2026/2027 ACTUAL QUESTIONS
WITH VERIFIED ANSWERS.
What are the 14 Domains in CMMC?
1. Access Control (AC)
2. Audit and Accountability (AU)
3. Awareness and Training (AT)
4. Configuration Management (CM)
5. Identification and Authentication (IA)
6. Incident Response (IR)
7. Maintenance (MA)
8. Media Protection (MP)
9. Personnel Security (PS)
10. Physical Protection (PE)
11. Risk Assessment (RA)
12. Security Assessment (CA)
13. Systems and Communications Protection (SC)
14. System and Information Integrity (SI)
How many practices are in CMMC Level 1?
17 Practices, as numbered in the CMMC 2.0 Level 1 Assessment Guide (v2.0), which is the numbering these cards use (e.g. AC.L1-3.1.2). Note that the CMMC Program final rule (32 CFR 170) consolidates Level 1 into the 15 basic safeguarding requirements of FAR 52.204-21, so confirm which numbering the exam version you are sitting expects.
Limit information system access to the types of
transactions and functions that authorized users are
permitted to execute.
(Access Control) AC.L1-3.1.2 - TRANSACTION & FUNCTION CONTROL
(Access Control) AC.L1-3.1.2 Assessment Objectives
Determine if:
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
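The two objectives above map directly onto an authorization design: [a] is a written permission matrix, [b] is a default-deny check against it on every call. The following is an added example, not material from the CMMC assessment guide or from any real system; the roles (clerk, manager, auditor), the invoice functions and the user names are hypothetical, and the audit ledger is a constructed in-memory list used only to show that every allow/deny decision is recorded.

```python
"""Added example (not from the CMMC assessment guide): showing
AC.L1-3.1.2 objectives [a] and [b] in code. Roles, functions and
users are hypothetical."""
from dataclasses import dataclass, field
from functools import wraps

# Objective [a]: the transactions/functions each authorized role may
# execute are defined here. Anything not listed is, by construction,
# not a permitted function for that role.
PERMITTED_FUNCTIONS = {
    "clerk":   {"view_invoice", "create_invoice"},
    "manager": {"view_invoice", "create_invoice", "approve_invoice"},
    "auditor": {"view_invoice"},
}


@dataclass
class User:
    name: str
    role: str


class AccessDenied(Exception):
    pass


@dataclass
class Ledger:
    # constructed audit trail of (user, function, decision) tuples
    decisions: list = field(default_factory=list)


def is_permitted(role, function_name):
    """Objective [b]: deny by default; allow only a defined (role, function) pair."""
    return function_name in PERMITTED_FUNCTIONS.get(role, set())


def limited_to_permitted(ledger):
    """Decorator enforcing the matrix on every call and recording the decision."""
    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            allowed = is_permitted(user.role, func.__name__)
            ledger.decisions.append(
                (user.name, func.__name__, "allow" if allowed else "deny"))
            if not allowed:
                raise AccessDenied(
                    f"{user.name} ({user.role}) may not execute {func.__name__}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


LEDGER = Ledger()


@limited_to_permitted(LEDGER)
def view_invoice(user, invoice_id):
    return f"invoice {invoice_id}"


@limited_to_permitted(LEDGER)
def approve_invoice(user, invoice_id):
    return f"invoice {invoice_id} approved by {user.name}"


@limited_to_permitted(LEDGER)
def delete_invoice(user, invoice_id):
    # Exists in code but is listed for no role: per objective [a] it is
    # not a permitted function, so every caller is denied.
    return f"invoice {invoice_id} deleted"


def run_demo():
    """Exercise allow and deny paths; returns (results, denials)."""
    alice = User("alice", "clerk")
    bob = User("bob", "manager")
    mallory = User("mallory", "contractor")  # role with no defined functions
    results, denials = [], []
    for user, fn in [(alice, view_invoice), (alice, approve_invoice),
                     (bob, approve_invoice), (bob, delete_invoice),
                     (mallory, view_invoice)]:
        try:
            results.append(fn(user, 42))
        except AccessDenied as exc:
            denials.append(str(exc))
    return results, denials


if __name__ == "__main__":
    ok, denied = run_demo()
    print("allowed:", ok)
    print("denied:", denied)
    print("ledger:", LEDGER.decisions)
```

What an assessor would look for is visible in the two halves: the matrix is the evidence for [a], and the fact that an undefined role (mallory) and an unlisted function (delete_invoice) are refused without any special-case code is the evidence for [b]. The ledger is not required by this practice, but it is the cheapest way to prove during an assessment that the limit is actually applied.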
Verify and control/limit connections to and use of external
information systems.
(Access Control) AC.L1-3.1.20 – EXTERNAL CONNECTIONS
(Access Control) AC.L1-3.1.20 EXTERNAL CONNECTIONS - Assessment Objectives
Determine if:
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
Control information posted or processed on publicly
accessible information systems.
(Access Control) AC.L1-3.1.22 – CONTROL PUBLIC INFORMATION
(Access Control) AC.L1-3.1.22 CONTROL PUBLIC INFORMATION - Assessment Objectives
Determine if:
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
[e] mechanisms are in place to remove and address improper posting of FCI.
Identify information system users, processes acting on
behalf of users, or devices.
(Identification and Authentication) IA.L1-3.5.1 – IDENTIFICATION
(Identification and Authentication) IA.L1-3.5.1 IDENTIFICATION – Assessment Objectives
Determine if:
[a] system users are identified;
[b] processes acting on behalf of users are identified; and
[c] devices accessing the system are identified.
Authenticate (or verify) the identities of those users,
processes, or devices, as a prerequisite to allowing access
to organizational information systems.