CMMC Annual Affirmation Legal Liability: What Executives Must Verify Before Signing
Educational research, not legal, contractual, or compliance advice. Confirm scope and exposure with a CMMC Registered Practitioner Organization (RPO) or a qualified federal-contracts attorney before you act.
CMMC annual affirmation legal liability comes down to one uncomfortable fact: the submission in SPRS takes about thirty seconds, and the system will not stop you from affirming something you cannot prove. Under 32 CFR § 170.22, a senior person — by name — attests that your organization has implemented and will maintain every applicable Cybersecurity Maturity Model Certification (CMMC) requirement for every system in scope. Under DFARS 252.204-7021, that affirmation — no more than one year old — is part of staying eligible for the contract. If it is knowingly false, or made with reckless disregard for whether it is true, the federal False Claims Act (31 U.S.C. § 3729) can attach, and a named individual — not only the company — can be exposed.
The good news, and the reason this page exists: a documented, evidence-based basis for what you sign is exactly what the law’s “knowing” standard turns on. We read the rule text, the contract clause, the statute, and the U.S. Department of Justice (DOJ) settlement press releases ourselves. Below we map every trigger that turns a routine affirmation into a legal-risk problem, what you are actually representing in each case, and what to verify before you click Affirm.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, SPRS/PIEE, or any U.S. government agency.
Quick answers (the questions you came with)
| Your question | The short answer |
|---|---|
| Is the CMMC annual affirmation legally meaningful? | Yes. It is a named senior-official attestation submitted in SPRS, tied to continuing compliance and to contract eligibility under DFARS 252.204-7021. |
| Is it the same as a new C3PAO assessment? | No. Level 2 third-party assessments generally run on a three-year cycle; the affirmation is annual and is submitted by your own official. |
| Who signs it? | The Affirming Official — a senior representative inside your organization with authority to affirm continuing compliance (32 CFR § 170.22). |
| Can the signer be personally liable? | It’s legally possible. In the DOJ cybersecurity settlements we verified for this page, the recoveries were paid by the company, not the named signer — but the rule puts a person on record, so treat it as personal exposure. |
| What actually creates the risk? | Signing without evidence; ignoring known gaps; a stale System Security Plan (SSP) or Plan of Action and Milestones (POA&M); changed scope; an unsupported SPRS score; unverified subcontractor flow-down. |
| What should you do first? | Build a pre-affirmation evidence packet and resolve material gaps before you click Affirm. |
Is this you? You’re a CEO, owner, CISO, IT director, compliance lead, FSO, or contracts officer at a defense contractor, and someone has asked you (or you’ve been named) to sign the annual affirmation. This page is built for you.
If this is you, stop reading and call counsel today: you already know, or strongly suspect, that a current or recent affirmation does not match reality — a score you know is wrong, a control you know isn’t implemented, a gap nobody has fixed. That is not a situation any article should walk you through. Preserve your records and get a qualified federal-contracts attorney on the phone first.
Print or save this page before your internal review. The tables below are built to double as your pre-affirmation meeting agenda.
The right help depends on your situation
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO (Certified Third-Party Assessment Organization), an RPO (Registered Provider Organization), an MSSP (Managed Security Service Provider), a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
We’ll come back to who helps with what. First, the part most pages skip: what you’re actually signing.
What does the CMMC annual affirmation actually say?
The CMMC annual affirmation is a statement, submitted in the Supplier Performance Risk System (SPRS), that your organization has implemented and will maintain all applicable CMMC security requirements for the systems within your assessment scope. 32 CFR § 170.22 requires it after every assessment — including after a POA&M closeout — and annually thereafter, entered electronically in SPRS by a designated Affirming Official.
Read that twice, because the difference between “implemented” and “will maintain” is where most of the risk lives. You are not affirming that you passed an audit on a Tuesday in the past. You are affirming a present-tense, continuing state: the controls exist, they operate, and you are keeping them that way.
The affirmation is also tied to a named human. It carries the Affirming Official’s name, title, and contact information. The submission statement displayed in SPRS warns that misrepresenting your CMMC compliance status to the government may result in criminal prosecution under 18 U.S.C. § 1001, civil liability under the False Claims Act, and contract remedies. (Read the exact on-screen text the day you submit; the warning is part of the record you are agreeing to.)
Here is what the rule language means in plain terms, and the evidence each phrase quietly assumes you have.
| Phrase in the rule | What it means | Evidence it assumes exists |
|---|---|---|
| “Affirming Official” | A senior representative with authority to commit the company | A documented designation; real authority, not just SPRS access |
| “implemented” | The controls exist and actually operate | Control evidence — configurations, logs, policies, screenshots |
| “will maintain” | A continuing compliance posture, not a one-time pass | A review cadence, monitoring, named control owners |
| “all applicable CMMC security requirements” | The full requirement set for your level | Your control mapping (15 for Level 1; 110 for Level 2; +24 for Level 3) |
| “within the relevant CMMC Assessment Scope” | Only the scoped systems — but all of them | A current boundary diagram, asset inventory, and CUI data-flow map |
For reference, CMMC Level 1 covers the 15 basic safeguarding requirements in FAR 52.204-21; Level 2 maps to the 110 requirements in NIST SP 800-171 Revision 2, organized into 14 control families; and Level 3 adds 24 selected requirements from NIST SP 800-172. Those numbers are fixed in 32 CFR Part 170. The affirmation is your formal attestation that the set applicable to you is met and maintained.
Is the Affirming Official personally liable for a false CMMC affirmation?
Personal civil liability is legally possible, and the structure is deliberately built to put a name on the line — but be precise about what that means. The False Claims Act reaches any person who knowingly makes or causes a false claim, which can include an individual. In the DOJ cybersecurity False Claims Act settlements we verified for this page, the recoveries were paid by the company, not by the signer personally. The prudent posture for an Affirming Official is to treat the affirmation as personal exposure and to be able to show a reasonable basis for it.
This is the single most overstated and under-explained question on the internet, so let’s separate the three kinds of exposure cleanly.
| Exposure | Who | Legal basis | The standard | What the record shows |
|---|---|---|---|---|
| Corporate civil | The contractor entity | False Claims Act, 31 U.S.C. § 3729 | Knowing, deliberate ignorance, or reckless disregard. No intent to defraud is required. | This is where every cyber-FCA case we checked has landed — the company pays. |
| Personal civil | The Affirming Official / executives | Same statute (individuals who make or cause a false claim) | Same knowing standard | Legally available, and the affirmation attaches an individual’s name. In the settlements we verified, the recoveries were paid by the organization — but the structure deliberately puts a person on record. |
| Criminal | Individuals | 18 U.S.C. § 1001, referenced in the SPRS submission statement | Knowingly and willfully — a higher bar; far rarer | Cited in the affirmation warning. Criminal cyber-misrepresentation prosecutions exist but are the exception, not the norm. |
The headline most articles bury: specific intent to defraud is not an element of a civil False Claims Act violation. The statute defines “knowingly” to include actual knowledge, deliberate ignorance of the truth, and reckless disregard for the truth. In practical terms, “I didn’t know” is not a defense when you should have known — and “I let IT handle it and signed what they gave me” is closer to reckless disregard than to a safe harbor.
Can a false CMMC affirmation send someone to jail?
Criminal exposure exists but is uncommon, and it requires a higher standard than civil liability. The SPRS submission statement references 18 U.S.C. § 1001, which makes a knowing and willful materially false statement to the federal government a crime. Civil False Claims Act enforcement — treble damages and per-claim penalties — is the primary, well-documented risk for CMMC affirmations; treat criminal risk as real but exceptional, and route any situation that feels criminal to counsel immediately.
We say this plainly because the scare-copy version (“you’ll go to jail for a checkbox”) is both wrong and unhelpful. The accurate version is more useful: the civil exposure is the one you should plan around, and the protection against it is evidence.
How does False Claims Act risk enter a CMMC affirmation?
False Claims Act risk enters when a cybersecurity representation tied to a federal contract is knowingly false, made with deliberate ignorance, or made with reckless disregard for the truth. When a contractor certifies CMMC or DFARS compliance as a condition of payment or eligibility and that certification is false, the government’s theory is that the related claims for payment are false under 31 U.S.C. § 3729. The penalties are treble (triple) the government’s damages plus a per-claim civil penalty. See our deeper breakdown at False Claims Act CMMC risk.
The numbers are not small. As of the inflation adjustment effective July 3, 2025, the per-claim civil penalty runs from $14,308 to $28,619 per false claim, and that stacks on top of treble damages. If a violator gives the government all the information it has within 30 days of learning it, fully cooperates, and does so before any enforcement action or investigation is under way, a court may reduce damages to double rather than triple — a real incentive that counsel weighs case by case.
The “knowing” standard sounds abstract until you map it onto an affirmation. Here is how each version of it shows up at the moment you sign — and the single piece of evidence that pulls you back from the line.
| What “knowing” means under § 3729 | How it shows up at affirmation time | The evidence that lowers the risk |
|---|---|---|
| Actual knowledge | The signer knows the SSP doesn’t match the live environment but affirms anyway | A documented exception register and counsel review |
| Deliberate ignorance | No one checks the controls owned by a struggling team before signing | Control-owner sign-offs gathered before the affirmation |
| Reckless disregard | The signer never reviews the SPRS score, SSP, or POA&M | A pre-signing review packet the official actually read |
Two more mechanics every Affirming Official should understand:
Materiality is a real defense — and a real fight. Under Universal Health Services v. Escobar, 579 U.S. 176 (2016), the materiality standard is “rigorous and demanding.” Defendants do challenge whether a given cybersecurity requirement was material to payment. Georgia Tech, as you’ll see below, litigated exactly this point.
The whistleblower is usually someone in the building. The False Claims Act’s qui tam provisions let a private person (a “relator”) sue on the government’s behalf and keep a share of any recovery — between 15% and 30%. Look at the cases below: the relator was an insider nearly every time — a head of security, a director of engineering, a compliance officer. Your own people are the most likely source of a complaint, not some outside auditor.
This enforcement posture is not new and not slowing. In October 2021, DOJ launched its Civil Cyber-Fraud Initiative, explicitly using the False Claims Act against contractors and grant recipients for knowing failures to meet cybersecurity standards, knowing misrepresentations of security practices, and knowing failures to report incidents.
What do the real cases show?
The enforcement record is no longer hypothetical, and it points at one thing over and over: the gap between what was certified and what was true. Below are the cybersecurity False Claims Act settlements that matter most for understanding affirmation risk, each checked against the DOJ press release. We’ve added the detail competitors leave out — what was actually false, the SPRS or compliance mechanism that created the exposure, and the lesson for the person signing.
A necessary caveat before the table: most of these resolve allegations only, with no determination of liability, and not all of them are CMMC affirmation cases specifically. The relevance is the government’s demonstrated willingness to pursue cybersecurity misrepresentation theories — and the fact patterns map almost perfectly onto the things an annual affirmation attests to.
| Case (DOJ release) | Date | Amount | What was alleged to be false | The mechanism | Whistleblower share | The lesson for an Affirming Official |
|---|---|---|---|---|---|---|
| LOGZONE Inc. | Jun 18, 2026 | $507,144 | Self-reported a top SPRS score (110) in 2021; DCMA’s assessment later found −170 (scale: −203 to 110). Failed to implement required NIST SP 800-171 controls on two Navy contracts from May 2021 to March 2025. | An inflated SPRS self-score that didn’t survive a DoD review | — | The clearest possible warning: a self-score you can’t back up is the exposure. This is exactly what your affirmation attests to. |
| MORSECORP Inc. | Mar 26, 2025 | $4.6M | Posted an SPRS score of 104; a 2022 third-party assessment found the true score was negative 142. Left it uncorrected until June 2023 — after a federal subpoena. Used email hosting that did not meet federal cloud requirements. | An inflated SPRS score not updated after a lower result | $851,000 (≈18.5%) to a relator who was the company’s own head of security | A stale, inflated score you “should have known” was wrong is the textbook exposure. Correct the score before you affirm. |
| Raytheon / RTX / Nightwing | May 2025 | $8.4M | Failed to implement a required System Security Plan across 29 DoD contracts (2015–2021) | The conduct predated Nightwing’s 2024 acquisition; the settlement named the acquirer among the parties on the hook — a textbook successor-liability outcome | ≈$1,512,000 (≈18%) to a former Director of Engineering | Liability survives a sale. Treat CMMC status, SPRS scores, and prior cybersecurity representations as M&A diligence items. |
| Georgia Tech Research Corp. | Sep 30, 2025 | $875,000 | Failed to develop a required SSP for years; failed to run antivirus on the relevant network; submitted a misleading “virtual,” campus-wide SPRS score instead of the as-implemented numbers | A fictitious assessment scope and a missing SSP | $201,250 to two former cybersecurity-team members | No breach is required for liability. And contractors can fight — Georgia Tech litigated materiality before settling — but the underlying records have to be defensible. |
| Health Net Federal Services / Centene | Feb 2025 | $11.25M | Allegedly submitted false annual cybersecurity certifications on a military health (TRICARE) contract and ignored audit findings | A false annual security certification | — | Cyber-FCA is not defense-industry-only. The trigger is the certification, wherever it appears. |
| Aerojet Rocketdyne | 2022 | $9M | Alleged misrepresentation of compliance with federal cybersecurity requirements | The landmark that established the theory, pre-CMMC rule | Relator was former Aerojet employee Brian Markus | The case that proved cyber representations can become False Claims Act matters. Everything since builds on it. |
Notice the pattern. The dollar figures vary. The agencies vary. The throughline never does: a representation the company could not back up, usually surfaced by an insider. That is the exact thing your annual affirmation is. And it is not slowing down — the LOGZONE settlement landed in June 2026, and its fact pattern (a perfect self-reported SPRS score, a far lower DoD-assessed reality) is the affirmation risk in its purest form. For context on how lying on your SPRS score plays out, and for the penalties for an inaccurate SPRS score, see our dedicated pages on each.
What actually creates CMMC annual affirmation legal liability?
CMMC annual affirmation legal liability is created less by honest, documented gaps that are openly tracked, and more by signing as if everything is fine while the evidence quietly says otherwise. Risk climbs when the signer ignores known gaps, relies on a stale SSP or POA&M, lets the SPRS record drift out of sync with reality, or signs after a material change to scope, cloud, or suppliers without re-checking.
This is the asset we built for this page: a trigger-by-trigger map of what you’re representing in each common situation, what creates the legal or contract risk, the minimum evidence to have in hand before you sign, and the provider category that helps if the statement isn’t yet defensible. To assemble it we read the affirmation rule (32 CFR § 170.22), the contract clause (DFARS 252.204-7021), and the False Claims Act (31 U.S.C. § 3729), and mapped each trigger to its primary source.
The CMMC Annual Affirmation Liability Map
| Trigger / situation | What the Affirming Official is representing | What creates legal or contract risk | Minimum evidence before signing | Provider category if not yet defensible |
|---|---|---|---|---|
| Initial status achieved | The OSA has implemented and will maintain applicable requirements for the assessed scope | Treating the first SPRS affirmation as a ceremonial click rather than a representation tied to real systems | Assessment result, scope boundary, CMMC Unique Identifier (UID), SSP, POA&M status, evidence index | RPO/RP for readiness validation; GRC platform for evidence management |
| Annual affirmation after Final status | The organization has continued to meet requirements since the status date | Control drift, architecture or cloud changes, expired evidence, an SSP that no longer matches reality | Control-owner sign-offs, change log, SSP revision history, patch/vulnerability evidence, access reviews | MSSP/MSP for continuous controls; GRC platform for recurring evidence |
| Conditional status / POA&M closeout | Allowed POA&M items are closed and Final status is supported | Signing while items remain open, misunderstood, or outside the allowed window | POA&M closeout evidence, updated SSP, closeout record, revised SPRS/eMASS status | RPO/RP for closeout readiness; C3PAO only for formal Level 2 closeout where required |
| Missed or stale affirmation | The company holds the current annual affirmation that eligibility requires | Believing a three-year assessment is enough while the annual affirmation has lapsed | SPRS affirmation date, CMMC Status Date, an expiration calendar, a named owner | GRC/compliance-ops support; internal compliance owner |
| Scope or CMMC UID changed | The affirmation still covers the systems that handle FCI/CUI | A new cloud tenant, enclave, MSP, acquisition, facility, or supplier path falls outside the assessed scope | Updated scope diagram, CUI data-flow map, CMMC UID and CAGE mapping, cloud boundary review | CUI enclave provider; Microsoft GCC High / AWS GovCloud implementer; RPO/RP for scoping |
| Subcontractor flow-down | Subcontractors handling FCI/CUI have the right status and affirmation | Relying on an unsupported “we’re compliant” email, or flowing down the wrong level | Supplier CMMC status proof, affirmation date, CMMC UID where shared, subcontract language | Supply-chain compliance support; RPO/RP; contracts counsel |
| Executive signs without verification | The signer had a reasonable basis for the statement | Actual knowledge, deliberate ignorance, or reckless disregard of known gaps | A pre-signing review memo, an exception register, counsel review of material gaps | Qualified federal-contracts counsel plus an RPO/RP readiness review |
| Later government / DIBCAC review | The status can withstand scrutiny after the fact | A subsequent DCMA DIBCAC review shows the status wasn’t achieved or maintained | Evidence retention, artifact integrity, SSP/POA&M history, control test records | Assessment-readiness provider; counsel if prior statements may be inaccurate |
Primary basis: 32 CFR § 170.22 requires affirmation after assessments, after POA&M closeout, and annually thereafter, in SPRS; DFARS 252.204-7021 ties a current affirmation and current CMMC status to eligibility and to the systems that process, store, or transmit FCI or CUI in performance of the contract.
What should you verify before you click Affirm in SPRS?
Before you affirm, confirm that the SPRS record, the CMMC UID, the CAGE and legal-entity mapping, the assessment scope, the SSP, the POA&M, your control evidence, and any material system changes all support the statement. The goal is not a perfect binder; it is a defensible basis for the representation — the thing that turns “reckless disregard” into “reasonable reliance.”
SPRS will not make you prove any of this at the moment you submit. The button works whether or not your evidence is ready. The system can, and will, accept an affirmation that no one in your company could defend in front of an auditor. That sounds like a reason to relax. It’s the opposite: it means the only thing standing between your signature and a False Claims Act problem is the file you decide to build before you click. Which is also the good news — that file is entirely within your control, and it is the single best protection an Affirming Official has.
Use this as the executive’s checklist.
| Evidence item | Why it matters | Owner |
|---|---|---|
| CMMC UID | Ties the status to the right system | Compliance lead |
| CAGE / legal-entity mapping | Prevents affirming under the wrong organization | Contracts |
| Assessment type and level | Self, C3PAO, or DIBCAC changes what evidence must exist | Compliance |
| Last affirmation date | Confirms whether the affirmation is current (under one year) | Affirming Official |
| SSP (current) | Describes the system you're actually attesting to | Security / IT |
| POA&M status | Shows known gaps and whether closeout is required | Compliance |
| Scope and CUI data-flow diagram | Confirms which systems are in and out | Security architect |
| Control evidence | Supports the “implemented” claim — configs, logs, policies | Control owners |
| Change log since the status date | Surfaces whether compliance actually changed | IT / security |
| Subcontractor status proof | Supports flow-down representations | Supply chain / contracts |
| Executive review memo | Records what was reviewed before signing | Affirming Official |
Your 90 / 60 / 30-day affirmation runway
Treat the annual affirmation like an executive control review, not a last-minute data-entry task. The contractors who get burned are almost always the ones who discovered the gap the week it was due.
| Timing | Action | Owner |
|---|---|---|
| 90 days out | Confirm the CMMC Status Date, level, scope, CMMC UID, CAGE, SSP, and POA&M | Compliance / IT |
| 60 days out | Confirm SPRS / PIEE access and that the evidence packet is complete | Affirming Official / identity admin |
| 30 days out | Review material gaps, environment changes, and supplier issues; escalate to counsel if needed | Executive (+ counsel) |
| Due date | Submit only if the record supports the statement | Affirming Official |
| After submission | Archive the evidence packet and calendar next year’s review | Compliance operations |
Which DFARS clauses matter before a CMMC annual affirmation?
DFARS 252.204-7021 is the CMMC clause, but it sits alongside three older DFARS cybersecurity clauses that still apply: 252.204-7012 (safeguarding covered defense information and 72-hour incident reporting), 252.204-7019 (the offeror’s current NIST SP 800-171 assessment requirement for award eligibility), and 252.204-7020 (DoD assessments and SPRS score posting). Before you affirm, know which of these your contract carries, because they define the obligations your affirmation sits on top of.
| Clause | What it does | Why it matters before you affirm |
|---|---|---|
| DFARS 252.204-7012 | Safeguarding Covered Defense Information and 72-hour cyber-incident reporting | The underlying security and reporting duty for covered defense information — it predates CMMC and still applies |
| DFARS 252.204-7019 | Notice of NIST SP 800-171 DoD Assessment Requirements | Requires a current NIST SP 800-171 assessment posted in SPRS to be eligible for award |
| DFARS 252.204-7020 | NIST SP 800-171 DoD Assessment Requirements | Lets DoD conduct its own assessments, requires score posting in SPRS, and flows down to subcontractors |
| DFARS 252.204-7021 | Contractor Compliance with CMMC Level Requirements | Requires current CMMC status and an annual affirmation in SPRS for each applicable assessment |
The practical point: your annual affirmation doesn’t live alone. It rides on top of a stack of cybersecurity obligations, and a gap in any of them — an unreported incident under 7012, a stale assessment under 7019, an unsupported score under 7020 — can be the thing that makes the affirmation false.
How does DFARS 252.204-7021 make this a contract-eligibility issue?
DFARS 252.204-7021 — the contract clause that operationalizes CMMC — requires a contractor to maintain the required CMMC status for the life of the contract and to complete an annual affirmation of continuous compliance in SPRS for each applicable CMMC UID, for each system that processes, stores, or transmits FCI or CUI. It also requires you to ensure your subcontractors do the same before award and annually after. In short: the affirmation is not paperwork off to the side — it is part of maintaining the CMMC status your eligibility depends on, for award, option exercise, and subcontracts.
The clause defines what “current” means, and the timing differs by status. This is the table to keep.
| Status type | Assessment validity | Affirmation requirement | The practical risk |
|---|---|---|---|
| Conditional Level 2 | Up to 180 days to close POA&M | A corresponding affirmation | POA&M closeout must happen — Conditional is not permanent |
| Final Level 1 (Self) | 1 year | Affirmation not older than 1 year | Annual self-assessment and affirmation discipline required |
| Final Level 2 (Self) | 3 years | Affirmation not older than 1 year | The assessment can be valid while your affirmation has gone stale |
| Final Level 2 (C3PAO) | 3 years | Affirmation not older than 1 year | Certification does not replace the annual executive attestation |
| Final Level 3 (DIBCAC) | 3 years | Affirmation not older than 1 year | Level 3 also requires maintaining the underlying Level 2 (C3PAO) affirmation |
The trap hiding in that table: a three-year assessment lulls people into thinking they’re covered for three years. They’re not. The affirmation is annual, and an expired affirmation can break eligibility even when the assessment is still valid. Put the date on a calendar with an owner.
This matters right now because the timeline is live. The CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024, and the DFARS acquisition rule that carries the clause into contracts (DFARS Case 2019-D041) became effective November 10, 2025. That date opened Phase 1 (November 10, 2025 through November 9, 2026), with Phase 2 beginning November 10, 2026. The reason your inbox suddenly cares about affirmations is that they now show up in real solicitations and contracts, not future planning decks.
A caution we’ll repeat: phase timing is not legal advice about your obligation. The contract clause, your solicitation language, your FCI/CUI handling, and your contracting officer set what you actually owe. “My contract doesn’t say CMMC yet” is not the same as “I have no cybersecurity-representation risk.”
Do you need a C3PAO every year for the annual affirmation?
No — not merely because the annual affirmation is due. A C3PAO (Certified Third-Party Assessment Organization) performs the formal Level 2 certification assessment, which generally runs on a three-year cycle when required. The annual affirmation in between is submitted by your own Affirming Official in SPRS. You do not hire an assessor every year just to affirm.
So when do you need each kind of help?
| Situation | Do you need a C3PAO? | Better first step |
|---|---|---|
| Annual affirmation due between Level 2 C3PAO assessments | Usually no | In-house evidence packet; a readiness review if you’re unsure |
| Initial Level 2 certification required by your contract | Yes | Readiness work first, then an authorized/accredited C3PAO |
| POA&M closeout after a Level 2 Conditional status | Often yes, for formal closeout | Confirm the exact path with your assessor and the rule |
| You changed cloud, enclave, or MSP after assessment | Not automatically | Scope review with an RPO/RP and your technical provider |
| You have known control failures | Not first | Remediate before any formal assessment or affirmation |
One independence point that protects you: keep readiness help and the formal assessment separate. Under 32 CFR § 170.8(b)(17)(ii)(G) — carried into the Cyber AB Code of Professional Conduct — a C3PAO and its assessment-team members are barred from performing your Level 2 certification assessment if they served as your consultant to prepare for any CMMC assessment within the previous three years, regardless of which level that prior work was for. So if a single vendor offers to “get you ready and certify you,” that’s a flag to slow down and ask how they keep the roles — and the three-year clock — separate.
What if your environment, suppliers, or a past affirmation changed?
Change is the most common way a clean affirmation turns risky. A new cloud tenant, a new managed-service provider, a fresh CUI enclave, an acquisition, a new facility, or a new supplier handling CUI can move your real systems outside the scope you were assessed against — which means last year’s affirmation may no longer describe this year’s environment. The fix is to re-check scope and evidence before you re-affirm, not after.
A few specific situations come up again and again:
Your environment changed after assessment. A new Microsoft 365 GCC High tenant, an Azure Government or AWS GovCloud move, a new MSP, a new VDI or remote-access pattern — any of these can change whether your assessed scope still matches the systems handling CUI. Re-scope before you affirm. This usually points to a CUI enclave or GCC High specialist, or an RPO/RP for the scoping work.
Subcontractor and supply-chain risk. If your contract requires flow-down, your affirmation risk isn’t limited to your own network. DFARS 252.204-7021 requires you to ensure applicable subcontractors complete and maintain affirmations when their systems handle FCI or CUI for the subcontract. The December 2025 settlement involving an Illinois machining subcontractor — DOJ’s first targeting the defense supply chain, resolved for roughly $421,000 and originating from a former quality-control manager’s qui tam complaint — is the early signal that subs are now enforcement targets, not bystanders. Don’t accept a generic “we’re compliant.” Verify status, the CMMC UID where shared, and the affirmation date — without asking the supplier to email you CUI to “prove” it. You can verify a company’s CMMC status in SPRS without exchanging sensitive data.
You discovered a past affirmation or score was wrong. Don’t paper over it with a fresh unsupported affirmation. Preserve the evidence, determine whether the issue affects your scope, status, or current affirmation, correct the underlying record where required, and bring in counsel if a prior government-facing statement may have been material. Some notice and correction steps are contract-specific, which is precisely why this is a lawyer’s call, not a checklist’s.
| Situation | The safe action before affirming |
|---|---|
| SSP is outdated | Update it, or document why it still reflects the current in-scope environment. See our resources on SSP and POA&M services. |
| POA&M unresolved | Confirm whether status remains valid and whether closeout is required |
| SPRS score is wrong | Correct it; consult counsel if prior submissions may be material |
| Evidence is missing | Gather it, or document compensating facts, before signing |
| Scope changed | Re-scope before affirming |
| Supplier changed | Re-check flow-down and supplier status |
Which provider category helps before you affirm — and which doesn’t?
The right provider category depends on why your affirmation isn’t yet defensible. A C3PAO is for formal certification where your contract requires it. For pre-affirmation readiness, evidence, monitoring, scoping, or legal risk, the better fit is usually an RPO/RP, an MSSP/MSP, a GRC platform, a CUI enclave provider, or a federal-contracts attorney. Matching the category to the actual gap is the whole game — and it’s the logic behind The CMMC Path Framework, which maps your level, FCI/CUI handling, assessment type, environment, and timeline to a provider category, not a named vendor.
| If the problem is… | Likely provider category | Don’t confuse it with… |
|---|---|---|
| You don’t know your level, scope, or assessment type | RPO/RP readiness advisor | A C3PAO quote before scoping |
| Your evidence is scattered or unowned | GRC platform / documentation support | Formal certification |
| Your controls drift between assessments | MSSP/MSP / managed compliance | A one-time gap assessment |
| Your CUI is spread across too many systems | CUI enclave / secure collaboration provider | Enterprise-wide remediation by default |
| You need formal Level 2 certification | C3PAO | A readiness consultant |
| You may have a false prior representation | Qualified federal-contracts counsel | A sales discovery call |
| Subcontractor flow-down is unclear | Contracts counsel + RPO/RP | Guessing from a supplier’s marketing |
Two honest limits worth stating: software alone does not make you compliant — a GRC platform organizes evidence, it doesn’t implement controls — and no provider, in any category, can guarantee a certification outcome. Anyone promising guaranteed certification is telling you something the rules don’t allow them to promise.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?
For CMMC purposes today, Level 2 maps to NIST SP 800-171 Revision 2 (the 110 requirements across 14 families), and Level 3 adds 24 selected requirements from NIST SP 800-172. 32 CFR Part 170 incorporates those specific publications by reference. Do not let a provider treat NIST SP 800-171 Revision 3 as the controlling CMMC assessment baseline unless DoD amends the rule or issues controlling implementation guidance.
The confusion is understandable — NIST published Revision 3, and parts of the federal contracting world are moving toward it. But the CMMC rule that governs your assessment and your affirmation points at Revision 2. Building to Revision 3 voluntarily is a defensible future-proofing decision; representing that Revision 3 is your required CMMC baseline today is not accurate. Ask any provider to show you where the current rule says otherwise.
What we verified for this page
This page separates two kinds of statements on purpose: primary-source regulatory and legal facts, and our editorial provider-category guidance. The rule and statute facts come straight from the sources below; the provider-category recommendations are our editorial conclusions drawn from those facts. We read each source rather than relying on summaries.
We checked:
- 32 CFR § 170.22 — affirmation content, the Affirming Official role, timing, and SPRS submission (eCFR).
- DFARS 252.204-7021 and related clauses -7012, -7019, -7020 — current-status, annual affirmation, CMMC UID, assessment, and subcontractor requirements (Acquisition.gov).
- Federal Register — the CMMC Program Rule effective date (Dec 16, 2024) and the DFARS rule, DFARS Case 2019-D041, effective Nov 10, 2025 (CMMC Program Rule).
- 31 U.S.C. § 3729 — the False Claims Act “knowing” definition, treble damages, and per-claim penalties (LII); the per-claim inflation adjustment effective July 3, 2025.
- 18 U.S.C. § 1001 — the criminal false-statement reference in the SPRS submission warning (LII).
- 32 CFR § 170.8(b)(17)(ii)(G) — the C3PAO three-year consultant conflict-of-interest rule (eCFR).
- DOJ Civil Cyber-Fraud Initiative and each cybersecurity settlement cited above — verified against the DOJ press release.
- NIST SP 800-171 Revision 2 and NIST SP 800-172 — as incorporated by reference in 32 CFR Part 170.
What we did not verify: any individual contractor’s SPRS status; whether a specific affirmation creates liability in a particular case; whether a specific contract requires notice, cure, or disclosure; and any named provider’s current Cyber AB Marketplace status. Those depend on your facts and should be confirmed with a CMMC RPO/RP and qualified federal-contracts counsel.
Frequently asked questions
Is the CMMC annual affirmation legally binding?
It is a formal attestation submitted in SPRS by an authorized Affirming Official, and DFARS 252.204-7021 ties a current affirmation to maintaining eligibility under the contract. Whether a specific false statement creates liability depends on the facts and the applicable law.
Who is liable if a CMMC affirmation is wrong?
The company is the primary contracting party, and in the cybersecurity False Claims Act settlements we verified, the recoveries were paid by the organization. The statute also reaches individuals who knowingly make or cause false claims, so the Affirming Official should treat the signature as personal exposure and involve counsel if the evidence doesn’t support it.
Does the False Claims Act apply to CMMC annual affirmations?
It can. The False Claims Act (31 U.S.C. § 3729) reaches false or reckless statements connected to federal contract payments, and it defines “knowingly” to include actual knowledge, deliberate ignorance, and reckless disregard — no specific intent to defraud is required.
Can the Affirming Official go to jail?
Criminal exposure exists but is rare and requires a higher standard — a knowing and willful false statement under 18 U.S.C. § 1001. Civil penalties (treble damages plus per-claim penalties) are the primary, far more common risk.
What is the penalty for a false CMMC affirmation?
Under the False Claims Act, treble (triple) the government’s damages plus a per-claim civil penalty that runs from $14,308 to $28,619 as of July 3, 2025. Damages may be reduced to double if the violator reports all known information within 30 days, fully cooperates, and does so before any enforcement action or investigation begins.
Do we need a C3PAO every year for the annual affirmation?
No, not just because the affirmation is due. The annual affirmation is submitted by your own Affirming Official in SPRS; the formal Level 2 C3PAO assessment is a separate certification path that generally runs on a roughly three-year cycle.
What happens if we miss the annual affirmation?
Your CMMC status may no longer be “current” for contract purposes, because DFARS 252.204-7021 requires an affirmation no older than one year for each applicable CMMC UID. That can affect eligibility even when the underlying assessment is still valid.
Can our MSP, RPO, or consultant sign the affirmation for us?
No, unless that person is genuinely the senior representative inside your organization with authority to affirm continuing compliance. Outside providers can prepare evidence; they should not be your Affirming Official.
What should we verify before signing?
Scope, CMMC UID, CAGE and legal-entity mapping, the SSP, POA&M status, control evidence, system and cloud changes, subcontractor flow-down, and the prior SPRS record. The aim is a defensible basis for the statement.
What if our SSP is outdated?
Update it, or document why it still reflects the actual in-scope environment, before you sign. An affirmation resting on a stale SSP is exactly the risk this page is built to prevent. See our resources on SSP and POA&M services.
Can we affirm with an open POA&M?
It depends on your level, status, and whether the POA&M is valid and within the allowed window. Don’t treat an open POA&M as harmless without checking the specific rule path and your assessment status. See Conditional Level 2 and POA&M closeout.
Is CMMC Level 2 based on NIST SP 800-171 Revision 2 or Revision 3?
For CMMC purposes today, Level 2 maps to NIST SP 800-171 Revision 2 (110 requirements across 14 families), and Level 3 adds 24 selected requirements from NIST SP 800-172. 32 CFR Part 170 incorporates those publications by reference. Do not treat Revision 3 as the controlling CMMC baseline unless DoD amends the rule.
Is this legal advice?
No. This is educational regulatory research from an independent trade publication on CMMC 2.0 and DIB compliance. Confirm your scope, contract obligations, and legal exposure with a CMMC RPO/RP and a qualified federal-contracts attorney.