The response deadline has passed. Review the details for future reference or to track similar opportunities.
The Department of Defense is informing current and prospective contractors about the Cybersecurity Maturity Model Certification (CMMC) requirements applicable to NAVFAC Southwest's Planning, Design, and Construction contracts. Contractors must obtain a CMMC Level 2 certification or higher by November 10, 2026, to be eligible for IDIQ awards.
This notice outlines the CMMC requirements for contractors involved in NAVFAC Southwest's contracts, emphasizing the need for compliance with cybersecurity standards.
Notice to Industry – Application of Cybersecurity Maturity Model Certification (CMMC)
Requirements NAVFAC SOUTHWEST (SW) provides this notice to Industry to inform current and prospective contractors about the CMMC
Requirements under all NAVFAC SW Planning, Design and Construction (PDC) Multiple Award Construction Contracts (MACCs) and Architect-Engineer IDIQ Contracts. Future contract actions shall include the CMMC
requirements in accordance with Department of War (DoW) implementation of the CMMC program. As DoW continues implementation of the CMMC program, solicitations and contracts shall identify when contractor information systems are expected to process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The applicable CMMC level will be identified in the solicitation and contract. Offerors shall be required to have a current CMMC status recorded in the Supplier Performance Risk System (SPRS), including applicable assessment results and affirmations, as a condition of award for the contract, task order, and associated options where CMMC
requirements apply. In order to receive an IDIQ award from NAVFAC SW PDC, on or after November 10, 2026, prospective contractors must show that they have obtained a CMMC Level 2 (C3PAO) or higher. Task orders issued under NAVFAC SW IDIQs may be assigned a CMMC Level below Level 2 (C3PAO); however, for the majority of work under Construction and Architect-Engineering IDIQs, it is anticipated that a Level 2 (C3PAO) certification will be required after November 10, 2026. Immediate Steps Required We urge all contractors and subcontractors to take the following immediate steps to prevent any disruption to your contract
eligibility: Access SPRS: Log in to the SPRS on PIEE, at https://piee.eb.mil/ SPRS Vendor (Role) & Cyber Reports Access: https://www.sprs.csd.disa.mil/pdf/SPRS_Access_CyberReports.pdf SPRS CMMC Level 2 Entry tutorial: https://www.sprs.csd.disa.mil/videos/Tutorials/CMMCL2SelfAssessment/CMMCLevel2selfassessmenttutorial.html How to upload CMMC Level Training offered on SPRS as an Affirming Official (AO) https://www.sprs.csd.disa.mil/cmmc.htm Verify Your Status: Confirm that your firm has a current CMMC status type properly posted in SPRS. Ensure Accuracy: Validate that the posted CMMC status type accurately reflects your current cybersecurity posture as it aligns with the CMMC level required by your existing or potential contracts. This notice is for informational purposes only and does not constitute a solicitation, a request for proposal, nor a guarantee of award. Hal Hayes Alternative
Get matched to contracts like this daily
Free AI-powered contract matching for your business.