enterprise provide both.
Why C is Correct: WPA2-Enterprise authenticates each client with IEEE 802.1X/EAP, using a RADIUS server as the authentication backend, and derives per-session encryption keys (AES-CCMP) from that exchange. The OSC's existing RADIUS server therefore becomes the 802.1X authentication server for the wireless network, which satisfies both halves of AC.L2-3.1.17. A pre-shared key (WPA2-Personal) would encrypt the link but would not use RADIUS or authenticate individual users and devices.
Why Other Options Are Insufficient:
A (Layer 3 switch): Routes traffic between wired subnets; it neither authenticates wireless clients nor encrypts the wireless link.
B (IDS): Detects and alerts on suspicious traffic but does not authenticate clients or prevent unauthorized wireless connections.
D (Frequency-hopping): A physical-layer spread-spectrum transmission technique, not an authentication or encryption mechanism; it provides no access control and does not meet the requirement.
Reference (CCA Official Sources):
NIST SP 800-171 Rev. 2 --- AC.L2-3.1.17
NIST SP 800-171A --- AC.L2-3.1.17 Assessment Objectives
CMMC Assessment Guide -- Level 2, AC.L2-3.1.17
===========
The team is assessing an OSC that uses the cloud for hosting its online services. Which of the following is NOT important for the assessor to consider?
Applicable Requirement: SC.L2-3.13.8 (Cryptographic protection of communications) and IA.L2-3.5.x (Identification and authentication).
Why D is Correct: Cryptographic modules are validated (FIPS 140-2/140-3), not "authenticated as a prerequisite to access." Authentication applies to users, devices, and processes acting on behalf of users, not to the encryption itself.
Why A, B, C are Correct Considerations:
Devices must be authorized before connecting.
Processes acting on behalf of a user must be authenticated.
Users must be authorized prior to access.
All three map directly to the AC and IA domains.
Reference (CCA Official Sources):
NIST SP 800-171 Rev. 2 --- IA and SC requirements
NIST SP 800-171A --- Assessment Objectives for the AC and IA requirements
CMMC Assessment Guide -- Level 2, Cloud/ESP Considerations
===========
During an assessment, the IT security engineers responsible for password policy for the OSC provided documentation that all passwords are protected using a one-way hashing methodology. As a result, which statement is true?
A one-way hash function is a cryptographic transformation used to store passwords securely. It is not reversible: the stored hash cannot be converted back into the original password, so a login is checked by hashing the submitted password again and comparing the results.
Extract from IA.L2-3.5.10 (Cryptographically-Protected Passwords):
"Store and transmit only cryptographically-protected passwords." The discussion for this requirement explains that cryptographically protected passwords use salted one-way cryptographic hashes, which cannot be reversed to reveal the original authentication secret.
Thus, the correct statement is that the transformation cannot be reversed to recover the hashed password. Note for assessors: one-way does not mean unguessable. An attacker who obtains the stored hashes can still test candidate passwords offline, so the evidence should show a per-user salt and a deliberately slow, iterated hash (for example PBKDF2, bcrypt, scrypt or Argon2) rather than a bare MD5 or SHA-1 digest.
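To illustrate what the OSC's statement means in practice, here is an added example in Python (it is not from the assessment guide or from the OSC's documentation): a salted PBKDF2 one-way transformation, forward-only verification, and the offline guessing that remains possible against a stolen record. The algorithm, iteration count, record format and sample password are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Parameters are assumptions for this example, not values from the assessment guide:
# PBKDF2-HMAC-SHA256 with a high iteration count and a 16-byte random salt per user.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Apply the one-way transformation and return a self-describing record:
    algorithm$iterations$salt$digest, with salt and digest base64-encoded.
    Only this record is stored; the password itself is discarded."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by running the transformation forward again with the
    stored salt and iteration count, then comparing digests in constant time.
    Nothing here decodes the stored digest back into a password."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                           # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str,
                                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Two users who pick the same password must not end up with the same stored
    value; the per-user salt guarantees that and defeats precomputed hash tables."""
    first = hash_password(password, iterations=iterations)
    second = hash_password(password, iterations=iterations)
    return first != second


def offline_guess(record: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding a stolen record can still do: recompute the hash
    for each guess. One-way means irreversible, not unguessable, which is why a
    slow iterated hash and a strong password policy still matter."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample credential; not taken from any real system.
    record = hash_password("Correct-Horse-Battery-Staple")
    print(record)
    print(verify_password("Correct-Horse-Battery-Staple", record))  # True
    print(verify_password("wrong-password", record))                # False
    print(same_password_different_records("Spring2024!"))           # True
    print(offline_guess(record, ["password", "letmein"]))            # None
```

The record format makes the stored value self-describing, so an assessor reading a sample from the credential store can confirm the algorithm, the iteration count and that each entry carries its own salt without ever needing, or being able, to recover a password from it.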