Potential Application of Cybersecurity Maturity Model Certification (CMMC) Requirements For SCB MAC

Quick Summary

The Department of the Navy (NAVSEA) has issued a Special Notice to inform current and prospective contractors for the SCB MAC IDIQ that future contract actions will incorporate Cybersecurity Maturity Model Certification (CMMC) requirements. This notice is for informational purposes only and does not constitute a solicitation.

Purpose & Scope

This notice clarifies that as the Department of War (DoW) implements the CMMC program, Contracting Officers will include applicable CMMC requirements in solicitations and contracts where contractor information systems are expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The specific CMMC level will be identified in future solicitations or delivery orders.

Key Requirements

Offerors will be required to have a current CMMC status recorded in the Supplier Performance Risk System (SPRS), including assessment results and affirmations, as a condition of award. Future solicitations and task/delivery orders will include relevant Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity provisions, such as FAR 52.204-21, DFARS 252.204-7012, and DFARS 252.204-7021.

Important Notes

This notice does not alter existing contracts or impose new requirements immediately. Contractors are strongly encouraged to review official CMMC guidance and resources published by the Department of War and ensure their cybersecurity assessments and related information are accurately recorded in SPRS. Interested vendors should continue to monitor SAM.gov for future opportunities detailing specific CMMC requirements.

Contract & Timeline

• Type: Special Notice (Informational)
• Set-Aside: None specified
• Published: March 17, 2026