Foundations · Topic 06

Affirmations & Continuous Compliance.

The Affirming Official, the annual affirmation cycle, and what triggers a new assessment vs an annual affirmation.

CMMC certification is not a one-time event. Every level of CMMC status — Level 1, Level 2 (Self), Level 2 (C3PAO), Level 3 — requires an annual affirmation submitted to SPRS by an Affirming Official, plus reassessment when significant changes occur. The rules live in 32 CFR § 170.22 (affirmations) and 32 CFR § 170.21(b) (POA&M closeout).

Per 32 CFR § 170.4, the Affirming Official is “the senior level representative within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance.”

In practice this is typically:

  • Small contractors: the CEO, COO, or owner-operator
  • Mid-size contractors: a Vice President or C-level officer with security oversight
  • Large primes: the CISO or equivalent senior security executive

This is not a role you delegate to an IT manager or compliance specialist. The DoD wants accountability at the level where executive authority — and consequence — sits.

The Affirming Official affirms continuing compliance with the security requirements at the relevant CMMC level. For Level 2, this means continued implementation of all 110 NIST SP 800-171 Rev 2 requirements within the assessment scope, with the SSP current and the boundary unchanged in any way that would invalidate the assessment.

The affirmation is not a re-test. The C3PAO doesn’t reassess; the Affirming Official attests under penalty of false claims (per 18 U.S.C. § 1001 for false statements and 31 U.S.C. § 3729 under the False Claims Act) that the implementation that earned the certification is still in place. This is not a casual signature.

The certification itself runs on a three-year cycle for Level 2 (C3PAO) and Level 3 (DIBCAC). The affirmation runs on an annual cycle within that.

Event                 When                                    Who
Initial assessment    Day 0                                   C3PAO
Initial affirmation   At assessment, posted to SPRS           Affirming Official
Annual affirmation    Within 365 days of last affirmation     Affirming Official
Annual affirmation    Within 365 days of last affirmation     Affirming Official
Recertification       Day 1095 (3 years)                      C3PAO

For Level 2 self-assessment, the cycle is the same — the only difference is that the OSA performs both the initial assessment and the closeout self-assessment, and the Affirming Official’s affirmation accompanies each step.

What triggers reassessment vs annual affirmation

The 32 CFR rule distinguishes between routine changes, which are covered by the annual affirmation, and significant changes, which require a new assessment.

Routine changes — covered by annual affirmation:

  • New employee laptops configured to the existing baseline
  • Server hardware refresh within the same architecture
  • Patch and update cycles within the existing SSP framework
  • Personnel changes that don’t affect the assessment scope

Significant changes — require a new assessment:

  • Network expansion that changes the assessment boundary
  • Mergers and acquisitions bringing new systems into scope
  • Fundamental architecture changes (on-prem to cloud, or cloud to on-prem)
  • New CUI workloads added to a tenant when the SSP doesn’t cover that pattern
  • Any change that materially alters how the 110 requirements are implemented

The practical test: does the existing SSP describe how this change is handled? If yes, annual affirmation covers it. If no, you need a new assessment.

A missed annual affirmation in SPRS is a contract eligibility issue. Contracting officers checking SPRS will see a stale affirmation and may treat the contractor as ineligible for award.

If a Conditional Status’s 180-day POA&M window expires without a successful closeout assessment, the Conditional Status expires and the contractor must begin again with a new initial assessment.

Continuous compliance isn’t an annual scramble. The contractors who pass with distinction treat affirmation as a checkpoint on a year-round programme:

  • Quarterly: access reviews, configuration drift checks, vulnerability scans within the SSP cycle
  • Monthly: evidence collection (logs, screenshots, attestations) into the binder
  • Weekly: operational plan of action review (temporary deficiencies tracked)
  • Continuously: SSP currency — any architecture or process change reflected within days, not at audit time

The Affirming Official should be reviewing the operational plan of action and SSP at least quarterly — not signing the annual affirmation cold.