CCA Cheat Sheet 2026
The 30 highest-yield CCA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
150 questions
240 min time limit
70.00% to pass
- Which CMMC domain deals with identifying and responding to cybersecurity threats? → Incident Response (IR)
- What evidence types are used in CMMC assessments? → Objective evidence from multiple sources
- What is required of assessors before performing evaluations? → Hold certification and adhere to standards
- What standard governs the professional competency expected of CCA assessors in performing their assessments? → The CMMC Assessment Guide, Cyber AB standards, and applicable NIST guidance
- What does the term 'OSC' refer to in the context of CMMC assessments? → Organization Seeking Certification
- What is the standard CMMC term for a contractor or subcontractor that undergoes a CMMC assessment to achieve certification? → Organization Seeking Certification (OSC)
- What is the purpose of CMMC compliance? → To protect sensitive government information
- Which DoD contract clause requires contractors to implement basic safeguarding requirements specifically for Federal Contract Information (FCI)? → FAR 52.204-21
- How many cybersecurity practices are required for CMMC Level 1 (Foundational)? → 17
- What type of sensitive information does CMMC Level 2 specifically aim to protect? → Controlled Unclassified Information (CUI)
- What type of assessment is required for a CMMC Level 1 certification? → Annual self-assessment affirmed by a senior official
- How is a practice marked during a CMMC assessment? → MET/NOT MET/NOT APPLICABLE
- Which CMMC level specifically addresses protecting CUI against Advanced Persistent Threats (APTs)? → Level 3
- Which factor is most important when determining if a cloud service provider falls within an OSC's CMMC assessment scope? → Whether CUI is stored, processed, or transmitted within the CSP environment
- Which DFARS clause requires defense contractors to implement NIST SP 800-171 and report cyber incidents? → DFARS 252.204-7012
- What is the first step a CCA assessor must complete before beginning a CMMC Level 2 assessment? → Define the assessment scope and boundary
- What obligation does a defense contractor have when it discovers a cyber incident affecting CUI under DFARS 252.204-7012? → Report the incident to the DoD within 72 hours of discovery
- What action should a CCA take if they believe the lead assessor on their team is making inaccurate or biased findings? → Raise the concern through the C3PAO's quality assurance process and escalate if unresolved
- Which of the following is NOT one of the three assessment methods defined in the CMMC Assessment Process for evaluating practices? → Survey
- Which organization conducts government-led assessments for CMMC Level 3 (Expert)? → Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
- Which NIST framework provides the foundational risk management guidance that underpins CMMC requirements? → NIST SP 800-171
- Which NIST publication serves as the primary framework for CMMC Level 2 (Advanced) requirements? → NIST SP 800-171
- In CMMC assessment planning, what is a 'Letter of Assessment'? → A formal contract between the C3PAO and the OSC authorizing the assessment
- Who is responsible for submitting CMMC assessment results? → C3PAO
- Which CMMC assessment guide provides the authoritative criteria used by C3PAOs and CCAs during assessments? → CMMC Assessment Guide Level 2
- What does a Plan of Action & Milestones (POA&M) represent in a CMMC assessment context? → A documented plan to remediate identified security weaknesses with target completion dates
- What is the primary purpose of the CMMC assessment methodology? → To ensure consistency in assessments
- What are the three primary methods of evidence collection used in CMMC assessments? → Examine, interview, and test
- Which document serves as the primary planning artifact for a CMMC assessment? → Assessment Plan (AP)
- Which of the following is a key step in the CMMC assessment process? → Planning and executing the assessment
Turn these facts into recall: