CustodiaCustodia.
Custodia · Free guide · 2026 edition

The CMMC Level 1 annual affirmation guide.

The part everyone forgets, the part that costs you the next contract. Here's what it is, who signs, when it's due, and how to renew — in about 15 minutes a year.

Per year
~15 min
To renew
1
Signer

What it is

The CMMC Level 1 annual affirmation is a senior official attesting, in SPRS, that your company continues to meet all 15 safeguarding requirements of FAR 52.204-21. It is required every 12 months. There is no third-party assessor involved at Level 1 — you affirm; DoD trusts; DoD also enforces if you lied.

Who can sign it

The affirming official must be a senior official with authority to attest on behalf of the company. In practice this is:

  • The owner / president, for sole-proprietor or small LLC
  • The CEO or COO, for incorporated small businesses
  • The CIO or CISO, if formally delegated authority

The IT contractor, the part-time MSP, or the office manager cannot sign. The signer must be in a position to bind the company.

When it's due

Within 12 months of your previous affirmation. If your last affirmation was March 15, your next is due by March 14 the following year — not “sometime that quarter.”

If you miss the deadline, your SPRS posting becomes stale. Contracting officers and primes treat a stale posting as if no posting exists. You can renew at any time to refresh the date.

Calendar template

Three reminders to set, today

WhenWhatWho
11 months from last affirmationFirst reminder — start reviewSystem owner
11.5 monthsRun self-assessment & sign attestationAffirming official
11.75 monthsPost new affirmation in SPRSAffirming official

What to review before re-affirming

Don't copy-paste last year's affirmation. The environment changes. Walk through this 10-minute checklist:

  1. Scope changes. New office, new cloud apps, new contracts with FCI? Update the boundary.
  2. People. Has anyone left who had access? Was their access revoked? Were keys/fobs returned?
  3. Devices. Any new laptops or phones holding FCI? Are they on the inventory? Antivirus and updates current?
  4. Cloud apps. Any new SaaS used for federal work? MFA enforced?
  5. Policies. Are all eight policies still current? Re-sign / re-date them annually.
  6. Incidents. Any reportable incidents in the last 12 months? Documented?
  7. Disposal log. Any laptops / drives / phones disposed of? Logged?
  8. Visitor log. Up to date for the last year?
  9. Firewall & network. Any architecture changes? Still segmenting guest Wi-Fi?
  10. Self-assessment. Run the 15-question checklist again. Score MET on all 15.

Sign-off

I affirm that, as of the date below, the company continues to implement all 15 safeguarding requirements of FAR 52.204-21, and that I am authorized to attest on behalf of the company.

Signature
Printed name & title
Date of affirmation
Next affirmation due
Custodia · bidfedcmmc.com · Not legal advice
Resources
SPRS walkthrough →
Where to actually post the affirmation.
Self-assessment checklist →
Re-run the 15 controls before you re-affirm.
Built by Custodia

We give this away because we sell the easy version for $249/mo.

This annual affirmation guideis genuinely complete and yours to keep. If you'd rather have the platform fill it in, collect the evidence, send the renewal reminders, and post your SPRS score for you — that's what we built.

Start the 7-day free trial →Keep going DIY →