Department of Defense (DoD) Cyber Awareness Challenge Exam 2026 | Latest Verified Questions and Detailed Answers
OVERVIEW DESCRIPTION:
This comprehensive set of multiple-choice questions is designed for the Department of
Defense (DoD) Cyber Awareness Challenge Exam 2026. The questions systematically cover
the critical domains of cybersecurity and information protection, including the
identification and safeguarding of Controlled Unclassified Information (CUI) and Personally
Identifiable Information (PII), the stringent handling requirements for Sensitive
Compartmented Information (SCI), and the tactics used in phishing, social engineering, and
business email compromise (BEC) attacks. Additionally, the material addresses operational
security (OPSEC) risks associated with social networking and online identity, as well as
best practices for physical security, remote work, and the secure use of mobile devices and
removable media. Each question is paired with a concise expert rationale to reinforce the
principles of risk management, accountability, and the shared responsibility of maintaining
a resilient defense posture against evolving cyber threats.
QUESTION 1
What is the primary risk associated with posting your mother's maiden name on a social
networking site?
A) It violates platform terms of service.
B) It can be used by adversaries to answer security questions and gain unauthorized
access to accounts.
C) It is a form of Controlled Unclassified Information (CUI).
D) It helps establish your online identity more authentically.
CORRECT ANSWER: B
EXPERT RATIONALE: A mother's maiden name is a common security-question answer; publicly
disclosing it hands adversaries a key piece of personally identifiable information (PII) that
malicious actors can use for account takeover or identity theft.
QUESTION 2
You receive an email that appears to be from your command's senior leader, requesting
an urgent transfer of funds to a new vendor account. What is this an example of?
A) Spear phishing
B) Vishing
C) Business Email Compromise (BEC)
D) Smishing
CORRECT ANSWER: C
EXPERT RATIONALE: Business Email Compromise (BEC) specifically involves
impersonating a senior executive or trusted partner to trick an employee into
authorizing fraudulent financial transactions.
QUESTION 3
Which of the following is a correct method for marking a document containing
Controlled Unclassified Information (CUI)?
A) Only mark the cover page with "CUI."
B) Use a banner marking of "CUI" at the top and bottom of the document, and apply
portion markings to individual sections.
C) Marking is optional if the information is not classified.
D) Place a "CONFIDENTIAL" stamp on all pages.
CORRECT ANSWER: B
EXPERT RATIONALE: DoD policy requires clear CUI markings, including a banner at the
top and bottom of each page and portion markings to identify specific CUI elements
within the text.
QUESTION 4
When handling Sensitive Compartmented Information (SCI), what physical security
measure is mandatory?
A) Badges may be covered to prevent casual observation.
B) Badges must be visibly displayed above the waist at all times.
C) Badges can be stored in a wallet if entering a SCIF.
D) Badges are only required when escorted by a cleared individual.
CORRECT ANSWER: B
EXPERT RATIONALE: In SCI facilities (SCIFs), visible identification badges above the waist
are required for personnel access control and to quickly identify unauthorized
individuals.
QUESTION 5
What is the appropriate action if you suspect a USB drive found in the parking lot
contains malicious software?
A) Plug it into a stand-alone computer to check its contents.
B) Destroy the device immediately with a hammer.
C) Turn it in to your security point of contact or security office without inserting it into
any DoD system.
D) Format the drive to remove any potential threats before using it.
CORRECT ANSWER: C
EXPERT RATIONALE: Inserting an unknown USB drive into any system risks introducing
malware. The correct procedure is to surrender it to security personnel for proper
forensic handling.
QUESTION 6
What is a key guideline for using government-furnished mobile devices?
A) Using personal cloud storage for PII is acceptable if the device is encrypted.
B) Only government-furnished equipment (GFE) should be used to access, store, or
transmit PII.
C) Public Wi-Fi is acceptable if a VPN is not available.
D) Two-factor authentication is optional for personal use.
CORRECT ANSWER: B
EXPERT RATIONALE: To ensure proper security controls and accountability, PII must only
be processed on authorized government-furnished equipment, not on personal devices.
QUESTION 7
A foreign national you met at a professional conference sends you a LinkedIn request
and asks detailed questions about your unit's new software system. What should you
do?
A) Decline the request and report the contact to your security officer.
B) Accept the request but provide only unclassified information.
C) Engage professionally to build international partnerships.
D) Block the user but take no further action.
CORRECT ANSWER: A
EXPERT RATIONALE: Unsolicited contact by a foreign national seeking detailed
operational information is a potential elicitation attempt and must be reported to
security.
QUESTION 8
What does "portion marking" refer to in the context of CUI?
A) Marking the document for destruction portions only.
B) Identifying which paragraphs or sections contain CUI with specific markings like
"(CUI)".
C) Physically cutting the document into portions for disposal.
D) Marking only the portions intended for public release.
CORRECT ANSWER: B
EXPERT RATIONALE: Portion marking ensures that recipients can identify exactly which
parts of a document contain CUI, enabling proper handling and dissemination control.