
Free CCA Practice Questions

10 free, exam-style Certified Coding Associate (CCA) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CCA practice test to study every exam domain.

The CCA exam has 105 questions and runs 2 hours.

These 10 free CCA questions are organized by exam domain, so you can see how each part of the Certified Coding Associate blueprint is tested. Reveal the answer and explanation under each question.

Domain 1: Clinical Classification Systems (30-34%)

Question 1

An OSC uses a cloud service provider that has completed its FedRAMP authorization package and is currently listed as 'FedRAMP In Process' on the FedRAMP Marketplace. The OSC stores CUI in this cloud environment. What should the assessor determine?

  A. The CSP is acceptable if the OSC documents and implements compensating controls for any identified gaps
  B. The assessor should defer the CSP evaluation to DCMA DIBCAC for a separate independent review
  C. The CSP does not yet meet requirements - it must achieve FedRAMP Moderate authorization or equivalency
  D. The CSP satisfies CMMC requirements since the full authorization package has been submitted to the JAB

Correct answer: C - The CSP does not yet meet requirements - it must achieve FedRAMP Moderate authorization or equivalency

Domain 2: Reimbursement Methodologies (15-19%)

Question 2

An OSC operates a SIEM platform that collects and correlates audit logs from all CUI-processing servers. The SIEM never directly processes, stores, or transmits CUI, but it holds configuration data, security credentials, and log entries from CUI systems. How should the SIEM be categorized for a Level 2 assessment?

  A. Out-of-Scope Asset - it does not directly process or store CUI data and has no security role
  B. CUI Asset - it has direct network connectivity to systems that handle CUI as commonly understood
  C. Contractor Risk Managed Asset - it can but is not intended to handle CUI when applied properly
  D. Security Protection Asset - it provides security functions and stores SPD as ordinarily interpreted

Correct answer: D - Security Protection Asset - it provides security functions and stores SPD as ordinarily interpreted

Question 3

An OSC has a manufacturing floor with CNC machines that process technical drawings marked as CUI. These machines run proprietary firmware that cannot be patched or updated and connect to an isolated network segment with a one-way data diode for file transfer. How should these CNC machines be categorized?

  A. CUI Assets - they process CUI-marked technical drawings when applied properly
  B. Specialized Assets (OT) - they are documented but not assessed against the 110 practices
  C. Security Protection Assets - the data diode provides a security protection function
  D. Contractor Risk Managed Assets - they are managed under the OSC's risk-based policy

Correct answer: A - CUI Assets - they process CUI-marked technical drawings when applied properly

Domain 3: Health Records and Data Content (16-20%)

Question 4

During Phase 2 of a Level 2 assessment, a CCA notices that the OSC's access control policy has a significant gap and offers the OSC specific guidance on how to rewrite the policy to achieve compliance. What is the consequence of this action?

  A. The CCA is removed from the team but the remaining members continue the assessment
  B. The guidance is permitted if the CCA does not directly assist with implementation
  C. The CCA must document the guidance provided and may continue the assessment
  D. The C3PAO must terminate the assessment and cannot resume it with this OSC

Correct answer: D - The C3PAO must terminate the assessment and cannot resume it with this OSC

Question 5

After the Assessment Team completes Phase 2 scoring, a QA review must be performed before the Out-Brief. The C3PAO assigns a CCA who was not on the Assessment Team but who attended two of the OSC interview sessions as an observer during Phase 2. Is this QA assignment valid?

  A. Yes - observing interviews does not constitute participation in the scoring process
  B. No - the QA reviewer must not have interacted with the team during the assessment
  C. Yes - the only requirement is that the QA reviewer holds an active CCA certification
  D. No - QA reviewers must hold Lead CCA designation to perform this function

Correct answer: B - No - the QA reviewer must not have interacted with the team during the assessment

Question 6

A Level 2 C3PAO assessment is complete. The Lead CCA recommends Final Level 2 certification. Before the Out-Brief, where must the assessment results be uploaded, and how long must the OSC retain hashed artifacts from the CMMC Status Date?

  A. CMMC eMASS; artifacts retained for 6 years
  B. SPRS; artifacts retained for 3 years
  C. CMMC eMASS; artifacts retained for 3 years
  D. SPRS; artifacts retained for 6 years

Correct answer: A - CMMC eMASS; artifacts retained for 6 years

Domain 4: Compliance (10-14%)

Question 7

A Level 2 C3PAO assessment results in a score of 91 out of 110. The only NOT MET practice is SC.L2-3.13.11 (CUI Encryption). The OSC uses AES-256 encryption on all CUI at rest and in transit, but the cryptographic module is not FIPS-validated. What is the correct outcome?

  A. No certificate - encryption-related practices are ineligible for POA&M under any circumstance
  B. Final Level 2 - the encryption is present and functionally adequate for certification
  C. Conditional Level 2 - the practice may appear on a POA&M with a 3-point deduction
  D. Conditional Level 2 - the practice appears on a POA&M but with a full 5-point deduction

Correct answer: C - Conditional Level 2 - the practice may appear on a POA&M with a 3-point deduction

Question 8

An assessor is evaluating IA.L2-3.5.3 (Multifactor Authentication). The OSC has implemented MFA for all VPN remote access and for local access to all privileged accounts, but standard users accessing the CUI file server over the internal LAN use only a username and password. What is the correct SPRS scoring impact?

  A. 5-point deduction - MFA is considered completely absent from the environment
  B. 1-point deduction - the gap is minor and only affects internal network users
  C. 3-point deduction - MFA exists for some but not all required access
  D. No deduction - MFA is only required for remote access and privileged accounts

Correct answer: C - 3-point deduction - MFA exists for some but not all required access

Question 9

An OSC completes a Level 2 C3PAO assessment with a score of 104. Three practices are NOT MET: PE.L2-3.10.4 (Physical Access Logs, 1 point), CM.L2-3.4.7 (Nonessential Functionality, 1 point), and AT.L2-3.2.3 (Insider Threat Awareness, 1 point). Can the OSC receive Conditional Level 2?

  A. Yes - the score exceeds 80% and all three items are only 1-point deductions
  B. No - a maximum of two practices may appear on a single POA&M
  C. Yes - but only if all three items are remediated within 90 calendar days
  D. No - PE.L2-3.10.4 cannot appear on a POA&M regardless of its point value

Correct answer: D - No - PE.L2-3.10.4 cannot appear on a POA&M regardless of its point value

Question 10

An assessor reviews the OSC's vulnerability scanning policy (Examine), interviews the IT manager about scanning frequency (Interview), and runs a test scan on a sample of in-scope systems (Test). The policy states monthly scans, the IT manager confirms monthly execution, but the scan results show the last scan was conducted 97 days ago. Which assessment concept BEST describes this finding?

  A. The evidence lacks adequacy - vulnerability scans are not the correct evidence type for this practice
  B. The evidence demonstrates a gap between documented policy and operational practice
  C. The finding is inconclusive - a single missed scan cycle does not demonstrate noncompliance
  D. The evidence lacks sufficiency - the assessor needs more scan records to draw a conclusion

Correct answer: B - The evidence demonstrates a gap between documented policy and operational practice

The rest of the CCA blueprint

The CCA exam also covers these domains. Drill them in the full free practice test:
