Affirmation by a Senior Official
Effective: December 16, 2024
32 CFR 170.22 requires a named Affirming Official, defined at 32 CFR 170.4 as the senior level representative responsible for ensuring the contractor's compliance with the CMMC Program requirements who has the authority to affirm its continuing compliance, to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.
Who must comply
Every contractor subject to CMMC at any level, for as long as the CMMC requirement applies.
What it requires
- 01Designate as the Affirming Official the senior level representative who is responsible for ensuring compliance with the CMMC Program requirements and has the authority to affirm continuing compliance (in practice, usually an owner or officer).
- 02Conduct an initial affirmation in SPRS immediately following the initial self-assessment or certification.
- 03Submit an annual affirmation thereafter, at least every 12 months from the prior affirmation date.
- 04Submit an additional affirmation following any C3PAO certification or recertification event at Levels 2 or 3.
- 05Retain documentation supporting the affirmation in case of audit or investigation.
Key points
- The affirmation is a binding statement to the federal government. The named official, not just the company, can be exposed under the False Claims Act for knowingly false affirmations.
- Treat the affirmation as a board-level event each year, not a back-office checkbox.
Related clauses
- DFARS 252.204-7021Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- 32 CFR 170.15CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by the company's Affirming Official.
- 31 U.S.C. § 3729False Claims Act, Civil Liability for Knowingly False Claims
31 U.S.C. § 3729, the False Claims Act, imposes civil liability, including treble damages and per-claim penalties, on anyone who knowingly presents a false or fraudulent claim for payment to the federal government. "Knowingly" includes actual knowledge, deliberate ignorance, and reckless disregard, which is why a knowingly false CMMC senior-official affirmation can trigger FCA exposure.
Related terms
Read more in the Library
- The CMMC Annual Affirmation: The One Thing That Breaks DIY Compliance, 2026
Year-one DIY CMMC is easy. Year two is where most contractors quietly lose compliance. Here's how to not be one of them.
- The CMMC False Claims Act Risk: What's Real, What's Hype (2026)
FCA exposure on CMMC is real, but not in the way most vendors describe it. Here's what actually triggers it at Level 1, and what doesn't.