Under the Cybersecurity Maturity Model Certification (CMMC) final rule, which takes effect on December 16, 2024, the US Department of Defense (DoD) requires contractors and subcontractors to legally assert their level of CMMC compliance both when bidding on contracts and annually throughout the life of the contract. The person making this yearly compliance declaration is designated as the “Affirming Official.”
As this article explains, this new compliance affirmation requirement is more stringent than CMMC requirements proposed previously. Read on to quickly learn what’s new and how the changes could impact your business.
Concern 1: Who should make the compliance affirmation?
The CMMC final rule defines an Affirming Official (previously called the “senior official”) as follows:
The Affirming Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations.
The individual that a contractor designates as the Affirming Official must be a senior employee with the ability to confirm the company’s ongoing/continuous compliance with applicable CMMC contract requirements. This person is held legally responsible for validating and reporting to the DoD on compliance status at designated intervals in the contract cycle (see below).
Concern 2: When do contractors need to submit affirmations to DoD?
The CMMC final rule states:
When CMMC requirements are applied to a solicitation, Contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance.
An affirmation is required:
- When answering a solicitation in anticipation of winning a contract.
- Annually thereafter while the contract is in force, following the Conditional or Final CMMC Status Date (the date that CMMC status results were initially submitted).
- Upon reporting results of a CMMC self-assessment in the DoD’s Supplier Performance Risk System (SPRS) database.
- Upon completion of a third-party CMMC certification or triennial recertification assessment.
- Upon completion of a Plan of Action & Milestones (POA&M) closeout assessment.
The Affirming Official must make the affirmation electronically in SPRS alongside their company’s CMMC compliance scores and other performance data.
Concern 3: What are the legal implications of a CMMC compliance affirmation?
By submitting a CMMC compliance affirmation, the Affirming Official is attesting on behalf of the organization that it meets all applicable CMMC requirements, notwithstanding permissible POA&Ms (see below). Making an affirmation later deemed false could have significant legal ramifications not only for the company but also for the affirming executive, as it could constitute a violation of the sharp-edged False Claims Act.
Per the Department of Justice (DoJ) Civil Cyber-Fraud Initiative, both individuals and businesses can be prosecuted under the False Claims Act. DoJ has shown through numerous prosecutions and settlements totaling millions of dollars that it will aggressively wield the False Claims Act to ensure that government contractors meet their contractual and regulatory commitments, especially around cybersecurity and cyber incident reporting.
Moreover, the DoJ has strongly incentivized whistle-blowers under this legislation by offering them significant financial benefits for coming forward. The government’s hope is that senior management across the US defense industrial base (DIB) will take this threat of prosecution seriously and help drive verifiable CMMC compliance to which they can safely attest.
Concern 4: What constitutes CMMC Level 2 compliance?
As the DoD has been saying to its supply chain since December 2017, organizations that handle CUI must implement the 110 controls in NIST 800-171 Rev. 2. This “advanced” degree of cybersecurity maturity aligns with CMMC Level 2 certification.
The great majority of DIB orgs will be required to undergo a compliance assessment by an authorized CMMC third-party assessment organization (C3PAO) in order to obtain CMMC Level 2 certification. But the CMMC final rule reduces the risk of noncompliance in these specific ways:
- Organizations can achieve conditional CMMC compliance while deferring implementation of select non-critical controls (worth 1 point in SPRS) using POA&Ms for up to 180 days pending Final CMMC Status.
- To submit a CMMC compliance assessment with POA&Ms in place, a contractor must maintain a base score in SPRS of at least 88 out of 110.
- Critical NIST 800-171 controls (those worth 2 or 3 points in SPRS) are not eligible for POA&M deferral and must be implemented at assessment time.
- A business can complete a new self-assessment and submit a new affirmation of compliance in SPRS at any time.
Concern 5: Does CMMC now require continuous compliance?
Unlike getting your driver’s license renewed, CMMC compliance is not a “one and done” point-in-time attestation. Instead, CMMC mandates a yearly affirmation of “continuous compliance” across the three-year interval between certification renewal audits.
To track continuous compliance, DIB orgs must develop the capability to record and manage documentation, operational artifacts, and other compliance data for CMMC controls. Vendors may offer some help with this for the control(s) their solution covers. The goal is to efficiently show objective evidence of ongoing compliance that meets the information needs of an auditor or other stakeholder.
Data that fails to show ongoing operation of controls will be insufficient for CMMC certification or to justify a compliance affirmation. If you are unsure of your compliance status, consider engaging an objective and qualified third party to validate your cybersecurity posture, legally justify your compliance affirmation, and identify any red flags ahead of an external audit.
“Winging it” with any CMMC compliance affirmation is taking unacceptable and unnecessary legal and business risks.
What’s next?
For more guidance on this topic, listen to Episode 145 of The Virtual CISO Podcast with guest Sanjeev Verma, Chairman and co-founder at PreVeil.