Three-Year Recertification
Also known as: Recertification cycle · CMMC recertification
CMMC Level 2 certifications expire after three years and require a full re-assessment by a C3PAO to renew.
Under CMMC 2.0, a Level 2 certification issued by a C3PAO is valid for three years. At the end of the three-year period, the contractor must undergo a full recertification assessment to renew their certification status.
The recertification assessment is conducted the same way as the initial assessment: a C3PAO reviews the SSP, assesses each of the 110 NIST SP 800-171 requirements against the assessment objectives in NIST SP 800-171A, samples evidence, conducts interviews, and renders a determination.
Between certifications, the contractor must submit annual senior official affirmations in SPRS attesting that the certification remains accurate and that the security posture has not materially degraded. CMMCDocs is built around the recertification cycle: it does not just help you get certified, it keeps your SSP, evidence, and POA&M current so the next assessment is incremental rather than a fire drill.
CMMCDocs.com