CCA Cheat Sheet 2026

The 30 highest-yield CCA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

150 questions
240 min time limit
70.00% to pass
  1. Which CMMC domain deals with identifying and responding to cybersecurity threats? Incident Response (IR)
  2. What evidence types are used in CMMC assessments? Objective evidence from multiple sources
  3. What is required of assessors before performing evaluations? Hold certification and adhere to standards
  4. What standard governs the professional competency expected of CCA assessors in performing their assessments? The CMMC Assessment Guide, Cyber AB standards, and applicable NIST guidance
  5. What does the term 'OSC' refer to in the context of CMMC assessments? Organization Seeking Certification
  6. What is the standard CMMC term for a contractor or subcontractor that undergoes a CMMC assessment to achieve certification? Organization Seeking Certification (OSC)
  7. What is the purpose of CMMC compliance? To protect sensitive government information
  8. Which DoD contract clause requires contractors to implement basic safeguarding requirements specifically for Federal Contract Information (FCI)? FAR 52.204-21
  9. How many cybersecurity practices are required for CMMC Level 1 (Foundational)? 17
  10. What type of sensitive information does CMMC Level 2 specifically aim to protect? Controlled Unclassified Information (CUI)
  11. What type of assessment is required for a CMMC Level 1 certification? Annual self-assessment affirmed by a senior official
  12. How is a practice marked during a CMMC assessment? MET/NOT MET/NOT APPLICABLE
  13. Which CMMC level specifically addresses protecting CUI against Advanced Persistent Threats (APTs)? Level 3
  14. Which factor is most important when determining if a cloud service provider falls within an OSC's CMMC assessment scope? Whether CUI is stored, processed, or transmitted within the CSP environment
  15. Which DFARS clause requires defense contractors to implement NIST SP 800-171 and report cyber incidents? DFARS 252.204-7012
  16. What is the first step a CCA assessor must complete before beginning a CMMC Level 2 assessment? Define the assessment scope and boundary
  17. What obligation does a defense contractor have when it discovers a cyber incident affecting CUI under DFARS 252.204-7012? Report the incident to the DoD within 72 hours of discovery
  18. What action should a CCA take if they believe the lead assessor on their team is making inaccurate or biased findings? Raise the concern through the C3PAO's quality assurance process and escalate if unresolved
  19. Which of the following is NOT one of the three assessment methods defined in the CMMC Assessment Process for evaluating practices? Survey
  20. Which organization conducts government-led assessments for CMMC Level 3 (Expert)? Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  21. Which NIST framework provides the foundational risk management guidance that underpins CMMC requirements? NIST SP 800-171
  22. Which NIST publication serves as the primary framework for CMMC Level 2 (Advanced) requirements? NIST SP 800-171
  23. In CMMC assessment planning, what is a 'Letter of Assessment'? A formal contract between the C3PAO and the OSC authorizing the assessment
  24. Who is responsible for submitting CMMC assessment results? C3PAO
  25. Which CMMC assessment guide provides the authoritative criteria used by C3PAOs and CCAs during assessments? CMMC Assessment Guide Level 2
  26. What does a Plan of Action & Milestones (POA&M) represent in a CMMC assessment context? A documented plan to remediate identified security weaknesses with target completion dates
  27. What is the primary purpose of the CMMC assessment methodology? To ensure consistency in assessments
  28. What are the three primary methods of evidence collection used in CMMC assessments? Examine, interview, and test
  29. Which document serves as the primary planning artifact for a CMMC assessment? Assessment Plan (AP)
  30. Which of the following is a key step in the CMMC assessment process? Planning and executing the assessment
Turn these facts into recall: