Notice to Industry - Application of Cybersecurity Maturity Model Certification (CMMC) Requirements
Key Dates
Due Date
-
Posted Date
-
Agency & Value
Agency
DEPT OF THE NAVY
Contract Value
Not provided
Codes & Classification
Solicitation Number
N62473CMMCNotice
NAICS
—
Classification Code
—
Additional Details
Documents1
The Department of the Navy, under the auspices of NAVFAC Southwest (SW), has issued a Special Notice to inform industry stakeholders about the forthcoming application of Cybersecurity Maturity Model Certification (CMMC) requirements. This notice is specifically relevant to all NAVFAC SW Planning, Design, and Construction (PDC) Multiple Award Construction Contracts (MACCs) and Architect-Engineer Indefinite Delivery/Indefinite Quantity (IDIQ) Contracts. The primary purpose of this communication is to ensure that current and prospective contractors are aware of the evolving cybersecurity compliance landscape and are prepared to meet the necessary standards as mandated by the Department of Defense (DoD).
The scope of this notice encompasses all future contract actions within NAVFAC SW PDC, emphasizing that CMMC requirements will be integrated in accordance with DoD’s ongoing implementation of the CMMC program. Contractors will be required to demonstrate their ability to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) at the appropriate CMMC level, which will be specified in each solicitation and contract. A critical objective is to ensure that all contractors maintain a current CMMC status, including assessment results and affirmations, recorded in the Supplier Performance Risk System (SPRS). This status will be a prerequisite for contract awards, task orders, and associated options where CMMC requirements are applicable.
A significant deliverable outlined in the notice is the requirement for prospective contractors to obtain a CMMC Level 2 (C3PAO) or higher certification in order to be eligible for IDIQ awards from NAVFAC SW PDC on or after November 10, 2026. While some task orders may require a CMMC level below Level 2, the majority of work under Construction and Architect-Engineering IDIQs is anticipated to necessitate Level 2 (C3PAO) certification post this date. Contractors are strongly encouraged to take immediate steps to access SPRS via the Procurement Integrated Enterprise Environment (PIEE), ensure proper vendor role and cyber report access, utilize available tutorials for CMMC Level 2 entry, and verify that their posted CMMC status accurately reflects their current cybersecurity posture.
The contracting entity for this notice is the Department of the Navy, a federal agency operating under the Department of Defense. The place of performance is San Diego, California, United States. For further information or clarification, contractors may contact Hal Hayes ([email protected], 619-705-4674) or Chad Slade ([email protected], 619-705-4514).
This notice is strictly informational and does not constitute a solicitation, request for proposal, or guarantee of award. Contractors should note that the CMMC requirements and associated compliance steps will remain constant throughout the contract lifecycle, ensuring ongoing protection of sensitive federal information. Interested parties are advised to review the notice in detail and take proactive measures to align their cybersecurity practices with the anticipated requirements to maintain eligibility for future NAVFAC SW contract opportunities.
For additional information and resources, contractors can refer to the official notice posted on SAM.gov at https://sam.gov/opp/ee5a3b6038af497e9a33702efb1c8ab2/view.