You Passed CMMC Level 2 — Now What?

Certification is a milestone, not a finish line. Here's what keeps it valid: the annual affirmation, monitoring, and not letting your environment drift.

You scoped your environment, implemented the controls, wrote the SSP, and passed your C3PAO assessment. Congratulations — that's genuinely hard. Now here's the part nobody celebrates: a certification is a snapshot of one moment, and your environment starts changing the next day. Staying certified is a different discipline from getting certified.

A certification has a shelf life

A CMMC Level 2 certification assessment is valid for three years — but it comes with a yearly string attached. Each year, a senior official must submit an affirmation in SPRS attesting that your organization continues to meet the requirements. So the real picture is a three-year certificate plus an annual affirmation in between.

The affirmation is not paperwork theater. Affirming continued compliance while your environment has quietly fallen out of compliance creates serious legal and contractual exposure. Treat each annual affirmation as a real checkpoint that you can stand behind.

The annual affirmation, in plain terms

Think of the affirmation as a yearly "still true?" on the claims you made at assessment. Before a senior official signs it, you want confidence that:

The cleanest way to walk into an affirmation with confidence is to re-score yourself first. See the annual affirmation guide for the cadence.

Don't let your environment drift

Most organizations don't fail by making a big risky decision. They drift: a new SaaS tool gets adopted, an admin leaves, a firewall rule gets loosened "temporarily," a laptop joins the network outside the documented process. Each change is small; together they pull you out of the posture you certified. Guard against it with a few habits:

Enclave vs enterprise: a common post-certification question

Many small contractors certify a tightly scoped enclave — a walled-off slice of the business where CUI lives — because it's faster and cheaper than hardening the whole company. After passing, a natural worry sets in: was that the right call, or should we have done the whole enterprise?

For most, the enclave was the right call. A certification covers the scope you assessed, and your customers generally just need to see that you hold the certification. Importantly, extending good 800-171 practices to the rest of your business later does not force a new assessment — improving your overall security posture is encouraged, not penalized. A fresh assessment is typically driven by your three-year cycle, a contract that demands a different scope, or a material change to the certified environment.

Rule of thumb: don't reassess prematurely. Raising your baseline company-wide is good security and good business, but it isn't a trigger for a new C3PAO assessment on its own. Let your three-year cycle and your contracts drive reassessment timing.

Re-score before every affirmation

The simplest way to affirm with confidence is to run your numbers again. Free, all 110 controls, about 10 minutes — no signup, no sales call.

Re-check your SPRS score free →

A simple post-certification rhythm

  1. Quarterly: a light internal check — any new systems, tools, or people that changed your scope? Update the SSP.
  2. Annually: re-score against the 110 controls, close or re-baseline any POA&M items, then submit the affirmation in SPRS with confidence.
  3. Every three years: reassessment with a C3PAO — start preparing 6–12 months early, given the assessor queue.

After certification — frequently asked

How long is a Level 2 certification valid?

Three years — with an annual affirmation in SPRS, signed by a senior official, required each year in between.

What is the annual affirmation?

A yearly attestation in SPRS that you still meet the CMMC requirements. It carries real legal weight, so make sure it's actually true before you sign — re-score yourself first.

Do I have to reassess if I extend 800-171 beyond my enclave?

Generally no. Your certification covers the assessed scope; improving security elsewhere is encouraged. Reassessment is driven by the three-year cycle, a contract's scope requirements, or a material change — not by voluntarily raising your baseline.

How do I avoid drifting out of compliance?

Keep the SSP current, run change control and monitoring, keep audit logging active, and re-score periodically. Drift comes from small unmanaged changes, not big decisions.
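The drift described in "Don't let your environment drift" and in this answer (an undocumented laptop, a departed admin whose account lingers, a loosened firewall rule, an unapproved SaaS tool, logging switched off) is easy to catch mechanically if you keep a machine-readable copy of what the SSP documents and diff it against a fresh inventory each quarter. The script below is an added example written for this page, not code from the article or any CMMC tool; the baseline structure, the snapshot fields (`hosts`, `admins`, `saas_in_use`, `firewall`, `audit_logging`, `departed_staff`) and all host, user and tool names are constructed assumptions, and in practice the snapshot side would be fed from your asset inventory, IdP and firewall exports.

```python
"""Quarterly scope-drift check: diff a documented SSP baseline against a live snapshot.

Added example (not the article's code). All data below is constructed; field names
are assumptions about how you would serialize your SSP scope and your inventory.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Finding:
    category: str  # scope | access | firewall | logging
    detail: str


# Constructed stand-in for what the SSP documented at assessment time.
SSP_BASELINE = {
    "hosts": {"cui-fs01", "cui-ws01", "cui-ws02"},
    "admins": {"alice", "bob"},
    "approved_saas": {"m365-gcc-high"},
    # (protocol, port) -> source CIDR the SSP says is permitted
    "firewall": {("tcp", 443): "10.20.0.0/24", ("tcp", 3389): "10.20.0.10/32"},
    "audit_logging_required": True,
}

# Constructed snapshot of the live enclave one quarter later, containing the
# small unmanaged changes the article warns about.
CURRENT_SNAPSHOT = {
    "hosts": {"cui-fs01", "cui-ws01", "cui-ws02", "cui-ws03"},  # laptop joined outside process
    "admins": {"alice", "bob", "carol"},  # carol added; bob left but still has an account
    "saas_in_use": {"m365-gcc-high", "quicknotes-saas"},  # unapproved tool adopted
    "firewall": {("tcp", 443): "10.20.0.0/24", ("tcp", 3389): "0.0.0.0/0"},  # RDP loosened "temporarily"
    "audit_logging": {"cui-fs01": True, "cui-ws01": True, "cui-ws02": False, "cui-ws03": True},
    "departed_staff": {"bob"},
}


def firewall_drift(baseline_rules, current_rules):
    """Flag rules the SSP does not document, rules whose source was widened, and
    documented rules that have disappeared."""
    findings = []
    for rule, src in sorted(current_rules.items()):
        documented = baseline_rules.get(rule)
        if documented is None:
            findings.append(Finding("firewall", f"undocumented rule {rule} from {src}"))
        elif not ip_network(src).subnet_of(ip_network(documented)):
            findings.append(Finding("firewall", f"rule {rule} loosened from {documented} to {src}"))
    for rule in sorted(set(baseline_rules) - set(current_rules)):
        findings.append(Finding("firewall", f"documented rule {rule} no longer present"))
    return findings


def detect_drift(baseline, current):
    """Return every deviation between the documented baseline and the live snapshot."""
    findings = []
    for host in sorted(current["hosts"] - baseline["hosts"]):
        findings.append(Finding("scope", f"host {host} not documented in SSP"))
    for host in sorted(baseline["hosts"] - current["hosts"]):
        findings.append(Finding("scope", f"documented host {host} missing from inventory"))
    for user in sorted(current["admins"] - baseline["admins"]):
        findings.append(Finding("access", f"admin {user} not in SSP admin list"))
    for user in sorted(current["admins"] & current["departed_staff"]):
        findings.append(Finding("access", f"departed admin {user} still has an active account"))
    for tool in sorted(current["saas_in_use"] - baseline["approved_saas"]):
        findings.append(Finding("scope", f"SaaS tool {tool} in use but not approved"))
    findings += firewall_drift(baseline["firewall"], current["firewall"])
    if baseline["audit_logging_required"]:
        for host, enabled in sorted(current["audit_logging"].items()):
            if not enabled:
                findings.append(Finding("logging", f"audit logging disabled on {host}"))
    return findings


if __name__ == "__main__":
    for f in detect_drift(SSP_BASELINE, CURRENT_SNAPSHOT):
        print(f"[{f.category}] {f.detail}")
```

Each finding is either a change to be brought under change control and written into the SSP, or something to roll back before the next affirmation; an empty result for a quarter is the evidence you want behind a "still true" signature.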