SAM #N62473CMMCNotice

Notice of Upcoming CMMC Requirements for NAVFAC Southwest Construction and Architect-Engineer Contracts

NAVFAC Southwest (SW) of the Department of the Navy has issued a notice to inform contractors about upcoming cybersecurity requirements for its construction and architect-engineer contracts. - Applies to all NAVFAC SW Planning, Design and Construction (PDC) Multiple Award Construction Contracts (MACCs) and Architect-Engineer IDIQ Contracts - Contractors must have a current Cybersecurity Maturity Model Certification (CMMC) status recorded in the Supplier Performance Risk System (SPRS) - Most work will require CMMC Level 2 (C3PAO) certification or higher - CMMC requirements will be included in future contract actions - No specific products, services, vendors, or part numbers are listed - This is an informational notice, not a solicitation or request for proposal - Contractors should prepare for compliance with CMMC requirements to be eligible for future awards

Description

Notice to Industry – Application of Cybersecurity Maturity Model Certification (CMMC) Requirements

NAVFAC SOUTHWEST (SW) provides this notice to Industry to inform current and prospective contractors about the CMMC Requirements under all NAVFAC SW Planning, Design and Construction (PDC) Multiple Award Construction Contracts (MACCs) and Architect-Engineer IDIQ Contracts.

Future contract actions shall include the CMMC requirements in accordance with Department of War (DoW) implementation of the CMMC program.

As DoW continues implementation of the CMMC program, solicitations and contracts shall identify when contractor information systems are expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The applicable CMMC level will be identified in the solicitation and contract.

Offerors shall be required to have a current CMMC status recorded in the Supplier Performance Risk System (SPRS), including applicable assessment results and affirmations, as a condition of award for the contract, task order, and associated options where CMMC requirements apply.

In order to receive an IDIQ award from NAVFAC SW PDC, on or after November 10, 2026, prospective contractors must show that they have obtained a CMMC Level 2 (C3PAO) or higher. Task orders issued under NAVFAC SW IDIQs may be assigned a CMMC Level below Level 2 (C3PAO); however, for the majority of work under Construction and Architect-Engineering IDIQs, it is anticipated that a Level 2 (C3PAO) certification will be required after November 10, 2026. 

Immediate Steps Required

We urge all contractors and subcontractors to take the following immediate steps to prevent any disruption to your contract eligibility:

Access SPRS: Log in to the SPRS on PIEE, at https://piee.eb.mil/

SPRS Vendor (Role) & Cyber Reports Access:

                      https://www.sprs.csd.disa.mil/pdf/SPRS_Access_CyberReports.pdf

SPRS CMMC Level 2 Entry tutorial: https://www.sprs.csd.disa.mil/videos/Tutorials/CMMCL2SelfAssessment/CMMCLevel2selfassessmenttutorial.html How to upload CMMC Level Training offered on SPRS as an Affirming Official (AO) https://www.sprs.csd.disa.mil/cmmc.htm

Verify Your Status: Confirm that your firm has a current CMMC status type  properly posted in SPRS. Ensure Accuracy: Validate that the posted CMMC status type accurately reflects your current cybersecurity posture as it aligns with the CMMC level required by your existing or potential contracts.

This notice is for informational purposes only and does not constitute a solicitation, a request for proposal, nor a guarantee of award.

View original listing