Skip to Content

How to File and Maintain Your SPRS Affirmation of Continuous Compliance

The annual affirmation is short, electronic, and signed by one named official. It is also one of the clearest sources of False Claims Act exposure in the entire program.
June 27, 2026 by
How to File and Maintain Your SPRS Affirmation of Continuous Compliance
William Yeack (YGI Solutions)

Achieving a Cybersecurity Maturity Model Certification (CMMC) status is a milestone. Maintaining it is an obligation that continues for the life of every covered contract. The mechanism for that ongoing obligation is the affirmation of continuous compliance, submitted in the Supplier Performance Risk System (SPRS) by a named official. This guide explains what the affirmation requires and why it deserves more care than its brevity suggests.

Know who can sign

The affirmation is submitted electronically by an Affirming Official, a senior representative of the organization with the authority to attest on its behalf. This is not a clerical task to delegate to whoever has SPRS access. The person who signs is attesting, on the record, that the organization continues to meet the requirements associated with its CMMC level.

Understand what you are attesting to

The affirmation states continuous compliance, and the program's definition of current requires confirming that there have been no changes in compliance since the organization achieved its CMMC status. That single word, current, creates an ongoing monitoring duty. You are not affirming that you were compliant on the day of assessment. You are affirming that nothing has lapsed since.

Track the cadence for your level and path

The affirmation is maintained on an annual basis for each CMMC unique identifier covering systems that process, store, or transmit Federal Contract Information or Controlled Unclassified Information. Assessment cadence differs by level and path: Level 2 self-assessments and third-party assessments operate on a three-year assessment cycle with annual affirmations, while Level 3 assessments are conducted by the government. Map each contract to the level it requires, and keep an affirmation current for every applicable identifier.

Mind the plan of action deadline

Where an assessment leaves open items, they are tracked in a plan of action and milestones. Those items generally must be closed within one hundred and eighty days. Failing to close a plan of action item in time, or missing an annual affirmation, can render the organization ineligible for award or option renewal. The affirmation does not stand alone. It sits on top of a remediation clock.

See exactly what your framework will take.

YGI can help you achieve FedRAMP.

Book a Call

Build a monitoring rhythm, not an annual scramble

Because the affirmation asserts continuous compliance, the only sound way to support it is continuous monitoring. An organization that reconstructs its posture once a year, the week before the affirmation is due, is signing an attestation it cannot fully stand behind. Continuous control monitoring, with evidence collected as configurations change, turns the affirmation from a risky annual guess into a routine confirmation of a known state.

Why this is worth a managed approach

The affirmation is the point where a compliance program meets personal and corporate legal accountability. The signature is short. The exposure is not. YGI Solutions helps organizations stand up the continuous monitoring and evidence discipline that lets an Affirming Official sign with confidence, and we keep the affirmation, the assessment cadence, and the plan of action clock aligned so that none of them quietly slips.

Share
FedRAMP 20x Explained: From Authorizations to Certifications
The first substantial redesign of federal cloud authorization since 2011 changed the language, the evidence, and the operating model. Here is what actually changed, and why.