CMMC Affirmation: What It Means to Sign on the Dotted Line

Every CMMC self-assessment and C3PAO certification requires an affirmation from a senior official of the organization. This is not a formality. It is a legally consequential attestation that creates personal and organizational liability under the False Claims Act.

Frequently Asked Questions

Who must sign a CMMC affirmation and what authority level is required?

The CMMC affirmation must be signed by a senior official of the organization who has the authority to commit the company to compliance representations. This is typically a C-level executive, VP, or director-level individual. The signer must have been briefed on the actual compliance status and must have the organizational authority to attest to the accuracy of the SPRS submission. Delegating the signature to someone without adequate knowledge or authority does not reduce liability.

What happens if compliance status changes after an affirmation is submitted?

Organizations are required to update their SPRS score and affirmation when material changes occur that affect their compliance posture. Continuing to rely on a stale affirmation when the organization knows its compliance status has changed creates FCA exposure. The affirmation is not a point-in-time safe harbor — it creates an ongoing obligation to maintain the accuracy of the representation.

Can a senior official face personal liability for signing a false CMMC affirmation?

Yes. The affirmation is a direct, signed attestation tied to an individual. Under the False Claims Act, individuals who make or cause false claims can face personal civil liability including treble damages and per-claim penalties. The individual executive who signs an inaccurate affirmation is personally exposed, independent of any corporate liability.

Many contractors treat the affirmation step as a box to check at the end of the assessment process. That framing is a mistake. Understanding what the affirmation actually means, who should sign it, and what the legal exposure looks like is essential for any executive involved in a DoD contracting organization.

What the Affirmation Is

The CMMC affirmation is a formal statement by a senior official of the organization that:

  1. The self-assessment or C3PAO assessment was conducted in accordance with the CMMC assessment methodology
  2. The results accurately reflect the organization's current cybersecurity posture
  3. The organization will maintain the stated level of compliance

The affirmation is recorded in SPRS alongside the assessment results. It is tied to a specific assessment date and a specific score. When the assessment is renewed, a new affirmation is required.

The affirmation requirement is codified at 32 CFR §§ 170.22 and 170.23 for Level 1 and Level 2 organizations respectively.

Who Must Affirm

The affirmation must be made by a "senior official" of the organization. The regulation defines this as someone who is authorized to legally commit the organization to a compliance representation. In practice, this means:

  • Chief Executive Officer
  • President
  • Chief Information Officer (if delegated authority)
  • Other C-suite executive with appropriate organizational authority

The affirmation cannot be delegated to a security analyst, IT manager, or consultant. It must come from someone with the organizational authority to make a binding compliance representation on behalf of the company.

This design is intentional. The DoD wanted executives personally on the hook for compliance representations, not just security teams. When a CEO or President signs an affirmation, they are personally attesting to the accuracy of the compliance claim.

How Often Affirmations Are Required

Level 1 organizations: Affirmation is required annually, tied to the annual self-assessment cycle. Each year, after completing the self-assessment and submitting the score to SPRS, the senior official must re-affirm.

Level 2 organizations (self-assessment path): Affirmation is required at the time of each self-assessment submission and annually thereafter.

Level 2 organizations (C3PAO path): Affirmation is required when the C3PAO assessment is complete and the result is entered in eMASS. Annual affirmations are then required throughout the three-year certification period.

The annual affirmation is not just a renewal of the original statement. It is an affirmation that the compliance status has been maintained and that nothing material has changed in a way that would affect the stated compliance level. If a significant security incident occurred, if major systems were added, or if a control was removed, the annual affirmation cannot honestly be made without addressing those changes.

The False Claims Act Exposure

The False Claims Act (31 U.S.C. § 3729) is the enforcement mechanism that gives CMMC affirmations their legal teeth.

Under the FCA:
- Any contractor who knowingly submits or causes to be submitted a false claim to the government faces civil liability
- Damages are treble: the government recovers three times its actual damages plus civil penalties per claim
- The Act has a qui tam provision that allows private individuals to file lawsuits on behalf of the government and receive a portion of any recovery

The FCA applies to CMMC affirmations because those affirmations are part of the contract award process. When a contractor affirms CMMC compliance in a solicitation response, or maintains an affirmation in SPRS that it knows to be false while performing under a government contract, every payment it receives under that contract may be treated as a separate false claim.

The Aerojet Rocketdyne settlement illustrates the risk. A former employee alleged that the company misrepresented its cybersecurity compliance posture on DoD and NASA contracts. The settlement reached $9 million. The legal theory: cybersecurity compliance is a material condition of the contracts, and misrepresenting compliance status is a false claim against the government.

The Supreme Court's 2016 decision in Universal Health Services v. United States confirmed the "implied certification" theory, meaning that when a contractor submits a claim for payment while failing to disclose a material violation of a statutory or regulatory requirement, that can constitute a false claim even if the contract itself was not specifically conditioned on compliance.

In practical terms: if your organization submits an affirmation saying your CMMC score is 95 out of 110 when your actual posture is 65 out of 110, and you continue receiving payments on DoD contracts while maintaining that false affirmation, you are exposed.

What Happens When Compliance Status Changes

A critical question that many organizations have not thought through: what do you do when something changes after you have affirmed?

If a significant change occurs that affects your compliance status, the affirmation you made no longer accurately represents your current posture. The regulation requires that status changes be updated in SPRS. Sitting on a known change while continuing to affirm a compliance level you no longer maintain is the scenario that creates FCA liability.

Changes that typically require a status update:

  • A significant security incident that compromises or reveals gaps in implemented controls
  • A major technology change (cloud migration, new acquisition, system replacement) that changes the boundary or affects implemented controls
  • Discovery during a gap assessment or internal audit that previously-assumed Met controls are actually not implemented
  • Loss of key personnel responsible for maintaining specific controls without adequate succession
  • Discovery that a third-party provider (MSP, CSP) is not meeting the security requirements attributed to them in the SSP

The correct action when compliance status changes is to update SPRS to reflect the current state, document the change and the remediation plan in the POA&M, and re-affirm after remediation brings the organization back to the required level.

The OPA vs. POA&M Distinction in Affirmation Context

Understanding the difference between an OPA (Other Than Satisfied/Accepted) item and a POA&M item matters for the affirmation.

An affirmation does not claim that every single control is perfectly implemented. It affirms that the assessment was conducted properly and the results accurately reflect the current state, including any open POA&M items. Having items on a POA&M does not prevent affirmation, as long as:

  • The score is at or above the minimum threshold
  • No prohibited controls are on the POA&M
  • The POA&M accurately reflects the known gaps with realistic remediation timelines

What an affirmation cannot cover is undisclosed gaps. If the assessment missed controls that are not implemented, and the affirmation represents those controls as Met, that is misrepresentation regardless of whether a formal POA&M exists.

Practical Guidance for Executives Who Must Affirm

Know what you are affirming. Before signing the affirmation, review the assessment results. Understand the basis for the score. Ask your security team or RPO to brief you on the methodology used, the controls that are Met, and the gaps documented on the POA&M. You should not be surprised by the contents of what you are affirming.

Ask about the prohibited controls. Specifically ask whether any of the six prohibited controls are Not Met. If they are, the affirmation should not be made until either the controls are remediated or the SPRS submission reflects the resulting No Status condition.

Understand the ongoing obligation. Affirming today is not a one-time event. You are committing to annual re-affirmations. Establish an internal process to ensure that material changes to the environment or compliance status are escalated for decision before they create misrepresentation.

Document the basis for the affirmation. Keep a record of the assessment results, the methodology, and the evidence basis for the compliance representation at the time of each affirmation. If a question ever arises about the accuracy of a prior affirmation, documentation demonstrating a good-faith compliance effort based on a professional assessment is your defense.

Engage legal counsel for the first affirmation. For organizations new to CMMC affirmations, having counsel review the affirmation process, the FCA exposure, and the organization's current compliance posture is a prudent step before the first senior official signature.

Key Takeaways

  • CMMC affirmation is a legal attestation by a senior official (CEO or equivalent)
  • Required at the time of each assessment and annually thereafter
  • Creates False Claims Act liability for misrepresentation of compliance status
  • Material changes to compliance status must be updated in SPRS; sitting on known changes while affirming a stale status is the FCA exposure scenario
  • Executives should understand what they are affirming before signing
  • Document the basis for each affirmation

Questions about the affirmation process or the legal exposure it creates? NR Labs prepares organizations and their leadership for the affirmation step as part of our CMMC readiness engagements, including executive briefings on compliance status before the senior official signature. Contact us to talk through your situation.