You’re CMMC Certified – What’s Next?
Most of the conversation around CMMC has been about getting certified:
- “What are the requirements?”
- “How do I meet the controls?”
- “Why do I have to do this?”
That focus makes total sense. CMMC is new, can be confusing, and is directly tied to whether you get to keep doing business in the DoD supply chain. So naturally, everyone has been obsessed with clearing that first hurdle and getting the golden piece of paper known as a Level 2 CMMC Certification.
But did you know there are other requirements as part of the three-year certification? That’s right — CMMC certification is not a one-time event. Instead, it’s a three-year cycle. Now that more organizations are getting certified, Years 2 and 3 are where they’re starting to quietly take on risk. But what are the requirements?
What are the Year 2 and Year 3 requirements?
Once you pass a Level 2 C3PAO assessment and receive a Final Status Date, your three-year certification clock begins.
Congrats! You did it! You can now retire and run off into the sunset! Right?!?… right?
While Year 1 brings the third-party assessment, Years 2 and 3 look different. There is no required third-party assessment in those years. Instead, the organization must submit an annual affirmation, signed by a senior official, stating that the organization has implemented and continues to maintain all applicable CMMC requirements for the environment in scope. This affirmation is submitted into SPRS and is used to determine whether your CMMC status remains current and eligible for contract use.
I know what you’re saying out loud to yourself right now:
“This sounds familiar. You’re talking about annual affirmations like the ones we used to do as part of DFARS 7012/7019? The ones that the DoD proved didn’t work, thus forcing their hand in creating the exact program we’re discussing today, CMMC?”
Yeah, let’s talk about that.
The uncomfortable context everyone avoids
Let’s say this more plainly:
The entire reason CMMC exists is because the DoD determined that self-attestation does not work.
For years, contractors self-attested to NIST 800-171 compliance as part of DFARS 7012/7019/7020 clauses. The government reviewed scores, ran spot checks, and investigated incidents as they popped up. What they found was not great — most self-attestations were anywhere from inaccurate to flat out wrong.
And even worse, it was reported again and again that sensitive DoD information was getting into the hands of our adversaries. That’s right — the entire reason we care about protecting this information in the first place was happening with the self-attestation model.
So independent verification became necessary. That is the justification for CMMC.
So, you have to ask yourself:
If self-attestation failed at scale before, why aren’t more people freaking out about the risks of self-attestation in Years 2 and 3 of their CMMC Certification?
Outlining the risks involved
In a three-year span, a lot changes:
- People leave and join your organization
- Systems evolve and technology changes
- Vendors change and supply chains shift
- Threats evolve and new vulnerabilities emerge
- Policies update and regulations tighten
Compliance doesn’t usually fail loudly. It erodes slowly. By the time the annual affirmation is due, your people, processes, and technology have absolutely changed. The question becomes whether your compliance and documentation have changed with it.
That is where risk compounds. But what really is the risk?
Introducing: The False Claims Act
On top of the fact that you risk drifting out of compliance (let’s not forget how wrong self-attested SPRS scores have proven to be), there is a much larger risk at play: an inaccurate affirmation can create exposure under the False Claims Act.
The Department of Justice has already demonstrated a willingness to pursue cybersecurity-related misrepresentations tied to federal contracts. Yes, the Department of Justice has come after organizations that incorrectly claimed compliance under the self-attestation model time (Raytheon, $8.4M) and time (MorseCorp, $4.6M) and time (Penn State, $1.25M) again.
Contractors have paid real money for overstating compliance with NIST 800-171. CMMC does not eliminate that risk; it reduces it by having a vetted third party (a C3PAO) review your compliance with the controls you will sign off on meeting. And if you are the affirming official whose name is on that attestation? There is the possibility of personal liability in these cases.
“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” said Special Agent in Charge William Richards of the Air Force Office of Special Investigations Procurement Fraud Office, Andrews AFB, Md. “AFOSI, alongside our investigative partners and the Department of Justice, will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.”
How to buy down the risk in Years 2 and 3
The CMMC rule does not require a mid-cycle third-party assessment. But organizations that take cybersecurity, legal exposure, and executive accountability seriously don’t rely on memory and optimism for two years. They validate.
The most effective way to do that is through an interim C3PAO assessment. Having a CMMC third-party assessment organization come and validate your controls as MET/NOT MET before you attest to meeting them can:
- Identify compliance drift while it is still manageable
- Give the affirming official something concrete to rely on when signing an annual legal statement
- Create a defensible narrative if an audit, investigation, or inquiry ever occurs
Being able to say, “we hired an independent assessor to validate our posture before signing,” is very different from, “we assumed we were fine.”
It’s not about perfection — it’s about due diligence.
Key takeaway
CMMC is not a one-time trophy. It is a commitment. The program exists because self-attestation alone did not work, yet Years 2 and 3 still rely on it.
That means you should be wary of treating those years casually. You should be intentional and avoid the risks that existed with the previous self-attestation model because those annual affirmations are legal representations tied to contracts, money, and accountability. With your name on the line, you should know exactly what you are signing and feel confident in what you’re attesting to.
In a world where cybersecurity representations are being scrutinized harder than ever, that matters.