Most CMMC programs are built to pass a date. The certification assessment is treated as the deliverable. The C3PAO arrives, the System Security Plan is dusted off, the artifacts are produced, the score is uploaded, and the organization exhales. The certificate is the trophy.
Then the assessor leaves, and the posture that earned the score starts decaying the same afternoon.
This is the structural error underneath most CMMC compliance tooling decisions. The market frames the choice as "which assessment tool do I buy." The real choice is whether you are buying a snapshot or building a system that survives the snapshot expiring. Those are not two versions of the same product. They are two different problems, and most teams are spending money on the first while the regulation is quietly grading them on the second.
Why does a passing CMMC assessment expire the moment the assessor leaves?
CMMC certifies implementation status on the day of the assessment. A Level 2 certification assessment, conducted by an authorized CMMC Third-Party Assessment Organization, scores your environment against the NIST SP 800-171 Revision 2 security requirements and uploads the result. That score reflects the state of your controls during the active assessment period. It does not reflect the state of your controls next Tuesday.
The regulation is explicit that the certificate is not the end of the obligation. After a Level 2 certification assessment, and annually following a Final CMMC Status Date, the Affirming Official must submit a CMMC affirmation in the Supplier Performance Risk System attesting to continuing compliance with all of the security requirements. The Affirming Official is defined as the senior representative responsible for ensuring continuing compliance, and the affirmation is a personal attestation that the posture still holds.
Read those two facts together. The assessment is point-in-time. The affirmation is continuous. You certify once, on a date, and then you are required to swear annually that nothing has drifted. The DoD also reserves the right to send DCMA DIBCAC to reassess, and those results take precedence over any pre-existing CMMC Status, flipping you to out-of-compliance in SPRS if adherence has not been maintained.
So the certificate does not expire because of a calendar. It expires because the environment it measured keeps moving and the regulation keeps asking whether you have kept up.
What is the real difference between point-in-time certification and a continuous compliance posture?
A point-in-time certification answers one question: were the controls in place on assessment day. A continuous compliance posture answers a harder one: can you demonstrate, on any day, that the controls are still in place and tied to the requirement that demands them.
The difference is not effort. It is architecture.
A point-in-time program treats evidence as something you assemble for an event. Screenshots get collected, a spreadsheet gets reconciled, a consultant stitches it into a narrative, and the whole apparatus is shelved until the next cycle. The state lives in people's heads and in files named final_v3.
A continuous posture treats evidence as something the system holds standing. Every control maps to a requirement. Every requirement traces to source text. Every change is dated. The question "are we still compliant" becomes a query against current state rather than a project that re-mobilizes the consultant.
CMMC makes this distinction operational in two places.
→ The POA&M closeout. If your assessment leaves Not Met requirements on a Plan of Action and Milestones, the closeout assessment must happen within 180 days of the Conditional CMMC Status Date, or the Conditional status expires. That is a continuous obligation with a hard clock attached, not a thing you handle at renewal.
→ The annual affirmation. Each year after a Final status, the Affirming Official re-attests continuing compliance in SPRS. A point-in-time program has nothing to attest from except memory. A continuous posture has a defensible record.
Buy a one-off assessment or build a standing control system — which problem are you actually solving?
Here is where the buy-vs-build question gets miscast. Teams think they are deciding between vendors. They are actually deciding which problem they believe they have.
If you believe CMMC is an event, you buy an assessment. You hire a consultant, you license a checklist tool that mirrors the 800-171 control families, you produce the artifacts, you get the score. The tool's job ends when the assessor signs off. This is a real purchase and it solves a real problem: getting through the door of an assessment.
But CMMC is not an event. It is a standing condition of doing business with the Department of Defense, rolled out across four implementation phases, and re-affirmed every year by a named official who is personally on the hook for the attestation. The problem you actually have is maintaining a defensible state continuously, across reassessment, affirmation, contract flow-down, and any DCMA DIBCAC review the government chooses to initiate.
You cannot buy your way out of a continuous problem with a point-in-time product. You can only build the standing system, or rent one that already works that way.
This is the distinction between a checklist and a posture. A checklist tells you what was true. A posture lets you prove what is true. The first is a snapshot you purchase. The second is infrastructure you operate. Most CMMC tooling sold today is the first wearing the language of the second.
Why do spreadsheet-and-consultant CMMC programs break at reassessment and affirmation time?
The spreadsheet-and-consultant model works exactly once. It gets you to the first certificate. Then it breaks, predictably, at three seams.
It breaks at reassessment. When the next assessment cycle arrives, the spreadsheet is stale. The environment changed, people left, the consultant's narrative no longer matches reality, and you are re-doing the discovery work you already paid for. The DCMA DIBCAC High Assessment path that converts to a Level 2 Final status carries a validity period of three years, which means the clock is always running toward a moment when the whole apparatus has to be rebuilt rather than refreshed.
It breaks at affirmation. The annual affirmation asks the Affirming Official to attest continuing compliance. If your compliance state lives in a spreadsheet last touched at certification, the official is attesting to a document, not to reality. That is precisely the exposure the affirmation is designed to surface. Affirmations are submitted in SPRS and verified by the Department, and the senior official's name is on each one.
It breaks at evidence integrity. CMMC requires that the artifacts used as evidence be retained for six years from the CMMC Status Date, and for certification assessments the artifact files must be hashed with a NIST-approved algorithm so they can be proven unaltered. A folder of screenshots cannot satisfy a six-year integrity obligation. That is a data-management requirement, and spreadsheets are not a data-management system.
Each of these failures has the same root cause: the program stored a snapshot when the regulation required a system.
How does treating regulation as structured data change the buy-vs-build math?
The reason continuous CMMC feels impossibly expensive is that most teams are doing it by hand on top of tools that were built for snapshots. The cost is not the requirement. The cost is the manual re-mapping every time anything moves.
Change the math by treating the regulation as structured data rather than as managed documentation.
When 800-171 requirements are modeled as obligations, and each obligation traces to a verbatim quote from the source text, and each obligation binds to the controls and evidence that satisfy it, the continuous work collapses.
→ A control changes. You see which obligations it affects, not a vague sense that "something in 800-171 moved."
→ The affirmation comes due. The evidence for continuing compliance is a query against current state, not a re-collection project. The audit pack is a query, not a project.
→ A DCMA DIBCAC reassessment lands. You produce the dated, source-grounded record rather than reconstructing the story.
→ A new contract flows CMMC down to you, alongside whatever else applies. Answer once, satisfy many, because the same control evidence resolves against every framework that demands it.
This is the buy-vs-build inversion. You do not build a CMMC tool. You build, or rent, a compliance data model that already holds CMMC as one of many regulations, source-grounded, with no AI hallucinations because every obligation is anchored to the legal text rather than generated from a prompt. The marginal cost of staying continuous drops to near zero, because the system is doing the mapping the consultant used to do by hand.
What does source-grounded, continuous CMMC readiness look like in practice?
It looks like a standing posture rather than a periodic scramble.
Your organizational profile determines that CMMC Level 2 applies, alongside the rest of your regulatory exposure. The NIST SP 800-171 requirements materialize as obligations, each traced to its section in the source text. Existing evidence in your stack is referenced where it already satisfies a requirement, and new evidence is requested only where the gap is real, so the reviewer's job becomes review-and-confirm rather than collect-everything.
When the Affirming Official has to attest continuing compliance, the attestation is backed by dated, traceable state, not by faith in a six-month-old spreadsheet. When the POA&M clock is running toward its 180-day closeout, the open items are tracked against owners with timestamps. When DCMA DIBCAC exercises its right to reassess, the artifact trail is intact and hashed for its six-year retention.
Risks bind to obligations, obligations bind to requirements, requirements bind to source text. Every line is traceable. Dashboards do not disagree with the underlying data because they are built from it. That is the difference between audit readiness as a state you maintain and audit readiness as a thing you manufacture under deadline.
This is what audit readiness, evidence management, and regulatory mapping look like when they are one connected system rather than three disconnected tools. A posture you can defend in front of a regulator, a board, or a contracting officer.
See how Aigis turns CMMC from a point-in-time scramble into a posture you can defend continuously — audit readiness, evidence management, and regulatory mapping as one connected graph at aegis-grc.com.
FAQ: CMMC tooling, annual affirmations, and continuous monitoring
Does a CMMC certification expire, and how often do I reassess?
The certification reflects your implementation status as assessed on a specific date. CMMC also requires an annual affirmation of continuing compliance after a Final CMMC Status Date, and the DoD reserves the right to conduct a DCMA DIBCAC reassessment whose results take precedence over any existing status. The DCMA DIBCAC High Assessment conversion path carries a three-year validity period. Practically, the certificate is a point-in-time result wrapped in a continuous obligation, so treating it as a one-time event understates what the regulation actually asks.
What is the annual affirmation and who signs it?
After a Level 2 self-assessment or certification assessment, and annually following a Final CMMC Status Date, the Affirming Official, the senior representative responsible for continuing compliance, must submit a CMMC affirmation in SPRS attesting that all security requirements remain met. It is a personal attestation, which is why a stale spreadsheet is a liability rather than evidence.
Should I buy a point-in-time CMMC assessment tool or build a continuous posture?
If your only goal is passing one assessment, a point-in-time tool gets you through the door. But CMMC is a standing condition with annual affirmations, POA&M closeout clocks, and reassessment rights, so a snapshot tool leaves you re-doing the work at every seam. Building or renting a continuous posture is the lower-total-cost answer once you account for reassessment, affirmation, and evidence retention obligations.
How does continuous monitoring change CMMC evidence collection?
When obligations from NIST SP 800-171 are modeled as structured data bound to controls and evidence, the annual affirmation and any reassessment become a query against current, dated state rather than a fresh collection project. Evidence already in your stack is referenced where it satisfies a requirement, and CMMC's six-year hashed-artifact retention is handled by the data layer rather than a shared drive.


