The Three-Year Cycle
A CMMC Level 2 (C3PAO) certification is valid for three years from the date of issuance, contingent on the contractor meeting ongoing maintenance obligations. The three-year window is not a holiday from compliance — it is a period during which several recurring obligations apply, any of which can affect the validity of the certification.
| Time | Activity | Trigger |
|---|---|---|
| Year 0 | Initial certification granted | C3PAO assessment + PMO certification decision |
| Year 0–1 | Initial POA&M items closed (if conditional certification) | 180-day window from the conditional CMMC status date (per 32 CFR § 170.21) — this is sometimes the same as the formal certification date but not always |
| Year 1 | First annual senior official affirmation in SPRS | One year from certification |
| Year 1+ | Annual SSP review and update | Recurring |
| Year 1+ | Annual security awareness training cycle | Recurring per AT family policy |
| Year 1+ | Annual risk assessment, IR plan tabletop, policy review | Recurring per RA, IR, CA family policies |
| Year 2 | Second annual senior official affirmation in SPRS | Two years from certification |
| Year 2.5 | Recertification preparation begins; engage C3PAO for next assessment | ~6 months before certification expiration |
| Year 3 | Recertification assessment; new certificate issued | Before original certificate expires |
Throughout the three years, additional triggers can require off-cycle action: significant environmental changes, cyber incidents, regulatory updates, contract changes that alter scope. The certification is not "set and forget."
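The cycle in the table above can be turned into a dated maintenance calendar. The following is an added example, not code from the page or from any CMMC tool: it derives the affirmation, SSP review, recertification-planning and expiry dates from the certification date and, where a conditional status applies, the 180-day POA&M closure deadline from the conditional status date (which the table notes can differ from the certification date). The 182-day "six months" lead and the 30-day "imminent" warning window are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Offsets come from the cycle described in the text: affirmations and SSP
# reviews at years 1 and 2, recertification planning about six months before
# expiry, expiry at year 3, and a 180-day window to close POA&M items carried
# into a conditional status. The 182-day "six months" and 30-day warning
# figures are assumptions made for this example.
CERT_VALIDITY_YEARS = 3
RECERT_LEAD_DAYS = 182
CONDITIONAL_WINDOW_DAYS = 180
WARN_DAYS = 30


@dataclass(frozen=True)
class Milestone:
    name: str
    due: date


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def build_cycle(cert_date_iso: str, conditional_status_iso: Optional[str] = None) -> list:
    """Return the maintenance milestones for one certification cycle, sorted by due date."""
    cert_date = date.fromisoformat(cert_date_iso)
    milestones = []
    if conditional_status_iso is not None:
        # The 180-day clock runs from the conditional status date, not necessarily cert_date.
        cond = date.fromisoformat(conditional_status_iso)
        milestones.append(Milestone("Close conditional POA&M items (180-day window)",
                                    cond + timedelta(days=CONDITIONAL_WINDOW_DAYS)))
    for year in range(1, CERT_VALIDITY_YEARS):
        due = add_years(cert_date, year)
        milestones.append(Milestone(f"Year {year}: senior official affirmation in SPRS", due))
        milestones.append(Milestone(f"Year {year}: annual SSP review and update", due))
    expiry = add_years(cert_date, CERT_VALIDITY_YEARS)
    milestones.append(Milestone("Begin recertification planning; engage C3PAO",
                                expiry - timedelta(days=RECERT_LEAD_DAYS)))
    milestones.append(Milestone("Certificate expires; new certificate must be issued", expiry))
    return sorted(milestones, key=lambda m: m.due)


def status_report(milestones: list, today_iso: str, completed: set) -> dict:
    """Bucket milestones into done / overdue / imminent / upcoming as of today_iso."""
    today = date.fromisoformat(today_iso)
    report = {"done": [], "overdue": [], "imminent": [], "upcoming": []}
    for m in milestones:
        if m.name in completed:
            report["done"].append(m.name)
        elif m.due < today:
            report["overdue"].append(m.name)
        elif (m.due - today).days <= WARN_DAYS:
            report["imminent"].append(m.name)
        else:
            report["upcoming"].append(m.name)
    return report


if __name__ == "__main__":
    # Constructed dates: certified 10 Mar 2025 after a conditional status dated 15 Jan 2025.
    cycle = build_cycle("2025-03-10", conditional_status_iso="2025-01-15")
    for m in cycle:
        print(f"{m.due.isoformat()}  {m.name}")
    print(status_report(cycle, "2026-03-20",
                        completed={"Close conditional POA&M items (180-day window)"}))
```

Feed the report into whatever ticketing or GRC tracker the ISSO already uses; the point is that each date exists before the year starts, so an affirmation or SSP review is never discovered to be overdue at recertification.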
Annual Senior Official Affirmation
Each year of the three-year certification period, an authorized senior official of the contractor must affirm in SPRS that the contractor continues to meet the CMMC requirements at the certified level. The affirmation obligation is established explicitly by the CMMC Final Rule at 32 CFR §§ 170.16 and 170.17 (covering Level 1 self-assessment and Level 2 self-assessment / certification affirmations respectively). False affirmations expose the senior official to False Claims Act liability (31 U.S.C. §§ 3729–3733) and, separately, can result in administrative action under the CMMC Program including suspension or revocation of certification.
Two distinct SPRS-related obligations exist and are sometimes confused:
- NIST SP 800-171 self-assessment posting (DFARS 252.204-7019) — the older obligation, which requires contractors to post a current self-assessment summary score in SPRS.
- CMMC annual affirmation (32 CFR §§ 170.16 / 170.17) — the new obligation introduced by the CMMC Final Rule, an annual senior-official attestation that the contractor continues to meet the certified CMMC level.
Both flow into SPRS, but they are different attestations covering different content.
The affirmation requires the senior official to confirm that:
- The contractor continues to implement all 110 NIST SP 800-171 Rev 2 requirements (or whatever level applies)
- Any open POA&M items remain appropriate for the certification level (some POA&M items are not permitted at certification — see the POA&M lifecycle section)
- The SSP remains current and accurately reflects the operational environment
- No significant changes to the environment have occurred that would invalidate the certification
- Cyber incidents have been reported as required
Practical implementation: the senior official should not affirm without first reviewing the SSP, the POA&M, and a brief from the ISSO confirming the operational state. The affirmation is a legal representation; reading documents you sign matters.
The affirmation creates personal exposure. The senior official affirming is making a representation under penalty of False Claims Act exposure (31 U.S.C. §§ 3729–3733) and under the CMMC Final Rule at 32 CFR §§ 170.16 and 170.17. False affirmations — affirming compliance that does not exist, affirming an SSP that is materially out of date, affirming that POA&M items remain appropriate when they have lapsed — can result in personal liability beyond the corporate consequences, plus administrative action against the certification itself.
POA&M Lifecycle
The Plan of Action and Milestones (POA&M) is the living tracker of compliance gaps and their remediation plans. Throughout the certification period, items are added (when new gaps are identified), worked (during remediation), and closed (when remediation completes and is validated).
Key rules to know:
- Conditional certification has a 180-day clock. Items on POA&M at the time of conditional certification must be closed within 180 days. Failure to close within the window can result in the certification being downgraded to "not certified" status.
- POA&M eligibility is sharply limited. Per the CMMC Final Rule and the DoD Assessment Guide for Level 2: only requirements scored at 1 point are eligible for POA&M, with one explicit exception — SC.L2-3.13.11 (CUI Encryption) may be on POA&M when encryption is employed but is not FIPS-validated (counted as 1 or 3 points in that case). All 5-point requirements (and 3-point requirements other than that single exception) must be fully implemented at certification. Of the 110 requirements, 47 are POA&M-eligible; even with maximally permitted POA&M items the contractor must achieve a SPRS score of at least 88 to qualify for conditional certification.
- POA&M items added during the three-year period must be tracked. If a new gap is identified through internal assessment, monitoring, or audit findings, it must be added to the POA&M with a credible remediation plan.
- POA&M items have target completion dates. Missing target dates without re-baselining the POA&M and documenting the reason creates a finding for the recertification assessment.
POA&M maintenance is the most common area where contractors lose ground during the three-year cycle. An unmaintained POA&M — items added years ago and never closed, target dates missed and never updated, no record of who owns each item — signals to assessors that the compliance program is not actively managed.
Operational practice: review the POA&M at least monthly. Review responsibility should be assigned to the ISSO (or equivalent named role). Each POA&M item should have an owner, a current status, a target completion date, and recent activity. Closed items should be documented with the closure evidence — what was done and how it was validated.
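The eligibility rules and the monthly-review discipline described above can both be checked mechanically. The block below is an added example, not the page's or the DoD's own code: it scores a POA&M against the 110-point maximum as the text describes (an open item deducts its 1, 3 or 5 points, SC.L2-3.13.11 with non-FIPS-validated encryption deducts 3, the conservative reading of the page's "1 or 3"), reports which open items bar conditional certification regardless of score, and flags the hygiene failures an assessor notices: no owner, missed target date, no recent activity, closure without evidence, and items carried past the 180-day conditional window. The requirement weights and dates in the sample POA&M are constructed placeholders, not a copy of the DoD assessment methodology, and the 31-day staleness threshold is an assumption derived from "review at least monthly".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rules as the text states them: 110 requirements weighted 1, 3 or 5; an open
# item deducts its weight; only 1-point requirements may remain on a POA&M,
# except SC.L2-3.13.11 when encryption is employed but not FIPS-validated;
# conditional certification needs a score of at least 88.
TOTAL_REQUIREMENTS = 110
CONDITIONAL_MIN_SCORE = 88
CUI_ENCRYPTION = "SC.L2-3.13.11"
NOT_FIPS_DEDUCTION = 3      # page says "1 or 3"; 3 is the conservative choice
STALE_AFTER_DAYS = 31       # assumption: monthly review implies activity within a month
CONDITIONAL_WINDOW_DAYS = 180


@dataclass
class PoamItem:
    requirement: str
    weight: int                 # 1, 3 or 5 (illustrative values in the sample below)
    owner: Optional[str]
    opened: str                 # ISO dates keep the sample readable
    target: str
    status: str                 # "open", "in_progress" or "closed"
    last_activity: str
    closure_evidence: str = ""
    encryption_not_fips: bool = False   # only meaningful for SC.L2-3.13.11

    @property
    def is_open(self) -> bool:
        return self.status != "closed"


def deduction(item: PoamItem) -> int:
    """Points an open item costs against the 110-point maximum."""
    if not item.is_open:
        return 0
    if item.requirement == CUI_ENCRYPTION and item.encryption_not_fips:
        return NOT_FIPS_DEDUCTION
    return item.weight


def poam_eligible(item: PoamItem) -> bool:
    """May this requirement legitimately remain open on a POA&M at certification?"""
    if item.requirement == CUI_ENCRYPTION and item.encryption_not_fips:
        return True
    return item.weight == 1


def sprs_score(items: list) -> int:
    return TOTAL_REQUIREMENTS - sum(deduction(i) for i in items)


def conditional_certification_check(items: list) -> dict:
    """Score plus the open items that bar conditional certification outright."""
    score = sprs_score(items)
    blocking = sorted(i.requirement for i in items if i.is_open and not poam_eligible(i))
    return {"score": score, "blocking": blocking,
            "eligible": score >= CONDITIONAL_MIN_SCORE and not blocking}


def hygiene_findings(items: list, today_iso: str, conditional_status_iso: Optional[str] = None) -> dict:
    """Per-requirement findings an assessor would raise on an unmaintained POA&M."""
    today = date.fromisoformat(today_iso)
    cond_date = date.fromisoformat(conditional_status_iso) if conditional_status_iso else None
    deadline = cond_date + timedelta(days=CONDITIONAL_WINDOW_DAYS) if cond_date else None
    findings = {}
    for i in items:
        flags = set()
        if i.is_open:
            if not i.owner:
                flags.add("missing_owner")
            if date.fromisoformat(i.target) < today:
                flags.add("target_date_missed")
            if (today - date.fromisoformat(i.last_activity)).days > STALE_AFTER_DAYS:
                flags.add("no_recent_activity")
            # Items already on the POA&M at the conditional status date must close within 180 days.
            if deadline and today > deadline and date.fromisoformat(i.opened) <= cond_date:
                flags.add("conditional_window_exceeded")
        elif not i.closure_evidence.strip():
            flags.add("closed_without_evidence")
        if flags:
            findings[i.requirement] = flags
    return findings


# Constructed sample POA&M; weights are placeholders for illustration only.
SAMPLE_ITEMS = [
    PoamItem("AC.L2-3.1.20", 1, "ISSO", "2025-02-01", "2025-06-30", "in_progress", "2025-05-20"),
    PoamItem("MP.L2-3.8.9", 1, None, "2024-09-01", "2025-01-31", "open", "2024-10-01"),
    PoamItem("SC.L2-3.13.11", 5, "Network Lead", "2025-02-01", "2025-07-15", "open", "2025-05-28",
             encryption_not_fips=True),
    PoamItem("IA.L2-3.5.3", 5, "IAM Lead", "2025-02-01", "2025-07-15", "open", "2025-05-28"),
    PoamItem("AU.L2-3.3.8", 1, "ISSO", "2024-11-01", "2025-03-01", "closed", "2025-02-15",
             closure_evidence="Change ticket CHG-0412 (constructed); ACL screenshot in evidence library"),
    PoamItem("CM.L2-3.4.9", 1, "ISSO", "2024-11-01", "2025-03-01", "closed", "2025-02-20"),
]

if __name__ == "__main__":
    print(conditional_certification_check(SAMPLE_ITEMS))
    print(hygiene_findings(SAMPLE_ITEMS, "2025-06-05", conditional_status_iso="2025-02-01"))
```

The sample scores 100, above the 88 floor, yet is not eligible for conditional certification because a 5-point requirement is open; the score and the eligibility rules are separate gates, which is exactly the confusion the text warns about.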
Change Management for In-Scope Systems
Changes to in-scope systems can affect compliance posture. The 800-171 Configuration Management family (CM) requires formal change control; maintaining certification requires that the change control process actually catches changes that have CMMC impact.
Categories of change to track:
- System additions. A new server, new endpoint, new cloud service added to the in-scope environment. Each addition must be reviewed for CMMC impact: does it require new evidence, new policy coverage, new assessor scrutiny at recertification?
- System retirements. Removing a system from scope. Confirm CUI is migrated or destroyed properly, that asset inventory is updated, that any associated user access is terminated.
- Configuration changes. A change to firewall rules, a change to access control policies, a change to the audit log retention configuration. Significant changes must follow the change control process and be reflected in the SSP.
- Personnel changes. A new ISSO, a new System Owner, a turnover in the IR team. Roles must be reassigned and documented; new role-holders must be briefed and trained.
- Vendor changes. A new MSP, a switch from one CSP to another, a new specialty vendor with system access. Each change requires re-evaluation of the inheritance and shared-responsibility model.
- Architectural changes. Migrating from one enclave platform to another (e.g., M365 commercial to GCC High), changing network segmentation, restructuring the boundary. These almost always trigger off-cycle re-assessment.
- Organizational changes. M&A activity, divestiture, change of legal entity. Existing certifications do not automatically transfer through corporate transactions; the PMO must be notified and may require re-assessment.
The test for whether a change requires more than routine handling: would the change have come up in your initial assessment? If yes, it likely requires SSP update, POA&M consideration, and possibly notification to the PMO.
Continuous Monitoring
NIST SP 800-171 Rev 2 requires that the contractor "monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls" (3.12.3). The CMMC Level 2 implementation expects this to be a real, operational program — not a once-a-year review.

What ongoing monitoring includes
- Audit log review: Periodic (typically weekly) review of audit logs for indicators of anomaly, with documented findings
- Vulnerability scanning: Monthly authenticated scans of in-scope systems with remediation tracking through the POA&M
- Patch compliance monitoring: Continuous tracking of patch deployment status; investigation of systems falling out of compliance
- Access review: Quarterly review of authorized users, with terminated employees confirmed removed and inactive accounts disabled
- Configuration drift monitoring: Comparison of current system configurations against documented baselines, with remediation of drift
- Vendor compliance monitoring: Annual review of vendor evidence (SOC 2 reports, CRM updates, attestations) and ad-hoc review of vendor incident notifications
- Security alert monitoring: Ongoing review of vendor and threat-intelligence security advisories with assessment of applicability to in-scope systems
- Incident detection and response: Operational capability to detect and respond to incidents, with documented response activity
The continuous monitoring program produces evidence that you'll rely on at recertification. The same evidence the initial assessment looked at — vulnerability scans, access reviews, audit logs, patch reports — should be available continuously, not generated specifically for an assessment window.
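Two of the monitoring activities listed above, the quarterly access review and configuration drift monitoring, are straightforward to automate, and automating them produces the continuous evidence the paragraph calls for. The block below is an added example, not code from the page or from any vendor product: it reconciles an account export against an HR termination feed and an inactivity threshold, diffs live settings against a documented baseline, and emits a dated review record suitable for the evidence library. The account list, termination set, baseline and current settings are all constructed sample data, the 90-day inactivity threshold is an assumption, and the reviewer role is assumed to be the ISSO as the text suggests.

```python
from datetime import date

# Constructed sample inputs standing in for an identity-provider export, an HR
# termination feed and a configuration baseline; none of it comes from the page.
INACTIVE_DAYS = 90          # assumption: disable accounts idle for more than 90 days
REVIEWER = "ISSO"           # assumption: the named role that signs the review record

ACCOUNTS = [  # (username, enabled, last_login ISO date)
    ("alice", True, "2025-05-30"),
    ("bob", True, "2025-01-12"),        # idle well past the threshold
    ("carol", True, "2025-05-29"),      # appears in the HR termination feed
    ("svc-backup", True, "2025-05-31"),
    ("dave", False, "2024-11-02"),      # already disabled: nothing to do
]
TERMINATED = {"carol"}

BASELINE = {
    "audit.retention_days": "365",
    "ssh.PasswordAuthentication": "no",
    "fw.default_inbound": "deny",
}
CURRENT = {
    "audit.retention_days": "90",                    # drifted from baseline
    "ssh.PasswordAuthentication": "no",
    "fw.default_inbound": "deny",
    "fw.rule.temp-vendor-access": "allow any:22",    # undocumented addition
}


def access_review(accounts, terminated, review_iso, inactive_days=INACTIVE_DAYS):
    """Access review: enabled accounts that belong to terminated users or sit idle."""
    review_date = date.fromisoformat(review_iso)
    findings = []
    for user, enabled, last_login in accounts:
        if not enabled:
            continue
        if user in terminated:
            findings.append((user, "terminated_but_enabled"))
        elif (review_date - date.fromisoformat(last_login)).days > inactive_days:
            findings.append((user, "inactive_over_threshold"))
    return findings


def config_drift(baseline, current):
    """Compare live settings to the documented baseline; every difference is drift."""
    drift = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            drift.append((key, baseline[key], None, "removed"))
        elif key not in baseline:
            drift.append((key, None, current[key], "added"))
        elif baseline[key] != current[key]:
            drift.append((key, baseline[key], current[key], "changed"))
    return drift


def review_record(review_iso, accounts, terminated, baseline, current):
    """The artifact for the evidence library: who reviewed what, when, and what was found."""
    access = access_review(accounts, terminated, review_iso)
    drift = config_drift(baseline, current)
    return {
        "review_date": review_iso,
        "reviewer": REVIEWER,
        "accounts_reviewed": len(accounts),
        "access_findings": [f"{user}: {finding}" for user, finding in access],
        "drift_findings": [f"{key}: {kind} ({old!r} -> {new!r})" for key, old, new, kind in drift],
        "open_actions": len(access) + len(drift),
    }


if __name__ == "__main__":
    record = review_record("2025-06-02", ACCOUNTS, TERMINATED, BASELINE, CURRENT)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Run on a schedule, each record becomes one dated entry in the evidence library; the recertification assessor then sees a run of reviews across the cycle rather than a single review produced during the assessment window.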
Annual SSP Review
The SSP is required to be reviewed and updated at least annually. The annual review is not a perfunctory exercise — it is the documented confirmation that the SSP continues to accurately reflect operational reality.
The annual review should:
- Walk through every section of the SSP and confirm it remains accurate
- Update any control implementation statements where the implementation has changed
- Refresh the system inventory, network architecture diagrams, and authorized user roster
- Update the inherited control documentation for any cloud or vendor changes
- Update the interconnection list for any vendor or external system changes
- Confirm POA&M cross-references remain accurate
- Update the document control metadata (version, effective date, next review date)
- Be approved by the System Owner
The output: an updated SSP with revision history showing the annual review was performed. An SSP last updated three years ago, while the certification is still active, is a finding waiting to happen at recertification.
Maintaining SPRS
The Supplier Performance Risk System (SPRS) holds the contractor's NIST 800-171 self-assessment score. Maintaining SPRS during the certification period involves:
- Annual senior official affirmation as described above
- Updating the score if it changes — most commonly because POA&M items have closed (improving the score) or because new gaps have been identified (lowering the score)
- Maintaining accurate organizational information — CAGE code, point of contact, scope description
- Updating after significant environmental changes — if an enclave change or vendor change materially affects implementation, the SPRS posting should reflect the current state
The SPRS posting is publicly visible to government contracting personnel. Inaccurate or stale SPRS data signals that the contractor is not actively maintaining compliance — and may affect contract opportunities even before recertification.
Re-Assessment Triggers
The three-year certification is the default validity period, but certain events can trigger an earlier re-assessment requirement:
- Significant change to the environment. A material change in scope, architecture, or boundary that affects the original assessment basis. Examples: changing enclave platforms, migrating to a different cloud provider, adding a major new in-scope system, organizational restructuring that changes who handles CUI.
- Cyber incident with material impact. A reportable incident that suggests material gaps in the certified controls may trigger PMO review and, in serious cases, suspension of certification pending demonstrated remediation.
- Loss of key control inheritance. If a vendor relationship that you depend on for control inheritance ends without replacement (the CSP loses its FedRAMP authorization, the MSP loses its security capability), the certification may be invalidated for the affected scope.
- Regulatory update requiring new control coverage. A change to the underlying NIST 800-171 standard or to the CMMC requirements may require demonstration of compliance against the new standard before the next normal recertification.
- M&A activity. Mergers, acquisitions, divestitures, and similar transactions can affect the certification. PMO notification is generally required; re-assessment may be required depending on the nature of the change.
- Contract action. A new contract requiring a higher CMMC level than your current certification. You cannot simply assert the higher level — you must achieve it through assessment.
The bias should be toward over-notification rather than under-notification. If a change is significant enough that you're uncertain whether it triggers re-assessment, raise it with the C3PAO and (where applicable) the CMMC PMO. The PMO publishes guidance on what constitutes a significant change.
Recertification Planning
Recertification is not a routine activity to be planned at the last minute. The next assessment should begin formal planning approximately six months before the current certificate expires.
Engage your C3PAO
- Initial conversation with the prior C3PAO (or a new C3PAO if you've decided to change)
- Scoping discussion — confirm whether the in-scope environment still matches the prior assessment's scope or has changed since
- Pricing and timeline discussion
- Statement of Work negotiation
Internal readiness review
- Comprehensive internal walkthrough of the SSP — confirm it reflects current reality
- Evidence package audit — confirm all evidence is current and accessible
- POA&M closure — confirm any open items have credible remediation status or are appropriately deferred
- Mock interviews with control family owners
- Identification and remediation of any gaps surfaced during readiness review
Document submission
- Submit current SSP, POA&M, policy library, and supporting evidence to the C3PAO
- Coordinate logistics for fieldwork (room, network access, scheduling)
- Brief personnel who will participate in the assessment
Assessment fieldwork
- The recertification assessment itself, similar in structure to the initial assessment
- Fieldwork is sometimes shorter than for the initial assessment if the environment has been stable, but this should not be assumed
- See the Assessment Day Playbook for the operational picture
New certificate issued
- The C3PAO submits the ROC with certification recommendation; the PMO issues the new certificate before the original expires
- The new certification begins a new three-year cycle
- Any remaining POA&M items from the previous cycle should be addressed in the new SSP
Organizations that allow their certification to lapse — by failing to begin recertification planning early enough — face a material problem: an active CMMC certification may be a contractual prerequisite for the contracts they hold or pursue. A lapse can trigger contract performance issues even if the underlying security posture is strong.
Run recertification as a project, not an event. Assign a named owner, build a project plan with milestones, allocate the time of the personnel who will participate, and treat the timeline as a hard constraint. Recertification with three months of preparation is harder and more expensive than recertification with six months.
Authoritative References
Related resources: The Assessment Day Playbook applies to recertification as well as initial certification. The evidence library guide describes the artifacts that must be continuously maintained, and the policy library guide covers the documents that must be reviewed annually.