Achieving a Cybersecurity Maturity Model Certification (CMMC) status is a milestone. Maintaining it is an obligation that continues for the life of every covered contract. The mechanism for that ongoing obligation is the affirmation of continuous compliance, submitted in the Supplier Performance Risk System (SPRS) by a named official. This guide explains what the affirmation requires and why it deserves more care than its brevity suggests.
Know who can sign
The affirmation is submitted electronically by an Affirming Official, a senior representative of the organization with the authority to attest on its behalf. This is not a clerical task to delegate to whoever has SPRS access. The person who signs is attesting, on the record, that the organization continues to meet the requirements associated with its CMMC level.
Understand what you are attesting to
The affirmation states continuous compliance, and the program's definition of current requires confirming that there have been no changes in compliance since the organization achieved its CMMC status. That single word, current, creates an ongoing monitoring duty. You are not affirming that you were compliant on the day of assessment. You are affirming that nothing has lapsed since.
This is where False Claims Act risk lives
Knowingly submitting a false or inaccurate affirmation carries significant legal exposure, including under the federal False Claims Act. An affirmation that drifts out of step with your actual posture is not a paperwork error. It is a representation to the government.
Track the cadence for your level and path
The affirmation is maintained on an annual basis for each CMMC unique identifier covering systems that process, store, or transmit Federal Contract Information or Controlled Unclassified Information. Assessment cadence differs by level and path: Level 2 self-assessments and third-party assessments operate on a three-year assessment cycle with annual affirmations, while Level 3 assessments are conducted by the government. Map each contract to the level it requires, and keep an affirmation current for every applicable identifier.
Mind the plan of action deadline
Where an assessment leaves open items, they are tracked in a plan of action and milestones. Those items generally must be closed within one hundred and eighty days. Failing to close a plan of action item in time, or missing an annual affirmation, can render the organization ineligible for award or option renewal. The affirmation does not stand alone. It sits on top of a remediation clock.
Build a monitoring rhythm, not an annual scramble
Because the affirmation asserts continuous compliance, the only sound way to support it is continuous monitoring. An organization that reconstructs its posture once a year, the week before the affirmation is due, is signing an attestation it cannot fully stand behind. Continuous control monitoring, with evidence collected as configurations change, turns the affirmation from a risky annual guess into a routine confirmation of a known state.
Why this is worth a managed approach
The affirmation is the point where a compliance program meets personal and corporate legal accountability. The signature is short. The exposure is not. YGI Solutions helps organizations stand up the continuous monitoring and evidence discipline that lets an Affirming Official sign with confidence, and we keep the affirmation, the assessment cadence, and the plan of action clock aligned so that none of them quietly slips.