Compliance|

You Sign the SPRS Affirmation Alone Now

The CMMC suspension removed the third-party assessor — but the annual SPRS affirmation of NIST 800-171 compliance survives untouched. Here's what that means for whoever signs it.

SPRSNIST 800-171CMMC SuspensionFalse Claims ActCompliance

When DoD suspended CMMC Phase II on July 13, the headline most contractors heard was "no more audits." The detail that matters more is what the suspension didn't touch: the annual affirmation of continuous compliance in SPRS, signed by a named affirming official — personally.

What the assessor was actually for

A C3PAO assessment was expensive, slow, and — per DoD's own math of 100,000 companies to roughly 100 assessors — never going to happen for most of the industrial base. But it did one thing quietly worth a great deal: it shared the burden of your compliance claim. A third party examined your environment and co-signed the conclusion.

That co-signer no longer exists. As of July 13, whatever your company asserts about its security posture, it asserts alone. Under Secretary Michael Duffey was precise about what changed:

"We're not relaxing any standards by any means. We expect businesses to adhere to the standards that NIST has outlined. What we're removing is the bureaucracy of the third-party assessment."

The standard stands. The verifier is gone.

The affirmation is a representation to the government

A self-assessment score in SPRS, and the annual affirmation behind it, is a representation to the federal government. The False Claims Act is the mechanism by which representations to the government get tested. That's the whole risk shape — we'll let you finish the thought, and you should finish it with your own counsel, not with a vendor's blog post.

The practical question it leaves is simple. Someone at your company signs that affirmation every year, with their name on it. What are they signing on the basis of?

If the answer is "our team's word," that's the gap. Not because your team is dishonest — because a claim of continuous compliance needs a continuous record behind it, and most contractors have never built one. The point-in-time audit was going to paper over that; a snapshot every three years was never proof of continuous anything, but at least it was a document. Now there's no snapshot either.

"Dynamically maintaining" — DoD's own words

DoD CIO Kirsten Davies, at the same briefing:

"Investing in and dynamically maintaining robust cybersecurity remains a critical non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data."

Dynamically maintaining. Not achieving, not certifying — maintaining, continuously. The CIO of the Department of Defense described a continuous standard in the same breath as cancelling the point-in-time audit.

What a defensible signature rests on

A signature you can defend rests on evidence that was generated contemporaneously, in the ordinary course of operating — not assembled after a letter arrives. That distinction matters more than most contractors realize. A binder built after the subpoena invites the question of what was left out. A machine-generated, hash-chained, tamper-evident log — produced continuously, before anyone asked — doesn't.

This is especially acute for AI usage, because it's the one area where the record is most likely to be empty. Engineers are pasting CUI-adjacent material into ChatGPT, Claude, and Copilot today — unlogged, unbounded, unrecoverable. The honest answer to "has controlled data left your environment?" is currently we don't know, and "we don't know" is the worst possible answer to that question in every venue where it gets asked.

The one thing you can't fix later

A control gap can be remediated in Q4. An evidence gap cannot — you can't go back and generate logs for usage that already happened. Every ungoverned month is a permanent hole in the record, sitting in exactly the period a prime's flowdown inquiry, a DIBCAC assessment, or a diligence team will ask about.

The affirmation isn't going anywhere. The question is whether, next time it's signed at your company, it rests on a record or on a hope.

Need help with AI governance?

Book a 30-minute call. We'll tell you exactly where your risk is and how to fix it.

Book a Call