CMMC Annual Affirmation: Who Must Sign, When SPRS Is Due, and What to Verify First
By The Defense Compliance Report Editorial Team · Last verified: June 15, 2026
This is educational regulatory analysis, not legal, contractual, or compliance advice for your specific contract. The Defense Compliance Report is not affiliated with the DoD, the Cyber AB, DCMA DIBCAC, SPRS, PIEE, or any U.S. government agency. Sources: 32 CFR §170.22 · DFARS 252.204-7021 & 252.204-7025 · SPRS Affirming Official Tutorial · DoD CIO CMMC page · DoD CMMC FAQ (May 2026) · DOJ press releases.
If you just earned a CMMC status — or you’re the executive whose name is about to go on the line — the CMMC annual affirmation is the part nobody warned you about.
The CMMC annual affirmation is a yearly statement you submit in SPRS (the Department of Defense’s Supplier Performance Risk System), signed by your Affirming Official (a senior person inside your company), attesting that you still meet every CMMC security requirement for your level. Under 32 CFR §170.22, you affirm after each assessment, after any POA&M closeout, and every year following your CMMC Status Date. It applies at Level 1, Level 2 (self or C3PAO), and Level 3 (DIBCAC).
“The click in SPRS is easy. The hard part is knowing whether the thing you are affirming is still true.” That single sentence is the whole reason this page exists.
The 60-second answer
| Your question | The short answer |
|---|---|
| What is it? | A recurring SPRS attestation that you still meet your CMMC requirements. Not a new assessment — a confirmation. |
| Who signs? | A senior-level Affirming Official from inside your organization with authority to affirm continuing compliance (32 CFR §170.22). |
| Where? | In SPRS, under the CMMC Assessments tab. The signer needs a PIEE account with the SPRS Cyber Vendor User role. |
| When? | At Conditional status, at Final status, after a POA&M closeout, and annually after your CMMC Status Date. |
| Is a C3PAO required every year? | No — not just because an affirmation is due. Level 2/3 assessments run on a three-year cycle, with annual affirmations in between. |
| What if you miss it? | For Level 2 and Level 3, the assessment lapses. Under DFARS, you're not eligible for award without a current status and a current affirmation. |
| What to do before you click Affirm? | Verify scope, CMMC UID, CAGE codes, your SSP, POA&M status, control evidence, and any cloud/MSP/environment changes. |
Get the free CMMC Annual Affirmation Checklist.
A one-page, level-specific worksheet that walks your Affirming Official through everything to confirm before they sign — so the signature is defensible, not a leap of faith.
Download the Affirmation Checklist →
What is a CMMC annual affirmation?
A CMMC annual affirmation is the required SPRS submission in which an Affirming Official attests that the organization has implemented, and will maintain, all applicable CMMC security requirements for the assessed scope. It is not a fresh assessment by itself, but it is not empty paperwork either: under 32 CFR §170.22, the affirmation is tied to continuing compliance and to your contract eligibility.
Per 32 CFR §170.22, each affirmation includes the Affirming Official’s name, title, and contact information, plus a statement attesting that the organization “has implemented and will maintain implementation of all applicable CMMC security requirements” to its CMMC Status for all information systems within the relevant CMMC Assessment Scope.
Damaging admission
The affirmation itself asks you to upload no evidence at all. It’s a name, a title, a contact, a checkbox, and a click. SPRS doesn’t check your work when you affirm. The DoD verifies that you submitted the affirmation, and reserves the right to test your actual CMMC status through a DCMA DIBCAC assessment — and those results can override your self-representation. That’s why the person signing needs a defensible internal evidence packet before they do — which is the whole point of this page.
If you want the regulatory backbone of the program first, our CMMC certification process guide walks the full path; this page is about the recurring obligation that outlives the assessment.
Who has to submit a CMMC annual affirmation — and at which level?
Annual affirmation applies at every CMMC level, but the assessment cadence and specifics differ. Level 1 is an annual self-assessment plus affirmation; Level 2 (self or C3PAO) runs a three-year assessment cycle with annual affirmations in between; Level 3 (DIBCAC) follows the same three-year pattern and must also keep its Level 2 (C3PAO) affirmation current every year. Every level files in SPRS.
The CMMC annual affirmation matrix (all four paths)
| CMMC path | What you’re affirming (source) | Assessment cadence | When you affirm | If you fail to affirm | Primary source |
|---|---|---|---|---|---|
| Level 1 (Self) | 15 safeguards (FAR 52.204-21), for FCI | Self-assessment, annually | At each annual self-assessment | No current affirmation in SPRS = ineligible for award | 32 CFR §§170.15, 170.22(b)(1) |
| Level 2 (Self) | 110 requirements (NIST SP 800-171 R2), for CUI | Self-assessment, every 3 years | At assessment, at POA&M closeout, then annually after Final CMMC Status Date | “Assessment will lapse upon failure to annually affirm” | 32 CFR §§170.16, 170.22(b)(2) |
| Level 2 (C3PAO) | 110 requirements (NIST SP 800-171 R2), for CUI | C3PAO assessment, every 3 years (results via CMMC eMASS) | At assessment, at POA&M closeout, then annually after Final CMMC Status Date | Assessment lapses upon failure to affirm | 32 CFR §§170.17, 170.22(b)(3) |
| Level 3 (DIBCAC) | 110 (NIST SP 800-171 R2) + 24 from NIST SP 800-172 | DIBCAC assessment, every 3 years | At assessment, at POA&M closeout, then annually — plus continue the Level 2 (C3PAO) affirmation every year | Assessment lapses; loss of Level 3 eligibility | 32 CFR §§170.18, 170.22(b)(4) |
Who can be the CMMC Affirming Official — and are they personally on the hook?
The Affirming Official is the senior-level representative from within the organization who is responsible for CMMC compliance and has the authority to affirm continuing compliance (32 CFR §170.22). There is no government license or certification for the role — but because the affirmation is a signed legal representation to the federal government, the person who signs carries real responsibility for its accuracy. A consultant can help you prepare; a consultant cannot be your signer.
In practice, pick the person who actually has authority over the in-scope system, the remediation budget, and the decisions that make the statement true — typically a CISO, CIO, VP of IT, COO, or for a small supplier, the owner or CEO. Don’t hand it to a junior administrator just because they can navigate SPRS.
Can an MSP, RPO, or consultant sign for you?
No — not as your Affirming Official, unless that individual genuinely is the authorized senior representative inside your organization. Outside providers can do a lot here: build and maintain your evidence, run readiness reviews, monitor your controls, and walk you through the SPRS screens. What they can’t do is be the OSA’s signer.
Can a C3PAO sign?
No. The C3PAO assesses and reports in the formal assessment path. The affirmation comes from your Affirming Official, not your assessor.
Can the signer be held personally liable?
The False Claims Act reaches both companies and individuals, and the DOJ’s Civil Cyber-Fraud Initiative says it will hold accountable entities or individuals that knowingly misrepresent their cybersecurity. The two cybersecurity cases we cover below were settlements with organizations, not individual officers. But “knowingly” under 31 U.S.C. §3729(b)(1) includes reckless disregard for the truth — so an affirmation signed without verifying your actual compliance is itself the risk. The practical point: accurate honesty beats a flattering status you can’t defend.
When is the CMMC annual affirmation due, and when does the SPRS button appear?
The rule requires an affirmation at four moments: upon a Conditional CMMC Status, upon a Final CMMC Status, after a POA&M closeout when applicable, and annually following a Final CMMC Status Date (32 CFR §170.22). In SPRS, the Affirm button for your annual affirmation becomes available 60 days before the affirmation expiration date.
Initial affirmation
When you first reach your status (Conditional or Final).
Annual affirmation
Every year after your Final CMMC Status Date (the clock you’re counting from, per 32 CFR §170.4).
POA&M closeout affirmation
After you close out a Plan of Action and Milestones, where one applied.
60-day SPRS window
The Affirm button becomes available 60 days before each annual affirmation expiration date. After three years the record flips to “No CMMC Status (Expired).”
The 90 / 60 / 30-day Affirming Official runway
| Days before expiration | What happens | Owner |
|---|---|---|
| 90 days | Confirm level/status, status date, and affirmation expiration. Re-verify scope, CUI/FCI flows, CMMC UID, and CAGE codes. Pull your SSP and control evidence. Flag any system, cloud, or provider changes. | Compliance / IT lead |
| 60 days | Confirm PIEE access and SPRS Cyber Vendor User role. Confirm the Affirming Official’s PIEE details. The Affirm button is now live. Assemble the evidence packet; identify any gaps. | Compliance / IAM |
| 30 days | Executive review of the packet. Legal/counsel review if there are material gaps or prior representations in play. Make remediation or provider decisions. | Executive / counsel |
| Due date | Affirm only if the evidence supports the statement. Retain an internal record of who reviewed what, and when. | Affirming Official |
How to submit the CMMC annual affirmation in SPRS, step by step
Annual affirmations are completed entirely in SPRS, generally through the CMMC Assessments tab. The Affirming Official locates the record, reviews it, certifies the statement, and clicks Affirm — and the AO’s identity is pulled from PIEE, not typed in. The signer needs a PIEE account with the SPRS Cyber Vendor User role. Based on the DoD’s published Affirming Official Tutorial:
- Get access. The Affirming Official needs a PIEE (Procurement Integrated Enterprise Environment) account with the SPRS Cyber Vendor User role. Without it, there’s no Affirm action.
- Open the report. In SPRS, select Cyber Reports (CMMC & NIST), choose your CAGE and Hierarchy from the drop-down, and run it. An asterisk next to your CAGE confirms you have the right access.
- Find the record. Open the CMMC Assessments tab and locate the assessment. For an initial affirmation it shows as Pending Affirmation; for an annual affirmation, the Affirm button sits in the Affirmation Expiration Date column.
- Review. Open the record, confirm the details, and continue to the affirmation. The AO’s name, title, and contact come straight from PIEE and can’t be edited on this screen — only in PIEE.
- Certify and Affirm. Review the statement, check the certification box, and click Affirm. The record updates and a CMMC Unique Identifier (UID) is assigned.
Before you affirm, make sure it’s actually true.
A clean SPRS submission means nothing if the controls behind it have drifted. If you’re not fully confident a gap assessment would back up your posture today, that’s the thing to resolve before the signature — not after a contracting officer or a whistleblower asks.
Get Matched With Source-Checked CMMC Readiness Providers →
Disclosure: We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis or provider-category recommendations.
What happens if you miss a CMMC annual affirmation?
Missing your annual affirmation can cause your CMMC status to stop being “current,” and for Level 2 and Level 3 it can cause the assessment to lapse. That matters because under DFARS, you are not eligible for contract award without a current CMMC status and a current affirmation in SPRS — and you’re required to maintain both for the life of the contract. A lapse rarely announces itself. It shows up when you can’t be awarded the next option or the next contract.
DFARS 252.204-7021 (contract clause)
Requires you to maintain a current CMMC status for the duration of the contract and to “complete on an annual basis, and maintain as current, an affirmation of continuous compliance” in SPRS for each CMMC UID tied to a system that processes, stores, or transmits FCI or CUI in performance of the contract (Acquisition.gov, clause text).
DFARS 252.204-7025 (solicitation provision)
Makes eligibility explicit before award: you are not eligible unless you have both a current status at the required level in SPRS and a current affirmation of continuous compliance. Both must be current at the time of award.
What “current CMMC status” actually means
“Current” is not “we passed an assessment at some point.” DFARS 252.204-7021 defines it precisely, and the affirmation is half of the definition:
| Your status | Assessment age limit | Affirmation requirement | Compliance condition |
|---|---|---|---|
| Conditional Level 2 (Self or C3PAO) | Not older than 180 days | Corresponding affirmation | No changes in compliance since the Conditional status date |
| Conditional Level 3 (DIBCAC) | Not older than 180 days | Corresponding affirmation | No changes since the Conditional status date |
| Final Level 1 (Self) | Not older than 1 year | Affirmation not older than 1 year | No changes since the Final status date |
| Final Level 2 (Self or C3PAO) | Not older than 3 years | Affirmation not older than 1 year | No changes since the Final status date |
| Final Level 3 (DIBCAC) | Not older than 3 years | Affirmation not older than 1 year | No changes since the Final status date |
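As an added example (not from this page, the DoD, or SPRS), a small Python deadline tracker that encodes the age limits in the table above together with the 60-day Affirm window and the 90/60/30-day runway described earlier on this page. It assumes 1 year = 365 days and 3 years = 1,095 days (the clause speaks in years, so treat the dates as internal reminders, not authoritative SPRS dates), and its sample record is constructed.

```python
"""
Deadline tracker for the "current CMMC status" conditions summarised on this page.
Assumptions (not from the page): 1 year = 365 days, 3 years = 1095 days. The
computed dates are internal reminders, not the dates SPRS itself will display.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Age limits from the "current CMMC status" table (DFARS 252.204-7021).
CONDITIONAL_MAX_AGE = timedelta(days=180)          # also the POA&M closeout window
FINAL_MAX_AGE = {1: timedelta(days=365), 2: timedelta(days=1095), 3: timedelta(days=1095)}
AFFIRMATION_MAX_AGE = timedelta(days=365)          # Final status: affirmation <= 1 year old
AFFIRM_BUTTON_LEAD = timedelta(days=60)            # SPRS Affirm button appears 60 days out
RUNWAY_DAYS = (90, 60, 30)                         # internal review milestones from this page


@dataclass
class CmmcRecord:
    level: int                          # 1, 2 or 3
    conditional: bool                   # True = Conditional status, False = Final
    status_date: date                   # CMMC Status Date from the assessment
    last_affirmation: Optional[date]    # most recent affirmation in SPRS, None if never
    changes_since_status: bool = False  # any change in compliance since the status date


def assessment_expiry(rec: CmmcRecord) -> date:
    """Last day the underlying assessment still counts as current."""
    limit = CONDITIONAL_MAX_AGE if rec.conditional else FINAL_MAX_AGE[rec.level]
    return rec.status_date + limit


def affirmation_expiry(rec: CmmcRecord) -> Optional[date]:
    """Last day the affirmation on record still counts as current."""
    if rec.last_affirmation is None:
        return None
    if rec.conditional:
        # Conditional: the "corresponding" affirmation lives and dies with the Conditional status.
        return assessment_expiry(rec)
    return rec.last_affirmation + AFFIRMATION_MAX_AGE


def is_current(rec: CmmcRecord, today: date) -> tuple[bool, list[str]]:
    """Apply the three conditions in the table; return (current?, reasons it is not)."""
    reasons = []
    if today > assessment_expiry(rec):
        reasons.append("assessment older than the age limit for this status")
    aff_exp = affirmation_expiry(rec)
    if aff_exp is None:
        reasons.append("no affirmation on record in SPRS")
    elif rec.conditional and rec.last_affirmation < rec.status_date:
        reasons.append("affirmation predates the Conditional status date")
    elif today > aff_exp:
        reasons.append("affirmation older than 1 year")
    if rec.changes_since_status:
        reasons.append("compliance changed since the status date")
    return (not reasons, reasons)


def affirm_window_opens(rec: CmmcRecord) -> Optional[date]:
    """Date the SPRS Affirm button should become available (60 days before expiry)."""
    aff_exp = affirmation_expiry(rec)
    return None if aff_exp is None else aff_exp - AFFIRM_BUTTON_LEAD


def runway(rec: CmmcRecord) -> dict[int, date]:
    """Internal 90/60/30-day review dates counted back from the affirmation expiry."""
    aff_exp = affirmation_expiry(rec)
    if aff_exp is None:
        return {}
    return {d: aff_exp - timedelta(days=d) for d in RUNWAY_DAYS}


def poam_closeout_deadline(rec: CmmcRecord) -> Optional[date]:
    """180-day POA&M closeout deadline; only Conditional Level 2/3 carry a POA&M."""
    if rec.conditional and rec.level in (2, 3):
        return rec.status_date + CONDITIONAL_MAX_AGE
    return None


if __name__ == "__main__":
    # Constructed sample record: Final Level 2 (C3PAO), last affirmed on 2025-09-01.
    rec = CmmcRecord(level=2, conditional=False, status_date=date(2025, 3, 1),
                     last_affirmation=date(2025, 9, 1))
    today = date(2026, 7, 15)
    ok, why = is_current(rec, today)
    print("current:", ok, why)
    print("assessment expires:", assessment_expiry(rec))
    print("affirmation expires:", affirmation_expiry(rec))
    print("Affirm button opens:", affirm_window_opens(rec))
    for days, when in sorted(runway(rec).items(), reverse=True):
        print(f"  {days:>2}-day review: {when}")
```

Run it against your own status and affirmation dates to get the review calendar the page recommends, since SPRS will not remind you.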
What happens if you submit an inaccurate affirmation? (The False Claims Act)
Because the affirmation is an explicit, signed certification to the government, a knowingly false affirmation can trigger False Claims Act liability — which carries treble (triple) damages plus per-claim penalties. Under 31 U.S.C. §3729(b)(1), “knowingly” includes actual knowledge, deliberate ignorance, and reckless disregard for the truth — so an affirmation signed without verifying your actual compliance is itself the risk. No data breach is required for liability to attach.
The DOJ has repeatedly pursued defense contractors for cybersecurity misrepresentations — inflated self-assessment scores, missing system security plans, controls that weren’t actually implemented — and the annual affirmation turns a once-fuzzy “implied” certification into an explicit, dated, signed one. The DOJ’s Civil Cyber-Fraud Initiative, launched in October 2021, exists specifically to use the FCA against cybersecurity shortfalls.
Two real, government-confirmed cases
| Case | Amount | What the government alleged | The tell-tale detail | Source |
|---|---|---|---|---|
| U.S. ex rel. Berich v. MORSECORP, Inc. (D. Mass.) | $4.6M (Mar 26, 2025) | Failed to implement all 110 NIST SP 800-171 controls; no consolidated SSP; reported a far-too-high SPRS score and delayed correcting it | Reported SPRS score of 104 (scale runs −203 to 110); a later gap analysis put the real number at −142. The whistleblower — the company’s own head of security — received $851,000. | DOJ Office of Public Affairs |
| U.S. ex rel. Craig & Koza v. Georgia Tech Research Corp. (N.D. Ga.) | $875,000 (Sep 30, 2025) | Missing antivirus/anti-malware in a DoD research lab; no SSP; a false summary-level assessment score (resolved as allegations, with no determination of liability) | Submitted a “campus-wide” score of 98 that the government said was based on a “fictitious” or “virtual” environment that didn’t reflect any real covered system. | DOJ Office of Public Affairs |
If you can’t confidently support the affirmation, pause before you sign. Reckless disregard is a low bar to trip over.
Compare CMMC Readiness and Compliance Provider Categories →
What should the Affirming Official verify before signing?
The Affirming Official should never sign from memory. The working standard is to confirm that the assessed scope, CMMC UID, CAGE codes, SSP, POA&M status, security controls, CUI/FCI data flows, external service providers, and any major system changes still support the status being affirmed. If any one of those has drifted since the assessment, that’s a stop-and-check signal.
| Evidence area | What to confirm | Red flag before signing | Likely owner |
|---|---|---|---|
| CMMC UID / CAGEs | Correct UID and CAGE codes for the assessed system | New CAGE, new business unit, wrong system tied to the UID | Compliance / contracts |
| Assessment scope | In-scope FCI/CUI systems still match what was assessed | New CUI flow, new enclave, new cloud storage, new workflow | CISO / IT lead |
| System Security Plan (SSP) | SSP reflects the architecture and controls you actually run | SSP describes a system that no longer exists | Security / compliance |
| POA&M | Conditional items closed within the allowed window | Open POA&M past 180 days, or an item that was never POA&M-eligible | Compliance / project owner |
| Access control | User access reviews, MFA, privileged access | Former employees still active, shared admin accounts, MFA gaps | IT / IAM |
| Audit & logging | Logs collected, retained, reviewed | Logging disabled or major systems not onboarded | SOC / MSP |
| Vulnerability & patching | Scans run, findings remediated, exceptions tracked | Critical findings ignored, unmanaged assets | IT / MSP |
| Incident response | IR plan current; incidents handled and reported | An unreviewed incident that could affect compliance | Security / legal |
| Cloud / external providers | CSP/ESP still correctly scoped | New MSP or cloud service touching CUI without a scope update | IT / procurement |
| Training | Required users trained | New CUI users never trained | HR / compliance |
| Change management | Major changes reviewed for scope impact | Migration, merger, tool swap, or enclave growth never assessed | IT governance |
| Subcontractors | Flow-down and required status checked | A sub handling FCI/CUI with no current status | Contracts / supply chain |
Download the Annual Affirmation Evidence Packet Worksheet.
The same owner-by-owner review above, in a worksheet your team can run every year before the Affirming Official signs.
Download the Evidence Packet Worksheet →
What if your environment changed after the last assessment?
Annual affirmations confirm that network changes have not taken you out of compliance during the certification period, and a significant change within the CMMC Assessment Scope can require a new assessment and affirmation. Routine operational maintenance generally does not. The DoD’s CMMC FAQ addresses this in C-Q12 (what qualifies as a significant change) and F-Q5 (how to handle changes while maintaining compliance).
| Probably routine maintenance | Affirming Official judgment call | Likely needs a reassessment review |
|---|---|---|
| Routine patch and update cycles | Adding a new SaaS tool that touches in-scope data | A new cloud platform or CUI repository |
| Ordinary help-desk ticket closures | Replacing a security tool with a different vendor’s | A new MSP/MSSP/ESP handling in-scope systems |
| Minor configuration changes within the SSP | Expanding the user population with CUI access | Acquisition, divestiture, or new legal entity / CAGE |
| Like-for-like hardware swaps managed per your SSP | A material change to identity, logging, EDR, or backup | A new CUI type, new program, or enclave boundary expansion |
| Documented operational plans of action | An incident you haven’t fully assessed for impact | An unresolved control failure affecting the assessed scope |
If a real change lands in the third column — new cloud, new MSP, new CUI flow — don’t paper over it with an affirmation. A targeted gap assessment is the defensible path. If your scope or cloud footprint shifted materially, our notes on self-assessment vs. C3PAO and enclave scoping can help you size the impact.
How do POA&Ms and Conditional status affect your affirmation?
A Conditional CMMC Status is time-limited. For Level 2 and Level 3, a POA&M must be closed out within 180 days of the Conditional CMMC Status Date, and a separate affirmation is required after the POA&M closeout. Level 1 allows no POA&Ms at all. Our Conditional Level 2 POA&M closeout guide covers the full 180-day mechanic.
| Status | POA&M allowed? | Closeout deadline | Who performs the closeout | Affirmation trigger |
|---|---|---|---|---|
| Level 1 (Self) | No | — | — | At the annual self-assessment |
| Level 2 (Self), Conditional | Yes, limited | 180 days | The OSA (self-assessment) | After the closeout self-assessment |
| Level 2 (C3PAO), Conditional | Yes, limited | 180 days | An authorized/accredited C3PAO | After the closeout certification assessment |
| Level 3 (DIBCAC), Conditional | Yes, limited | 180 days | DCMA DIBCAC | After the closeout certification assessment |
Do you actually need a C3PAO for the annual affirmation?
No — not merely because an annual affirmation is due. Level 2 (C3PAO) and Level 3 assessments run on a three-year cycle, with annual affirmations handled in-house in between. Confusing the annual affirmation with the periodic assessment is one of the most expensive mistakes a contractor can make.
When you do NOT need a C3PAO
- Level 1 annual self-assessment
- Level 2 (Self) annual affirmation
- Level 2 (C3PAO) annual affirmation, when scope and posture still match
- Routine evidence-packet preparation
When a C3PAO IS involved
- Your initial Level 2 (C3PAO) certification assessment
- A Level 2 (C3PAO) POA&M closeout assessment
- Optional limited review before affirming (keep separate from assessor)
Not sure whether this is a readiness problem or an assessment problem? A drifted control is a readiness/MSSP problem. Scattered evidence is a GRC problem. A required closeout is a C3PAO problem. They are not interchangeable.
Compare Provider Categories Before You Call the Wrong Firm →
How does the annual affirmation work for primes and subcontractors?
Each prime and each subcontractor is responsible for its own affirmation — a prime does not affirm on behalf of the whole supply chain. DFARS 252.204-7021 requires contractors to flow down the correct CMMC level and to ensure subcontractors complete an affirmation before subcontract award and maintain it annually, for any subcontractor system that processes, stores, or transmits FCI or CUI under the subcontract.
What primes should verify about a sub
- Required CMMC level and assessment type for the subcontract
- Sub’s current status
- Sub’s current affirmation
- CMMC UID where required
- What information is actually being flowed down
What subcontractors should prepare
- Confirmation of current status
- CMMC UID where required
- Date of the affirmation
- Clear scope statement
- Review package appropriate for the prime (redacted per security policy)
Our flow-down requirements guide goes deeper on the prime–sub mechanics, including the Level 3 minimum flow-down rule (when a prime contract requires Level 3, the minimum for a sub handling CUI is Level 2 independent assessment unless contractual guidance specifies otherwise).
How much does the CMMC annual affirmation cost?
The annual affirmation itself is cheap. The DoD’s own regulatory cost analysis in the CMMC Final Rule pegs the recurring labor of a Level 2 annual affirmation at $1,459 per year for a small entity ($2,712 for a larger one) — those are modeling estimates of staff time, not market prices or provider quotes. The real cost variable isn’t the affirmation. It’s the readiness and remediation work that makes the affirmation true.
| CMMC path | Annual affirmation — small entity | Annual affirmation — other-than-small | 3-year assessment + affirmation — small entity |
|---|---|---|---|
| Level 1 (Self) | $560 | $584 | ~$6,000 (self-assessment + affirmation) |
| Level 2 (Self) | $1,459 | $2,712 | ~$37,000 (incl. two annual affirmations) |
| Level 2 (C3PAO) | $1,459 | $2,712 | $104,670 (the bulk is the certification assessment, not the affirmations) |
| Level 3 (DIBCAC) | $1,876 | $2,712 | DIBCAC assessment cost plus continuing Level 2 maintenance |
What changed under the final CMMC and DFARS rules?
The CMMC Program rule (32 CFR Part 170) became effective December 16, 2024, and the DFARS acquisition rule that puts CMMC into contracts (DFARS 252.204-7021 and 252.204-7025) became effective November 10, 2025. Together they tie a current CMMC status, your CMMC UIDs, and a current affirmation in SPRS directly to award eligibility and contract maintenance. That’s why the annual affirmation suddenly has teeth it didn’t have a year ago.
Which provider category fits your annual-affirmation situation?
Most annual-affirmation problems are readiness, evidence, security-operations, or scope problems — not formal-assessment problems. The table below routes by problem, not by brand.
| Your situation | Best-fit provider category | Why | Cost of guessing wrong |
|---|---|---|---|
| We're not sure the evidence supports the affirmation | Readiness / RPO / vCISO | You need a control and evidence review before signing | Signing on faith — the FCA exposure this whole page is about |
| Controls work, but evidence is scattered | GRC / evidence-workflow software | You need an audit trail, owners, and recurring evidence | Tools without implemented controls — software alone never satisfies CMMC |
| Our MSP or cloud setup changed | CMMC-focused MSP/MSSP or enclave provider | You need scope and technical-control validation | Evidence that won’t map to your assessed scope |
| We hold Conditional Level 2 (C3PAO) status | Authorized/accredited C3PAO for closeout | A formal closeout assessment may be required | Missing the 180-day window and losing Conditional status |
| We're pursuing Level 3 | DIBCAC path, plus Level 2 (C3PAO) maintenance | Level 3 adds DIBCAC requirements and a continuing Level 2 affirmation | Letting the prerequisite Level 2 affirmation lapse |
| We don't know what kind of help we need | Neutral Get Matched routing | Prevents routing a readiness issue to an assessment-only firm | Calling a C3PAO too early — wasted spend and a possible independence conflict |
Get matched with the right CMMC provider category — before you affirm. Tell us your level, scope, status date, and what’s changed since your assessment, and we’ll point you toward source-checked readiness, MSP/MSSP, GRC, enclave, or assessment options based on the problem you actually have.
Get Matched With Source-Checked CMMC Provider Options →
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
What we actually verified for this guide
Last verified: June 15, 2026.
This guide separates three kinds of claims: primary-source regulatory facts, the current state of DoD systems and enforcement, and our editorial conclusions about provider categories. The routing recommendations are clearly labeled as editorial judgment.
- 32 CFR §170.22 — affirmation triggers, content, the Affirming Official role, and SPRS submission (eCFR; Title 32 up to date as of June 3, 2026, last amended March 9, 2026).
- 32 CFR §§170.15–170.18 — level-by-level affirmation and contract-eligibility requirements.
- DFARS 252.204-7021 — the “current status” definition, annual-affirmation maintenance obligation, CMMC UID requirement, and subcontractor flow-down (Acquisition.gov / eCFR Title 48).
- DFARS 252.204-7025 — award eligibility tied to current status and current affirmation; effective November 10, 2025.
- SPRS Affirming Official Tutorial — the Affirm-button placement, PIEE-sourced AO data, the 60-day availability window, and the “No CMMC Status (Expired)” behavior after three years.
- DoD CIO CMMC page — the level table and the “assessment will lapse upon failure to annually affirm” language.
- DoD CMMC FAQ (Revision 2.3, May 2026) — affirmation required at all levels; Rev. 2 class deviation; Phase 1/Phase 2 timing; Level 3-to-subcontractor flow-down.
- DOJ press releases — the MORSECORP ($4.6M) and Georgia Tech Research Corporation ($875,000) settlements.
- DoD CMMC Final Rule cost analysis — affirmation cost figures, presented as DoD modeling estimates.
We re-check these sources at least quarterly. See our editorial standards and corrections policy for how we handle updates.
CMMC annual affirmation FAQ
- Is the CMMC annual affirmation required every year?
- Yes. An affirmation is required at every CMMC level — at each assessment, after a POA&M closeout where applicable, and annually after your Final CMMC Status Date. The assessment cycle differs by level (Level 1 annually; Level 2 and Level 3 every three years), but the affirmation is annual across the board.
- Is the affirmation submitted in SPRS?
- Yes. Under 32 CFR §170.22, all CMMC affirmations are entered electronically in SPRS, the DoD’s Supplier Performance Risk System. The Affirming Official needs a PIEE account with the SPRS Cyber Vendor User role.
- Who is the CMMC Affirming Official?
- A senior-level representative from within your organization who is responsible for CMMC compliance and has the authority to affirm continuing compliance. There is no government license for the role, but the signature is a legal representation, so the signer needs evidence behind it.
- Do we need a C3PAO every year for the annual affirmation?
- No — not just because the affirmation is due. Level 2 (C3PAO) and Level 3 assessments are generally every three years, with annual affirmations handled in-house in between. A C3PAO is required for the certification assessment itself and certain Level 2 closeouts.
- What happens if we miss the annual affirmation?
- For Level 2 and Level 3, the assessment can lapse. Under DFARS 252.204-7021 and 252.204-7025, you are not eligible for award without a current CMMC status and a current affirmation in SPRS, which you must maintain for the life of the contract.
- Will SPRS remind me before it’s due?
- Don’t count on it. The annual affirmation runs on your CMMC Status Date anniversary, and the safest practice is a recurring internal reminder at least 30 days out. The Affirm button becomes available in SPRS 60 days before the affirmation expiration date — but tracking the deadline is your responsibility, not the system’s.
- What if our POA&M is still open?
- Conditional status carries a 180-day closeout requirement for Level 2 and Level 3. If the POA&M is not successfully closed in that window, the Conditional status for that system expires. A separate affirmation is also required after closeout. Level 1 allows no POA&Ms.
- Does Level 1 require an annual affirmation?
- Yes. Level 1 requires an annual self-assessment and an annual affirmation covering the 15 safeguards in FAR 52.204-21.
- Does Level 3 require both a Level 2 and a Level 3 affirmation?
- Yes. For Level 3, the Level 2 (C3PAO) affirmation must continue to be completed annually in addition to the Level 3 (DIBCAC) affirmation, to maintain eligibility for Level 3 contracts.
- Is CMMC Level 2 assessed against NIST SP 800-171 Revision 2 or Revision 3?
- Revision 2 today. The DoD has issued a class deviation keeping Revision 2 as the assessment standard and has said it will incorporate Revision 3 through future rulemaking, so contractors should close Revision 2-to-Revision 3 gaps in anticipation.
- Can an MSP or RPO help prepare the evidence?
- Yes — outside providers can build and maintain your evidence, run readiness reviews, and support SPRS navigation. What they can’t do is be your Affirming Official. That signer must be the authorized senior representative inside your organization.
- Can the same C3PAO remediate us and then assess us?
- No. The Cyber AB Code of Professional Conduct prohibits a C3PAO from providing CMMC consulting or readiness services to an organization it also assesses. Keep readiness and formal assessment separate, and verify any assessor in the official Cyber AB Marketplace.
- Is this legal advice?
- No. This is educational regulatory analysis for defense contractors, published by an independent trade publication on CMMC 2.0 and DIB compliance. For questions about specific representations, claims, or disputes, consult qualified counsel.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options — without routing a readiness problem to an assessment-only firm.
Related guides on The Defense Compliance Report
- The CMMC certification process: full path from assessment to status
- SPRS score: how it works and what it means
- How to verify a company’s CMMC status in SPRS
- Conditional CMMC Level 2 certificate: POA&M closeout and the 180-day clock
- CMMC self-assessment vs C3PAO certification
- CMMC flow-down requirements for primes and subcontractors
- CMMC Level 2 requirements: all 110 controls explained
- CMMC gap assessment: what it covers and when to do one
- What CMMC certification actually costs
- CMMC deadlines 2026: Phase 1 and Phase 2 calendar
- Find an authorized C3PAO
- CMMC provider categories: which type of help fits your situation