What the SPRS CMMC Affirmation Says

In a previous blog post we talked about the False Claims Act and how it relates to self-assessment and self-affirmation reports in the Supplier Performance Risk System (SPRS). You may still harbor doubts about whether a false claim in SPRS can lead to serious consequences. A quick look at the affirmation statement reveals why this is such a point of focus among C3PAOs and the rest of the CMMC ecosystem.

What You Are Signing

If you are the Affirming Official (AO), you have the responsibility of affirming everything your organization enters into the SPRS database as true.

“The affirming official (AO) is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC program requirements and has the authority to affirm the OSA’s continuing compliance with the security requirements for their respective organizations. (32CFR§170.4).”

When submitting your SPRS score the affirming official must self-affirm the organization’s compliance with 32CFR§170 with the below statement:

Submission of this assessment result or affirmation indicates that [AO Name] as the Affirming Official responsible for Cybersecurity Maturity Model Certification (CMMC) for [OSA name], has reviewed and approved of the submission and attests that the information system(s) within [or covered by] the scope of this CMMC assessment IS/ARE compliant with the CMMC requirements as defined in 32CFR §170. Misrepresentation of this CMMC compliance status to the Government may result in criminal prosecution, including actions under section 1001, Title 18 of the United States code, civil liability under the False Claims Act, and contract remedies as determined appropriate by the contracting officer.

This submission statement is very clear on the penalties that can follow an improperly reported score.

What This Means for Your Organization

The OSA’s senior leadership, and especially the affirming official, must be involved in the organization’s CMMC compliance journey. Affirming officials must understand that they bear the personal liability involved in signing the self-affirmation statement. Every team member must understand the actual results of the assessment, which controls have permissible Plans of Action and Milestones (POAMs), and what the organization is reporting as a final score. Reporting a real score that is less than the required 110 is a better path than reporting an inflated (false) 110 score, which may have civil and criminal implications for the organization and the affirming official.

What Questions Do You Have?

Do you have questions about SPRS, CMMC assessments, POAMs, or anything else discussed here? Feel free to contact us. We are happy to help!