Notice to Industry - Application of Cybersecurity Maturity Model Certification (CMMC) Requirements

Summary

Notice to Industry Application of Cybersecurity Maturity Model Certification (CMMC) Requirements NAVFAC SOUTHWEST (SW) provides this notice to Industry to inform current and prospective contractors about the CMMC Requirements under all NAVFAC SW Planning, Design and Construction (PDC) Multiple Award Construction Contracts (MACCs) and Architect-Engineer IDIQ Contracts. Future contract actions shall include the CMMC requirements in accordance with Department of War (DoW) implementation of the CMMC program. As DoW continues implementation of the CMMC program, solicitations and contracts shall identify when contractor information systems are expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The applicable CMMC level will be identified in the solicitation and contract. Offerors shall be required to have a current CMMC status recorded in the Supplier Performance Risk System (SPRS), including applicable assessment results and affirmations, as a condition of award for the contract, task order, and associated options where CMMC requirements apply. In order to receive an IDIQ award from NAVFAC SW PDC, on or after November 10, 2026, prospective contractors must show that they have obtained a CMMC Level 2 (C3PAO) or higher. Task orders issued under NAVFAC SW IDIQs may be assigned a CMMC Level below Level 2 (C3PAO); however, for the majority of work under Construction and Architect-Engineering IDIQs, it is anticipated that a Level 2 (C3PAO) certification will be required after November 10, 2026.

Immediate Steps Required

We urge all contractors and subcontractors to take the following immediate steps to prevent any disruption to your contract eligibility:

Access SPRS

Log in to the SPRS on PIEE, at https://piee.eb.mil/ - SPRS Vendor (Role) & Cyber Reports Access: https://www.sprs.csd.disa.mil/pdf/SPRS_Access_CyberReports.pdf - SPRS CMMC Level 2 Entry tutorial: https://www.sprs.csd.disa.mil/videos/Tutorials/CMMCL2SelfAssessment/CMMCLevel2selfassessmenttutorial.html - How to upload CMMC Level Training offered on SPRS as an Affirming Official (AO) https://www.sprs.csd.disa.mil/cmmc.htm

Verify Your Status

Confirm that your firm has a current CMMC status type properly posted in SPRS.

Ensure Accuracy

Validate that the posted CMMC status type accurately reflects your current cybersecurity posture as it aligns with the CMMC level required by your existing or potential contracts. This notice is for informational purposes only and does not constitute a solicitation, a request for proposal, nor a guarantee of award.