Portland District USACE – Notice to Industry: Anticipated Requirement for CMMC Level 2 (Self-Assessment) on Future Contract Actions
Overview
Buyer
Place of Performance
NAICS
PSC
Set Aside
Original Source
Timeline
Qualification Details
Fit reasons
- NAICS alignment with historical contract wins in similar service areas.
- Scope strongly matches core technical capabilities and delivery model.
Risks
- Past performance thresholds may require one additional teaming partner.
- Potential clarification needed on staffing minimums before bid/no-bid.
Next steps
Validate eligibility requirements, assign capture owner, and schedule partner outreach to confirm teaming strategy before submission planning.
The Portland District, U.S. Army Corps of Engineers (USACE), provides this Notice to Industry to inform current and prospective contractors that most future contract actions issued by the District are expected to require Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 (Self-Assessment). This notice is informational only and does not constitute a solicitation, request for proposal, or request for quote.
In alignment with Department of Defense implementation of CMMC 2.0, contracting officers are required to include applicable CMMC levels in solicitations and to verify that an offeror’s current CMMC status (self-assessment or certification, as required) is recorded in the Supplier Performance Risk System (SPRS) as a condition of award. For most Portland District requirements, offerors will be expected to have completed a CMMC Level 2 self-assessment in accordance with NIST SP 800‑171 requirements, scored using the CMMC Level 2 assessment methodology, and entered their score and affirmation in SPRS prior to award.
The following provisions and clauses may be included in forthcoming solicitations and are available here: https://www.acquisition.gov/
Defense Federal Acquisition Regulations Supplement (DFARS) provisions 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements may be included in most future solicitations.
Federal Acquisition Regulation (FAR) clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems and DFARS clauses 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Deviation 2024-O0013), 252.204-7020 NIST SP 800-171 DoD Assessment Requirements, and 252.204-7021 Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements will likely be included in most upcoming solicitations.
Contractors are strongly encouraged to review official CMMC resources and implementation guidance published by the Department of Defense and to begin or continue their compliance efforts as soon as practicable. Organizations that anticipate pursuing Portland District USACE work should ensure that their internal cybersecurity practices, documentation, and assessments are up to date in SPRS.
This notice does not change any existing contracts and does not by itself impose new requirements; specific CMMC requirements, including the level and assessment type, will be identified in individual solicitations and contracts. Interested vendors should monitor SAM.gov and other official USACE communication channels for future solicitations that will identify the applicable CMMC requirements for each procurement.