Skip to content

CMMC and Continuous Compliance

 

Learn about CMMC Compliance between assessment cycles, annual affirmation, the impact of a merger or acquisition, what triggers a reassessment, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What does continuous CMMC compliance require between assessment cycles? 

 

Summary: Continuous CMMC compliance requires maintaining the full implementation of all 110 NIST SP 800-171 Rev 2 controls, submitting annual affirmations in SPRS, conducting ongoing security monitoring and vulnerability management, updating the System Security Plan to reflect environmental changes, and managing compliance as an ongoing operational function rather than a periodic audit preparation activity. 

Between formal assessment cycles, contractors must: conduct at least annual security assessments of their controls per CA domain control 3.12.1; maintain continuous monitoring activities including vulnerability scanning, log review, and configuration monitoring; patch systems within defined timeframes based on vulnerability severity; conduct annual security awareness training for all personnel; review and update access authorizations as personnel and roles change; update the SSP when systems, cloud services, personnel, or processes change; and respond to and document security incidents. 

Organizations that treat CMMC compliance as a point-in-time certification exercise and allow their controls to decay between assessments risk failing their triennial renewal and losing their certification status, potentially becoming ineligible for contract renewal.

 

What is an annual compliance affirmation and who must submit it? 

 

Summary: An annual compliance affirmation under CMMC is a formal declaration submitted in SPRS by a designated Affirming Official, a senior executive of the Organization Seeking Certification, confirming that the organization’s CMMC self-assessment or certification results on file in SPRS remain accurate and that the organization continues to maintain compliance at the required level. 

For CMMC Level 1 organizations, the annual affirmation is submitted alongside the annual self-assessment results. For CMMC Level 2 self-assessment organizations, it is submitted annually with the self-assessment score. For CMMC Level 2 C3PAO-certified organizations, an affirmation must be submitted in Year 1 and Year 2 of the three-year certification cycle. 

The Affirming Official must be a senior company officer, a CEO, COO, CIO, or equivalent executive who has the authority to legally bind the organization. The AO’s affirmation creates direct personal legal accountability under the False Claims Act for the accuracy of the SPRS compliance record. Signing an affirmation without adequate independent verification of the organization’s actual security posture represents significant personal legal risk.

 

What organizational changes trigger a CMMC reassessment or updated SPRS entry? 

 

Summary: Significant changes to the organizational environment, information systems, or business operations that affect the CMMC assessment scope or the implementation status of security controls trigger an obligation to update the System Security Plan, conduct an internal assessment of the changed environment, and potentially submit an updated SPRS entry reflecting the new compliance status. 

Triggering changes include: deployment of new IT systems, cloud services, or applications within the CUI environment; significant changes to network architecture that alter the assessment boundary; acquisition of a new business unit handling CUI; outsourcing of IT functions to a new MSP; replacement of a major cloud service provider used for CUI; significant changes to personnel, particularly the departure of key security personnel or the AO; and discovery of a security incident resulting in unauthorized access to CUI. 

The DoD’s guidance is that the SPRS entry should reflect the current compliance posture at all times. Allowing a SPRS entry to remain in place following major changes without reassessment creates False Claims Act exposure. 

 

How should an organization manage CMMC compliance after a merger or acquisition? 

 

Summary: Following a merger or acquisition, the surviving or acquiring entity must conduct a comprehensive review of how the transaction affects the CMMC assessment scope, evaluate whether the acquired entity’s systems meet the required CMMC level, and update all CMMC documentation and SPRS entries to reflect the new combined organizational posture. 

If the acquiring organization holds a CMMC Level 2 certification and the acquired entity has systems integrated into the certified environment, those systems must be assessed and brought into compliance before they are used to handle CUI. The existing CMMC certification does not automatically extend to the acquired entity’s systems. 

If the acquired entity operates as a completely separate legal entity with its own CAGE code and distinct systems, the certifications remain separate. The C3PAO that issued the original certification should be consulted regarding whether a delta assessment or full reassessment is required. CAGE code changes, legal entity restructuring, or changes in organizational ownership that affect FOCI status must be reported and assessed for program implications. Organizations undergoing M&A should engage their CMMC consultant or RPO early in the transaction process to assess CMMC implications before closing.

 

What are the most common CMMC compliance failures found during assessments? 

 

Summary: The most common CMMC compliance failures identified in C3PAO assessments and DIBCAC evaluations cluster around five areas: encryption implementation, multi-factor authentication gaps, insufficient documentation, inadequate vulnerability management, and access control deficiencies. 

Encryption (SC domain, 5-point controls): Missing FIPS 140-validated cryptography, either not implemented on portable devices or implemented with non-validated modules, is consistently the most frequently cited high-weight control failure. 

Multi-factor authentication (IA domain): MFA not enforced for all accounts and access methods, particularly for remote access accounts and privileged accounts, is the second most common high-weight gap. Documentation gaps (CA domain): Incomplete, outdated, or inaccurate System Security Plans, missing policies for one or more domains, or lack of evidence artifacts cause failures across multiple controls simultaneously. 

Vulnerability management (RA and SI domains): Organizations conducting infrequent vulnerability scans, lacking formal remediation timelines, or having unpatched critical vulnerabilities in in-scope systems fail RA and SI controls consistently. Access control (AC and IA domains): Over-provisioned user accounts, lack of formal access review processes, shared accounts, and missing account termination procedures are common findings.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties