Questions for the CMMC-CCA were updated on: Nov 21, 2025
While implementation validation of most CMMC requirements can be done virtually, the CMMC
Assessment Process (CAP) identifies 15 CMMC practice objectives whose implementation must be
observed by the Assessment Team in person and on the premises of the OSC. PE.L2-3.10.2 [c] and [d]
are among these objectives. Both assessment objectives deal with monitoring the OSC’s physical
facilities and support infrastructure. Which assessment procedure or method can a CCA use to
determine how well the OSC has implemented PE.L2-3.10.2 [c] and [d]?
D
Explanation:
Comprehensive and Detailed in Depth
PE.L2-3.10.2 [c] and [d] require monitoring physical facilities and infrastructure (e.g., cameras,
sensors), per NIST SP 800-171 and CMMC Level 2. The CAP lists these among 15 objectives needing
on-site validation. Testing or examining mechanisms like access controls or monitoring systems
(Option D) directly assesses implementation effectiveness, as required by NIST SP 800-171A’s
test/examine methods for physical controls. Option A (interviews) provides insight but not direct
evidence. Option B (Incident Response Plan) is unrelated. Option C (SSP) documents intent, not
execution. Option D is the correct answer per CAP and NIST guidance.
Reference Extract:
CMMC Assessment Process (CAP) v1.0, Section 3.5.2: “PE.L2-3.10.2 [c] and [d] require on-site testing or examination of physical monitoring mechanisms.”
NIST SP 800-171A, PE-3.10.2[c,d]: “Test or examine physical access monitoring mechanisms.”
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf; https://csrc.nist.gov/pubs/sp/800/171/a/final
During a CMMC assessment for an OSC, the Point of Contact (POC) mentioned they conducted a self-
assessment beforehand. The self-assessment was part of the organization’s preparations for the
CMMC assessment by your C3PAO. Which publication offers the best guidance for the self-
assessment procedures OSCs might use for CMMC compliance?
D
Explanation:
Comprehensive and Detailed in Depth
NIST SP 800-171A provides detailed assessment procedures for evaluating NIST SP 800-171 security
requirements, which underpin CMMC Level 2. It offers flexible methods (examine, interview, test) for
self-assessments, making it the best guidance for OSCs preparing for CMMC, as noted in the CAP.
Option A (DFARS 252.204-7012) specifies compliance requirements, not assessment procedures.
Option B (NIST SP 800-171) lists controls, not how to assess them. Option C (NIST SP 800-172)
addresses enhanced requirements beyond Level 2. Option D is the correct answer.
Reference Extract:
NIST SP 800-171A, Introduction: “Provides assessment procedures for NIST SP 800-171, suitable for self-assessments or third-party evaluations.”
CMMC Assessment Process (CAP) v1.0, Section 1.2: “NIST SP 800-171A guides self-assessment preparation.”
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final; https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
You are a CCA who is part of an Assessment Team conducting a CMMC assessment on an aerospace
company. While analyzing their network architecture, you realize that it includes a Demilitarized
Zone (DMZ) to host their public-facing web servers. What is the primary purpose of a DMZ in a
network architecture?
D
Explanation:
Comprehensive and Detailed in Depth
A Demilitarized Zone (DMZ) is a standard network security construct used to enhance the protection
of an organization’s internal network. Per NIST SP 800-171 and CMMC Level 2 guidelines (e.g., SC.L2-
3.13.6), a DMZ logically separates public-facing services, such as web servers, from the internal
network containing sensitive data like CUI. This logical isolation is achieved through firewalls, access
control lists (ACLs), or routing configurations, not physical separation, reducing the risk of external
threats penetrating the internal network.
Option A (physical isolation) misrepresents the DMZ’s logical nature. Option B (physical security)
pertains to facility controls, not network architecture. Option C (unrestricted access) contradicts the
DMZ’s purpose of controlled access. Option D correctly identifies the DMZ’s role in logical isolation,
making it the correct answer.
Reference Extract:
NIST SP 800-171, 3.13.6: “Deny network communications traffic by default and allow by exception… achieved through logical segmentation like a DMZ.”
CMMC AG Level 2, SC.L2-3.13.6: “A DMZ isolates public-facing services from internal networks logically.”
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final; https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
You are a CCA collaborating with an OSC to provide specialized consulting services. The OSC
representative has inquired about strategies to validate the accuracy of their project scope. In
response, you suggest leveraging a data flow diagram. This visual representation could assist in
mapping the flow of information and processes within the project, enabling a comprehensive review
and verification of the scope’s alignment with the client’s requirements. If you were on the
Assessment Team, how would you use the data flow diagram after it is created?
D
Explanation:
Comprehensive and Detailed in Depth
The CMMC Assessment Guide Level 2 uses data flow diagrams to define the assessment scope by
mapping CUI flows and identifying in-scope systems and assets. After creation, the CCA ensures
these align with the network diagram and asset inventory (Option D), per CAP scoping requirements,
to confirm completeness. Option A (vulnerability analysis) is a secondary use, not the primary
scoping purpose. Option B (system architecture baseline) exceeds scoping intent. Option C (policy
comparison) is tangential to scope validation. Option D is the correct answer.
Reference Extract:
CMMC AG Level 2, Section 1.3: “Data flow diagrams ensure all systems and assets handling CUI are reflected in the network diagram and asset inventory.”
Resources: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
The DoD has awarded a defense contractor a contract to deliver next-gen jet engine parts. The order
requires the contractor to submit the blueprints/CAD files within six months, and once they are
validated, the contractor submits a production schedule. The contractor indicates that they should be
able to deliver the components in three years. Which of the following is true about the dates and
schedule of the engine components?
D
Explanation:
Comprehensive and Detailed in Depth
Delivery dates and production schedules are Federal Contract Information (FCI), not CUI, per FAR
52.204-21, which governs basic safeguarding of FCI in DoD contracts. Option A (NIST SP 800-171)
applies to CUI, not FCI. Option B (marking) is CUI-specific, not required for FCI schedules. Option C
(CUI classification) is incorrect—blueprints are CUI, but schedules are FCI. Option D correctly
identifies FAR 52.204-21 as the protection standard for FCI, making it the correct answer.
Reference Extract:
FAR 52.204-21(b): “Safeguard FCI, including contract schedules, not intended for public release.”
Resources: Implied from CMMC context (FAR referenced in DoD contracts).
John, a Certified CMMC Assessor, has been conducting CMMC assessments for several years. During
a recent assessment at a defense contractor, he encountered several issues similar to challenges he
had faced in previous assessments. Influenced by his past experiences, John’s interpretation of the
contractor’s practices was shaped by his preconceptions. Which of the following is TRUE about John’s
interpretation?
B
Explanation:
Comprehensive and Detailed in Depth
The CMMC Assessment Process (CAP) emphasizes that assessor bias, whether stemming from past
experiences or other factors, can compromise the objectivity and integrity of an assessment. John’s
preconceptions, based on prior encounters, may lead him to misinterpret evidence, either overly
critically or leniently, rather than evaluating the OSC’s practices in their current context. This aligns
with CAP’s requirement for assessors to remain impartial and focus on objective evidence specific to
each assessment.
Option A (no impact) contradicts CAP’s guidance on bias management. Option C (experience ensures
unbiased accuracy) overstates experience’s role, ignoring bias risks. Option D (streamlining via
preconceptions) misrepresents bias as beneficial, whereas it risks inconsistency. Option B correctly
identifies the potential impact on assessment integrity, making it the correct answer.
Reference Extract:
CMMC Assessment Process (CAP) v1.0, Section 2.3: “Assessor experiences can affect outcomes… Bias must be managed to maintain assessment integrity.”
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
During the assessment process, a CCA encounters a situation in which the evidence provided by the
OSC raises concerns about its adequacy and alignment with the CMMC practice being assessed.
What priority factors must the CCA have considered to arrive at these concerns?
D
Explanation:
Comprehensive and Detailed in Depth
The CMMC Assessment Process (CAP) emphasizes that evidence sufficiency hinges on whether it
aligns with the intent of the CMMC practice and is the “right” evidence to demonstrate compliance
(e.g., meeting assessment objectives). The CCA’s primary concern is not the format (Option A),
completeness across all systems (Option B), or detail level (Option C), but whether the evidence
directly addresses the practice’s requirements. For example, if assessing AC.L2-3.1.1, the evidence
must show authorized access control, not just exist in a polished form. Option D is the priority factor
per CAP, making it the correct answer.
Reference Extract:
CMMC Assessment Process (CAP) v1.0, Section 4.2: “The CCA must determine if evidence is the right evidence and meets the intent of the practice being assessed.”
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
Risks are inherent in any organization. As a CCA working within an Assessment Team, you are
assessing an OSC’s implementation of RA practices. When evaluating RA.L2-3.11.3[b], you want to
determine whether vulnerabilities are remediated in accordance with risk assessments. What
Assessment Object would you likely examine to make this determination?
A
Explanation:
Comprehensive and Detailed in Depth
RA.L2-3.11.3[b] requires remediation aligned with risk assessments, per NIST SP 800-171A. Patch and
vulnerability management records (Option A) document vulnerabilities, risk assessments,
and remediation actions, making them the key Assessment Object. Option B (tools) and Option C
(results) provide raw data, not remediation evidence. Option D (report) is broader and less specific.
Option A is the correct answer.
Reference Extract:
NIST SP 800-171A, RA-3.11.3[b]: “Examine patch and vulnerability management records for remediation per risk assessments.”
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final
You are a CCA conducting a CMMC assessment for an OSC. While evaluating Risk Assessment (RA)
practices, you check how the OSC has addressed assessment objective [a] of RA.L2-3.11.1,
“Determine if the frequency for assessing risk to organizational operations, organizational assets, and
individuals is defined.” Which Assessment Object would most likely provide the answer to this
requirement?
A
Explanation:
Comprehensive and Detailed in Depth
RA.L2-3.11.1[a] requires defining risk assessment frequency, per NIST SP 800-171A. The Risk
Assessment Policy (Option A) explicitly states this frequency, making it the primary Assessment
Object. Option B (Plan of Actions) addresses remediation, not frequency. Option C (reports) shows
execution, not policy. Option D (scan results) is unrelated. Option A is the correct answer.
Reference Extract:
NIST SP 800-171A, RA-3.11.1[a]: “Examine risk assessment policy for defined frequency.”
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final
You are the CCA working with a client to deliver certified consulting services, and the OSC has asked
how to ensure their scope is accurate. You mention the use of a data flow diagram, which intrigues
the OSC. What would be the first step in constructing the data flow diagram for the OSC?
C
Explanation:
Comprehensive and Detailed in Depth
The CMMC Assessment Guide Level 2 identifies the first step in constructing a data flow diagram as
mapping data flows, including inputs/outputs, systems, and subprocesses (Option C), to define CUI
scope. Option A (DLP) is a control, not a step. Option B (interviews) supports but follows
identification. Option D (network diagram) is separate. Option C is the correct answer.
Reference Extract:
CMMC AG Level 2, Section 1.3: “Begin data flow diagrams by identifying data flows, inputs, outputs, and systems.”
Resources: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
While assessing the scope provided by an OSC, you realize they have two environments with distinct
characteristics: the headquarters space located at 24 Industrial Pkwy and an off-site location at 25
Industrial Pkwy. The headquarters houses several offices where document processing occurs on a
cloud-hosted Microsoft Dynamics 365 GCC environment. At the off-site location, users access designs
from servers hosted at the headquarters through a Virtual Private Network (VPN). These designs are
used first in a 3D printer to develop prototypes and subsequently in a Computer Numerical Control
(CNC) machine for production. All these operations are supported by a high-quality Industrial Control
System (ICS). What type of environment is the off-site facility located at 25 Industrial Pkwy?
C
Explanation:
Comprehensive and Detailed in Depth
The off-site facility at 25 Industrial Pkwy is characterized by production activities involving 3D
printers, CNC machines, and an ICS, which are hallmarks of an industrial environment per CMMC
scoping guidance. These systems support manufacturing and prototyping, distinguishing it from a
backup (Option A) or generic office (Option B) environment. While “off-site” (Option D) describes its
location, “industrial” defines its function, aligning with CMMC’s focus on environment types handling
CUI. Option C is the correct answer.
Reference Extract:
CMMC AG Level 2, Section 1.3: “Industrial environments include production facilities with ICS, 3D printers, or CNC machines processing CUI.”
Resources: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf
The OSC uses an on-premises ERP system that processes and stores CUI data. A Third-Party
Maintenance (TPM) provider has remote access to the ERP system for troubleshooting and
maintenance purposes. The OSC allows the TPM to access the system through a secure remote
access tool with Multi-Factor Authentication (MFA). As a Lead Assessor, what challenges might you
encounter when assessing the OSC’s compliance with CMMC’s practice AC.L2-3.1.12 – Control
Remote Access?
B
Explanation:
Comprehensive and Detailed in Depth
AC.L2-3.1.12 requires monitoring and controlling remote access sessions, per NIST SP 800-171. While
MFA enhances security, the CCA must verify TPM session monitoring (e.g., logs, controls), which may
be challenging due to limited visibility into TPM activities, per CAP. Option A overlooks this evidence
gap. Option C falsely excludes on-premises systems from CMMC scope. Option D is vague and less
specific. Option B is the correct answer, highlighting the key challenge.
Reference Extract:
CMMC Assessment Process (CAP) v1.0, Section 4.3: “Third-party access may limit evidence of monitoring and control.”
NIST SP 800-171A, AC-3.1.12: “Verify monitoring of remote sessions.”
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf; https://csrc.nist.gov/pubs/sp/800/171/a/final
Jane is a CCA leading a CMMC assessment for an OSC. During the evaluation, Jane discovers that the
OSC’s Chief Information Security Officer (CISO) is a former colleague with whom she had a
contentious relationship in the past. Unbeknownst to the OSC, Jane still harbors resentment toward
the CISO due to their previous conflicts. As the assessment progresses, Jane becomes increasingly
critical of the CISO’s security practices, scrutinizing every detail and finding fault despite the OSC’s
best efforts to demonstrate compliance. Given this scenario, how can a Certified CMMC Assessor’s
personal bias impact the assessment of the OSC?
C
Explanation:
Comprehensive and Detailed in Depth
The CMMC Assessment Process (CAP) warns that personal bias, like Jane’s resentment, can skew
evidence interpretation, leading to an unfairly harsh assessment. This negative bias contrasts with
positive bias (Option D), which causes leniency. Jane’s critical stance risks misrepresenting the OSC’s
compliance, undermining assessment integrity. Options A and B deny bias’s documented impact,
making Option C the correct answer per CAP.
Reference Extract:
CMMC Assessment Process (CAP) v1.0, Section 2.3: “Negative bias may result in overly critical evaluations, compromising fairness.”
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf
The use of removable storage media remains a source of data breaches. The CMMC requires control
of the use of removable media on system components. As a CCA, you can use different assessment
methods to determine whether an OSC has met this requirement. What is the best assessment
method to ascertain that MP.L2-3.8.7[a] has been met?
C
Explanation:
Comprehensive and Detailed in Depth
MP.L2-3.8.7[a] requires controlling removable media use, per NIST SP 800-171. Testing mechanisms
(e.g., USB port restrictions) directly verifies implementation effectiveness, as recommended by NIST
SP 800-171A’s test method, making Option C the best approach. Options A and D (examining
policies/documentation) confirm intent, not execution. Option B (interviews) provides insight but
lacks objective validation. Option C is the correct answer.
Reference Extract:
NIST SP 800-171A, MP-3.8.7[a]: “Test mechanisms restricting removable media to verify control implementation.”
Resources: https://csrc.nist.gov/pubs/sp/800/171/a/final
Implementation of and compliance with CMMC practices is not just a one-time effort but a sustained
and habitual practice within the organization. As a CCA, you are part of an Assessment Team
conducting a CMMC assessment for an OSC. As part of the assessment process, the CCA must
confirm that the OSC has persistently implemented the CMMC policies and practices across all levels
of the organization. To validate the persistent implementation of CMMC policies and practices, which
of the following sources of evidence should you primarily focus on?
D
Explanation:
Comprehensive and Detailed in Depth
The CAP requires persistent CMMC implementation, validated holistically via policies, plans,
resources, communications, and training (Option D). Options A, B, and C are partial, whereas Option
D encompasses all elements of a sustained cybersecurity program, per CMMC Level 2 guidance,
making it the correct answer.
Reference Extract:
CMMC Assessment Process (CAP) v1.0, Section 4.1: “Persistent implementation requires evidence from policies, plans, resources, communications, and training.”
Resources: https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf