Free practice test · no sign-up
Cyber AB CCA: Free Certified CMMC Assessor practice test
10 real Cyber AB CCA practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 500 questions whenever you’re ready. The Cyber AB CCA passing score is 500 / 800.
Answer key
All 10 Cyber AB CCA questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free Cyber AB CCA test.
Q1. A government contractor permits employees to use mobile devices—such as tablets and smartphones—to handle CUI-related design files. Your review of AC.L2-3.1.18 confirms the contractor keeps a thorough log of all mobile devices connecting to its systems. AC.L2-3.1.19 mandates encryption of CUI on mobile platforms; the contractor currently applies full-device encryption. Which of the following best explains why you might recommend container-based encryption instead of full-device encryption?
Correct answer: C. Container-based encryption gives organizations granular control over sensitive data, reduces performance overhead by encrypting selectively, and isolates work data from personal data in BYOD scenarios.
Containerization restricts encryption to specific apps and their associated data rather than the entire device. This targeted approach enables fine-grained control over which data is protected and who may access it—for example, a work email app can be secured without touching personal photos or banking apps. Full-device encryption can degrade performance during boot and decryption cycles. Encrypting only the container minimizes that impact. In BYOD environments, containerization lets organizations protect work data without requiring access to employees' personal information, creating a clear boundary between professional and personal content.
Q2. A government contractor permits employees to use mobile devices to handle CUI. Your review of AC.L2-3.1.18 shows the contractor maintains detailed records of all mobile devices accessing its systems. AC.L2-3.1.19 requires CUI on mobile devices to be encrypted; the contractor uses full-device encryption. What is the fundamental requirement that any encryption solution used to protect CUI on mobile devices must satisfy?
Correct answer: C. The cryptographic algorithms and modules must be FIPS-validated.
The CMMC Assessment Guide specifies that when cryptography is required to protect CUI, it must use FIPS-validated cryptographic modules—meaning the module has been independently tested and validated to meet FIPS 140-2 or FIPS 140-3 requirements. Simply choosing an approved algorithm is insufficient; the entire module (hardware and/or software) that implements the algorithm must be separately validated under the FIPS 140 program. The other options, while potentially desirable for usability, are not the key compliance requirement for protecting CUI on mobile devices.
Q3. A government contractor permits employees to use mobile devices to handle CUI. Your review of AC.L2-3.1.18 confirms the contractor maintains thorough records of device connections. AC.L2-3.1.19 requires CUI encryption on mobile platforms; the contractor relies on full-device encryption. When assessing AC.L2-3.1.19, which personnel would provide the most useful insight into how well the contractor has implemented this control?
Correct answer: D. Personnel with access control responsibilities for mobile devices
Interviewing professionals who manage mobile device access control—such as information security staff, network and systems administrators, and those responsible for mobile device management—provides the most relevant insight into how the contractor has implemented CUI encryption on mobile devices. These individuals can speak directly to technical configuration, policy enforcement, and operational realities of the control.
Q4. You have been assigned to assess a contractor that manufactures Advanced Combat Helmets for the US military. The contractor must pass a mandatory CMMC assessment to retain the contract. As part of framing the assessment, you need to determine the OSC's operational context, including its location model. Which of the following location factors would you NOT typically consider when assessing this contractor's environment?
Correct answer: D. Whether the contractor has automated its internal workflows
When framing a CMMC assessment, location considerations focus on the contractor's physical and logical footprint. A fully virtualized model, a hybrid traditional/distributed model, and a distributed model all describe valid location-related configurations an assessor must account for. Whether the contractor has automated its workflows, however, is an operational consideration—not a location factor. It has no bearing on determining the physical or logical scope of the assessment environment.
Q5. A contractor has expanded operations to a second state but chose not to deploy separate infrastructure at the new site. Instead, employees at the new location use remote access to connect to systems at headquarters. You have been called to assess the confidentiality protections for remotely accessed information. What are the assessment objectives for AC.L2-3.1.13 (Remote Access Confidentiality)?
Correct answer: C. To confirm that cryptographic mechanisms to protect the confidentiality of remote access sessions are both identified and implemented
AC.L2-3.1.13 (Remote Access Confidentiality) has two assessment objectives: (a) determining whether cryptographic mechanisms to protect the confidentiality of remote access sessions are identified, and (b) determining whether those cryptographic mechanisms are implemented. Both must be addressed for the practice to be considered met.
Q6. A contractor recently transitioned to a remote workforce. Employees access CUI through encrypted VPN tunnels into virtual desktop infrastructure. The environment includes servers, workstations, laptops, smartphones, and tablets. During assessment, you discover some employees also use SSH to access cloud instances and on-premises servers containing CUI. Why should the contractor's use of SSH to protect CUI in transit concern you?
Correct answer: D. SSH encrypts only specific application sessions between client and server—it does not encrypt all traffic through a tunnel the way a VPN does.
Unlike a VPN, which encrypts all traffic flowing through the tunnel, SSH secures only the specific application session or connection that is configured to use it. Other traffic on the same system or network path is not protected by SSH. This limitation could expose CUI if other data paths are not independently secured. If SSH is used without additional protective controls, the contractor may not fully comply with CMMC AC.L2-3.1.12, which requires protecting CUI during transmission.
Q7. A contractor recently transitioned to a remote workforce. Employees access CUI through encrypted VPN tunnels into virtual desktop infrastructure. The environment includes servers, workstations, laptops, smartphones, and tablets. During assessment, you find some employees also use SSH to access cloud instances and servers containing CUI. Which approach would be MOST effective in ensuring that only authorized users and devices can connect to the remote access system?
Correct answer: C. Requiring strong authentication mechanisms—such as MFA or certificate-based authentication—at the start of every remote session
CMMC practice AC.L2-3.1.12 requires that remote access sessions be controlled and monitored to ensure only authorized users and devices connect. Initializing all remote sessions with robust authentication—such as multi-factor authentication, certificate-based authentication, or device authentication—directly verifies authorization and is the most effective control for this purpose. Limiting simultaneous connections does not verify who is connecting. A next-generation firewall focuses on external threats rather than user authorization. A strong password policy alone is less effective than multi-factor authentication at confirming both user identity and device trustworthiness.
Q8. You are conducting a triennial CMMC review for a contractor that recently added new network nodes and servers. To evaluate AU.L2-3.3.7 (Authoritative Time Source), you trigger documented events that generate audit logs on both the new and existing systems. Reviewing the logs, you observe timestamp discrepancies between the old and new nodes. Further investigation reveals the contractor has a central NTP server, but the newly deployed systems are configured to synchronize only when their clock differs from the NTP source by more than 30 seconds. How would you assess the contractor's implementation of AU.L2-3.3.7?
Correct answer: A. Not Met
AU.L2-3.3.7 requires internal system clocks used to generate audit record timestamps to be compared to and synchronized with an authoritative time source. While the contractor has deployed a central NTP server, the new systems' 30-second synchronization threshold means they can remain out of sync with the authoritative source for up to 30 seconds at a time. This inconsistency produces non-uniform timestamps across systems, which does not satisfy the practice's requirement for consistent synchronization.
Q9. You are conducting a triennial CMMC review for a contractor that recently added new nodes and servers. To evaluate AU.L2-3.3.7, you trigger documented events generating audit logs across new and existing systems. Timestamp inconsistencies appear between old and new nodes. Investigation shows the central NTP server is in place, but new systems only synchronize when the time difference exceeds 30 seconds. Based on this finding, how many points would you assign for the contractor's implementation of AU.L2-3.3.7?
Correct answer: C. -1
AU.L2-3.3.7 is a single-point practice valued at 1 point under the DoD Assessment Scoring Methodology. Because the contractor has not fully implemented the practice—the new systems do not synchronize consistently with the authoritative time source—the practice is scored as Not Met, resulting in a deduction of 1 point (represented as -1).
Q10. You are conducting a triennial CMMC review for a contractor that recently added new nodes and servers. You trigger documented events to generate audit logs across old and new systems for the AU.L2-3.3.7 evaluation. You observe timestamp inconsistencies. The contractor has a central NTP server, but new systems only synchronize when their clock differs from the NTP server by more than 30 seconds. Why is time synchronization with the NTP server necessary, and what synchronization interval is considered best practice?
Correct answer: D. To ensure all systems record audit events using a uniform time reference, with a recommended synchronization accuracy of within 1 second
AU.L2-3.3.7 requires synchronization with an authoritative time source to generate consistent timestamps across audit records. The Discussion section notes this requirement 'provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.' While the practice does not prescribe a specific synchronization interval, industry best practice calls for audit log timestamp accuracy within 1 second of the authoritative time source.
Exam facts and objectives sourced from the official Cyber AB certification page. Last reviewed June 2026.
Ready for the full Cyber AB CCA bank? Start free.
500 questions, timed mock exams, and missed-question review — 30 free questions, no card.