Nexurion Field Notes · Vol. IV · 1 May 2026
CMMC · DoD · Senior-official affirmation · 9 pages · ~14 min
Author of record: Jack Giordano

The senior-official affirmation, decoded.

Every Civil Cyber-Fraud Initiative settlement to date traces to one signature. The CMMC affirmation looks like a checkbox; it operates like an attestation under the False Claims Act. This is the packet your senior official needs before they sign, and the four sentences they should never sign.

Volume: IV of V
Domain: CMMC 2.0 / DFARS 7012, 7019, 7020, 7021
Audience: CEOs, COOs, CIOs, GCs
Author: Jack Giordano
Reading time: ~14 minutes
§ 01 · The instrument

The affirmation is not a checkbox. It is an attestation.

The CMMC final rule, codified at 32 CFR Part 170 in late 2024 and operationalized through DFARS 252.204-7021, requires a senior-official affirmation in the Supplier Performance Risk System (SPRS) at the conclusion of every assessment and at every annual reaffirmation. The affirmation is signed by a single named officer with authority to bind the organization.

The text the senior official is signing is short. It is also, under 31 U.S.C. § 3729 (the False Claims Act), sufficient on its own to ground individual liability. The Department of Justice has been explicit, in the 2021 Civil Cyber-Fraud Initiative announcement and in the settlements that followed, that misrepresentations about cybersecurity compliance in connection with federal procurement are FCA-actionable. The affirmation is the connective tissue that makes the doctrine apply to your specific contract.

A signature in SPRS is not an administrative formality. It is a federal certification, by a named human, that the contents of the assessment fairly represent the state of the system. Sign it like one. - Vol. IV, §01
§ 02 · The case map

Every CCFI settlement traces to one signature.

The pattern across the public CCFI settlements between 2022 and 2025 is consistent enough to be useful. The DOJ does not (yet) pursue the technical staff who failed to enable a control. It pursues the senior officer whose signature represented that the control was enabled.

Pattern: Self-assessment scores
    What was signed: An SPRS score asserting full implementation
    What was missing: Eight to twenty controls had not been implemented

Pattern: Subcontractor flow-down
    What was signed: A clause representing flow-down of DFARS 7012
    What was missing: Subcontractors had not received or accepted the clause

Pattern: Incident reporting
    What was signed: An assertion that incident reporting met the 72-hour clock
    What was missing: Reporting workflow had no defined route to DC3

Pattern: Cloud configuration
    What was signed: An attestation that the environment met FedRAMP-Moderate equivalency
    What was missing: Tenant was a commercial SaaS without the equivalency package

The senior official in each case did not write the technical falsehood. They signed for it. Knowledge or reckless disregard, in FCA doctrine, is enough.

§ 03 · The packet

What we package before a senior official signs.

An affirmation is defensible to the degree that the senior official can show, at the moment of signing, what they relied upon. That reliance has to be documented or it does not exist. We package a one-binder reliance file, prepared by the assessor and reviewed by counsel, that contains exactly six things:

  1. The assessment report

    The C3PAO or self-assessment report, with the boundary diagram and asset inventory it relied on, dated and version-stamped.

  2. The POA&M with closure dates

    Every plan-of-action item, owner, due date, and the implementation evidence that closed it. Open POA&M items at the moment of signing are themselves a §04 issue; see §05 below.

  3. The flow-down evidence

    For every subcontractor in scope: a signed acknowledgment that DFARS 7012, 7019, 7020, 7021 flowed down, and an SPRS score on file for them where applicable.

  4. The cloud equivalency package

    For every cloud service holding CUI: the FedRAMP-Moderate authorization or the assessor-validated equivalency body of evidence required by DoD's December 2023 memo.

  5. The incident-reporting workflow

    Named DoD reporting account, tested route to DC3, and the dated tabletop or live test that exercised it inside the assessment period.

  6. Counsel's reliance memo

    A short memo from inside or outside counsel stating what the senior official is relying upon and where each reliance is documented in the binder. Two pages, signed.

If any of the six is missing on the day of the signature, the signature should not happen. Reliance you cannot document is reliance you cannot invoke.

§ 04 · The red lines

Four sentences a senior official should never sign.

Across the affirmations we have reviewed in 2025–2026, four phrasings recur in vendor-template language that the senior official is asked to adopt verbatim. Each is, in our reading, indefensible at the FCA level:

Phrase 01
"All controls are fully implemented across all in-scope systems." This is the language most often cited in CCFI settlements. It survives only if every POA&M item is closed at signature; open POA&M items, by definition, mean they are not.
Phrase 02
"Subcontractors have implemented equivalent controls." A senior official cannot affirm a control state for an entity they do not operate. The defensible language is "subcontractor flow-down has been executed and SPRS scores received where applicable."
Phrase 03
"This environment meets FedRAMP Moderate." Unless there is an active P-ATO or assessor-validated equivalency body of evidence, this is the cloud-configuration pattern from §02.
Phrase 04
"Cybersecurity incidents are reported within 72 hours." A senior official can affirm a workflow exists; they cannot affirm a future behavior. Defensible language: "an incident-reporting workflow exists, has been tested in this period, and meets the 72-hour requirement of DFARS 7012."

The fix is to rewrite the affirmation language, in counsel-reviewed form, before the senior official enters SPRS.

§ 05 · The open list

POA&M items as affirmation risk.

CMMC 2.0 permits a 180-day POA&M for a defined subset of practices at conditional Level 2 certification. POA&M items are not automatically a §04 problem; they are a §04 problem when the affirmation language overstates them. The defensible position, for an organization signing while a POA&M is open, is to enumerate the open items, attach owners and dates, and have the senior official sign an affirmation that names them.

  • Each open POA&M item: practice ID, gap statement, mitigation in place, owner, closure date.
  • Affirmation text that says "with the exception of the POA&M items at Appendix B."
  • Quarterly tracker that shows POA&M closure with evidence references.

If your packet does not name the open POA&M items in the affirmation itself, the FCA risk is not on the assessor. It is on the signer.

§ 06 · Retractions

Three positions we are willing to retract.

  • If the DOJ issues a CCFI policy update that materially narrows the FCA reach into self-affirmations (for example, a knowledge-element clarification), §02 softens.
  • If CMMC's 32 CFR 170 is amended to allow a delegated affirmation by a compliance officer rather than a binding senior official, §03's reliance file becomes lighter.
  • If the seven-figure CCFI settlement pace of 2024–2025 does not continue through 2026, §01's instrument framing may be over-strong for low-tier contractors.

None of these are likely in 2026.

CMMC affirmation due in the next two quarters?

A 45-minute call. We walk your reliance binder against the six-item packet above and tell you which two are missing. No deck, no nurture sequence, no follow-up unless you reply.