Home β€Ί CMMC FAQs β€Ί Assessments
Assessments β€” Official DoD FAQ

How Frequently Will CMMC Assessments Be Required?

πŸ’Ό
Need help preparing for your CMMC assessment? Jun Cyber provides readiness assessments and gap analysis.
Schedule Free Consultation
Official DoD Answer
Source Source: DoD CIO CMMC FAQs v5 (C-Q1)

Level 1 self-assessments will be required on an annual basis, and assessments for CMMC Levels 2 and 3 will be required every three years. An affirmation of continued compliance is required for all CMMC levels at the time of assessment and annually thereafter.

In-Depth Analysis

Assessment Frequency by Level

  • Level 1: Annual self-assessment + annual affirmation
  • Level 2: Assessment every 3 years (self or C3PAO) + annual affirmation
  • Level 3: Assessment every 3 years (DIBCAC) + annual affirmation

The Annual Affirmation Requirement

Regardless of your CMMC level, you must submit an annual affirmation confirming continued compliance. This is a formal attestation by a senior official in your organization that your security posture has been maintained since the last assessment.

What Triggers a New Assessment

Outside the regular cycle, a new assessment may be required if:

  • A significant change to your environment occurs (see the significant change FAQ)
  • Your POA&M closeout assessment reveals unmet requirements
  • The DoD contracting officer requests verification
  • You expand your assessment scope to cover additional systems

Planning Ahead

Build assessment preparation into your annual cybersecurity calendar. For Level 2 C3PAO assessments, start preparing at least 6-12 months before your assessment expires. C3PAO availability is limited, and scheduling can take time β€” especially as more contractors enter the pipeline.

Have More Questions?

ChatCMMC can answer detailed questions about CMMC compliance, NIST 800-171 controls, assessment preparation, and more β€” powered by official DoD documentation.

Ask ChatCMMC β†’

Get Your Free CMMC Readiness Assessment

Find out where your organization stands and what steps you need to take. Jun Cyber's CMMC experts are here to help.

By submitting, you agree to be contacted by Jun Cyber. No spam, ever.

Related Questions

You Might Also Want to Know

About CMMC

When Will CMMC Assessments Be Required for Department Contracts?

β†’ Assessments

What Qualifies as a Significant Change Requiring CMMC Reassessment?

β†’ Assessments

Are CMMC Assessment Results Made Public?

β†’
Jun Cyber

Ready to Start Your CMMC Journey?

Jun Cyber helps defense contractors navigate CMMC compliance with confidence. From gap assessments to certification readiness β€” we've got you covered.

πŸ“… Schedule a Consultation Learn About CMMC Select β†’