The annual affirmation

CMMC requires a senior official to affirm continuing compliance after every assessment and at least annually thereafter. Bastion captures that affirmation, tracks its cadence, and exports a ready-to-sign statement.

1. What the affirmation is (32 CFR 170.22)

Under 32 CFR 170.22, an Affirming Official must affirm the organization's continuing compliance with the assessed security requirements — and must do so after every assessment (including a POA&M closeout) and at least annually thereafter. The affirmation is entered in SPRS. It's a formal statement of ongoing compliance, not a one-time box-check.

Affirming false information can carry liability under applicable law, including the False Claims Act. The Affirming Official should be a senior representative with the authority and knowledge to make the statement truthfully.

2. Who is the Affirming Official

The Affirming Official is a senior representative of your organization (the OSA — Organization Seeking Assessment) with authority to affirm continuing compliance. In Bastion you record their name and title. Both are required before you can record an affirmation.

3. Record an affirmation

  1. Open the Handoff tab. The affirmation section sits under the readiness strip.
  2. Enter the Affirming Official's name and title. These save as you type.
  3. Click "Record affirmation (today)." Bastion stamps the affirmation with today's date and captures the current SPRS score. (If name or title is missing, it'll prompt you to fill them in first.)
  4. Re-post it in SPRS. Bastion does not connect to SPRS — transcribe the affirmation into SPRS via PIEE yourself.

Recording sets the affirmation date and computes the next-due date (one year later). The affirmation is stored per profile, so each system you assess has its own.

4. The cadence reminder

The Handoff tab shows a live annual affirmation banner that reflects where you are in the cycle. Bastion computes the next-due date as the affirmation date plus 365 days and warns you as it approaches.

| State | When | What the banner says |
|---|---|---|
| None | No affirmation recorded (or missing name) | "No affirmation on record. An Affirming Official must affirm after every assessment and annually thereafter (32 CFR 170.22)." |
| Current | More than 60 days until due | "Affirmation current — next due [date] (in N days)." |
| Due soon | Within 60 days of due | "Affirmation due in N day(s) ([date]). Plan your annual re-affirmation." |
| Expired | Past the due date | "Affirmation expired N day(s) ago (due [date]). Re-affirm now and re-post in SPRS." |

When you re-affirm (click "Record affirmation" again), the clock resets to a fresh 365-day cycle from the new date.
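The cadence rule above can be reproduced outside the tool, for example to cross-check the banner from an independent compliance calendar. The following is an added example, not Bastion's own code: the `Affirmation` record shape and the state names are hypothetical, and it assumes that exactly 60 days remaining and the due date itself both count as "due soon". It also shows that the 365-day rule lands one day before the calendar anniversary when the cycle spans 29 February.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CYCLE_DAYS = 365  # page: next due = affirmation date + 365 days
WARN_DAYS = 60    # page: "Due soon" within 60 days of due


@dataclass
class Affirmation:  # hypothetical record shape, not Bastion's schema
    official_name: str
    official_title: str
    affirmed_on: Optional[date]


def banner_state(aff: Optional[Affirmation], today: date):
    """Return (state, due_date, days) following the banner table.

    days is the count until due for "current"/"due_soon" and the count
    since due for "expired"; it is None when nothing is on record.
    """
    if aff is None or aff.affirmed_on is None or not aff.official_name.strip():
        return ("none", None, None)
    due = aff.affirmed_on + timedelta(days=CYCLE_DAYS)
    days_left = (due - today).days
    if days_left < 0:                 # past the due date
        return ("expired", due, -days_left)
    if days_left <= WARN_DAYS:        # assumption: day 60 and day 0 are "due soon"
        return ("due_soon", due, days_left)
    return ("current", due, days_left)


if __name__ == "__main__":
    # Constructed sample: affirmed 2024-01-15, a cycle that spans 29 Feb 2024,
    # so the due date is 2025-01-14 rather than the 2025-01-15 anniversary.
    aff = Affirmation("A. Example", "Chief Information Officer", date(2024, 1, 15))
    for today in (date(2024, 6, 1), date(2024, 11, 15),
                  date(2025, 1, 14), date(2025, 1, 15)):
        print(today.isoformat(), banner_state(aff, today))
```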

5. Export the affirmation statement

Click "⬇ Affirmation statement (MD)" on the Handoff tab to download a formal, ready-to-sign affirmation as Markdown. The affirmation is also included as the final section of the full C3PAO handoff bundle.

6. What the statement says

The exported statement includes a field table (organization, CAGE code, in-scope system, assessment type, SPRS score affirmed, Affirming Official name and title, affirmation date, next affirmation due) and a formal affirmation paragraph in the Affirming Official's voice. It affirms that, as of the affirmation date, the organization has implemented and continues to maintain compliance with the applicable NIST SP 800-171 Rev 2 requirements for the in-scope system, that open requirements are tracked on the POA&M, and that the affirmation must be re-submitted in SPRS after any subsequent assessment or POA&M closeout and at least annually. It includes a signature/date line and a note that this is a self-assessment / preparation artifact, not a CMMC certification.
