Notice to Industry – Potential Application of Cybersecurity Maturity Model Certification (CMMC) Requirements
Quick Summary
The Department of the Navy (NAVSEA) has issued an informational notice to industry regarding the future application of Cybersecurity Maturity Model Certification (CMMC) requirements for contract actions under the SCB MAC IDIQ. This notice clarifies that future solicitations and delivery orders will include CMMC requirements, and offerors will need a current CMMC status in the Supplier Performance Risk System (SPRS) as a condition of award. This is an informational notice only and does not constitute a solicitation.
Purpose
This special notice informs current and prospective contractors for the SCB MAC IDIQ that future contract actions will incorporate CMMC requirements, in accordance with the Department of War's (DoW) implementation of the CMMC program. The specific CMMC level will be identified in each solicitation or delivery order.
Key Requirements
- CMMC Status: Offerors must have a current CMMC status, including assessment results and affirmations, recorded in SPRS.
- Applicable Clauses: Future solicitations will include relevant Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity provisions, such as FAR 52.204-21, DFARS 252.204-7012, and DFARS 252.204-7021.
- No Immediate Change: This notice does not alter existing contracts or impose new requirements directly. Specific CMMC requirements, including the applicable level and assessment type, will be detailed in future solicitations.
Contract & Timeline
- Type: Special Notice (Informational)
- Set-Aside: Partial Small Business Set-Aside (applies to the underlying SCB MAC IDIQ)
- Published: March 18, 2026
Action Items
Contractors are encouraged to review official CMMC guidance from the Department of War and ensure their cybersecurity assessments and related information are accurately recorded in SPRS. Interested vendors should continue to monitor SAM.gov and other official DoW communication channels for future opportunities that will identify applicable cybersecurity and CMMC requirements.