How Long Is CMMC Certification Good For?

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified against primary sources:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

How long is CMMC certification good for? Three years at Level 2 and Level 3 — but only while your status stays under three years old, nothing changes in your compliance, and your annual affirmation in the Supplier Performance Risk System (SPRS) is current. Level 1 is annual, not three years. And a conditional status lasts just 180 days while you close your Plan of Action and Milestones (POA&M). That’s the short answer, and for most contractors it’s enough to stop the panic.

But “three years” is exactly where sharp companies get burned. The certificate isn’t the thing the government checks when it awards you work — your current status is. And the annual affirmation almost everyone forgets is the quiet mechanism that keeps that status alive, or lets it die on the vine.

The 60-second version (validity by status)

CMMC status validity summary by level
CMMC status | Good for | Annual affirmation? | The watch-out
Level 1 (Self-Assessment) | 1 year | Yes | Annual — no POA&M allowed
Final Level 2 (Self-Assessment) | 3 years | Yes | Affirmation does not reset the clock
Final Level 2 (C3PAO) | 3 years | Yes | Recertify before the 3-year date
Final Level 3 (DIBCAC) | 3 years | Yes | You must keep Level 2 (C3PAO) current too
Conditional Level 2 or 3 | 180 days | Yes, as applicable | Close the POA&M or it expires

Sources: 32 CFR Part 170 §§ 170.15–170.18, § 170.21, § 170.22; DFARS 252.204-7021. Full matrix with citations below.

This page is for you if you already have (or are close to) a CMMC status and you need to know what’s still valid, when your affirmation is due, whether a conditional status is about to lapse, or when to start planning your reassessment.

This is not your starting point if you don’t yet know whether your contract involves FCI or CUI, or which CMMC level your contract requires. Start with our CMMC levels and scope guide, then come back here to plan the clock.

➤ First move, 60 seconds: find your status type in the matrix below, then confirm your exact CMMC Status Date in SPRS. Those two facts unlock every deadline on this page. (We show you where to find them in the dates section.)

How long is CMMC certification good for, by level?

CMMC validity depends on your status type, not on the word “certified.” A Final Level 2 (Self or C3PAO) status and a Final Level 3 (DIBCAC) status are current for three years. Level 1 (Self-Assessment) is current for one year. A Conditional status at Level 2 or Level 3 is current for only 180 days while you close eligible POA&M items. All of these also require an annual affirmation in SPRS to stay current between assessments.

The CMMC Status Validity Matrix

Full CMMC status validity matrix with governing sources
CMMC status | Who assesses it | How long it’s current | Annual affirmation? | Conditional (POA&M) window | Governing source
Level 1 (Self) — for FCI | You (the OSA) | 1 year | Yes | None — no POA&M permitted at Level 1 | 32 CFR §170.15; §170.22
Final Level 2 (Self) — CUI, self-assessment required | You (OSA) | 3 years | Yes | If started Conditional: 180 days from the Conditional Status Date to close POA&M items | 32 CFR §170.16; §170.21; §170.22
Final Level 2 (C3PAO) — CUI, C3PAO assessment required | An accredited C3PAO | 3 years | Yes | If started Conditional: 180 days from the Conditional Status Date to close POA&M items | 32 CFR §170.17; §170.21; §170.22
Final Level 3 (DIBCAC) — contracts requiring Level 3 | DCMA DIBCAC | 3 years | Yes (affirm both Level 3 and Level 2) | If started Conditional: 180 days from the Conditional Status Date to close POA&M items | 32 CFR §170.18; §170.22
Conditional Level 2 or 3 | OSA, C3PAO, or DIBCAC depending on path | 180 days | Yes, as applicable | You must close the POA&M in the window — some requirements can’t be deferred at all | 32 CFR §170.21; DFARS 252.204-7021

The required CMMC level is set by the solicitation, not by a checklist. Under DFARS 252.204-7025, the solicitation states the level and assessment type, and it applies before award for each contractor information system that will process, store, or transmit FCI or CUI. Your status is reported and checked in SPRS, the government’s Supplier Performance Risk System. For Level 2 (C3PAO) and Level 3 (DIBCAC), results move through the CMMC instance of eMASS before posting to SPRS.

Level 1 is annual, not three years. Level 1 covers contractors who handle only Federal Contract Information (FCI). Under 32 CFR §170.15, Level 1 is a self-assessment you redo every year, with an annual affirmation, and no POA&Ms are allowed. If someone tells you Level 1 is “good for three years,” they’re wrong.

Level 2 is the three-year status most people mean. Level 2 applies to contractors that process, store, or transmit CUI, and it maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. Whether your contract requires a self-assessment or a C3PAO assessment, the reassessment cycle is three years.

A C3PAO issues your Certificate of CMMC Status — the Cyber AB does not. A Certificate of CMMC Status is issued only when the assessment is conducted by a C3PAO or DCMA DIBCAC — a self-assessed status does not come with one. For a Level 2 (C3PAO) assessment, the accredited C3PAO conducts the assessment and issues the certificate; results flow through eMASS to SPRS under 32 CFR §170.17.

Level 3 is three years, but Final Level 2 (C3PAO) has to stay current for Level 3. Under 32 CFR §170.18, Level 3 adds 24 selected requirements from NIST SP 800-172 (Feb. 2021) on top of the Level 2 baseline, and it’s assessed by DCMA DIBCAC. A Final Level 2 (C3PAO) status is a prerequisite for Level 3 assessment, and the rule requires a Level 2 (C3PAO) certification to remain current throughout the Level 3 period of performance. That means managing two validity clocks simultaneously.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required level, FCI/CUI handling, assessment type, cloud environment, and contract timeline.

Map your situation with Find My CMMC Path →

Do not submit CUI, drawings, or sensitive contract details.

Where do I find my CMMC Status Date and CMMC UID?

Your CMMC Status Date is the date your CMMC status results were submitted to SPRS or the CMMC instance of eMASS — it is not the date of a later POA&M closeout. Your CMMC UID is the ten-character identifier SPRS issues for each contractor information system that will process, store, or transmit FCI or CUI. Both live in SPRS. If you can’t find them, verify them in SPRS before you rely on any deadline.

Every date on this page counts from your CMMC Status Date, so it’s worth getting exactly right. Log into SPRS through the Procurement Integrated Enterprise Environment (PIEE) and pull your CMMC record for each assessed information system. You’re looking for two things: the CMMC Status Date (your clock’s start) and the CMMC UID (the identifier a contracting officer ties to your award). The Federal Register is explicit that the clock runs from your Conditional or Final Status Date — not from any later event. We cover the verification steps on our CMMC status verification guide.

How to count your own dates (no tool required)

Once you have your CMMC Status Date, the math is simple:

  • Annual affirmation — due within one year of your Final CMMC Status Date, and every year after. Set a reminder for ~11 months to give yourself margin.
  • Recertification — your next assessment must be completed before the three-year mark from your CMMC Status Date (one year if you’re at Level 1).
  • POA&M closeout — if you’re Conditional, count 180 days from your Conditional CMMC Status Date. That’s your hard deadline.

➤ Don’t know your CMMC Status Date? Check SPRS or your Certificate of CMMC Status first — every deadline on this page depends on that one date being right. Then, if you want a second set of eyes on your renewal plan, compare provider categories with Find My CMMC Path. Do not submit CUI, drawings, or sensitive contract details.

Does the annual affirmation renew your CMMC certification?

No. The annual affirmation keeps your existing status current — it does not restart the three-year Level 2 or Level 3 clock, and it does not turn Level 1’s one-year cycle into a three-year one. Under 32 CFR §170.22, the affirmation is a statement submitted electronically in SPRS by a senior official, attesting that your organization has implemented and will maintain the required CMMC practices. Without a current affirmation, your status is not current — regardless of when the underlying assessment happened.

A three-year CMMC status is not a three-year vacation.

The status buys you three years before the next assessment — it does not buy you three years of ignoring compliance. Every year in between, someone senior at your company has to put their name on a formal SPRS statement that your controls are still in place. If your environment drifted and that statement isn’t true, you have a problem that a valid-looking status won’t fix.

Who signs it? 32 CFR §170.22 calls this person the Affirming Official — the senior-level representative of the organization with the authority to affirm continuing compliance. The rule doesn’t require a specific title, but it does require real authority. This is not a job for a junior IT admin.

When is it required? 32 CFR §170.22 lists four triggers: upon achieving a Conditional CMMC Status (where applicable), upon achieving a Final CMMC Status, at POA&M closeout, and then annually following your Final CMMC Status Date.

What should you confirm before anyone signs? The affirmation is only as good as what’s behind it. Before you sign, verify that:

  • Your assessed scope still matches where FCI and CUI actually live today.
  • Cloud tenant, MSP/MSSP, and file-sharing changes are documented.
  • Your System Security Plan (SSP) is current.
  • No POA&M items are quietly stale or past due.
  • Your evidence is still retrievable and your control owners are still assigned.
  • Subcontractor flow-down is tracked.

We keep the signature mechanics and the SPRS steps on our dedicated CMMC annual affirmation page. The point here is simpler: the affirmation is the thing keeping your three years alive.

➤ Build your affirmation and renewal calendar. Note your CMMC Status Date, then set two reminders now — one at ~11 months for your next affirmation, one at ~30 months to start recertification. If you’d rather have help mapping the work, see what a Level 2 readiness program involves.

What does “current CMMC status” actually mean at award?

In procurement language, the gate isn’t “Are you certified?” — it’s “Do you have a current CMMC status at the required level, with a current affirmation?” DFARS 252.204-7021 defines a Final Level 2 or Level 3 status as current when it is not older than three years, there have been no changes in compliance since the CMMC Status Date, and it is paired with an affirmation not older than one year. A conditional status is current only when it’s not older than 180 days. Contracting officers verify that current status in SPRS before award and at other contract actions.

This is the distinction that turns “how long is my certificate good for” into a business risk. You can feel certified and still fail the check if your affirmation lapsed, your conditional window closed, or your environment changed.

Why option years and extensions matter. The CMMC Program Rule (32 CFR Part 170) took effect , and the DFARS acquisition rule took effect . As the requirement phases into more solicitations, a company that “got certified” early can still hit a current-status check when an option is exercised or a contract is extended. If your affirmation aged past a year in the meantime, that’s the moment it bites.

Don’t confuse CMMC status with your SPRS NIST 800-171 score

Many contractors already have a NIST SP 800-171 DoD Assessment score in SPRS from DFARS 252.204-7019 / 252.204-7020 — and assume that score is their CMMC certification. It isn’t. They’re two different records that happen to live in the same system and share a three-year horizon, which is exactly why they get conflated. Here’s the clean split:

CMMC status vs. NIST SP 800-171 DoD Assessment score comparison
(Attribute) | CMMC Status | NIST SP 800-171 DoD Assessment score
Governing rule | 32 CFR Part 170; DFARS 252.204-7021 | DFARS 252.204-7019 / 252.204-7020
What it is | Your CMMC level result — Conditional or Final | Your NIST 800-171 implementation score (max 110)
Who produces it | You (self), a C3PAO, or DCMA DIBCAC | You (Basic self-assessment) or DCMA DIBCAC (Medium/High)
Where it lives | SPRS (via CMMC eMASS for C3PAO/DIBCAC paths) | SPRS
How long it’s current | 3 years (Level 2/3); 1 year (Level 1); 180 days (conditional) | Not more than 3 years old

If your only SPRS record today is a self-scored 800-171 number, you have a score — not a CMMC Status. They are not interchangeable on a solicitation that requires CMMC. The DFARS 252.204-7019 requirement hasn’t gone away; it now sits alongside CMMC on solicitations that require both.

When does the three-year CMMC clock start?

The three-year clock runs from your CMMC Status Date — the date tied to your assessment result in SPRS — not from the day a consultant declares the project “done.” If your status started as Conditional, 32 CFR §170.17 ties the three-year reassessment window to the original Conditional CMMC Status Date. Closing your POA&M to reach Final does not hand you a fresh three-year clock. The Federal Register says it directly: the CMMC Status Date is not based on the date of a POA&M closeout assessment.

Example: Final Level 2 (C3PAO)

If your CMMC Status Date is , your next C3PAO reassessment must be completed before , and you should file annual affirmations at roughly the one-year and two-year marks. Don’t wait until month 35 — C3PAO scheduling isn’t instant.

Example: Conditional Level 2

If your Conditional CMMC Status Date is , your POA&M closeout deadline is 180 days later — on or about . Miss it and the conditional status expires. Close it and you become Final, but your three-year reassessment window still counts from that original July 2, 2026 date.

Example: Level 1

If your Level 1 self-assessment is dated , treat it as good for one year and plan to reassess and re-affirm before .

How long is a conditional CMMC status good for?

A Conditional Level 2 or Level 3 status is current for 180 days. During that window you must close your POA&M; if you don’t, 32 CFR §170.17 states the Conditional status expires — and if it expires during a period of performance, standard contractual remedies can apply and you can become ineligible for new awards requiring that level until you achieve a new status.

How the 180-day closeout plays out depends on your path:

  • Conditional Level 2 (Self-Assessment): you remediate the open items and complete a POA&M closeout self-assessment within the window, then affirm again in SPRS.
  • Conditional Level 2 (C3PAO): your C3PAO performs a POA&M closeout certification assessment and posts the result to eMASS within 180 days of your Conditional CMMC Status Date. Close it, and you move to Final Level 2 (C3PAO).
  • Conditional Level 3 (DIBCAC): DCMA DIBCAC conducts the closeout for Level 3 items on the same 180-day timeline.

Can you even get conditional status? Not always

A conditional status isn’t a “we’ll fix it all later” pass. Under 32 CFR §170.21, the eligibility rules are strict:

  • Level 1: no POA&M, ever. Every Level 1 requirement must be fully met.
  • Level 2: you must hit the 0.8 threshold — your assessment score divided by the total Level 2 requirements has to be at least 0.8, which works out to a minimum score of 88 out of 110.
  • Only 1-point requirements can be deferred. Every 3-point and 5-point requirement must be fully implemented at the time of assessment. There’s one narrow exception: CUI Encryption (SC.L2-3.13.11) can go on a POA&M if encryption is employed but not yet FIPS-validated.
  • Some foundational items can’t be deferred at all — for example, your System Security Plan (SSP, CA.L2-3.12.4) must be in place at assessment.
  • Level 3: the same 0.8 rule applies — you need at least 20 of the 24 Level 3 requirements met to be eligible for Conditional Level 3.

The practical implication: don’t assume a conditional status is a given. If your gaps sit in high-value controls, you may not qualify for the 180-day window at all. We break down the full excluded-controls list on our conditional status and POA&M closeout page.

➤ Check your 180-day math. If you’re holding a conditional status, count 180 days from your Conditional CMMC Status Date and put it in front of leadership today — before you request new quotes or assume you’re award-ready. If closing the gaps needs outside help, compare readiness provider categories. Do not submit CUI or sensitive contract details.

What can make a CMMC status expire early?

A three-year status can become unusable before the three-year mark if you miss the annual affirmation, if a conditional POA&M window closes without closeout, if your organization stops maintaining compliance, if your assessed scope no longer matches your real CUI environment, or if a later government re-evaluation changes your result. DFARS 252.204-7021 builds a “no changes in compliance” condition into the definition of a current status. Three years is the ceiling, not a guarantee.

A missed affirmation. No current affirmation means no current status, even inside your three-year window (32 CFR §170.22).

Compliance drift. Your controls were in place on assessment day and then eroded. Common triggers: a new cloud tenant, a new MSP, a new CUI file-sharing workflow, a new remote-access pattern, or a new ERP/CAD/PLM system that touches CUI. If it changes how CUI is protected, it changes your posture.

Scope drift. CMMC scope has to reflect where FCI and CUI are processed, stored, or transmitted. If CUI shows up outside your assessed boundary — a personal inbox, a shadow file share, a legacy server — your assessment no longer describes your reality.

A later government re-evaluation. 32 CFR §170.17 is explicit: if a subsequent DCMA DIBCAC assessment shows compliance has not been achieved or maintained, those results take precedence over any pre-existing CMMC Status. Under DFARS 252.204-7020, DIBCAC retains authority to assess.

Does CMMC validity work differently for subcontractors?

Yes — a subcontractor is not covered by a prime’s CMMC status. If your organization handles FCI or CUI under a flowed-down requirement, you are your own Organization Seeking Assessment (OSA): you need your own status at the applicable level and your own annual affirmation. DFARS 252.204-7021 requires primes to flow the correct CMMC level down to subcontracts, and it requires subcontractors to maintain their own affirmations of continuous compliance in SPRS.

Prime vs. subcontractor responsibility. The prime flows down the requirement; the subcontractor’s own environment, scope, status type, and affirmation are what count for the subcontractor. A prime’s Level 2 certificate does not certify its supply chain.

What primes should ask subcontractors for. Keep it to the facts a decision needs: status type, CMMC Status Date, last affirmation date, whether the status is Final or Conditional, the assessed scope boundary, and whether any CUI is actually exchanged. Ask through a secure channel.

What subcontractors should never put in a web form. Your status type and dates are fine to discuss. Never submit CUI, drawings, contract numbers, export-controlled technical data, or sensitive scope details into any intake form.

“Good for” vs “how long it takes”: two different clocks

“How long is CMMC good for” (validity: three years at Level 2/3) and “how long does CMMC take” (preparation: often many months to over a year to become assessment-ready) are different questions with different answers. This page is about validity. If you’re asking about preparation time instead, that depends on your starting security posture, the size and complexity of your scope, and C3PAO scheduling availability. Our how-long-does-CMMC-take guide is the right page for that question.

One planning note: because Level 2 and Level 3 statuses run on a three-year cycle, the C3PAO or DIBCAC assessment is a recurring cost, not a one-time one — separate from the year-round internal cost of staying compliant. We track current cost ranges on our CMMC cost page; the takeaway here is to budget for the cycle, not a single event.

Is CMMC certification for the company or the individual?

Both terms exist, and people mix them up. Your organization’s CMMC status is tied to your contractor information system(s), your CMMC Assessment Scope, and your CMMC UID(s) — not to a person — and it follows the cadence on this page for that assessed scope. Separately, the individual credentials — CMMC Certified Professional (CCP), CMMC Certified Assessor (CCA), and CMMC Certified Instructor (CCI) — are also valid for three years from issuance under 32 CFR §§170.11–170.13, but those belong to people in the CMMC ecosystem, not to your company’s status.

Why this matters: if you go looking in the regulation and land on the sections about assessor and professional certifications, you’ll see “valid for 3 years from the date of issuance” and might think it’s talking about your company. It isn’t. Those three-year clocks govern the consultants and assessors. Your company’s clock is the one in the validity matrix above, and it attaches to an information system in SPRS, identified by a CMMC UID.

Does CMMC Level 2 still use NIST SP 800-171 Revision 2?

Yes. For the current CMMC rule, Level 2 maps to the 110 requirements in NIST SP 800-171 Revision 2, and Level 3 adds 24 selected requirements from NIST SP 800-172 (Feb. 2021). NIST has published a newer revision of 800-171 (Revision 3), but the CMMC Program Rule in 32 CFR Part 170 continues to name Revision 2 — and that’s what governs unless and until DoD amends the rule. Don’t swap Revision 3 into a CMMC Level 2 plan on your own.

Why this matters for renewal planning. When you prepare for reassessment, you build against the version the rule names — currently Revision 2. NIST publications get updated on their own schedule; what binds you is the version incorporated by reference into 32 CFR Part 170. This is a live item to watch, which is why we date it: verified against the rule and DoD’s CMMC materials as of . If DoD moves CMMC to a new revision, we’ll update this page.

What to do 12, 6, and 3 months before your CMMC status expires

Treat CMMC renewal as an operating cycle, not a one-time certificate event. Twelve months out, confirm your dates and re-check your scope and evidence. Six months out, close material gaps and choose the right provider category. Three months out, lock your assessment schedule and confirm your affirmation timing. Starting late is the mistake most likely to compress your options, because C3PAO availability isn’t guaranteed.

12 months out

  • Confirm your status type and CMMC Status Date, and your last affirmation date.
  • Re-check your FCI/CUI scope against where data actually lives now.
  • Flag any new systems, cloud tenants, or providers that moved your boundary.
  • Refresh your SSP, asset inventory, network diagrams, and evidence map.

6 months out

  • Close material control gaps before an assessor sees them.
  • Decide which provider category you need — readiness, managed security, GRC workflow, a CUI enclave, or a C3PAO for the formal assessment.
  • Mind the independence line: a firm that remediates you generally cannot be the C3PAO that assesses that same engagement. CMMC’s conflict-of-interest requirements (see 32 CFR §170.8 and §170.9) require assessor independence.

3 months out

  • Confirm your assessment schedule with your C3PAO (or your DIBCAC path for Level 3).
  • Validate your SPRS status and affirmation.
  • Freeze avoidable architecture changes.
  • Make sure evidence owners know exactly what they own.

Final 30 days

Don’t let anyone sign the affirmation casually — confirm the current environment still matches the assessed scope, and escalate unresolved drift to leadership before signing.

➤ Map your provider category before you request quotes.

If your renewal date is close, tell us your level, scope, environment, and timeline through The Defense Compliance Report’s Find My CMMC Path tool and we’ll point you to the provider category you likely need — not a named-provider ranking — before you spend time with the wrong type of firm.

Which CMMC provider category do you need before renewal?

If you need readiness or remediation, start with a Registered Provider Organization or Registered Practitioner (RPO/RP), a CMMC-focused Managed Security Service Provider (MSSP), a virtual CISO, a GRC platform, or a CUI enclave — depending on the gap. If you’re already assessment-ready and your contract requires a Level 2 (C3PAO) assessment, a C3PAO belongs in the formal-assessment lane, not the remediation lane. The two lanes must stay separate, and matching yourself to the wrong one is how contractors waste months and budget.

Our decision logic here is The CMMC Path Framework — the way we map your required CMMC level, FCI vs. CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category you need. It routes to a category, never a named provider, and it isn’t a score, a ranking, or compliance advice.

  • RPO / RP — best for readiness planning, scoping support, SSP and POA&M documentation, and assessment preparation.
  • MSP / MSSP / vCISO — best when the gap is operational security ownership: managed controls, monitoring, endpoint, identity, and logging. Also the usual home for Microsoft Government Cloud and secure-environment questions.
  • GRC platform — best when evidence, SSP/POA&M workflow, and continuous affirmation-readiness are the bottleneck. Software alone does not make you compliant.
  • CUI enclave — best when your current environment is too broad or too expensive to bring entirely into scope, and you want to concentrate CUI in a controlled boundary.
  • C3PAO — best when you’re ready for the formal Level 2 third-party assessment your contract requires. Don’t route remediation work to a C3PAO as if assessment and implementation are the same engagement.

What we actually verified for this page

We built this page against primary sources, not secondary summaries. Here’s exactly what we checked and where.

Sources we read, verified :

  • 32 CFR Part 170 (CMMC Program Rule), Subparts C and D — §170.15 (Level 1), §170.16 (Level 2 Self), §170.17 (Level 2 C3PAO), §170.18 (Level 3 DIBCAC), §170.20 (standards acceptance / DIBCAC High), §170.21 (POA&M), §170.22 (Affirmation), and §§170.11–170.13 (individual credentials), on the eCFR.
  • DFARS 252.204-7021 (Contractor Compliance With CMMC Level Requirements), DFARS 252.204-7025 (Notice of CMMC Level Requirements), and DFARS 252.204-7019 / 252.204-7020 (NIST SP 800-171 DoD Assessment), on Acquisition.gov.
  • The CMMC Program Rule preamble in the Federal Register (published October 15, 2024; effective December 16, 2024) — including its statement that the CMMC Status Date is not based on the POA&M closeout date.
  • DoD CIO CMMC materials and the CMMC Assessment Guide (Level 2) — for the Level 2 (NIST SP 800-171 Rev. 2) and Level 3 (plus 24 NIST SP 800-172 requirements) mapping, and the definition of CMMC Status.

What we confirmed: the three-year validity for Final Level 2 and Level 3; the one-year Level 1 cycle; the annual affirmation requirement and its four triggers; the 180-day conditional/POA&M window; the 0.8 (88-point) conditional threshold and the SC.L2-3.13.11 encryption exception; that the clock counts from the CMMC Status Date, not POA&M closeout; that a Certificate of CMMC Status is issued only for C3PAO/DIBCAC assessments; that a pre-rule DCMA DIBCAC High Assessment with a perfect score and no open POA&M is granted Final Level 2 (C3PAO) status for three years from the original assessment date (§170.20); and that Level 2 currently maps to NIST SP 800-171 Revision 2.

The eCFR is continuously updated; we re-verify these sections quarterly and on any Federal Register action. See our editorial standards and corrections policy.

Frequently asked questions

How long is CMMC Level 2 certification good for?

A Final Level 2 status — whether earned by self-assessment or a C3PAO assessment — is current for three years, provided you keep an annual affirmation current in SPRS and there are no changes in compliance. A Level 2 C3PAO assessment must be completed within three years of your CMMC Status Date under 32 CFR §170.17.

Is CMMC Level 1 good for one year or three years?

One year. CMMC Level 1 is a self-assessment for FCI-only environments, redone annually with an annual affirmation, and no POA&Ms are permitted, under 32 CFR §170.15.

Does the annual affirmation renew CMMC certification?

No. The annual affirmation keeps your status current within its existing validity period; it does not reset the three-year Level 2 or Level 3 clock, and it does not extend Level 1’s one-year cycle. The affirmation is a senior official’s statement in SPRS under 32 CFR §170.22.

How long is conditional CMMC status good for?

A Conditional Level 2 or Level 3 status is current for 180 days, during which you must close your POA&M. If the items aren’t closed in the window, the conditional status expires under 32 CFR §170.17, and some requirements can’t be placed on a POA&M at all under §170.21.

What happens if my CMMC certification expires?

If your status is no longer current, you can become ineligible for new awards requiring that level, and standard contractual remedies can apply during an active period of performance. DFARS 252.204-7021 treats a status as current only when it’s within its validity window, paired with an affirmation not older than one year, and there are no changes in compliance.

Does a DCMA DIBCAC High Assessment or Joint Surveillance count toward the three-year clock?

It can. Under 32 CFR §170.20, an organization that earned a perfect score with no open POA&M on a DCMA DIBCAC High Assessment conducted before the rule’s effective date is granted Final Level 2 (C3PAO) status, valid for three years from the date of that original assessment. Eligible assessments include those conducted through Joint Surveillance, and the scope must match.

Do we need a C3PAO assessment every year?

No. The Level 2 (C3PAO) reassessment cycle is every three years, not annual. What is annual is the affirmation in SPRS.

Where is CMMC status checked, and where do I find my CMMC Status Date?

Your CMMC status and CMMC Status Date are in SPRS (the Supplier Performance Risk System), accessed through PIEE. SPRS is also the procurement-facing view a contracting officer checks. For Level 2 (C3PAO) and Level 3 (DIBCAC), results reach SPRS through the CMMC instance of eMASS.

Is my SPRS NIST 800-171 score the same as my CMMC certification?

No. A NIST SP 800-171 DoD Assessment score under DFARS 252.204-7019/7020 and your CMMC Status under 32 CFR Part 170 are two different records that both live in SPRS. A self-scored 800-171 number is not a CMMC Status.

Can the same firm prepare us and assess us?

Be careful. CMMC’s conflict-of-interest requirements (32 CFR §170.8 and §170.9) require assessor independence, so a firm that prepared or remediated your environment generally cannot be the C3PAO that assesses that same engagement. Keep readiness and formal assessment in separate lanes.

Does CMMC Level 2 use NIST SP 800-171 Revision 2 or Revision 3?

Revision 2. The current CMMC rule (32 CFR Part 170) names NIST SP 800-171 Revision 2 for Level 2’s 110 requirements. Revision 3 exists but doesn’t govern CMMC unless DoD amends the rule — recheck whenever DoD updates the program.

When should we start renewal planning?

Start about 12 months before your status expires if your environment is complex, your CUI scope changed, or you need remediation before reassessment. C3PAO scheduling is not instant, and DFARS checks your current status around award, option exercise, and extension.

Do not submit CUI, drawings, contract numbers, or sensitive scope details in any form. This page is educational research, not legal, contractual, or compliance advice — confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Editorial limits: We are not the Cyber AB, DoD, DCMA DIBCAC, NIST, or any government agency. We do not guarantee certification outcomes, and this is educational research — not legal, contractual, or compliance advice. The contract clause and your CUI handling set your level, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.