If you have been working toward CMMC certification or you have already achieved it, one of the most common questions that comes up is simple: how often does this actually have to happen?
It is a fair question, and the answer is more straightforward than most compliance content makes it sound. This post walks through exactly how the assessment cycle works at each level, what the annual affirmation requirement means in practice, and what staying compliant looks like between assessments. By the end, you will have a clear picture of the timeline and what your organization needs to do to stay on track.
The Core Idea: CMMC Is Built Around Ongoing Accountability
Before getting into the specific timelines, it helps to understand the philosophy behind CMMC’s design.
The Department of Defense did not build CMMC as a one-time certification event. The program was designed to confirm that defense contractors consistently protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the life of their contracts, not just during an assessment window. That intention is reflected throughout 32 CFR Part 170, the federal regulation that governs the CMMC program.
What that means practically is that your cybersecurity environment needs to stay healthy year-round. Security controls need to keep working. Documentation needs to stay current. Policies need to be followed. That is not a burden unique to CMMC; it is just good security practice formalized into a compliance framework.
The good news is that the structure is predictable. Once you understand the cycle, you can plan for it. There are no surprises if you know what to expect.
Level 1: Annual Self-Assessment
CMMC Level 1 applies to organizations that handle Federal Contract Information: information not intended for public release that is provided by or generated for the government under a contract.
Level 1 is built around the 15 basic safeguarding requirements of FAR 52.204-21, as specified in 32 CFR § 170.15. These cover foundational security practices: controlling who has access to your systems, protecting against malware, securing physical access, properly sanitizing or destroying media, and keeping systems patched.
The assessment cycle: Level 1 is self-assessed every year. Your organization conducts the assessment internally, records each requirement as MET or NOT MET using the methodology in 32 CFR § 170.24 (all 15 must be MET; a Plan of Action and Milestones is not permitted at Level 1), submits the result to SPRS, and a senior company official submits the affirmation required by 32 CFR § 170.22. No third-party assessor is involved.
What this looks like in practice: Once a year, you sit down and honestly evaluate whether each practice is in place and working. You record the result, submit it to SPRS, and a senior leader signs off. If everything is solid, this is not a major undertaking. The organizations that find it stressful are usually the ones that have not been paying attention throughout the year, which is exactly why ongoing maintenance matters.
If you are at Level 1 and your practices are in good shape, the annual cycle is manageable. The key is treating the assessment as a validation of something you are already doing, not as a scramble to catch up.

Level 2: Every Three Years, With Annual Check-Ins
CMMC Level 2 applies to organizations that handle Controlled Unclassified Information. This is the level that applies to the large majority of defense contractors in the supply chain. If your work involves engineering drawings, technical specifications, export-controlled data, manufacturing process information, or similar categories of sensitive defense information, Level 2 almost certainly applies to you.
Level 2 is built around all 110 security requirements in NIST SP 800-171 Revision 2, covering everything from access control and multifactor authentication to incident response, configuration management, and audit logging.
The assessment cycle: For most contracts, Level 2 requires a formal certification assessment conducted by an accredited Certified Third-Party Assessment Organization (C3PAO) every three years. That assessment results in a CMMC Status of either Final Level 2 or Conditional Level 2, which is recorded in SPRS and on a Certificate of CMMC Status issued by the C3PAO. A Conditional status means some requirements were left on a Plan of Action and Milestones within the limits set by 32 CFR § 170.21; those items must be closed out, and verified by the C3PAO, within 180 days or the status expires. The full requirements for this process are at 32 CFR § 170.17.
For certain lower-risk contracts, a Level 2 self-assessment is permitted under 32 CFR § 170.16. The solicitation language and the DFARS clause 252.204-7021 will tell you which track applies to your specific contract.
The annual affirmation: Here is where a lot of organizations get confused. Even though the formal assessment happens every three years, there is an annual requirement in between. Under 32 CFR § 170.22, a senior company official must submit an affirmation to SPRS confirming that your organization continues to meet the security requirements within your assessment scope. The affirmation is required when the CMMC Status is first achieved, annually thereafter, and again after a POA&M closeout assessment.
Think of it this way: the three-year C3PAO assessment is the formal certification. The annual affirmation is the confirmation that nothing material has changed and that your controls remain in place. If your environment is healthy and well-maintained, the affirmation is straightforward. It becomes complicated only if controls have deteriorated or the environment has changed significantly without proper management.
What this looks like in practice: In Year 1, you complete your C3PAO assessment and receive your certification. In Year 2, your senior official reviews the compliance posture and submits an affirmation confirming continued compliance. Year 3, same thing. In Year 4, you go through the formal C3PAO assessment again. That is the cycle.
The organizations that handle this well are the ones that treat compliance as a continuous operational function rather than a project that spins up before assessments and winds down after. If your security controls are working, your documentation is up to date, and your team understands their responsibilities throughout the year, the annual affirmation is not difficult. It is confirmation of something that is already true.

What the Annual Affirmation Actually Means
It is worth spending a moment on this because the affirmation requirement is one of the most frequently misunderstood parts of the CMMC framework.
The affirmation is not a checkbox. Under 32 CFR § 170.22, it is a formal statement by a senior company official (the rule calls this person the Affirming Official: a CEO, president, or other leader empowered to commit the organization) that the organization continues to meet all requirements within its CMMC Assessment Scope. That statement is submitted to SPRS and becomes part of the official record.
What this creates is executive-level accountability for compliance between assessments. Leadership is not just signing a form; they are affirming the actual state of the security environment. That is a meaningful responsibility, and it is one of the reasons that building strong compliance processes between assessments benefits everyone in the organization, not just the IT team.
The practical implication is that maintaining good records, keeping documentation current, and validating controls throughout the year make the affirmation a straightforward rather than a stressful process. Organizations that have been paying attention throughout the year can affirm with confidence. Organizations that have not need to work harder to verify their posture before a senior leader is willing to put their name on the statement.

Level 3: Every Three Years, With Government-Led Assessment
CMMC Level 3 applies to a smaller group of contractors: those working on the Department of Defense's highest-priority programs, which face elevated cybersecurity threats from sophisticated, nation-state-level adversaries.
Level 3 builds on everything in Level 2 and adds 24 enhanced security requirements selected from NIST SP 800-172. Before an organization can pursue Level 3, it must first achieve Final Level 2 certification from a C3PAO. Level 3 is not a starting point; it is a step beyond an already-certified Level 2 environment.
The assessment cycle: Level 3 assessments are conducted by DCMA DIBCAC rather than a private-sector C3PAO, reflecting the elevated sensitivity of the programs involved. The full requirements governing this process are at 32 CFR § 170.18. The cycle is every three years, with the same annual affirmation requirement that applies at Level 2.
What this looks like in practice: Level 3 environments operate at a higher level of maturity by design. The security capabilities expected at this level, including more advanced monitoring, detection, and response capabilities, are intended to be part of how the organization operates day to day, not a compliance posture maintained only for assessment purposes. If you are in the Level 3 population, your security program likely already reflects that level of operational maturity.
Staying Compliant Between Assessments: What Actually Matters
The question contractors ask most often is not really “how often are assessments required.” The real question is: “What do I need to do between assessments to make sure the next one goes smoothly?”
The answer is less complicated than it sounds.
Keep your System Security Plan current. Your SSP describes how your organization implements each security requirement across the systems within your assessment scope. When your environment changes (new systems, new cloud services, new vendors), the SSP needs to reflect those changes. An SSP that accurately describes your environment is one of the most valuable things you can have going into an assessment.
Manage changes thoughtfully. When you add a new system, change a cloud provider, bring on a new vendor, or modify your network, take a moment to evaluate whether that change affects your CUI environment or your security controls. This is security impact analysis, NIST SP 800-171 requirement 3.4.4 (CM.L2-3.4.4 in the CMMC Assessment Guide Level 2), and it is one of the 110 requirements your organization is assessed against. A documented evaluation before making a change is far easier than discovering a compliance gap after the fact.
Know what is in your assessment scope. The DoD CIO CMMC Scoping Guide Level 2 provides clear guidance on which assets fall inside your assessment boundary and which do not. Understanding your scope and keeping it accurate as your environment evolves is one of the most practical things you can do to maintain compliance between assessments.
Maintain your evidence. Assessors evaluate controls through the three NIST SP 800-171A methods: examining documentation and system artifacts, interviewing personnel, and testing that controls work as described. Having organized, current evidence that maps to each security requirement means you are never caught off guard. Organizations that collect evidence continuously tend to have smoother assessments than those that scramble to pull it together in the weeks leading up to them.
Stay current with SPRS. Your SPRS record is what contracting officers and prime contractors check when evaluating your eligibility. Making sure your score is current, your affirmations are submitted on time, and your record accurately reflects your compliance status keeps you visible and eligible in the market.
A Simple Timeline to Keep in Mind
If you are at Level 2 with a C3PAO certification, here is what your compliance calendar looks like:
Year 1: Complete your C3PAO assessment. Receive Final Level 2 certification. CMMC Status recorded in SPRS. Certificate of CMMC Status issued.
Year 2: Submit annual affirmation confirming continued compliance. Maintain controls, documentation, and scope accuracy throughout the year.
Year 3: Submit annual affirmation. Continue ongoing maintenance. Begin planning for reassessment in the coming year.
Year 4: Complete C3PAO reassessment. Certification renewed for the next three-year cycle.
That structure is predictable and manageable. Organizations that build it into their operational calendar rather than treating each event as a surprise find the process far less disruptive over time.
Frequently Asked Questions
How long is a Level 2 certification valid? Under 32 CFR § 170.17, a Final Level 2 status is valid for three years from the CMMC Status Date, provided annual affirmations under 32 CFR § 170.22 are submitted on time. A Conditional Level 2 status must be converted to Final through POA&M closeout within 180 days or it expires.
What happens if I miss the annual affirmation? Missing the annual affirmation can affect your contract eligibility. Your CMMC Status in SPRS reflects whether affirmations are current, and contracting officers verify this during the award process.
Does a three-year certification mean I can ignore compliance for three years? No. The certification reflects your status at the time of assessment. Annual affirmations require a senior official to confirm continued compliance each year. Maintaining the security controls and documentation that made certification possible is what keeps that affirmation accurate.
What is the difference between a self-assessment and a C3PAO assessment at Level 2? A self-assessment under 32 CFR § 170.16 is conducted internally by your organization. A C3PAO certification assessment under 32 CFR § 170.17 is conducted by an independent accredited third party. Which one applies to your organization depends on what your specific contract requires. Look for the required CMMC level and assessment type in the solicitation provision DFARS 252.204-7025 and the contract clause DFARS 252.204-7021.
Can DCMA DIBCAC audit my organization even if my certification is current? Yes. Independently of the CMMC assessment cycle, DFARS 252.204-7020 gives the DoD the right to conduct a Medium or High NIST SP 800-171 DoD Assessment of a contractor, and DCMA DIBCAC performs those assessments. A current certification does not insulate your organization from a DIBCAC review.
Final Thought
CMMC is not as complicated as it can sometimes appear. The assessment cycle is structured and predictable. Level 1 is annual. Level 2 and Level 3 run on three-year cycles with annual affirmations in between. The organizations that handle it best are the ones that treat compliance as a normal part of how they operate, not as a project that only matters when an assessment is approaching.
If your security controls are working, your documentation reflects your actual environment, and your team understands their responsibilities, staying compliant between assessments is a matter of staying organized and paying attention. You do not need to be in a constant state of audit preparation. You need to be doing the things you were already assessed on, consistently, throughout the year.
That is what CMMC compliance looks like when it is working the way it was designed to.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.
About Brea Networks
Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.