Notice to Industry - Application of Cybersecurity Maturity Model Certification (CMMC) Requirements
Overview
Buyer
Place of Performance
NAICS
PSC
Set Aside
Original Source
Timeline
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
Quick Summary
This is a Special Notice from NAVFAC SOUTHWEST (SW), under the Department of the Navy, informing the industry about the upcoming application of Cybersecurity Maturity Model Certification (CMMC) requirements. These requirements will apply to all future Planning, Design and Construction (PDC) Multiple Award Construction Contracts (MACCs) and Architect-Engineer IDIQ Contracts. Contractors must ensure their CMMC status is recorded in the Supplier Performance Risk System (SPRS).
Purpose and Scope
NAVFAC SW is providing this notice to prepare current and prospective contractors for the mandatory CMMC requirements. The Department of War (DoW) is implementing the CMMC program, and future solicitations and contracts will specify the applicable CMMC level based on whether contractor information systems process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
Key Requirements and Timeline
- Mandatory CMMC Status: Offerors must have a current CMMC status recorded in SPRS, including assessment results and affirmations, as a condition of award for contracts, task orders, and options where CMMC applies.
- IDIQ Award Requirement: For IDIQ awards from NAVFAC SW PDC on or after November 10, 2026, prospective contractors must demonstrate a CMMC Level 2 (C3PAO) or higher certification.
- Task Order Levels: While some task orders may require CMMC levels below Level 2, the majority of work under Construction and Architect-Engineering IDIQs is anticipated to require Level 2 certification after November 10, 2026.
- Place of Performance: San Diego, CA area.
Immediate Actions for Contractors
To prevent disruption to contract eligibility, contractors and subcontractors are urged to take the following steps:
- Access SPRS: Log in to the SPRS on PIEE (https://piee.eb.mil/) and obtain necessary Cyber Reports access.
- Utilize Tutorials: Review the SPRS CMMC Level 2 Entry tutorial and guidance on uploading CMMC Level Training as an Affirming Official (AO).
- Verify and Ensure Accuracy: Confirm that your firm has a current CMMC status properly posted in SPRS and that it accurately reflects your cybersecurity posture for current or potential contracts.
Additional Information
This notice is for informational purposes only and does not constitute a solicitation, a request for proposal, or a guarantee of award. Published Date: March 27, 2026. Primary Contact: Hal Hayes (harold.w.hayes10.civ@us.navy.mil, 619-705-4674).