
The CMMC Annual Affirmation — What You're Signing

Your assessment isn't the finish line. Every year, a senior official has to put their name on a statement that you still meet all 110 requirements — and that signature now carries real legal weight.

A lot of contractors treat the assessment as the end. It isn't. CMMC requires an annual affirmation — and because it's a formal representation to the government, a careless one can be more dangerous than a low score. Here's what it is and why it deserves attention.

What the affirmation is

After your assessment — whether self-assessment or a C3PAO certification — a senior company official must submit an affirmation in SPRS stating that your organization continues to meet all applicable requirements. Then they must do it again every year. The C3PAO assessment itself recurs every three years, but the affirmation is annual, and it's a personal attestation by a named official.

In short: the assessment is a point-in-time snapshot; the affirmation is your yearly promise that the snapshot is still true. If your environment drifts away from compliance and you affirm anyway, you've made a false statement to the government.

Why this is now a real risk

The affirmation ties CMMC to the False Claims Act (FCA). Affirming compliance you don't actually have — or letting your score quietly decay and re-affirming anyway — is exactly the kind of misrepresentation the FCA targets, and the Department of Justice has made cybersecurity a stated enforcement priority.

The cautionary tale: in March 2025, a defense contractor agreed to pay $4.6 million to settle FCA allegations tied in part to letting its SPRS score go stale after it knew it had dropped. Compliance drift between assessments now has financial teeth — the affirmation is where that risk lives.

How to stay safe

  1. Treat compliance as ongoing, not a project. The score you affirm has to stay true all year, not just on assessment day.
  2. Re-check before you affirm. Re-run your self-assessment and update your SSP/POA&M before a senior official signs — don't affirm from memory.
  3. Watch for drift. New systems, lapsed MFA, an expired FIPS module, a disabled log source — any of these can quietly move you out of compliance between assessments.
  4. Make the affirming official informed. The person signing should understand what they're attesting to. It's their name on it.

Re-check your score before you re-affirm

The fastest way to confirm you still meet the bar is to re-run all 110 requirements. Free, about 10 minutes.

Calculate your SPRS score →

Bottom line

The annual affirmation turns CMMC from a one-time hurdle into a year-round responsibility — and a personal one for whoever signs. Keep your SSP current, re-check your score before each affirmation, and make sure the person signing knows it's true. Both tools are free. (This is general information, not legal advice — consult counsel on FCA exposure.)