Free CMMC-CCA Questions for Cyber AB Certified CMMC Assessor (CCA) CMMC-CCA Exam as PDF & Practice Test Engine

  • Exam Code/Number: CMMC-CCA
  • Exam Name/Title: Certified CMMC Assessor (CCA) Exam
  • Certification Provider: Cyber AB
  • Corresponding Certification: Cyber AB CMMC
  • Exam Questions: 152
  • Updated On: Jul 12, 2026
In completing the assessment of practices in the Access Control (AC) domain, a CCA scored AC.L2-3.1.15:
Privileged Remote Access as NOT MET. The OSC was notified of this deficiency at the end of day two of the assessment. On day five of the assessment, the OSC's Assessment Official contacted the CCA to provide evidence that the deficiencies have been corrected.
What is the CCA's NEXT step?
Correct Answer: A Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
While onsite conducting a CMMC Level 2 assessment at a small architecture firm that handles DoD construction contracts, the client offers a list of personnel for interviews. To answer questions regarding visitor access controls, which personnel would be MOST appropriate for interviewing?
Correct Answer: D Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
An OSC leases several servers and rack space in a FedRAMP MODERATE authorized colocation data center.
Additional servers operate in a LAN room within the company's facility. Both facilities are within the OSC's assessment boundary. In order to assess the physical protection of the environment, the Assessor MUST physically examine the visitor and access controls in place in the:
Correct Answer: A Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
While conducting a Level 2 Assessment, the Assessment Team begins reviewing assessment objects. The team identifies concerns with several of the objects presented. Which artifacts would require the MOST verification?
Correct Answer: B Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
An assessor is trying to determine if an OSC performs scans of their information system and real-time scans of files from external sources as files are downloaded or executed.
Which evidence is LEAST LIKELY to help this assessor?
Correct Answer: B Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
The OSC has not implemented cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, citing the use of alternative physical safeguards.
Which of the following is NOT an alternative physical safeguard in this scenario?
Correct Answer: C Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
While assessing a company, the CCA is determining whether the company controls and manages connections between its corporate network and all external networks. The company has: (1) a strict employee policy prohibiting personal Internet use and personal email on company computers, and (2) firewalls plus a connection allow-list so only authorized external networks can connect to the company network. Are these safeguards sufficient to meet the applicable CMMC requirement?
Correct Answer: D Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
During the assessment of a company, the CCA learns that 50% of employees work from home using remote access. After reviewing the Access Control policy and audit logs, the CCA is unsure how the system ensures only employees with correct privileges can access CUI. The CCA decides a Test of functionality is required.
Which question is of the LEAST concern to the CCA?
Correct Answer: D Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
Does CMMC Level 2 require that a Cloud Service Provider (CSP) hold a FedRAMP HIGH authorization hosted in a government community cloud (GCC)?
Correct Answer: D Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
The Lead Assessor and OSC Assessment Official determined the resources, cost, and schedule for an upcoming assessment. The Lead Assessor noted the OSC Assessment Official's preferences regarding the limits of the method and the consequent resource, cost, and schedule constraints to arrive at an optimal Assessment Plan. In this situation, who has responsibility for signing the planning agreement?
Correct Answer: B Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
An OSC uses an External Service Provider (ESP) to support part of its CUI processing scope. The OSC has selected an accredited ESP with FedRAMP MODERATE authorization. The OSC has a contract requiring the ESP to meet its security requirements. The ESP has provided a Shared Responsibility Matrix (SRM) consistent with the contract terms.
When assessing these assets, what should the assessor MOST carefully review?
Correct Answer: D Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
A company receives data that they suspect is CUI, but it is not marked as such. What is an acceptable way for the company to handle unmarked potential CUI?
Correct Answer: C Vote an answer
Explanation: Only visible for ExamDiscuss members. You can sign-up / login (it's free).
0
0
0
10