
Affirming Official’s dilemma: Why security questionnaires fail under CMMC Level 2

CMMC Level 2 changes cybersecurity compliance from a company promise to a personal affirmation. For affirming officials, vendor questionnaires are no longer enough.

In this article:

CMMC Level 2 raises the stakes for defense contractors by making a named affirming official personally responsible for annual compliance affirmations in SPRS. That obligation extends to how the organization monitors vendors and subcontractors that handle sensitive data. This article argues that security questionnaires cannot satisfy CMMC’s evidence-based assessment model because they capture unverified, point-in-time claims rather than observable proof. As a result, questionnaires create audit, breach, and False Claims Act exposure. Affirming officials need vendor assessment practices built on continuous monitoring, verifiable artifacts, and control-level evidence.

What CMMC means for affirming officials

On November 10, 2025, the Cybersecurity Maturity Model Certification (CMMC) program became a contractual reality for the defense industrial base. For the first time, cybersecurity compliance is not just an organizational obligation. It is a personal liability for the senior official who signs the annual affirmation in the Supplier Performance Risk System (SPRS).

That person, designated the Affirming Official under 32 CFR § 170.22, is staking their name and career on the accuracy of a statement that their organization continuously meets every applicable security requirement.

This article examines a critical gap in how most defense contractors approach one dimension of that affirmation: vendor and supply chain security. Specifically, we argue that the security questionnaire — the dominant tool used across the defense industrial base for third-party risk assessment — is fundamentally incompatible with the evidence-based assessment methodology that CMMC demands. And we outline what happens to affirming officials who rely on questionnaires when a breach occurs, an audit fails, or the Department of Justice comes calling under the False Claims Act.

The rules of the game have changed. The question is whether your vendor assessment practices have changed with them.

The current state: CMMC Level 2 and NIST 800-171 Revision 2

CMMC Level 2 is built on a foundation of 110 security requirements drawn from NIST SP 800-171 Revision 2, organized across 14 control families. These security requirements are evaluated against 320 assessment objectives defined in NIST SP 800-171A. For the majority of contractors handling CUI critical to national security, an independent Certified Third-Party Assessment Organization (C3PAO) performs that evaluation.

The critical word in that description is evaluated. The CMMC assessment methodology defines an assessment as “the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.” This is a three-part test: correct implementation, operational effectiveness, and desired outcome. Each part demands observable, verifiable evidence.

Supply chain requirements under 800-171 Rev. 2: Present but limited

Here is a fact that surprises many contractors: NIST 800-171 Revision 2 does not include a dedicated Supply Chain Risk Management (SR) control family. The 14 families in Revision 2 address access control, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity, and awareness and training.

Supply chain risk management as a formal discipline is absent from this list. It does not appear as a distinct family until NIST 800-171 Revision 3.

That said, 800-171r2 is not silent on vendor and supply chain obligations. The closest numbered requirement is 3.1.20, which requires contractors to verify and control or limit connections to and use of external systems. The broader System and Services Acquisition expectations come through tailoring rather than through numbered requirements: the NIST SP 800-53 controls governing external system services (SA-9 and its enhancements) are listed in Appendix E of Revision 2 as controls that nonfederal organizations are expected to satisfy routinely without further specification. Read together, these expect contractors who rely on external service providers to define security requirements for those providers, document roles and responsibilities, and monitor compliance on an ongoing basis, and to require that any provider of external system services used to process, store, or transmit CUI comply with the security requirements the organization defines.

This is meaningful but narrow. It tells you that you must impose requirements on your service providers and monitor them. It does not tell you how to verify that you are meeting those requirements. And that gap — between the requirement to monitor and the method of monitoring — is where the security questionnaire has filled the vacuum by default, not by design.

Flowdown: Where supply chain meets contract law

While 800-171r2 may not have a formal SR family, the CMMC program creates supply chain accountability through its flowdown requirements. Under the final rule, prime contractors must flow down CMMC requirements to all subcontractors and suppliers that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in performance of a subcontract. The required CMMC level for a subcontractor depends on the data sensitivity and the prime’s contract requirements, not the prime’s own certification level.

For most subcontractors handling CUI where the prime holds a Level 2 C3PAO certification, the minimum flowdown requirement is a Level 2 C3PAO assessment. This is not optional and not negotiable. The subcontractor must hold its own certification before the prime can share CUI with it or award the subcontract.

Here is the complication: The Supplier Performance Risk System (SPRS), where assessment results and affirmations are recorded, does not allow prime contractors to view their subcontractors’ data directly. Primes must rely on documentation provided by the subcontractor, such as SPRS screenshots or copies of certificates. This informational asymmetry places the burden of verification squarely on the prime contractor and, by extension, on its affirming official.

Key takeaway: Under the current CMMC Level 2 framework, the affirming official is personally attesting to compliance with 110 controls and 320 assessment objectives — including the requirement to monitor external service providers — while having no direct visibility into subcontractor compliance status in SPRS. The question of how that monitoring is performed, and what evidence supports it, is not academic. It is the foundation of the affirming official’s legal exposure.

 

The future state with NIST 800-171 Revision 3

Soon, supply chain risk management will become explicit. NIST SP 800-171 Revision 3, finalized in May 2024, introduces three new control families to align with the NIST 800-53 Revision 5 moderate baseline: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR).

This brings the total from 14 families to 17, with 97 requirements (reduced from 110 through consolidation, despite the addition of nine new controls) and 422 assessment objectives (up from 320).

The new SR family includes three specific requirements that fundamentally change the supply chain compliance landscape:

  • SR 3.17.1 — Develop a supply chain risk management plan. Contractors must create, periodically review, update, and protect from unauthorized disclosure a formal plan for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, components, and services.
  • SR 3.17.2 — Define acquisition strategies and tools for supply chain risk. Contractors must employ contract language, procurement methods, and acquisition strategies that identify, protect against, and mitigate supply chain risks.
  • SR 3.17.3 — Implement controls and processes to identify supply chain weaknesses. Contractors must develop mechanisms for finding vulnerabilities and deficiencies in the elements and processes of their supply chain.

 

The timeline: Revision 3 is coming, but Revision 2 is now

The DoD has not yet transitioned CMMC to Revision 3. That transition will require formal rulemaking and is likely years away. The current CMMC Phase 2 rollout, which brings C3PAO certification requirements to most Level 2 contracts, is aligned to Revision 2 and begins enforcement through contract clauses on November 10, 2026, one year after Phase 1.

This creates an important strategic reality for affirming officials: you will be assessed against Revision 2 today, but the direction of travel is unmistakable. The DoD is moving toward explicit, auditable requirements for supply chain risk management. Organizations that build their vendor assessment programs solely to satisfy Revision 2’s minimal requirements will face a costly and potentially disruptive overhaul when Revision 3 becomes the standard.

More immediately, the fact that Revision 3 codifies supply chain risk management as a formal control family signals how the DoD interprets the intent of the existing requirements. An affirming official who argues they had no supply chain obligations under Revision 2 will find that argument increasingly untenable as the regulatory environment evolves.

Key takeaway: Revision 3 makes explicit what was implicit: supply chain risk management is a first-class compliance obligation. Affirming officials who wait for the formal transition to begin will be years behind the organizations that start now.

 

Why security questionnaires will not survive an evidence-based assessment

The security questionnaire is the most widely used tool for vendor risk assessment in the defense industrial base and across regulated industries generally. The typical process is familiar: a prime contractor sends a standardized questionnaire to a vendor, the vendor completes it (or has someone else complete it on their behalf), the prime reviews the responses, and the completed questionnaire is filed as evidence of due diligence.

This approach has a structural problem that no amount of refinement can fix: a questionnaire is a claim, not evidence.

When a vendor checks “Yes” next to “Do you encrypt CUI at rest?”, they are making an assertion. They are telling you what they believe to be true, or what they want you to believe is true, at the moment they complete the form. That assertion has no verifiable connection to the actual state of their systems. It has not been tested. It has not been observed. No independent artifact corroborates it.

Compare this to what CMMC actually demands. The assessment methodology requires that each security requirement be evaluated against determination statements to confirm that the control is implemented correctly, operating as intended, and producing the desired outcome. C3PAO assessors satisfy those determination statements by examining artifacts (policies, configurations, logs, architecture diagrams), interviewing responsible personnel, and testing technical controls.

A vendor’s questionnaire response satisfies none of these assessment methods. It is not an artifact of the vendor’s security program. It is not an interview with their technical staff. It is not a test of their controls. It is a self-reported opinion rendered on a single day.

The 5 failure modes of questionnaire-based vendor assessment

Questionnaire-based vendor assessment fails in predictable ways under CMMC Level 2. It produces stale, self-reported claims instead of verifiable evidence, leaves no defensible artifact trail, and gives affirming officials little support when auditors, investigators, or contracting officers ask how vendor compliance was actually validated.

The details:

  • Point-in-time decay

A questionnaire captures a snapshot. Even if every answer is accurate on the day it is completed, that accuracy degrades immediately. Personnel leave, taking institutional knowledge with them. Configurations drift as systems are patched, upgraded, or reconfigured. Subscriptions to security tools lapse. A questionnaire completed in January tells you nothing about the vendor’s security posture in September, yet the affirming official must attest to continuous compliance annually. Continuous compliance requires continuous evidence, not annual snapshots.

  • No artifact trail

Under CMMC, organizations seeking assessment must maintain all artifacts and hashes of those artifacts that supported the assessment for six years. The evidence that C3PAO assessors evaluate includes system configurations, access control lists, audit logs, training records, incident response plans, and other verifiable documentation. What artifact does a completed questionnaire produce? A PDF of someone else’s answers. If a vendor’s security failure becomes your security failure because CUI flowed through their environment, the questionnaire provides no evidentiary basis for the affirming official’s attestation.

  • Unverifiable claims

Questionnaires rely entirely on the respondent’s honesty and competence. The person filling out the questionnaire may not understand the controls being asked about. They may not have visibility into their own organization’s actual implementation. They may provide aspirational answers that describe planned controls rather than implemented ones. And because the questionnaire provides no mechanism for verification, these gaps are invisible to the recipient.

  • The flowdown accountability gap

SPRS already creates an informational asymmetry where primes cannot directly view subcontractor compliance data. If the only additional layer of diligence a prime applies is a questionnaire — which is itself a self-reported claim, structurally identical to the SPRS entry — then the prime has not added an independent verification layer. It has simply doubled down on the same type of unverified assertion. This is a single point of failure dressed up as a process.

  • Lack of control-level granularity

CMMC Level 2 has 320 assessment objectives. A typical security questionnaire might contain 50 to 100 questions, many of which bundle multiple controls into a single yes-or-no response. The mapping between questionnaire responses and the specific assessment objectives that a C3PAO will evaluate is loose at best and nonexistent at worst. An affirming official cannot build a reasonable basis for their attestation on a tool that does not even align with the framework they are being assessed against.

Key takeaway: The CMMC assessment methodology exists because the DoD determined that self-attestation was insufficient to protect CUI. It follows logically that self-attestation from your vendors — in the form of questionnaire responses — is equally insufficient as the basis for your own compliance affirmation.
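The three failure modes above that a prime can actually instrument are point-in-time decay, the missing artifact trail, and the lack of control-level granularity. The following is an added example, not Strike Graph's code and not part of any CMMC tooling, of how a prime might keep vendor evidence as a hashed manifest rather than a filed PDF: every artifact is hashed, stamped with its collection time, and tagged with the assessment objectives it supports, and a later verification pass reports anything that has gone missing, changed since collection, aged past a freshness threshold, or was never mapped to an objective. The artifact names and contents are constructed, the objective labels are placeholders rather than real NIST SP 800-171A identifiers, and the 90-day staleness threshold is an assumption; a real program would pick its own.

```python
"""Evidence manifest for vendor artifacts: hash each artifact, stamp its
collection time and the assessment objectives it supports, then re-verify.

Added example (not Strike Graph's or any CMMC tool's code). Artifact names,
contents and objective labels are constructed placeholders."""
import datetime as dt
import hashlib
import json

MAX_AGE_DAYS = 90  # assumption: evidence older than this is treated as stale


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes],
                   objectives: dict[str, list[str]],
                   collected_at: dict[str, dt.datetime]) -> dict:
    """One entry per artifact; the manifest hash covers the whole entry list,
    so a later edit to any entry is detectable."""
    entries = []
    for name in sorted(artifacts):
        entries.append({
            "artifact": name,
            "sha256": sha256_hex(artifacts[name]),
            "bytes": len(artifacts[name]),
            "collected_at": collected_at[name].isoformat(),
            "objectives": sorted(objectives.get(name, [])),
        })
    digest = sha256_hex(json.dumps(entries, sort_keys=True).encode())
    return {"entries": entries, "manifest_sha256": digest}


def verify_manifest(manifest: dict, artifacts: dict[str, bytes],
                    now: dt.datetime,
                    max_age_days: int = MAX_AGE_DAYS) -> list[tuple[str, str]]:
    """Return (finding, artifact) pairs; an empty list means the evidence set
    is intact, current, and mapped to assessment objectives."""
    findings = []
    recomputed = sha256_hex(json.dumps(manifest["entries"], sort_keys=True).encode())
    if recomputed != manifest["manifest_sha256"]:
        findings.append(("manifest_tampered", "*"))
    for e in manifest["entries"]:
        name = e["artifact"]
        content = artifacts.get(name)
        if content is None:
            findings.append(("missing", name))
        elif sha256_hex(content) != e["sha256"]:
            findings.append(("modified", name))  # drifted since collection
        age = now - dt.datetime.fromisoformat(e["collected_at"])
        if age.days > max_age_days:
            findings.append(("stale", name))     # point-in-time decay
        if not e["objectives"]:
            findings.append(("unmapped", name))  # no control-level granularity
    return findings


# Constructed sample evidence set for one vendor.
T0 = dt.datetime(2026, 1, 15, tzinfo=dt.timezone.utc)
ARTIFACTS = {
    "vendor-questionnaire.pdf": b"Q12: Do you encrypt CUI at rest? Yes\n",
    "kms-key-policy.json": b'{"KeyRotationEnabled": true, "KeyState": "Enabled"}\n',
    "mfa-enforcement-export.csv": b"user,mfa_enrolled\nalice,true\nbob,true\n",
}
COLLECTED = {
    "vendor-questionnaire.pdf": dt.datetime(2025, 6, 1, tzinfo=dt.timezone.utc),
    "kms-key-policy.json": T0,
    "mfa-enforcement-export.csv": T0,
}
# Placeholder objective labels; a real mapping would cite NIST SP 800-171A IDs.
OBJECTIVES = {
    "kms-key-policy.json": ["OBJ-CUI-AT-REST"],
    "mfa-enforcement-export.csv": ["OBJ-MFA-PRIV", "OBJ-MFA-NET"],
}


def demo() -> dict:
    manifest = build_manifest(ARTIFACTS, OBJECTIVES, COLLECTED)
    now = dt.datetime(2026, 3, 1, tzinfo=dt.timezone.utc)
    clean = verify_manifest(manifest, ARTIFACTS, now)
    # Simulate drift: the vendor changes the key policy after collection.
    drifted = dict(ARTIFACTS)
    drifted["kms-key-policy.json"] = b'{"KeyRotationEnabled": false, "KeyState": "Enabled"}\n'
    after_drift = verify_manifest(manifest, drifted, now)
    return {"clean": clean, "after_drift": after_drift}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as written, the questionnaire is flagged as stale and unmapped even before anything changes, because it was collected nine months earlier and answers no specific objective; after the simulated policy change, the exported key policy is additionally flagged as modified. That is the difference the article is drawing: the configuration export can be re-collected and re-hashed on a schedule to show continuous state, while the questionnaire can only ever be re-asked.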

 

The affirming official’s personal liability when evidence fails

32 CFR part 170 defines the Affirming Official (in the definitions at § 170.4) as the senior-level representative from within each Organization Seeking Assessment who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements; § 170.22 sets out what that affirmation must contain and when it is due.

This is not a ceremonial role. The affirming official must submit an electronic affirmation in SPRS after every assessment (including POA&M closeouts) and annually thereafter. That affirmation states that the organization continues to meet all applicable CMMC requirements. There is no qualified language. There is no “to the best of our knowledge.” It is a binary assertion: we are compliant, or we are not.

The personal nature of this obligation cannot be overstated. The affirmation is not made by “the company” in the abstract. A named individual has the authority and responsibility to know whether it is true. That individual is the one who faces consequences when it is not.

Scenario 1: The failed audit

When a C3PAO conducts a Level 2 certification assessment, they evaluate each of the 320 assessment objectives through artifact examination, interviews, and testing. If they find that a control related to external service provider monitoring is marked as “MET” in the organization’s System Security Plan, but the only supporting evidence is a collection of vendor questionnaires, the assessor has a problem.

The assessor’s job is to determine whether the control is implemented correctly, operating as intended, and producing the desired outcome. A questionnaire does not demonstrate implementation (it is the vendor’s claim, not an observable artifact). It does not demonstrate operational effectiveness (it is a point-in-time assertion, not evidence of ongoing operation). And it does not demonstrate the desired outcome (protecting CUI across the supply chain) because the connection between the questionnaire response and the actual security posture is unverified.

The likely result is a NOT MET finding. Depending on the number and criticality of NOT MET findings, the organization may receive a Conditional status (available only when the score is at least 88 of 110 and every open item is POA&M-eligible, with 180 days to close the POA&M) or fail to achieve certification. For the affirming official, a failed assessment means there is no valid certification to affirm against in SPRS, which means the organization is ineligible for contract award or option renewal.

Scenario 2: The breach

Consider a scenario where a subcontractor suffers a data breach that exposes CUI flowing from the prime contractor’s environment. The prime contractor’s affirming official previously attested to continuous compliance, including the requirement to define security requirements for external service providers and monitor their compliance.

In the aftermath of the breach, the DoD, DIBCAC, or investigating counsel will ask: What evidence did the organization have that the subcontractor was meeting its security obligations? If the answer is a questionnaire that the subcontractor completed 18 months ago, the affirming official’s position is indefensible. The questionnaire did not reflect the subcontractor’s actual security posture at the time of the breach. It was never verified against the subcontractor’s actual controls. And the affirming official had no mechanism to detect the degradation that led to the breach.

The affirmation of continuous compliance requires evidence of continuous compliance. A stale questionnaire is evidence of nothing except that someone filled out a form.

Scenario 3: The False Claims Act

This is where the consequences become existential — both for the organization and the individual.

The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on any person who knowingly submits a false claim to the federal government or knowingly makes a false statement material to a false claim. “Knowingly” under the FCA includes not just actual knowledge but also deliberate ignorance and reckless disregard for the truth or falsity of the information; no specific intent to defraud is required. The consequences include treble damages and per-claim civil penalties, and an FCA judgment or settlement can in turn lead to suspension or debarment from federal contracting.

The CMMC affirmation is a representation to the government that the organization meets all applicable security requirements. If that affirmation is false — because, for example, the organization’s vendor monitoring consisted entirely of unverified questionnaires rather than evidence-based assessment — the affirming official faces FCA exposure on two fronts:

  1. Deliberate ignorance: The affirming official had every reason to know that a questionnaire is not evidence of control implementation. The CMMC assessment methodology explicitly requires examination, interview, and testing. An affirming official who relies on a tool that satisfies none of these methods has chosen not to know whether their vendors are actually compliant.

  2. Reckless disregard: Even if the affirming official believed the questionnaires were adequate, the regulatory framework makes clear that self-reported assertions are insufficient. The entire CMMC program exists because self-attestation under DFARS 252.204-7012 failed to protect CUI. An affirming official who applies the same insufficient methodology to their own supply chain has acted with reckless disregard for the accuracy of their affirmation.

The FCA’s qui tam provisions let a private relator file suit on the government’s behalf and share in any recovery. This means the risk is not limited to government-initiated investigations. A disgruntled employee, a competitor, or even a subcontractor could file a qui tam action alleging that the affirming official’s attestation was false, and the DoJ may then choose to intervene.

Key takeaway: The False Claims Act does not require that you intended to deceive. It requires knowledge, and the statute defines knowledge to include deliberate ignorance and reckless disregard of whether the claim is true. An affirming official who cannot demonstrate a reasonable, evidence-based foundation for their affirmation is exposed to personal liability regardless of intent.

 

The rules have changed: what affirming officials must do now

The defense industrial base is at an inflection point. For nearly a decade, the expectation that contractors would self-certify their compliance with NIST 800-171 produced inconsistent results and, in many cases, outright noncompliance. CMMC was created because the honor system did not work. The same logic applies to how contractors assess their vendors.

If you are an affirming official or advising one, the path forward requires a fundamental rethinking of vendor assessment practices. This is not about incremental improvement to your existing questionnaire process. It is about recognizing that the tool itself is inadequate for the regulatory environment you now operate in.

The standard has moved to evidence

The shift CMMC represents is a shift from claims to evidence. Every dimension of the assessment methodology — from artifact examination to personnel interviews to technical testing — is designed to verify that what an organization says it does is what it actually does. Your vendor assessment program must operate at the same standard.

This means moving beyond asking vendors what they do and toward mechanisms that allow you to observe, verify, and continuously validate what they do. It means aligning your vendor assessment criteria to the 320 assessment objectives that your own C3PAO will evaluate, not to a generic questionnaire template that maps loosely (if at all) to the NIST 800-171r2 control set.

Continuous monitoring is not optional

The annual affirmation requires that the affirming official attest to continuous compliance. This is a year-round obligation, not a point-in-time exercise. Any vendor assessment methodology that produces a snapshot — whether that snapshot is a questionnaire, a one-time audit, or an annual penetration test — is structurally incompatible with the continuous compliance requirement.

Affirming officials need vendor assessment mechanisms that provide ongoing visibility into vendor security posture and that generate the kind of evidence trail that can withstand scrutiny from a C3PAO, DIBCAC, or the Department of Justice.

Prepare for NIST 800-171 Revision 3 now

While the formal transition to NIST 800-171 Revision 3 may be years away, the direction is clear. The addition of a dedicated Supply Chain Risk Management family with explicit requirements for supply chain risk management plans, acquisition strategies, and weakness identification mechanisms signals that the DoD considers supply chain risk management a core compliance obligation, not an afterthought.

Organizations that build evidence-based vendor assessment programs now will be positioned to meet Revision 3 requirements with minimal disruption. Those who continue to rely on questionnaires will face a costly and compressed remediation effort when the transition arrives.

Protect the Affirming Official

Ultimately, this is about protecting the person who signs the affirmation. The affirming official’s exposure under the False Claims Act is real, personal, and consequential. The best protection for that individual is a defensible, evidence-based compliance program that demonstrates a reasonable basis for every assertion in the affirmation — including assertions about vendor and supply chain security.

A questionnaire does not provide that defense. Evidence does.

CMMC’s bottom line for affirming officials

The CMMC program has fundamentally changed the compliance calculus for every organization in the defense industrial base. It has moved cybersecurity compliance from an organizational promise to a personal attestation backed by evidence, enforced through contract eligibility, and subject to prosecution under the False Claims Act.

For affirming officials, the message is unambiguous: the adequacy of your vendor assessment practices is no longer a matter of preference or industry convention. It is a matter of law. Security questionnaires — unverified, point-in-time, and structurally disconnected from the evidence-based assessment methodology that CMMC requires — will not protect you when the assessment comes, when the breach happens, or when the investigation begins.

The organizations that thrive under CMMC will be the ones that recognized early that evidence-based vendor assessment is not a premium add-on to their compliance program. It is the foundation. And the affirming officials who protect themselves will be the ones who demanded that foundation before they put their name on the line.
