The CMMC Annual Affirmation: The One Thing That Breaks DIY Compliance — 2026

Most DIY CMMC contractors do the first year fine — then forget the annual affirmation. Here's why it matters, when it's due, and the 10-point review to do before re-signing.

By David Fuentes · Compliance Officer, Custodia · May 13, 2026 · 5 min read

CMMC Level 1 isn't a one-time thing. It's a yearly cycle: review, refresh, sign, post. The annual affirmation is the single artifact that keeps your bid-ready status alive in SPRS. Skip it and your status quietly goes stale.

Why the annual is the hardest part

  • There is no built-in reminder from DoD — the burden is on you.
  • It comes due 11 months after the work that made it easy to remember.
  • It requires the affirming official, who is usually the busiest person in the company.
  • The review work is real (not just a signature), so it can't be done in five minutes the night before.

The three-reminder calendar (steal this)

Set three calendar reminders today, on the affirming official's calendar:

  1. 11 months after posting: “CMMC annual affirmation due next month — start review.”
  2. 11.5 months after posting: “CMMC annual review due in 2 weeks — block 1 hour.”
  3. 11.75 months after posting: “CMMC annual: do not let this slip past today.”

Three reminders feels like overkill until you're the person who almost missed it.

The 10-point review

Before re-signing, walk through:

  1. Did anyone in scope leave the company? Were their accounts revoked?
  2. Did anyone new join who handles FCI? Are they listed in the worksheet?
  3. Did we add or remove cloud apps in scope?
  4. Did the network change (new firewall, new ISP, new office)?
  5. Is MFA still enforced everywhere? Spot-check.
  6. Is endpoint antivirus / Defender still active on every in-scope device?
  7. Are patches current? Spot-check 2–3 devices.
  8. Did we have any security incidents this year? Are they documented?
  9. Are the 8 policies still accurate? Re-sign with this year's date.
  10. Does the SSP still reflect reality? Update anything that drifted.

Get the printable guide

The Custodia annual affirmation guide includes the calendar template, the 10-point review checklist, and the sign-off block, all on a printable page: Open the annual affirmation guide →

Or follow the full DIY path: The Free DIY CMMC Level 1 Handbook.

FAQ

When is the annual affirmation due?

Within one year of the previous affirmation. If you posted on June 15, 2025, the next affirmation is due by June 15, 2026. There is no DoD-wide due date — your clock starts on the day you posted.

What happens if I miss it?

Your SPRS record goes stale. Primes who check your status will see an expired affirmation and treat you as non-compliant. Contracting officers may exclude you from awards until you re-affirm.

Does the same person have to sign each year?

Not necessarily — the affirming official can change (new CEO, new delegated CIO). But it must still be a senior official authorized to bind the company.

Do I have to redo the SSP and scoping every year?

You have to review them and update anything that changed. If nothing changed, the review itself is the deliverable — usually a single line: 'Reviewed 2026-06-15, no material changes.'
