Centrend

Menu
Facebook Twitter Instagram Linkedin

Defense contractors

Defense contractors reviewing CMMC annual affirmation requirements in SPRS with cybersecurity dashboards, locks, and compliance symbols

CMMC Annual Affirmation SPRS: What Contractors Must Do

Cybersecurity /

CMMC Annual Affirmation SPRS does not end when your assessment is done.For many contractors, the next risk is quieter and easier to miss. Your annual affirmation in SPRS is now part of what keeps your CMMC status alive. If it is missing, outdated, or scoped wrong, your certification may still exist on paper but your award eligibility can slip away in real life. This is where many otherwise prepared contractors stumble. Why the annual affirmation matters now Under the CMMC final rule, the Department of Defense is not only checking whether you earned a CMMC status. It is also checking whether you are actively affirming that you continue to meet the requirements. That affirmation lives in SPRS. It confirms, each year, that: If that affirmation is not current at the time of award, the government may not be able to legally move forward, even if your assessment is still within the three-year window. What the affirming official is actually saying The annual affirmation is not a casual checkbox. The affirming official is stating that: That statement is made under penalty of false claims. It needs to be taken seriously. This is why last year’s affirmation, or one tied to an old scope, is not enough. Where contractors get tripped up Most issues are not technical. They are administrative and timing related. Common gaps we see: These gaps often surface late, during proposal reviews or right before award. That is the worst time to discover them. How to check your SPRS status the right way Before you bid on a CMMC-tagged opportunity, pause and confirm: If any one of those answers is unclear, your eligibility is at risk. Why this matters even more in early 2026 The annual affirmation can lapse quietly.After the New Year, teams are catching up, priorities shift fast, and compliance items can get buried under “back to work” noise. At the same time: If your affirmation is missing, outdated, or tied to the wrong scope, it can slow down an award decision or push your bid out before evaluation even starts. A simple monthly habit that prevents problems Instead of treating SPRS as a once-a-year task, build a small routine: This keeps your CMMC story consistent across SPRS, your SSP, and your proposals. How Centrend helps contractors stay aligned Centrend works with defense contractors to make sure CMMC status, affirmations, and scope all tell the same story, especially heading into busy award cycles. We help teams: If you want a quick outside view, Centrend can walk your team through a short CMMC Annual Affirmation Review and flag anything that needs attention before your next opportunity. Final question to ask your team If a contracting officer checked your SPRS record today, would your CMMC status and annual affirmation clearly support an award? If you are not sure, now is the right time to look.

CMMC Annual Affirmation SPRS: What Contractors Must Do Read More »

Centrend graphic showing NIST SP 800-171 Revision 3 vs CMMC certification in a modern IT office, highlighting updated security requirements, aligning with NIST, and new assessment procedures.

CMMC Level 2 vs NIST 800-171 Rev 3: Contractor Essentials

Cybersecurity /

CMMC Level 2. You keep hearing two messages at once: At the same time, the CMMC final rule is in place and showing up in real solicitations with award and assessment requirements for Level 2. No surprise that many defense contractors are asking a simple but urgent question: “Are we supposed to follow NIST 800-171 Rev 2 or Rev 3 for CMMC Level 2 right now?” If you guess wrong, you can end up with gaps in the version that assessors actually use, which can hurt both your SPRS score and your CMMC award eligibility. This post gives you a clear answer and a practical way forward. The confusion: two versions, one set of contracts Here is the situation in plain language: Recent articles aimed at defense contractors spell it out: So right away you can see the split: That is the source of the headache. What NIST 800-171 Rev 3 really changed NIST did not scrap Rev 2. It cleaned it up. Key points from NIST and expert explainers: DoD has also published Organization Defined Parameters (ODPs) for Rev 3 controls. These give concrete values for things like log retention, lockout thresholds, and other “tunable” settings in the new version. In other words, Rev 3 is the direction of travel for federal CUI protection, and DoD is already shaping how it will be used. But that still does not mean it is the CMMC Level 2 scoring baseline today. What CMMC Level 2 really checks today The CMMC final rule and most public mappings are still clear: Current guidance for contractors and MSPs still says: So if a C3PAO comes in to do a Level 2 assessment on a CMMC tagged contract: This is the part that “defense contractors must follow right now” for contract and award purposes. What defense contractors must follow right now Putting it together: So the practical answer: Right now, if you want to pass CMMC Level 2 and protect your DoD contract eligibility, you must be able to show a solid, evidence backed implementation of NIST 800-171 Rev 2 across your in scope systems. Rev 3 is “next”, not “instead of” Rev 2. How to use Rev 3 without breaking your CMMC audit You do not have to choose Rev 2 or Rev 3. The smart move is to use both in a controlled way. Step 1 – Lock in Rev 2 as your scored baseline This is the version that controls your SPRS score, DFARS 7012/7020/7021 posture, and CMMC assessment results today. Step 2 – Build a simple Rev 3 “overlay” instead of a rewrite For Rev 3: Then add a short overlay column to your internal tracking: This lets you prepare for the shift without throwing away the Rev 2 structure that CMMC Level 2 still uses. Step 3 – Use DoD’s ODP memo to tune settings, not to change your baseline DoD’s April 2025 memo sets Organization Defined Parameters for Rev 3. That gives you clear numbers for things like: You can borrow those values to sharpen your own settings even while your audit baseline is still Rev 2. This is a safe way to “future proof” your environment without stepping outside CMMC’s current scoring model. What this means for your next 12 months In the next year, most defense contractors will juggle three things at once: A simple way to talk about this with leadership: That is a very different message than “we have to start over for Rev 3.” Turning version confusion into a CMMC strength CMMC, NIST 800-171, and DFARS are not going to get simpler on their own. But this part can be clear: The contractors who stay ahead will be able to say: That is a strong, calm story to bring into both capture meetings and assessments. How Centrend can help your team right now Centrend can help defense contractors: If you want a focused working session, we can walk your team through a short Rev 2 vs Rev 3 CMMC Readiness Review and leave you with a practical action list for the next 90 days. Learn more about how Centrend’s Cybersecurity Services help defense contractors stay secure and CMMC ready.

CMMC Level 2 vs NIST 800-171 Rev 3: Contractor Essentials Read More »

CMMC holiday cybersecurity readiness graphic with a Christmas tree, data center, and two defense contractors reviewing a laptop.

CMMC Holiday Cybersecurity Readiness for Defense Contractors

Cybersecurity, IT Support, IT Tech Tips, Managed Services /

CMMC Holiday Cybersecurity Readiness. The holiday season is when your team slows down. Attackers see that as an open door. Government alerts and real incidents show the pattern: ransomware and major cyber events often hit on holidays and weekends, when staff is thin and response is slower. This year, that risk lines up with the CMMC final rule and new DFARS clauses showing up in real DoD awards. CMMC is now live in select contracts, and any gap can hit you twice: it hurts your eligibility and it increases the damage if an incident lands during a busy season. So the question is simple: if a serious cyber event hit on a holiday, would your CMMC story hold up under real pressure? This post gives you a clear way to test that before the next long weekend. Why holidays are a stress test for your CMMC program For most defense contractors, the holiday pattern looks like this: Threat actors know this. CISA and other groups have warned that attacks during holidays and weekends are often slower to detect, take longer to contain, and cause more damage.  From a CMMC view, this hits the same control families you already have to meet: These come straight from NIST SP 800-171, which CMMC Level 2 is built on. A holiday incident is not only about stopping the attack. It is also about whether your controls still work when people are out and whether you can prove that to an assessor or contracting officer later. The holiday risk that CMMC does not forgive CMMC Holiday Cybersecurity Readiness. Now layer in where CMMC is today. The final rule and the DFARS “clause rule” are in effect, with a phased rollout into new contracts. Key points that matter for the holidays: If that 180 day window runs through Thanksgiving, Christmas, New Year, and the usual vacation stretch, you cannot afford to “take a break” from your plan. The clock does not stop because your team is on holiday. A holiday lens on your CMMC controls Here is a simple way to look at your CMMC program through a holiday lens. Treat each section as a short talk with your IT, security, and contracts leads. 1. Who is watching when most people are out? Link to controls: Incident Response, Audit and Accountability Ask: CISA and many surveys show that even a small delay in seeing and handling a holiday attack can multiply the damage. Your holiday coverage plan should not live only in one person’s head. 2. Can people reach CUI systems safely from where they actually are? Link to controls: Access Control, Identification and Authentication, System and Communications Protection During holidays, people work from: Check: CMMC Level 2 expects you to manage who connects, from where, and how traffic is protected.  If your rules are strict on paper but ignored during busy periods, that gap will show. 3. If ransomware hit on a holiday, how would recovery really go? Link to controls: Contingency Planning, System and Information Integrity, Media Protection Ransomware during a holiday is one of the scariest cases. Government advisories highlight that many organizations take longer to respond and recover if the incident starts when key staff is away. Ask: CMMC and NIST 800-171 both expect working backup and recovery, not just a line in a plan.  4. Does your conditional status or POA&M plan survive the holiday calendar? If you are relying on Conditional CMMC Status for Level 2 or 3, your holiday planning is not just about risk. It is also about deadlines. By rule, conditional status: After that, you risk losing that status.  Holiday view: If the calendar looks tight, move work earlier in the season, not later. 5. Will your logs and evidence tell a clear story after the holidays? A holiday incident often becomes a test case. Assessors, primes, or the government may ask what happened, how you responded, and how your plan lined up with your policies and SSP. Tie this back to: Good questions: NIST 800-171 and CMMC Level 2 expect not only technical controls but also documentation and traceability. A short holiday CMMC readiness plan You do not need a huge project before the next break. Even a focused plan over a few weeks helps a lot in CMMC Holiday Cybersecurity Readiness. 1st Week Review and map 2nd Week Fix fast gaps 3rd Week Align evidence and status 4th Week Run a small holiday drill By the end of this short plan, you have something powerful: You can show that your CMMC program still works when staff is thin, when people are remote, and when attackers are most likely to try their luck. Turning holiday risk into a strength in your CMMC story CMMC Holiday Cybersecurity Readiness is not only about passing an audit. It is about showing that your team can protect FCI and CUI in real conditions, including during the busy, distracted, and under staffed weeks of the year.  Holiday cyber events are a harsh test. They stress: Defense contractors that will feel confident in the next wave of CMMC contracts will be able to say: How Centrend can help your team before the next holiday If you want help turning these ideas into action, Centrend can: A short working session now can save you from a long and painful incident later, and it gives you stronger evidence for your next CMMC assessment and DoD bid. Book Your CMMC Holiday Cyber Readiness Call Today

CMMC Holiday Cybersecurity Readiness for Defense Contractors Read More »

Scroll to Top