Why Choose CMMC Annual Compliance Assessments?

Key Takeaways

  • Reduces False Claims Act Risk: Annual CMMC compliance assessments provide independent validation, reducing the risk of the affirming official submitting inaccurate attestations that could lead to significant legal and financial penalties.
  • Ongoing Compliance Is Required: Even after achieving CMMC Level 2 certification, organizations must continuously monitor and maintain compliance due to annual affirmation requirements and evolving system environments.
  • Improves Readiness for Certification: Regular assessments help identify gaps or changes early, reducing the risk of failing the triennial certification assessment and avoiding disruptions in contract eligibility.
  • Strengthens Assurance and Continuity: Partnering with a C3PAO for annual assessments builds confidence in compliance status, ensures smoother future assessments, and supports a consistent, well-documented compliance posture.

Avoiding False Claims Act Risks

Defense Industrial Base (DIB) contractors and subcontractors who are subject to Cybersecurity Maturity Model Certification (CMMC) must submit annual attestations according to their required level of CMMC compliance. This is stated within the codification at 32 CFR Section 170.22, where it says that, “the OSA’s Affirming Official must affirm, in SPRS, compliance with the CMMC Status: upon completion of any self-assessment, certification assessment, or POA&M closeout assessment (as applicable), and annually following a Final CMMC Status Date.”

The required CMMC annual affirmations carry a risk of prosecution under the False Claims Act. The False Claims Act states that any person who knowingly submits, or causes to submit, false claims to the government is liable for three times the government’s damages plus a penalty that is linked to inflation. A CMMC annual compliance assessment is a great method to reduce this risk. An annual CMMC compliance assessment provides greater assurance to those charged with ensuring CMMC compliance within an organization. It provides the affirming official an independent validation of the CMMC self-assessment or can be used in place of a self-assessment.

Why Annual Compliance Reviews?

Once an organization has passed a CMMC Level 2 certification assessment, they get to take it easy until the next certification assessment in three years, right? Not quite. Once a CMMC Level 2 certification assessment is passed, organizations must still remain vigilant about changes to their environment until the following certification assessment. As important as it is for the Department of War (DoW), it is equally important for the Affirming Official and the Defense Industrial Base (DIB) bidding on or fulfilling DoW contracts that require CMMC compliance.

CMMC annual compliance assessments can give an organization peace of mind by building confidence that its environment remains compliant with CMMC regulations. Being consistently aware of changes to an organization’s information systems is key to preventing false claims from being made. The annual CMMC compliance assessment can highlight changes in the environment that may impact the organization’s SPRS score and possibly its certification status. Organizations that are required to obtain a triennial CMMC Level 2 certification benefit from having their CMMC Third Party Assessor Organization (C3PAO) perform the CMMC annual compliance assessment. This reduces the risk of failing a certification assessment and the resulting gap in CMMC compliance.

McKonly & Asbury’s CMMC Annual Compliance Assessment

McKonly & Asbury (M&A) offers a CMMC compliance assessment conducted without any consultation or guidance. Clear explanations of why an assessment objective is not met are provided, along with opportunities for re-evaluation of Not Met assessment objectives. Not providing consulting services on how to implement assessment objectives allows M&A to remain independent and thus qualify to provide your organization C3PAO services. M&A provides three-year contracts; these include the CMMC annual compliance assessments in the two intervening years plus the CMMC Level 2 certification assessment, for a fee that is prorated over three years.

These contracts allow both parties to maintain a working relationship between the triennial CMMC Level 2 certification assessments. The C3PAO gains the benefit of being updated annually on any implemented changes in anticipation of the next certification assessment. The Organization Seeking Assessment (OSA) gains the comfort of being able to coordinate with a C3PAO when preparing the yearly affirmations required by the DoW. Both lead to a smoother assessment process going forward.

Please contact Partner Dave Hammarberg, LCCA or Director Elaine Nissley, LCCA for more information about obtaining C3PAO services to meet the CMMC Level 2 Certification requirements or additional questions.

About the Author

Matthew Wolfe

Matthew Wolfe joined McKonly & Asbury in 2025 and is currently an Advisory Senior with the firm’s CMMC team.