32 C.F.R. § 170.22

Current through November 30, 2024
Section 170.22 - [Effective 12/16/2024] Affirmation
(a)General. The OSA must affirm continuing compliance with the appropriate level self-assessment or certification assessment. An Affirming Official from each OSA, whether a prime or subcontractor, must affirm the continuing compliance of their respective organizations with the specified security requirement after every assessment, including POA&M closeout, and annually thereafter. Affirmations are entered electronically in SPRS. The affirmation shall be submitted in accordance with the following requirements:
(1)Affirming Official. The Affirming Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA's compliance with the CMMC Program requirements and has the authority to affirm the OSA's continuing compliance with the specified security requirements for their respective organizations.
(2)Affirmation content. Each CMMC affirmation shall include the following information:
(i) Name, title, and contact information for the Affirming Official; and
(ii) Affirmation statement attesting that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope.
(3)Affirmation submission. The Affirming Official shall submit a CMMC affirmation in the following instances:
(i) Upon achievement of a Conditional CMMC Status, as applicable;
(ii) Upon achievement of a Final CMMC Status;
(iii) Annually following a Final CMMC Status Date; and
(iv) Following a POA&M closeout assessment, as applicable.
(b)Submission procedures. All affirmations shall be completed in SPRS. The Department will verify submission of the affirmation in SPRS to ensure compliance with CMMC solicitation or contract requirements.
(1)Level 1 self-assessment. At the completion of a Level 1 self-assessment and annually thereafter, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 1 (Self).
(2)Level 2 self-assessment. At the completion of a Level 2 self-assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self). An affirmation shall also be submitted at the completion of a POA&M closeout self-assessment.
(3)Level 2 certification assessment. At the completion of a Level 2 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO). An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.
(4)Level 3 certification assessment. At the completion of a Level 3 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 3 (DIBCAC). Because C3PAOs and DCMA DIBCAC check for compliance with different requirements in their respective assessments, OSCs must annually affirm their CMMC Status of Level 2 (C3PAO) in addition to their CMMC Status of Level 3 (DIBCAC) to maintain eligibility for contracts requiring compliance with Level 3. An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.

32 C.F.R. §170.22

89 FR 83214 , 12/16/2024