Affirmation by a Senior Official
Effective: December 16, 2024
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.
Who must comply
Every contractor subject to CMMC at any level, for as long as the CMMC requirement applies.
What it requires
- 01 Designate a senior official with authority to bind the organization as the Affirming Official.
- 02 Conduct an initial affirmation in SPRS immediately following the initial self-assessment or certification.
- 03 Submit an annual affirmation thereafter, at least every 12 months from the prior affirmation date.
- 04 Submit an additional affirmation following any C3PAO certification or recertification event at Levels 2 or 3.
- 05 Retain documentation supporting the affirmation in case of audit or investigation.
Key points
- The affirmation is a binding statement to the federal government. The named official, not just the company, can be exposed under the False Claims Act for knowingly false affirmations.
- Treat the affirmation as a board-level event each year — not a back-office checkbox.
Related clauses
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- 32 CFR 170.15: CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by a senior official with authority to bind the organization.
- 31 U.S.C. § 3729: False Claims Act — Civil Liability for Knowingly False Claims
31 U.S.C. § 3729, the False Claims Act, imposes civil liability — including treble damages and per-claim penalties — on anyone who knowingly presents a false or fraudulent claim for payment to the federal government. "Knowingly" includes actual knowledge, deliberate ignorance, and reckless disregard, which is why a knowingly false CMMC senior-official affirmation can trigger FCA exposure.