
    What Triggers a New CMMC Certification? Understanding "Significant Change" in 32 CFR Part 170

    Learn what triggers a new CMMC assessment and how to manage significant changes to maintain compliance and secure your defense contracts.

    3 Minutes Read

    If you've already gone through the process of obtaining your Cybersecurity Maturity Model Certification (CMMC), you might wonder: What could trigger the need for a new assessment before your three-year certification expires?

    According to 32 CFR Part 170 (and the CMMC Level 2 Scoping Guide), the answer is this: a "significant change" to your environment requires a new CMMC assessment.

    But what exactly is a significant change? 

    Let's break down what that means and what you should watch for.

    What Is a "Significant Change" Under CMMC? 

    While "significant change" may sound vague, it is the criterion that determines whether your current certification still holds up.

    If your organization undergoes a substantial shift in its IT environment, systems, or business processes that could affect how Controlled Unclassified Information (CUI) is protected, you may need to reassess your compliance.

    The CMMC Level 2 Scoping Guide describes significant changes as "architectural or boundary changes to the previous CMMC Assessment Scope."

    The guide lists examples of significant changes such as:

    • Major expansion to your network architecture 
    • Mergers, acquisitions, or structural reorganization


    Remember: the assessment is based on the environment that was certified. If that environment changes materially, you must evaluate whether your security posture has changed with it.

    Who Decides What's a "Significant Change"? You Do, or the DoD Will

    Ultimately, it's your responsibility as an organization to determine what qualifies as a significant change in your environment.

    If you don't, the Department of Defense (DoD) will decide for you, and its interpretation will likely be far more rigid. The DoD relies on NIST standards to evaluate security controls, so its threshold for what counts as significant is typically much stricter than what a contractor would set for itself. That can mean more frequent assessments and added compliance burden.

    The bottom line: define "significant change" yourself, thoughtfully and defensibly, and write that definition down. If you leave the decision to the DoD, you may get more scrutiny than you bargained for.

    Use NIST SP 800-37 Rev. 2 (the Risk Management Framework) as your rubric; its guidance on monitoring and assessing changes to a system gives you a defensible way to judge whether a change affects your security posture enough to warrant a reassessment.

    Why It Matters Within the Three-Year Window 

    CMMC certifications are valid for three years, but that doesn't mean you're in the clear for the full duration. If a significant change occurs, a reassessment may be necessary even if your certification hasn't expired. 

    This protects not just your contract eligibility, but also the integrity of your systems and data. The DoD and other federal entities expect defense contractors to maintain a compliant cybersecurity environment throughout the certification period, not only on assessment day.

    How to Know If You Need a Reassessment 

    Start by asking: 

    • Has our CUI boundary changed?
    • Does the new environment still satisfy all 110 NIST SP 800-171 requirements?
    • How does this change affect our original System Security Plan (SSP)?
    • Would a reasonable assessor agree that this is the same environment that was previously certified?

    If the answer to any of these is "no" or "I'm not sure," it's worth a deeper look, and possibly a conversation with a C3PAO or consultant.

    If We Change MSPs/MSSPs, Do We Have to Get a New CMMC Certification?

    The mere act of changing vendors does not automatically trigger a reassessment. Switching Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs) is not, by itself, a significant change.

    In practice, however, a new MSP will almost certainly bring its own tools, processes, and technology stack, and those changes usually alter the architecture or boundary of the certified environment. That is why, if you're already CMMC-certified and switch providers, it is very likely you'll need a new CMMC assessment.

    Once the security posture verified during your initial assessment no longer describes the environment you actually operate, a reassessment is needed to verify that the new boundary and controls meet your required CMMC level.

    If you're planning to switch service providers, it's generally better to do so before your CMMC assessment, so the environment that gets certified is the one you'll keep running.

    If you want to switch providers after your assessment, ask your new MSP/MSSP to spell out exactly what will change (tools, hosting, network paths, administrative access to CUI systems) and compare that list against your internal definition of a significant change, based on the guidance in 32 CFR Part 170 and the CMMC Level 2 Scoping Guide.

    Final Thoughts: Keep It Simple, Stay Compliant 

    • CMMC certifications last for three years unless a significant change occurs.
    • Significant change = anything that materially alters the architecture or boundary of your certified assessment scope.
    • When in doubt, consult your SSP and scoping documentation, and consider a reassessment.

    Need Help Navigating CMMC? 

    Whether you're preparing for your first assessment or managing changes in a certified environment, we're here to help. Reach out to our team for expert guidance and practical tools that keep your CMMC compliance on track no matter what changes come your way. 


    Author: Summit 7 Leadership